Android parking apps found to be vulnerable

Researchers at NCC Group, an information security firm, have been looking into six Android parking applications, and have found multiple security flaws in all of them.

The researchers found that the flaws could allow attackers to steal user logins, and even take over their mobile devices.

According to their blog post, NCC Group found that even though all of the apps use encryption to protect customer data, none of them verified server certificates. This leaves the apps wide open to man-in-the-middle attacks, especially where an app used an Android WebView containing a bridge that lets JavaScript in the page call native device functions.

A man-in-the-middle attack is one in which an attacker reroutes communication between two parties without their knowledge. The parties unknowingly send traffic to, and receive traffic from, the attacker instead of the intended recipient, and the attacker can impersonate one or both of them.

“In this scenario the attacker could inject HTML or JavaScript into the web page requested from the server,” writes NCC Group researcher Chris Spencer in a blog post. “This script then executes within the context of the Android application and can potentially instruct the device to download a malicious payload from the attacker’s server, providing access to the user’s phone with the privileges of the application.”
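As an added illustration (not code from the NCC Group post or from any of the apps studied), the pattern the researchers describe, a trust manager and hostname verifier that accept anything, is shown next to the corrected form that validates against the platform trust store, plus a WebView configured so that injected script has no native bridge to call. The class and method names here are my own.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class TlsHardening {

    // The flaw described in the article: every chain and every hostname is accepted.
    // TLS still encrypts, but anyone on the network path can present their own cert.
    static void weakTrustEverything() throws Exception {
        TrustManager[] acceptAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
    }

    // Corrected: validate the chain against the platform CA store and leave the
    // default hostname verifier in place so the certificate must match the host.
    static void useSystemTrust() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the system trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    // WebView side of the same risk: no JavaScript bridge is registered and only https
    // pages may load, so script injected into a response has nothing native to call.
    // If a bridge is required, expose only @JavascriptInterface methods (API 17+).
    static void hardenWebView(WebView view) {
        view.getSettings().setJavaScriptEnabled(false);
        view.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, String url) {
                return !url.startsWith("https://"); // true = block the navigation
            }
        });
    }
}
```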

Several of the apps let users save their passwords or PINs on the device so that they would be logged in automatically. One of the apps studied stored this sensitive information on the device without encryption.

NCC Group has shared its findings with each of the app vendors. There is currently no news on whether the flaws have been fixed; since NCC Group does not name the apps, it is possible that they have not yet been patched.

For information on how you can prevent your organization from being breached, visit www.miltonsecurity.com or call 714-515-4011.
