The presentation discusses the vulnerabilities found in tracking applications on Google Play Store and emphasizes the importance of implementing proper security measures on both client-side and server-side.
- Client-side authorization and vulnerabilities
- Server-side vulnerabilities
- Responsible disclosure process
- Importance of proper security measures on both client-side and server-side
The speaker shared a story about how tracking devices have evolved from small radio receivers in pipes and cameras in cigarette packs to the current smartphone, which has a lot of sensors that can collect a lot of information. The presentation also highlighted the different reasons why people use tracking applications, such as for families, couples, and friends, and how it can be difficult to differentiate between good and bad apps.
Google Play Store provides thousands of applications for monitoring your children/family members. Since these apps deal with highly sensitive information, they immediately raise questions on privacy and security. Who else can track the users? Is this data properly protected? To answer these questions, we analyzed a selection of the most popular tracking apps from the Google Play Store. Many apps and services suffer from grave security issues. Some apps use self-made algorithms instead of proper cryptography for data storage and transmission. Others do not even attempt to protect their communication at all and make use of the unprotected http protocol, or even give an attacker full access to a vulnerable backend system. Hard coded database credentials in apps allowed access to all stored user locations. We would be able to extract hundreds of thousands of tracking profiles, even in real time. In others, this wasn't even necessary, because the user authentication could be bypassed altogether. Flaws in server API allowed us to extract all user credentials (1.7m plain text passwords), further we saw full communication histories containing messages, pictures and location data. In total, the state of tracker apps is worrisome, effectively leading to users unknowingly installing espionage software on their devices.