New research has found that numerous parking applications available in the smartphone market contain serious vulnerabilities that could allow attackers to target the user and gain unauthorised access to the smartphone.
NCC Group, the information assurance firm, tested six common Android parking applications with up to one million active users each; the names of the apps were withheld.
Most of the apps used Transport Layer Security (TLS) to encrypt sensitive data sent to the server, but they did not verify the certificate presented by the server, which makes man-in-the-middle (MITM) attacks straightforward with an intercepting proxy tool.
One of the application vendors chose to build and use its own encryption code but could not store the keys securely within it, leaving them easily retrievable by decompiling the APK file. In another confirmed case, a username and password were exposed through email. However, Chris Spencer, a consultant at NCC, noted that MITM attacks can only be carried out if the attacker has some control over the network the smartphone user is on, such as an unsecured Wi-Fi connection.
Spencer also said, “Since most of the time parking applications will be used when connected to mobile data connections, the likelihood of these attacks may be reduced (although it is possible for an attacker to create a fake GSM base station).”
“There are circumstances where a user of the application may be connected to public Wi-Fi, however, such as when extending a parking stay from a restaurant or coffee shop. Be careful when using any type of mobile application that may expose sensitive data when connected to a potentially unsecured network.”
Many smartphones are also exposed to attackers through the “Remember Me”, “Auto-Login”, “Auto-Fill Form” and similar options, which retain sensitive data such as PINs and passwords.
“This feature isn’t generally a good idea, mainly as the password may not be stored securely,” wrote Spencer. “In fact, one of the applications stored the password for the system (unencrypted) in the application’s private data directory on the phone.”
The NCC testers used file traversal vulnerabilities to reach the private data store and recovered the unencrypted passwords kept in it. The research gives developers who have built, or are building, such applications serious points to consider. Among the steps NCC recommended to developers are:
- Use the latest Android API.
- Use verified certificates, with a focus on minimizing MITM attacks.
- Use properly configured TLS to encrypt and protect data sent to the server.
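The certificate-validation failure described above, and the “verified certificates” and “properly configured TLS” recommendations, shown side by side in Android Java. This is an added illustration, not code from NCC’s report or from any of the tested apps; the class name ParkingApiClient and the bundled CA resource passed as caPem are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ParkingApiClient {
    // VULNERABLE: the pattern the review describes. TLS is on the wire, but
    // every server certificate and host name is accepted, so an intercepting
    // proxy on the same Wi-Fi network can present its own certificate and
    // read or modify the session.
    static HttpsURLConnection openInsecure(URL url) throws Exception {
        X509TrustManager trustAll = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) {} // no check
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{trustAll}, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((host, session) -> true); // accepts any host
        return conn;
    }

    // HARDENED: trust only the service's own CA (assumed to ship as a raw
    // resource), leave the platform host-name check in place, and refuse
    // redirects so a response cannot steer the client off TLS.
    static HttpsURLConnection openVerified(URL url, InputStream caPem) throws Exception {
        Certificate ca = CertificateFactory.getInstance("X.509").generateCertificate(caPem);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("parking-ca", ca);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Default HostnameVerifier is kept; never replace it with (h, s) -> true.
        conn.setInstanceFollowRedirects(false);
        return conn;
    }
}
```

On Android 7.0 and later the same trust anchor or pin set can be declared in the app’s Network Security Configuration XML instead of in code, which keeps the policy out of reach of a stray trust-all override.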