The researcher took advantage of the Fitbit gallery which allows developers to submit apps that enhance the functionality of the core app.
Security researchers find vulnerabilities in different ways: sometimes in the course of their routine work, sometimes out of curiosity, by deliberately testing a particular application.
An example of the latter occurred recently when Kev Breen, Director of Cyber Threat Research at Immersive Labs, decided to build a spyware app for Fitbit and succeeded, with the app being delivered through the official Fitbit website.
He did this by making use of the Fitbit gallery, which allows developers to submit apps that enhance the functionality of the core app. The researcher submitted his app the same way; it was then available there and could be installed by users on both the iOS and Android versions of the Fitbit app.
The app, a watch/clock face, could collect a range of data and then deliver it to a hypothetical attacker’s server using the Fitbit app’s API. According to the researcher’s blog post, the data includes the following:
- User device OS and its current version
- The names, gender, age, height, heart rate, and weight of the users
- Calendar information which could lead to the leakage of PII
However, since Kev was only testing the exploit, he did not collect any real information, leaving the attacker’s server address empty.
As for Fitbit’s response, the company acknowledged the issue and, as of yesterday, has made a few changes. These include showing a disclaimer notice to users installing apps from private links, letting users know which apps are not publicly listed (more on this below), and making permission settings “opted-out by default” when the user proceeds to install the app.
An important distinction here is that the malicious app was not “publicly listed” or “published”, but was still shareable and available to users. This comes down to a technicality of the Fitbit app store: an app’s URL, such as “https://gallery.fitbit.com/details/*****”, is available before the app is manually approved by a member of Fitbit’s team, and is therefore still shareable.
In conclusion, merely letting users know which apps are not published would not suffice to fix the issue at hand. Instead, the availability of unpublished apps through URLs needs to be stopped completely.