An event ticketing retailer, a major airline, and a popular social network walk into a...no, it’s not the start of a lame joke. What do all three have in common? Consumer-facing Android apps that pose a security risk, none of which is a laughing matter.
RIIS, LLC, an IT services firm, has released its Android App Security Index that ranks mobile apps according to their adherence to security policies. The alarming result? Of the 20 apps tested, each from a Fortune 500 company, all but four had some type of risk.
“When we tell companies there is an issue with their apps, they don’t seem to care,” said Godfrey Nolan, author of “Decompiling Android,” in an interview with Mobile Enterprise.
Take Facebook, for example. Nolan reported a privacy problem directly to the company regarding its Android app: inbox messages are being stored in cleartext in the SQLite database and can be viewed by anyone with access to an unlocked phone. In his report, he detailed step by step how such messages can be obtained.
“The risk here is significantly mitigated by the fact it requires physical access to an unlocked phone and the ability to download the data via USB. If someone already has that much access to your phone, this avenue of attack is probably the least of your worries. :) But in all seriousness, these are very high hurdles for compromise. We might make some changes to our storage mechanisms at some point (e.g. encryption), but this doesn't qualify as a vulnerability.”
That glib email came from a member of the Facebook security team, who had the term “whitehat” in a return address. In the IT world, whitehat refers to the “ethical hacker” who penetrates systems in order to better secure them. Doesn’t particularly look like the case here.
In contrast to Facebook, Geico took immediate action after Nolan informed them of a different security issue. “I felt bad because I spoiled their weekend,” he said.
How Apps Were Scored
Nolan and his RIIS team analyzed 20 apps for encryption-key and HTTP issues. All apps already resided on members’ phones, and all had valid user accounts.
The index scored each app on how well it mitigated 10 mobile app security risks:
Insecure Data Storage
Weak Server Side Controls
Insufficient Transport Layer Protection
Client Side Injection
Poor Authorization and Authentication
Improper Session Handling
Security Decisions Via Untrusted Inputs
Side Channel Data Leakage
Sensitive Information Disclosure
Notable risks include the ability to recover usernames and passwords from some of these apps, as well as users’ messages and personal information in the remaining apps.
Every major risk found was reported to its respective company. Aside from Geico taking action, and Facebook’s nonchalant reply, Nolan could not get through to the other enterprises, including Delta, StubHub and Walmart. He especially wants to see the LiveNation / Ticketmaster app fixed, a problem that an end-user would never even notice.
The individual signs in and enters a username and password. The password can be saved so it does not have to be entered on a subsequent visit. “That’s great for usability, not security,” Nolan said, because this particular shared preference is not encrypted. Meaning, anyone who obtains such information can go on a ticket shopping spree.
Even if an update has corrected the issue, the old version of the app is still a problem, since it is “out there” being used by those who do not know differently.
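The storage weakness described above (a saved password, or the Facebook inbox messages, written to the app’s private storage without encryption) as an added example, not code from the article or from any of the apps it names. The insecure method shows the pattern; the hardened method assumes the androidx.security EncryptedSharedPreferences library, and the class and key names are hypothetical.

```java
// Added example: cleartext credential storage next to a hardened alternative.
import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.IOException;
import java.security.GeneralSecurityException;

public final class CredentialStore {          // hypothetical class name
    private static final String PREFS = "login_prefs";
    private static final String KEY_PASSWORD = "password";

    // Weak: SharedPreferences are written as plain XML under the app's private
    // data directory, so the password is recoverable by anyone who can read
    // that directory (root, a backup, or an unlocked phone over USB, as the
    // article describes). This is the pattern the index flags as
    // "Insecure Data Storage".
    public static void saveInsecure(Context ctx, String password) {
        SharedPreferences p = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        p.edit().putString(KEY_PASSWORD, password).apply();
    }

    // Better: do not persist the password at all. Keep a server-issued,
    // revocable token instead, and encrypt it at rest with a key held in the
    // Android Keystore (wrapped here by EncryptedSharedPreferences). Reading
    // the XML file off the device then yields only ciphertext.
    public static void saveToken(Context ctx, String refreshToken)
            throws GeneralSecurityException, IOException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        SharedPreferences p = EncryptedSharedPreferences.create(
                ctx, PREFS + "_enc", masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
        p.edit().putString("refresh_token", refreshToken).apply();
    }
}
```

Even the hardened form does not protect a token from code running inside the unlocked, signed-in app, so the token should be short-lived and revocable server-side.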
When It Happens to You
Does anyone long for the 90s? Boy bands were rampant and reality shows were just coming into vogue. Developers were also exposing code on websites which would give access to databases. No one seemed to think it was an issue, until of course, it started happening to them, and then they decided to fix it.
“History is repeating itself,” said Nolan, noting that many mobile developers are in their early 20s, and were not around for the last round of “Oh my, did we really do this?”
Nolan said his firm plans on testing another 20 apps within the next month and will update the report. And in the meantime, he stressed, think password protection. Unfortunately, it’s safe to say that most end-users in the United States do not protect their mobile devices. Nolan hopes, however, that by publicizing the problems with commonly used apps, it will not only raise awareness but spur action.