The author surveyed over 230 applications (the full list of applications can be found in A Survey Of Mobile Device Security: Threats, Vulnerabilities and Defenses), including applications in the “Top” categories on the iTunes store, to determine what type of information could be extracted by auditing packet streams. The results were quite surprising.

To perform this audit, the author launched one application at a time and used Wireshark to capture and analyze packets. The experiment was performed on an open network that the author created. The access point was a Cisco Small Business router (WAP4410N), configured with a hidden SSID and MAC address authentication to prevent outside users from associating with the access point and introducing extra, unrelated packets. While the author realizes that hidden SSIDs and MAC address authentication are easily defeated mechanisms, they were used only to keep casual users off the access point. The mobile devices used were an Apple iPod Touch 4G, an Apple iPad 1G and an iPhone 4, all running iOS 5.0.1.

For reasons of classification, the authors created several different levels of potential security breaches. The levels are defined as:

  • None: This level is defined as having no potential security breaches and no exposure of confidential information.
  • Low: This level is defined as having a few potential security breaches or exposure of confidential information that could not directly affect the user, such as device IDs that could be used in tracking users (in iOS, these are called UUIDs).
  • Medium: This level is defined as having several potential security breaches or exposure of confidential information that is potentially serious or if information is exposed such that an attacker would be able to identify the user on an individual basis, such as addresses, latitudes or longitudes, etc.
  • High: This level is defined as having multiple potential security breaches or exposure of extremely confidential information, such as account numbers, PINs, and username/password combinations.

For a full listing of the applications, including the version number of each application in which a risk was found, see Appendix A.

| Application | Level | Risks Found |
|---|---|---|
| GrubHub | Low | UUID |
| The Weather Channel | Low | Geocoded location |
| Path | Low | UUID |
| Handmade | Low | UUID |
| iHeartRadio | Low | Reverse geocoded location |
| TabbedOut | Low | UUID, platform |
| Priceline | Low | UUID, geocoded location, “Search” API is unencrypted |
| Free WiFi | Low | Geocoded location |
| Coupious | Medium | Geocoded location, UUID, coupon redemption codes |
| Delivery Status | Medium | UPS transmits reverse geocoded locations and tracking numbers |
| Color | Medium | Reverse geocoded location and photos taken and shared by users |
| Cloudette | Medium | Username in plaintext and password, hashed with MD5 |
| Gas Buddy | Medium | Username and password, hashed with MD5 |
| Ness | Medium | Reverse geocoded location |
| Southwest Airlines | High | Username and password in plaintext |
| Minus | High | Username and password in plaintext |
| WordPress | High | Username and password in plaintext |
| Foodspotting | High | Username and password, geocoded location |
| ustream | High | Username and password, UUID, geocoded location |
| Labelbox | High | Username and password, geocoded location |

The majority of the applications that were surveyed encrypted the exchanges of confidential or sensitive information, such as usernames, passwords and account numbers via SSL/TLS.

However, many applications performed some sort of tracking or storing of analytic information, such as passing the UUID in a call to a web service. In some of these instances, the identifying information was not encrypted. While this is not dangerous in the sense that an attacker could use it to “identify” a particular person, none of the applications let users know that information such as the UUID, phone OS and model was being used or recorded, nor did they let the user “opt out.”

The largest single potential security breach was in the Southwest Airlines application. Because the username and password were submitted to a web server via a POST operation in plaintext, an attacker could simply sniff for this data. If an exchange was captured, one could use those credentials to log into the account, book travel, use award miles and possibly change information in the victim’s profile. This is worrisome not only because an attacker could fraudulently use a victim’s account and credit card information, but also because of the possibility of terrorist threats to air travel.
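To make the four risk levels concrete, the following is an added example (not code from the paper) that applies them to cleartext HTTP requests of the kind this audit captured. It parses raw HTTP/1.x requests, pulls fields from the query string and any form-encoded body, and rates each request: device identifiers such as a UUID or platform string rate Low, data that identifies an individual (username, address, latitude/longitude) rates Medium, and a password, PIN or account number rates High. Following the Cloudette and Gas Buddy rows in the table, a password that is only MD5-hashed is rated Medium rather than High. The sample requests, the field names it looks for and the `example.invalid` host are assumptions constructed for this example; a real audit would feed it the reassembled TCP streams exported from Wireshark.

```python
"""Rate cleartext HTTP requests by the survey's risk levels (None/Low/Medium/High).

Added example, not code from the paper. The sample requests and the field
names below are constructed assumptions; a real audit would feed this the
reassembled TCP streams exported from Wireshark ("Follow TCP Stream").
"""
import re
from urllib.parse import parse_qs, urlsplit

LEVEL_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3}

# Field names treated as indicators, grouped by the paper's definitions:
#   Low    = device identifiers usable only for tracking (UUID, platform)
#   Medium = data that identifies an individual (username, address, lat/lon)
#   High   = secrets: passwords, PINs, account or card numbers
INDICATORS = {
    "Low": {"uuid", "udid", "device_id", "platform", "os_version", "model"},
    "Medium": {"username", "email", "address", "zip", "lat", "latitude", "lon", "lng", "longitude"},
    "High": {"password", "passwd", "pin", "account_number", "card_number"},
}
MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def extract_fields(req: dict) -> dict:
    """Collect key/value pairs from the query string and a form-encoded body."""
    fields = {k: v[0] for k, v in parse_qs(urlsplit(req["target"]).query).items()}
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields.update({k: v[0] for k, v in parse_qs(req["body"]).items()})
    return fields


def classify(raw: str) -> tuple[str, list[str]]:
    """Return (level, findings) for one cleartext request."""
    req = parse_http_request(raw)
    level, findings = "None", []

    def raise_to(new_level: str, finding: str) -> None:
        nonlocal level
        findings.append(finding)
        if LEVEL_RANK[new_level] > LEVEL_RANK[level]:
            level = new_level

    for name, value in extract_fields(req).items():
        key = name.lower()
        if key in INDICATORS["High"]:
            # The survey rated "username and password, hashed with MD5" as
            # Medium, so a hashed password is demoted one level.
            if key in ("password", "passwd") and MD5_HEX.match(value):
                raise_to("Medium", f"{key} (MD5-hashed)")
            else:
                raise_to("High", key)
        elif key in INDICATORS["Medium"]:
            raise_to("Medium", key)
        elif key in INDICATORS["Low"]:
            raise_to("Low", key)
    # HTTP Basic credentials over cleartext are a plaintext password too.
    if req["headers"].get("authorization", "").lower().startswith("basic "):
        raise_to("High", "authorization: basic")
    return level, findings


def summarize(captures: list[str]) -> dict[str, int]:
    """Count requests per level, the figure the paper reports as percentages."""
    counts = {lvl: 0 for lvl in LEVEL_RANK}
    for raw in captures:
        counts[classify(raw)[0]] += 1
    return counts


# Constructed sample requests (not captured from any real application).
SAMPLE_REQUESTS = [
    "GET /api/menu?q=pizza HTTP/1.1\r\nHost: app.example.invalid\r\n\r\n",
    "GET /api/search?q=pizza&uuid=0F3A6C1B-2D4E-4F5A-8B6C-7D8E9F0A1B2C&platform=iOS"
    " HTTP/1.1\r\nHost: app.example.invalid\r\n\r\n",
    "POST /account/login HTTP/1.1\r\nHost: app.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=alice&password=5f4dcc3b5aa765d61d8327deb882cf99&lat=40.4237&lon=-86.9212",
    "POST /account/login HTTP/1.1\r\nHost: app.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=alice&password=hunter2",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(classify(raw))
    print(summarize(SAMPLE_REQUESTS))
```

Only cleartext traffic is rated here, which matches the paper's method: a request carried inside an SSL/TLS session never reaches the parser, so an application whose login goes over TLS correctly scores None even though it transmits a password.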

For example, consider the possibility of a person who is currently (and rightfully) on the Department of Homeland Security’s “No-Fly” list.  If this person were able to capture a victim’s credentials and create a fake ID, he could pass through TSA security without being stopped.

Of the 253 applications surveyed, 91.7% had no risk found, 3.1% had a low risk, 2.3% had a medium risk and 2.3% had a high risk. While it would be desirable to have no applications in the “Medium” or “High” category, the number of applications the authors found to present a security risk was both surprising and far too numerous. There are over 500,000 applications on the iOS App Store, so extrapolating the results, there could be at least 15,500 applications in the “Low” risk category and 11,500 applications in the “Medium” and “High” risk category.

Overall, the number of applications with some sort of security risk is low. This is not very surprising to the authors, as many of these applications are in the “Top” applications list and any obvious security flaws would likely have already been found.

Because iOS does not have a robust privilege system, there is no way for a user to know that their information was being used in a dangerous or insecure way. While there is support for showing users that there is network traffic by using a spinning “network activity indicator”, applications are not required to use it. In fact, a legitimate or malware application on iOS could access the network interfaces, sending and receiving information, and never alert the user.

Developers typically do not follow the principle of least privilege. If an application needs a set of privileges for some functionality, they will request all of them up front, not just when they are needed. This is particularly dangerous because every unnecessary privilege could be an entry point for an attacker who compromises the application.

[19] surveyed 940 Android applications and found that more than 50% requested at least one unnecessary permission and 6% requested more than four unnecessary permissions. Developers may request more permissions than necessary because 1) they don’t understand the importance of security and least privilege, 2) they are planning future releases that will require these privileges, or 3) they don’t fully understand how to work with the platform and make the code function correctly.
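The kind of check behind the figures from [19] can be reproduced in a few lines: compare the permissions an Android application declares in its manifest against the permissions its code actually exercises. The following is an added example, not code from the paper or from [19]. The manifest, the list of observed API calls (as a static-analysis pass would report them) and the API-to-permission map are all constructed for this example; the map covers only a handful of calls, and a real audit needs the platform's complete mapping.

```python
"""Flag declared Android permissions that no observed API call needs.

Added example, not code from the paper or from [19]. The manifest, the list
of observed API calls and the API-to-permission map are constructed for this
example; the map is a small subset, a real audit needs the platform's full
mapping.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# API method -> set of permissions, any one of which satisfies the call.
# Constructed subset for illustration only.
API_PERMISSIONS = {
    "java.net.HttpURLConnection.connect": {"android.permission.INTERNET"},
    "android.location.LocationManager.getLastKnownLocation": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "android.telephony.TelephonyManager.getDeviceId": {"android.permission.READ_PHONE_STATE"},
    "android.hardware.Camera.open": {"android.permission.CAMERA"},
    "android.telephony.SmsManager.sendTextMessage": {"android.permission.SEND_SMS"},
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Read every <uses-permission android:name=...> from the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def audit_permissions(manifest_xml: str, observed_calls: list[str]) -> dict:
    """Compare declared permissions against those the observed calls need.

    Returns the permissions that are declared but never needed (the
    over-privilege [19] measured) and calls whose permission is not declared
    at all (the application would fail at that call with a SecurityException).
    """
    declared = declared_permissions(manifest_xml)
    used: set[str] = set()
    missing: list[list[str]] = []
    for call in observed_calls:
        alternatives = API_PERMISSIONS.get(call)
        if alternatives is None:
            continue  # call needs no permission, or lies outside our map
        granted = alternatives & declared
        if granted:
            # If both FINE and COARSE location are declared, both count as used.
            used |= granted
        else:
            missing.append(sorted(alternatives))
    return {
        "declared": sorted(declared),
        "unnecessary": sorted(declared - used),
        "missing": missing,
    }


# Constructed manifest and call list (not from any real application).
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""
OBSERVED_CALLS = [
    "java.net.HttpURLConnection.connect",
    "android.location.LocationManager.getLastKnownLocation",
    "android.telephony.TelephonyManager.getDeviceId",
]

if __name__ == "__main__":
    report = audit_permissions(MANIFEST, OBSERVED_CALLS)
    print("unnecessary:", report["unnecessary"])
    print("missing:", report["missing"])
```

For the constructed manifest the audit reports CAMERA, READ_CONTACTS and SEND_SMS as declared but unused, three extra permissions, which is the pattern [19] counted. The `missing` list is the mirror image and is useful during development: a permission the code needs but the manifest lacks shows up before the application crashes in testing.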

Since mobile devices and smartphones are unique in that they have a built-in billing system, there must be ongoing education of developers with emphasis on security and privacy or additional built-in measures in the OS to enforce security over code the developers write or the permissions for which they ask.

Here is the full list of applications tested.

Bold applications represent applications bundled with iOS from Apple.

| Application | Version | Application | Version |
|---|---|---|---|
| Messages | 5.0.1 | RedLaser Classic | 2.9.8 |
| Calendar | 5.0.1 | eBay | 2.4.0 |
| App Store | 5.0.1 | Craigslist | 3.033 |
| Settings | 5.0.1 | Key Ring | 5.4 |
| Spotify | 0.4.21 | Coupious | 1.4.1 |
| Contacts | 5.0.1 | Cars | 1.6.1 |
| Notes | 5.0.1 | Amazon PriceCheck | 1.2.1 |
| Newstand | 5.0.1 | Linode | 1.0.6 |
| Reminders | 5.0.1 | Unfuddle | 1.1.1 |
| Find My Friends | 1.0 | MiniBooks | 1.0.2 |
| Videos | 5.0.1 | iTC Mobile | 2.4 |
| Vlingo | 2.1.1 | Blueprint viewer | 1.7 |
| Photos | 5.0.1 | Square | 2.2 |
| Camera | 5.0.1 | WordPress | 2.9.2 |
| Instagram | 2.0.5 | Maps | 5.0.1 |
| iMovie | 1.2.2 | FlightTrack | 4.2.2 |
| DashOfColor | 3.1 | Kayak | 19.0.6 |
| ColorSplash | 1.7.2 | Southwest | 1.8.2 |
| UStream Broadcaster | 2.1 | American | 1.3.3 |
| TiltShiftGen | 2.02 | Fly Delta | 1.6 |
| Gorillacam | 1.2.2 | Flysmart | 2.5.25 |
| CameraPlus | 2.4 | Priceline Negotiator | 5.6 |
| PS Express | 2.03 | Free WiFi | 1.1.2 |
| Dropcam | 1.4.3 | Google Earth | 3.2 |
| Chase | 2.14.5799 | Translator | 3.1 |
| Citibank | 3.7 | Phone | 5.0.1 |
| Discover | 2.1 | Mail | 5.0.1 |
| Fidelity | 1.6.1 | Safari | 5.0.1 |
| TD Trader | 115.12 | Music | 5.0.1 |
| PayPal | 3.6 | Flixster | 5.02 |
| Mint.com | 2.0 | Boxee | 1.2.1 |
| Stock | 5.0.1 | redbox | 2.3.1 |
| thinkorswim | 115.12 | Youtube | 5.0.1 |
| Geico | 2.0.2 | Fandango | 4.5 |
| Dropbox | 1.4.6 | XFINITY TV | 1.8 |
| 1Password | 3.6.1 | IMDb | 2.3.1 |
| Alarm Clock | 1.1 | i.TV | 3.4.1 |
| Planets | 3.1 | MobiTV | 1.0 |
| Dictation | 1.1 | Netflix | 1.4 |
| Inrix Traffic | 3.5.1 | VNC | 3.2.1 |
| Adobe Ideas | 1.2 | RDP | 2.8 |
| IP-Relay | 1.2 | TouchTerm | 2.1 |
| iLlumination | 1.0.1 | Scorekeeper | 4.1 |
| Fake-a-call | 5.05 | Statware | 1.0.3 |
| HeyTell | 2.3.2 | NIKE+ GPS | 3.2.1 |
| Weather | 5.0.1 | MiLB Triple A | 1.1.0 |
| The Weather Channel | 2.1.1 | Pandora | 3.1.16 |
| Calculator | 5.0.1 | Shazam | 4.8.4 |
| Clock | 5.0.1 | Soundhound | 4.1.1 |
| Compass | 5.0.1 | iHeartRadio | 4.0.1 |
| Voice Memos | 5.0.1 | Last.fm | 3.2.0 |
| AroundMe | 5.1.0 | Songify | 1.0.6 |
| myAT&T | 2.1.2 | iTunes | 5.0.1 |
| WeddingWire | 3.1 | Virtuoso | 1.0 |
| LogTen | 3.3.1 | I Am T-Pain | 2.0.0 |
| French | 1.0 | Scrabble | 1.13.78 |
| Binary Calc | 1.4 | Harbor Master | 2.1 |
| Amazon | 1.8.0 | Zombie Duck | 4.1 |
| Groupon | 1.5.7 | Zombieville | 1.7 |
| LivingSocial | 3.2.2 | Table Tennis | 4.1.0 |
| Yowza | 2.5 | iFighter | 1.9 |
| Coupons | | Hired Gun | 1.8 |
| Airport Utility | 1.0 | Lock n’ Roll | 3.0 |
| Walgreens | 3.0.2 | Sneezies Lite | 1.3 |
| MyHumana | 3.0.2 | Pad Racer | 1.1 |
| Nike + iPod | | Uno | 2.0.0 |
| Gold’s Gym Spotter | 1.2 | CamWow | 2.2 |
| Lose It! | 3.7.2 | Labelbox | 1.3.1 |
| FitnessTrack | 1.5.5 | Photosynth | 1.1.2 |
| LIVESTRONG | 1.0.1 | Color Effects | 3.1 |
| MyFitnessPal | | Saturation | 1.0 |
| Nutrisystem | 2.3 | Peppermint | 1.1 |
| Kindle | 2.8.5 | FlickStackrXP | 1.9.6 |
| Instapaper | 4.0.1 | Minus | 2.1.3 |
| iBooks | 5.0.1 | Gallery | 2.0.1 |
| Zinio | 2.2 | Handmade | 1.1 |
| Twitter | 4.0 | StubHub | 2.4.1 |
| Facebook | 4.0.3 | Pushpins | 2.0.1 |
| Google+ | 1.0.7.2940 | Black Friday | 2.0 |
| foursquare | 4.1.2 | Sam’s Club | 2.1.1 |
| LinkedIn | 4.2 | Cyber Monday | 2.1.0 |
| Meebo | 1.95 | Words With Friends | 4.1 |
| Yelp | 5.5.0 | Ultimate Free Word Finder | 1.01 |
| PingChat | | Mad Gab | 2.0 |
| Bump | 2.5.6 | Metal Storm | 4.0.2 |
| Color | 1.1 | Need For Speed | 1.0.11 |
| Cloudette | 1.0.1 | Madden NFL 2010 | |
| soundtracking | 2.0.2 | Shizzlr | 3.2.1 |
| Free RSS | 3.4 | Flashlight | 5.1 |
| NetNewsWire | 2.0.5 | Tip Calculator | 1.3.1 |
| FOX News | 1.2.4 | PCalc Lite | 2.4.3 |
| OpenTable | 3.4.2 | Fake Call | 1.1 |
| Urbanspoon | 1.17 | To Do | 3.2 |
| Epicurious | 3.0.1 | Google | 1.0.0.8117 |
| WinePhD | 1.2 | Evernote | 4.1.6 |
| TabbedOut | 2.3.3 | Coin Flip | 2.2 |
| Foodspotting | 2.7 | Grades 2 | 2.03 |
| GrubHub | 2.20 | Sundry Notes | 3.2 |
| RecipeGrazer | 1.3 | OneNote | 1.2 |
| Starbucks | 2.1.1 | Enigmo | 4.1 |
| Starbucks Mobile Card | | Angry Birds | 1.6.3 |
| Ness | 1.1 | JellyCar | 1.5.4 |
| iDisk | 1.2.1 | Runway | 1.6 |
| Remote | 2.2 | RockBand Free | 1.3.49 |
| Apple Store | 2.0 | Game Center | 5.0.1 |
| Find iPhone | 1.3 | App For Cats | 1.1 |
| Pages | 1.5 | PadRacer | 1.1 |
| Places | 1.31 | Implode | 2.2.4 |
| TripAdvisor | 5.9 | Astronut | 1.0.1 |
| Google Latitude | 2.2.1 | Monopoly | 1.2.9 |
| Gas Buddy | 1.10 | Deliveries | 4.5 |
| Maplets | 2.2.2 | Skype | 3.5.454 |
| iTranslate | 5.1 | Units | 2.1.2 |
| Translate | 1.6.2 | NCAA Football 2011 | |
| KG Free | | ESPN ScoreCenter | 2.2.2 |
| Wikipedia | 2.2 | Ski Report | 2.2.1 |
| White Noise | 5.0.3 | EpicMix | 2.0.1 |
| Sleep Machine Lite | 2.0.1 | MLB At Bat | 4.6.1 |
| Inception | 1.6 | Purdue | 3.0 |
| Sleep | 2.0.1 | NASA | 1.43 |
| Night Stand | 1.0.4 | 80,000 Wallpapers | 1.98 |
| Geico BroStache | 1.0.1 | Wedding 911 | 1.06 |
| CamCard | 2.6.0.4 | Path | 2.0.2 |
| Offline Pages | 1.5.2 | Facebook Messenger | 1.5.2 |
| GPS Tracker | 1.2.2 | Quora | 1.1 |
| TextPics Free | 2.2 | Big Button Box | 3.0 |
| Peel | 2.0 | | |
