Mobile App Security: A Mid-Year Breach Review
2021 is shaping up to be another challenging year for mobile security teams. At the halfway point, mobile app breaches have already exposed the private account details of more than a billion users and revealed sensitive data through unpatched vulnerabilities and cloud misconfigurations. Here is a month-by-month look at some of the most notable mobile app breaches of the year so far, with suggestions for reducing them in future.
Amazon Ring Neighborhood Watch App Leaks Data
A security flaw in the Amazon Ring Neighbors app, reported in January, leaked the precise location and home address of users who posted to the app. While posts are public, the app does not normally reveal precise locations. The bug did not display the data on screen; instead, the app fetched hidden fields from Ring's servers, including the poster's latitude, longitude and home address, where anyone inspecting the app's network traffic could read them. Ring fixed the issue soon after. Ring's IoT doorbells and surveillance cameras have been dogged by security problems since their introduction.
Popular Android App SHAREit Vulnerable to Remote Code Execution
In February, ZDNet reported that vulnerabilities in an Android app with more than one billion downloads had gone unpatched for three months. The developers of SHAREit had failed to fix a bug that could be exploited to run malicious code on any smartphone with the app installed. SHAREit finally patched the vulnerability that month.
Popular iPhone Call Recorder App Exposes Call Recording Data
Reported in March, a bug in the popular iPhone app Call Recorder exposed about 130,000 recordings. Because the app identified users by phone number alone, anyone who knew a user's number could retrieve that user's recordings without authorization: by intercepting and modifying the app's traffic, a researcher could substitute another number and pull the recordings from the app's cloud storage bucket on Amazon Web Services. The developer patched the bug soon after researchers reported it.
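The flaw described above is an insecure direct object reference (IDOR): the server authenticates the caller and then looks up data by an identifier the caller supplies. The following added example, which is not Call Recorder's code and uses a constructed session table, recording store and request shape, shows the vulnerable lookup beside the fix, where the account is derived from the server-side session instead of the request.

```python
"""Added example: an IDOR on per-user recordings, beside its fix.
The store, session table and API shape are constructed for illustration
and are not the real backend of any app named on this page."""


class Unauthorized(Exception):
    """No valid session."""


class Forbidden(Exception):
    """Valid session, but not allowed to read this resource."""


# Constructed sample data: phone number -> object keys in cloud storage.
RECORDINGS = {
    "+15550001111": ["rec/alice-2021-03-01.m4a"],
    "+15550002222": ["rec/bob-2021-03-02.m4a", "rec/bob-2021-03-05.m4a"],
}

# Constructed session table: bearer token -> phone number it was issued to.
SESSIONS = {"tok-alice": "+15550001111", "tok-bob": "+15550002222"}


def list_recordings_vulnerable(token, params):
    """Checks that the caller is logged in, then trusts the phone number
    the client put in the request. Any logged-in user who knows a victim's
    number gets the victim's recordings: the classic IDOR."""
    if token not in SESSIONS:
        raise Unauthorized()
    return RECORDINGS.get(params["phone"], [])


def list_recordings_fixed(token, params):
    """Derives the identity from the server-side session and refuses any
    attempt to name a different account in the request."""
    phone = SESSIONS.get(token)
    if phone is None:
        raise Unauthorized()
    if "phone" in params and params["phone"] != phone:
        raise Forbidden()  # client tried to select someone else's data
    return RECORDINGS.get(phone, [])


def demo():
    """Alice (tok-alice) asks for Bob's recordings by number.
    Returns what the vulnerable endpoint leaks and whether the fixed
    endpoint blocked the request."""
    attack = {"phone": "+15550002222"}
    leaked = list_recordings_vulnerable("tok-alice", attack)
    try:
        list_recordings_fixed("tok-alice", attack)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The same principle applies one layer down: the object keys returned here should be served through short-lived, per-user signed URLs, not from a bucket that anyone who learns a key (or can list the bucket) can read directly.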
13 Android Apps Leak Data of Millions of Users
April saw the largest mobile breach of the year so far. Check Point Research reported that 13 popular Android apps exposed the data of as many as 100 million users. The developers had failed to secure the third-party cloud services behind the apps, exposing personal data including email addresses, chat messages, locations, passwords and photos. The researchers notified Google and the app developers before publishing; according to the report, not all of the apps were fixed. Breaches like this show how cloud services such as storage and analytics have become critical components of mobile app development, and how their misconfiguration or exposure is a growing risk.
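This class of misconfiguration is easy to catch mechanically before release. The following added example, which is not from the Check Point report or any of the apps it covers, audits a security-rules document in the JSON format used by Firebase Realtime Database, one of the third-party backends such apps commonly rely on; the two rule sets are constructed, one wide open and one scoped to the signed-in user, and the classification of rule expressions is a deliberately coarse heuristic.

```python
"""Added example: audit a Realtime-Database-style rules document for paths
readable or writable by the world or by any signed-in user.
Rule sets are constructed; the expression classifier is a heuristic."""
import json

# Constructed: the wide-open rule set that leaked apps often ship with.
# A rule at the root cascades to every child path.
WEAK_RULES = json.loads('{"rules": {".read": true, ".write": true}}')

# Constructed: per-user data scoped to the authenticated uid, plus one
# path that is deliberately world-readable but not writable.
CORRECTED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read":  "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "public_config": { ".read": true, ".write": false }
  }
}
""")


def classify(rule):
    """Coarse classification of a .read/.write rule value."""
    text = rule.strip() if isinstance(rule, str) else rule
    if text is True or text == "true":
        return "public"             # anyone on the internet
    if text is False or text == "false":
        return "denied"
    if isinstance(text, str) and "auth.uid" in text:
        return "scoped"             # tied to a specific user
    if isinstance(text, str) and "auth" in text:
        return "any-authenticated"  # any account, incl. anonymous sign-in
    return "unknown"                # custom expression; review by hand


def audit(rules, path="/"):
    """Walk the rules tree and return (path, permission, class) for every
    rule that is public or open to all authenticated users."""
    findings = []
    for key, value in rules.items():
        if key in (".read", ".write"):
            cls = classify(value)
            if cls in ("public", "any-authenticated"):
                findings.append((path, key, cls))
        elif isinstance(value, dict):
            child = path.rstrip("/") + "/" + key
            findings.extend(audit(value, child))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_RULES), ("corrected", CORRECTED_RULES)):
        print(name, audit(doc["rules"]))
```

A finding is a prompt for review, not automatically a bug: the corrected rule set still reports `/public_config` as world-readable, which is intended. What the check will not let through silently is a root-level `true`, and it also surfaces `auth != null` rules, which grant every account in the project (including anonymous sign-ins, if enabled) access to everyone's data.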
ParkMobile Breach Affects 21 Million Users
In April, journalist Brian Krebs reported that account information on 21 million users of the ParkMobile parking app had been exposed; he was alerted when the data appeared for sale on dark web markets. Once notified, ParkMobile traced the leak to vulnerabilities in third-party software that had exposed customer email addresses, dates of birth, phone numbers, license plate numbers and hashed passwords. The company now faces a class-action lawsuit over the exposure. The breach illustrates how a software bill of materials, called for in the U.S. Executive Order on cybersecurity, might be used in the coming year to identify such third-party dependencies.
Klarna Payment App Exposes User Balances
In May, Klarna, a Swedish payments and banking app, suffered a serious security incident: for a period, users who logged in saw other customers' account information instead of their own. According to Klarna's statement, human error caused responses to be cached in an unintended way; the problem was fixed quickly. The Swedish Financial Supervisory Authority is investigating Klarna for possible violations of security regulations. The incident came at a delicate time for the $45 billion fintech, shortly after it raised $639 million in new funding.
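The pattern behind "cached in an unintended way" is usually a cache keyed on the URL alone for a response that is different for every user, often combined with a Cache-Control header that permits shared caches to store it. The following added example, which is not Klarna's code and uses constructed users, balances and an in-memory cache standing in for an application or edge cache, shows that mistake beside the fix.

```python
"""Added example: a per-user response cached by URL alone, beside the fix.
The users, balances and cache are constructed; this is not Klarna's code."""


class ResponseCache:
    """Minimal in-memory cache; stands in for an app-side or edge cache."""

    def __init__(self):
        self._store = {}

    def get_or_compute(self, key, compute):
        if key not in self._store:
            self._store[key] = compute()
        return self._store[key]


# Constructed account data.
BALANCES = {"alice": 120.50, "bob": 7.25}


def render_balance(user, cache_control):
    """The per-user response body plus the caching header sent with it."""
    return {"user": user, "balance": BALANCES[user],
            "cache_control": cache_control}


def serve_vulnerable(cache, user, path):
    """Key is the path only, and the header invites shared caches to keep
    the body. Whoever asked first is what everyone afterwards sees."""
    return cache.get_or_compute(
        path, lambda: render_balance(user, "public, max-age=60"))


def serve_fixed(cache, user, path):
    """Key includes the authenticated identity, and the header tells any
    intermediary not to store the body at all."""
    return cache.get_or_compute(
        (user, path), lambda: render_balance(user, "private, no-store"))


def demo():
    """Alice loads /balance first, then Bob does. Returns whose account
    Bob sees under each implementation."""
    bad, good = ResponseCache(), ResponseCache()
    serve_vulnerable(bad, "alice", "/balance")
    serve_fixed(good, "alice", "/balance")
    seen_by_bob_vulnerable = serve_vulnerable(bad, "bob", "/balance")["user"]
    seen_by_bob_fixed = serve_fixed(good, "bob", "/balance")["user"]
    return seen_by_bob_vulnerable, seen_by_bob_fixed


if __name__ == "__main__":
    print(demo())
```

Both halves of the fix matter: the user-scoped key protects against the application's own cache, and `Cache-Control: private, no-store` protects against CDNs, reverse proxies and browser caches that never see the application's key at all.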
Pre-Installed Samsung Secure Folder App Allows Attackers to Steal Data
In June, flaws in pre-installed Samsung apps were found to allow attackers to steal a victim's photos, videos, call records, contacts and messages. A mobile security firm discovered flaws in the Samsung Secure Folder app that could be used to steal contact information, and in Samsung's Knox security software that could be used to install malicious apps. Samsung has fixed the vulnerabilities.
Unlike headline supply-chain attacks such as SolarWinds or ransomware outbreaks such as Kaseya, mobile breaches tend to involve attackers quietly collecting data. The mobile breaches of 2021 so far have already exposed the personal and financial data of millions of people worldwide. Sold on underground markets or used directly in cybercrime, that data contributes to cyber losses estimated at $1 trillion for last year alone.
Fortunately, there are national efforts to slow supply-chain attacks, stop breaches and protect privacy. The recent U.S. Executive Order on Improving the Nation's Cybersecurity, for example, calls for a software bill of materials (SBOM) to help identify the vulnerable components behind supply-chain attacks. The order also requires agencies to automate security testing and to adhere to a unified standard developed with the security community. Although the order focuses on protecting the federal government, it is likely to affect many commercial software vendors as well.
Expect these kinds of breaches to continue through the second half of 2021. Still, there are things developers and security professionals can do right away to reduce them. Development teams can adopt secure-by-design principles and familiarize themselves with mobile application security standards and guidance from OWASP (the Mobile Application Security Verification Standard), NIST and MITRE. Security professionals can work with developers and QA to automate security testing so that frequent builds are tested early.