Several smartphone parking applications contain serious vulnerabilities which could allow a hacker to launch a Man in the Middle attack against their users and ultimately gain unauthorized access to the device, new research has found.
Information assurance firm NCC Group tested six popular but unnamed Android apps, some with an installed base of 5-10,000 users and others with up to one million registered users.
Although the majority of the apps used TLS to encrypt sensitive data sent back to the server, none verified the certificate used by that server—exposing them to MITM attacks enabled by an "intercepting proxy tool."
One vendor had even chosen to build their own encryption system, but failed by storing the keys in the application code, so they were easily retrieved by decompiling the app.
Another confirmed the username and password via email—again meaning a hacker connected to the same network could intercept and recover these details.
However, NCC Group security consultant, Chris Spencer, clarified that MITM attacks can work only if the hacker has some control over the same network the vulnerable device is connected to—for example via unsecured Wi-Fi.
“Since most of the time parking applications will be used when connected to mobile data connections, the likelihood of these attacks may be reduced (although it is possible for an attacker to create a fake GSM base station),” he explained.
“There are circumstances where a user of the application may be connected to public Wi-Fi, however, such as when extending a parking stay from a restaurant or coffee shop. Be careful when using any type of mobile application that may expose sensitive data when connected to a potentially unsecure network.”
Other security oversights included allowing passwords or PINs to be stored on the device to enable “auto-log-in.”
“This feature isn't generally a good idea, mainly as the password may not be stored securely,” wrote Spencer. “In fact, one of the applications stored the password for the system (unencrypted) in the application's private data directory on the phone.”
File traversal vulnerabilities made it possible for the NCC Group testers to access private data directories—on one occasion enabling them to recover an unencrypted password stored there.
However, the research did point to some good security practice among the app developers studied—for example ensuring that any data stored on the device is hashed with a recognized hashing algorithm.
NCC Group recommended developers of parking applications use securely configured TLS to encrypt data sent to the server; use the latest Android API version; use certificate pinning to mitigate the risk of MITM on TLS; and avoid exporting Android components if possible, among other steps.
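To make the two findings above concrete (an app that uses TLS but never verifies the server certificate, and the recommended fix of securely configured TLS plus certificate pinning), here is an added Java illustration for an Android client built on OkHttp. It is not code from any of the tested apps or from NCC Group; the hostname `api.parking.example`, the pin values and the class and method names are placeholders chosen for the example.

```java
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

// Added illustration; hostname, pins and names are placeholders, not values from the research.
public class ParkingApiClients {

    // VULNERABLE PATTERN: a TrustManager whose checkServerTrusted never throws, so any
    // certificate chain is accepted. This is what "uses TLS but does not verify the
    // certificate" looks like in practice: the connection is encrypted, but to whoever
    // answered it, which is exactly the gap an intercepting proxy on the same network exploits.
    static OkHttpClient trustAllClient() throws Exception {
        X509TrustManager trustAll = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {} // never rejects
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustAll }, new SecureRandom());
        return new OkHttpClient.Builder()
            .sslSocketFactory(ctx.getSocketFactory(), trustAll)
            .hostnameVerifier((hostname, session) -> true) // also disables the hostname check
            .build();
    }

    // HARDENED: keep the platform defaults (chain validated against the device CA store,
    // hostname checked) and add pins on the SHA-256 hash of the backend key's
    // SubjectPublicKeyInfo. A certificate for the same name issued by any other CA, including
    // one a user has been tricked into installing, is then still rejected. A second pin for a
    // backup key lets the operator rotate keys without locking clients out.
    static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
            .add("api.parking.example", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") // PLACEHOLDER: current key
            .add("api.parking.example", "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=") // PLACEHOLDER: backup key
            .build();
        return new OkHttpClient.Builder()
            .certificatePinner(pinner)
            .build();
    }
}
```

When reviewing an app, the first block is the signature to look for: any `X509TrustManager` with an empty `checkServerTrusted`, or a `HostnameVerifier` that always returns true, means the TLS layer provides confidentiality only against passive observers. Pinning, as in the second block, is the mitigation the article recommends; it should always be layered on top of normal chain validation rather than replace it, and the pin set must be updated before the pinned key is retired or the app will refuse to connect to its own backend.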