Millions of users around the world regularly install tracker apps on their Android devices to help them keep track of friends and loved ones. Some of those tracker apps, however, contain vulnerabilities that could potentially enable an attacker to track the users of the apps.
Researchers from the Fraunhofer Institute for Secure Information Technology detailed 37 vulnerabilities found in 19 mobile tracking apps in a session at Defcon in Las Vegas on Aug. 11. The researchers responsibly disclosed the flaws to Google and noted that, as of the time of their presentation, 12 of the apps had been removed from the Google Play store, leaving seven still publicly available and vulnerable.
“In this project it was very easy to find vulnerabilities,” security researcher Siegfried Rasthofer said. “There were no sophisticated exploits.”
Rasthofer said that across the analyzed Android mobile tracker apps, it was very easy to enable premium features without paying, access highly sensitive data and perform mass surveillance.
Enabling premium features for the apps was a relatively simple exercise, due to a fundamental design flaw. Rasthofer explained that the mobile tracking apps saved user and configuration options in the shared preferences folder on Android. That folder is not protected and a user with local access can simply access the specific preferences file for a given application and change a variable to move from free to premium features.
In addition, Rasthofer found that some of the mobile tracking apps defined the user role in the shared preferences file as well. So, for example, a tracking app that a parent uses to track a child would typically have the parent as the administrator. Simply changing a single value in the shared preferences file could enable the child to become an administrator and then track the parent, he said.
Another common feature with its configuration stored in the shared preferences file is the need for a PIN or passcode to enter the tracking app. Rasthofer said that a simple variable in the shared preferences defines whether to have the PIN or not.
“So the lesson here is do not use SharedPreferences for authorization checks,” Rasthofer said.
Security researcher Stephan Huber noted that the analyzed trackers also did not properly implement cryptography, which could enable man-in-the-middle (MiTM) attacks. Huber said that simply by using Transport Layer Security (TLS) 1.2 or 1.3 along with a valid server certificate, the MiTM risk can be mitigated.
The researchers also found the server-side database of users for some of the apps to be lacking proper configuration. Huber said mobile app developers had not properly implemented what is known as a prepared statement in their MySQL database. A prepared statement is a functional method used to execute a certain function repeatedly. The developers of multiple mobile tracking apps had in fact enabled a SQL injection attack through the misconfigured prepared statement, enabling an attacker to easily get access to a complete database of user information, he said. In one case, Huber said he could have extracted the credentials for 1.7 million users.
Adding further insult to injury, Huber said it was also possible to bypass cloud authentication for some of the mobile tracking apps, enabling an attacker to get access to all images a user might have sent via the tracking app.
In the final analysis, the two researchers emphasized that developers could have easily avoided all the issues they found by using common, well-known security best practices. Among the key recommendations the researchers suggested are to make sure that cryptography is properly implemented and not to use plaintext communications. In addition, they said it’s important to consider both client-side and server-side security when it comes to mobile applications.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.