All your family secrets belong to us—Worrisome security issues in tracker apps
Conference: Defcon 26
2018-08-01
Summary
The presentation discusses the vulnerabilities found in tracking applications on Google Play Store and emphasizes the importance of implementing proper security measures on both client-side and server-side.
- Client-side authorization and vulnerabilities
- Server-side vulnerabilities
- Responsible disclosure process
- Importance of proper security measures on both client-side and server-side
Abstract
Google Play Store provides thousands of applications for monitoring your children/family members. Since these apps deal with highly sensitive information, they immediately raise questions on privacy and security. Who else can track the users? Is this data properly protected? To answer these questions, we analyzed a selection of the most popular tracking apps from the Google Play Store. Many apps and services suffer from grave security issues. Some apps use self-made algorithms instead of proper cryptography for data storage and transmission. Others do not even attempt to protect their communication at all and make use of the unprotected http protocol, or even give an attacker full access to a vulnerable backend system. Hard coded database credentials in apps allowed access to all stored user locations. We would be able to extract hundreds of thousands of tracking profiles, even in real time. In others, this wasn't even necessary, because the user authentication could be bypassed altogether. Flaws in server API allowed us to extract all user credentials (1.7m plain text passwords), further we saw full communication histories containing messages, pictures and location data. In total, the state of tracker apps is worrisome, effectively leading to users unknowingly installing espionage software on their devices.
Materials:
Tags: