Mobile App Vulnerabilities: How Popular Apps Leak Sensitive Data
Introduction
On August 27, 2024, Symantec released a report highlighting the alarming vulnerabilities found in several popular mobile apps, both on Android and iOS platforms. The report reveals that these apps are failing to protect sensitive user data, exposing millions of users to potential cyber threats. The findings underscore the critical need for stronger security measures in app development.
Report Overview
The vulnerabilities were uncovered through a meticulous analysis of network traffic and code inspection conducted by Symantec’s security team. These flaws were identified in eight widely used mobile apps, some of which have millions of downloads on Google Play Store and Apple’s App Store. Despite the growing awareness of cybersecurity threats, these apps transmit unencrypted data, making it vulnerable to interception and misuse.
Technical Details
Symantec’s report provides detailed insights into the security lapses:
- Klara Weather (Android): With over 1 million downloads, this app was found to send user location data unencrypted via HTTP. This makes it easy for attackers to intercept and misuse this information.
- Military Dating App - MD Date (iOS): This app, which has garnered over 17,700 ratings, was discovered to transmit user credentials, including usernames and passwords, over unencrypted HTTP traffic, exposing users to potential account hijacking.
- Sina Finance (Android): With over 100,000 downloads, this app leaks device information, including device ID, SDK version, and IMEI, via unencrypted traffic.
- CP Plus Intelli Serve (Android): With over 50,000 downloads, this app transmits user credentials unencrypted, putting user accounts at risk.
- Latvijas Pasts (Android): This app, downloaded over 100,000 times, sends geolocation data unencrypted, which can be easily intercepted by malicious actors.
- HaloVPN: Fast Secure VPN Proxy (iOS): With 13,300 ratings, this app leaks device information, such as device ID and SIM data, over unencrypted channels.
- i-Boating: Marine Charts & GPS (iOS): This app, which has 11,600 ratings, was found to transmit device information unencrypted, making users vulnerable to tracking and data theft.
- Texas Storm Chasers (iOS): With 9,200 ratings, this app sends user geolocation data unencrypted, exposing users to potential stalking and other privacy risks.
The consequences of these vulnerabilities are significant. By transmitting sensitive data unencrypted, these apps expose users to a variety of threats, including identity theft, unauthorized access, and data breaches. The implications extend beyond individual users, potentially affecting entire organizations if corporate devices are compromised.
Insights and Analysis
Symantec’s findings underscore a recurring issue in the mobile app development industry: the failure to prioritize user data security. The consistent use of unencrypted HTTP for transmitting sensitive data in these apps is a glaring oversight that puts millions of users at risk.
To mitigate these risks, app developers must prioritize security by:
- Using HTTPS: Ensure all data transmission between the app and the server is encrypted using HTTPS.
- Encrypting Sensitive Data: Utilize strong encryption methods to protect sensitive information both in transit and at rest.
- Regular Security Audits: Conduct regular code reviews and security audits to identify and rectify potential vulnerabilities.
For users, it is critical to maintain strong situational awareness. Only download apps from trusted sources, keep software up to date, and pay attention to the permissions requested by apps. Regularly backing up important data and installing a reputable security app can also provide an added layer of protection.
Indicators of Compromise (IOCs)
No specific Indicators of Compromise (IOCs) were provided in the source material.
MITRE ATT&CK Table
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Collection | Input Capture | T1056 | Techniques that capture keystrokes, credentials, or other input data from users. |
| Exfiltration | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | T1048.002 | Exfiltrating data via unencrypted HTTP traffic. |
| Initial Access | Drive-by Compromise | T1189 | Delivering malicious code through web traffic inspection or user interaction. |