X-Force Security Intelligence Findings: Vulnerabilities in Mobile Dating Applications

Upload: ibm-security

Post on 18-Jul-2015


TRANSCRIPT

© 2015 IBM Corporation

IBM Security

X-Force Security Intelligence Findings: Vulnerabilities in Mobile Dating Applications

Tom Mulvehill, Caleb Barlow, Eitan Worcel
IBM Cloud & Mobile Security Teams

Today’s Agenda

• Overview of Mobile Security Risks
• Mobile Dating App Vulnerabilities: A Closer Look
• Mobile Dating App Vulnerabilities: Methodology & Impact of Vulnerabilities
• Questions-and-Answers Session

Overview of Mobile Security Risks

User vs. Enterprise Risk

User:
• Threat from Malware
  – Trojans and Spyware
• Phishing
• Fake Android marketplace
  – Malware bundled with app
• Unauthorized Use of:
  – Contact DB
  – Email
  – SMS (text messages)
  – Phone (placing calls)
  – GPS (public location)
  – Data on device

Enterprise:
• Data leakage
  – Attack from malware
  – Account info. on mobile device
• Cracking mobile apps
  – Easy access to applications
  – Reverse engineering
• Little to no App control
  – BYOD
  – Consumer devices

Mobile Security Concerns

• Mobile security is broader than device management.

Risk from Mobile Malware Is Real & Growing

Reverse Engineering & IP Theft Risk

• 97% of top paid Android apps have been hacked
• 87% of top paid iOS apps have been hacked
• 80% of the most popular free Android apps have been hacked
• 75% of the most popular free iOS apps have been hacked

Source: State of Security in the App Economy – “Apps Under Attack” (Dec 2014)

Android & Platform Risk

• Sophistication of attacks increasing
• New versions of Android OS helping to reduce risk, but… Android market is still very fragmented.

Charts: Android version distribution – February 2015; iOS version distribution – February 2015.

Sources: https://developer.apple.com/support/appstore/ and https://developer.android.com/about/dashboards/index.html?utm_source=ausdroid.net

Mobile Permission Risk

• Permissions vary by OS & release
• Users don’t understand
• Developers over permission
• Android Pileup Flaw

OWASP Mobile Top 10 Risks (RC 2014 V1)

https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks

Mobile Dating App Vulnerabilities: A Closer Look

Key Findings in IBM’s Analysis of Mobile Dating Apps on Android Devices

About the Organizations:
• 50% of enterprises have popular apps present on devices that accessed confidential business data.

About the Applications:
• 73% of popular apps can access users’ current and past GPS information.
• 60% of apps are vulnerable to cyber-attacks that could put personal information & organizational data at risk.
• 49% of popular apps have access to users’ billing information, potentially jeopardizing credit card information in mobile wallets.
• 34% of popular apps have access to users’ cameras or microphones.

Blog: "A Perfect Match: Uniting Mobile Security With Online Dating Apps"

Protecting Yourself Against Mobile Threats

Blog: "A Perfect Match: Uniting Mobile Security With Online Dating Apps"

Mobile Dating App Vulnerabilities: Methodology & Impact of Vulnerabilities

History of Mobile Application Vulnerabilities

Timeline: July 2013, December 2013, March 2014, July 2014, August 2014

Risk of Malware for Mobile Apps

http://grahamcluley.com/2014/12/the-interview-android-app-malware/

Uploading A Mobile Application on AppScan Mobile Analyzer

Imitating A Hacker

Diagram: the target app's attack surface as seen by the analyzer: exposed and non-exposed activity parameters, public and private intents, services, receivers, content providers, the data store, and the manifest.

What were we looking for?

• Android Fragment Injection
• Android Class Loading Hijacking
• Buffer Overflow
• Client-side SQL Injection
• Crash in Native Code
• Cross-Site Scripting via Man in the Middle
• Cross-Application Scripting (XAS)
• Debug Flag Enabled on Release Version
• Broken Cryptography
• File Manipulation
• Insecure File Permissions
• Insecure Pending Intent
• Phishing via Man in the Middle
• Unsafe Reflection
• Weak Random Number Generators
• Activity Hijacking
• Backup Flag Enabled
• Service Hijacking
• UI Spoofing
• Unhandled Java Exception
• Unstripped Binary
• Broadcast Theft
• Debug Version

Severities (HIGH, MEDIUM, LOW, INFORMATIONAL): based on X-Force research

Reviewing the Results

Man in The Middle Attacks

• You don’t really know who’s on the other end of the line.
• You cannot trust the application that runs on your own device.
• Your sensitive information and privacy are at risk.

Broken Cryptography and Weak Random Number Generators

• Encrypted communication can be decrypted by a hacker.
• Your “secrets” are not well-hidden.
• Your sensitive information and privacy are at risk.

2 Applications Left Debug Flag Enabled

• Information that flows into the application can be hijacked and modified.
• Malicious code can run in the context of the app with access to anything the app can access.
• Your sensitive information and privacy are at risk.
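As an added example, not code from the IBM deck or from AppScan Mobile Analyzer: a small Python check over a decoded AndroidManifest.xml for three of the manifest-level weaknesses the slides list (Debug Flag Enabled on Release Version, Backup Flag Enabled, and components exported without a guarding permission, the surface the "Imitating A Hacker" slide draws). It assumes the manifest has already been decoded to plain XML (for example with apktool); the sample manifest and its package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER = "android.intent.category.LAUNCHER"

def android_attr(elem, name):
    """Read an android:* attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))
def is_launcher(comp):
    """Launcher activities are exported by design, so they are not reported."""
    return any(android_attr(c, "name") == LAUNCHER for c in comp.iter("category"))
def audit_manifest(xml_text):
    """Return (check, location) pairs for weak settings in a decoded manifest."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if app is None:
        return findings
    # Debug flag left on: a debugger can attach and read or alter app data.
    if android_attr(app, "debuggable") == "true":
        findings.append(("debug-flag", "application"))
    # allowBackup defaults to true, so app data can leave the device via adb backup.
    if android_attr(app, "allowBackup") != "false":
        findings.append(("backup-flag", "application"))
    # Components other apps can reach with no permission guarding them.
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            exported = android_attr(comp, "exported")
            # Pre-API-31 default: exported if an intent-filter exists; an unspecified provider is treated as exported (conservative).
            implicit = exported is None and (
                comp.find("intent-filter") is not None or tag == "provider")
            if ((exported == "true" or implicit) and not is_launcher(comp)
                    and android_attr(comp, "permission") is None):
                findings.append(("exported-component",
                                 "%s %s" % (tag, android_attr(comp, "name"))))
    return findings
# Constructed sample manifest (not a real app) carrying the weak settings above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity"><intent-filter>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>
    <activity android:name=".ProfileActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.dating.SYNC"/>
    <receiver android:name=".PushReceiver"><intent-filter>
      <action android:name="com.example.dating.PUSH"/></intent-filter></receiver>
    <provider android:name=".ChatProvider" android:authorities="com.example.chat"/>
  </application>
</manifest>"""
```

Running `audit_manifest(SAMPLE_MANIFEST)` reports the debug flag, the backup flag and three unguarded exported components; the permission-protected service and the launcher activity are not reported.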

Learn How to Improve Your Mobile Security

• Blog: "A Perfect Match: Uniting Mobile Security With Online Dating Apps"
• YouTube Video: Digital Dating – “It's Not You, It's Me”
• IBM News Room: IBM Security Finds Over 60 Percent of Popular Dating Apps Vulnerable to Hackers

Share the Love!

Questions-and-Answers Session

About the Research: IBM Security analysts from IBM’s Application Security Research team used its new IBM AppScan Mobile Analyzer tool to analyze the top 41 dating apps available on Android devices to identify vulnerabilities that can leave users open to potential cyberattacks and threats. These apps were also analyzed to determine the granted permissions, unveiling a host of excessive privileges. To understand enterprise adoption of these 41 dating apps, app data was analyzed from IBM MobileFirst Protect™, formerly MaaS360. In advance of releasing this research to the public, IBM Security disclosed its findings to all affected app vendors identified in this research.

www.ibm.com/security

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.