X-Force Security Intelligence Findings: Vulnerabilities in Mobile Dating Applications
Tom Mulvehill, Caleb Barlow, Eitan Worcel
IBM Cloud & Mobile Security Teams
Jul 18, 2015
© 2015 IBM Corporation
IBM Security
Today’s Agenda
• Overview of Mobile Security Risks
• Mobile Dating App Vulnerabilities: A Closer Look
• Mobile Dating App Vulnerabilities: Methodology & Impact of Vulnerabilities
• Questions-and-Answers Session
User vs. Enterprise Risk
User
• Threat from Malware
– Trojans and Spyware
• Phishing
• Fake Android marketplace
– Malware bundled with app
• Unauthorized Use of:
– Contact DB
– SMS (text messages)
– Phone (placing calls)
– GPS (public location)
– Data on device
Enterprise
• Data leakage
– Attack from malware
– Account info. on mobile device
• Cracking mobile apps
– Easy access to applications
– Reverse engineering
• Little to no App control
– BYOD
– Consumer devices
Mobile Security Concerns
• Mobile security is broader than device management.
Reverse Engineering & IP Theft Risk
• 97% of top paid Android apps have been hacked
• 87% of top paid iOS apps have been hacked
• 80% of the most popular free Android apps have been hacked
• 75% of the most popular free iOS apps have been hacked
Source: State of Security in the App Economy – “Apps Under Attack” (Dec 2014)
Android & Platform Risk
• Sophistication of attacks increasing
• New versions of Android OS helping to reduce risk, but the Android market is still very fragmented
Charts: Android version distribution – February 2015; iOS version distribution – February 2015
Sources: https://developer.apple.com/support/appstore/ and https://developer.android.com/about/dashboards/index.html?utm_source=ausdroid.net
Mobile Permission Risk
• Permissions vary by OS & release
• Users don’t understand
• Developers over-permission
• Android Pileup Flaw
OWASP Mobile Top 10 Risks (RC 2014 V1)
https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
Key Findings in IBM’s Analysis of Mobile Dating Apps on Android Devices
About the Organizations:
50% of enterprises have popular apps present on devices that accessed confidential business data.
About the Applications:
73% of popular apps can access users’ current and past GPS information.
60% of apps are vulnerable to cyber-attacks that could put personal information & organizational data at risk.
49% of popular apps have access to users’ billing information, potentially jeopardizing credit card information in mobile wallets.
34% of popular apps have access to users’ cameras or microphones.
Blog: "A Perfect Match: Uniting Mobile Security With Online Dating Apps"
Protecting Yourself Against Mobile Threats
Blog: "A Perfect Match: Uniting Mobile Security With Online Dating Apps"
Mobile Dating App Vulnerabilities: Methodology & Impact of Vulnerabilities
History of Mobile Application Vulnerabilities
Timeline (only the dates survive from the slide): July 2013, December 2013, March 2014, July 2014, August 2014
Risk of Malware for Mobile Apps
http://grahamcluley.com/2014/12/the-interview-android-app-malware/
Imitating A Hacker
Diagram of the app components examined: Manifest; exposed and non-exposed activity parameters; public and private intents; Service; Receiver; Content Provider; Data store.
What were we looking for?
• Android Fragment Injection
• Android Class Loading Hijacking
• Buffer Overflow
• Client-side SQL Injection
• Crash in Native Code
• Cross-Site Scripting via Man in the Middle
• Cross-Application Scripting (XAS)
• Debug Flag Enabled on Release Version
• Broken Cryptography
• File Manipulation
• Insecure File Permissions
• Insecure Pending Intent
• Phishing via Man in the Middle
• Unsafe Reflection
• Weak Random Number Generators
• Activity Hijacking
• Backup Flag Enabled
• Service Hijacking
• UI Spoofing
• Unhandled Java Exception
• Unstripped Binary
• Broadcast Theft
• Debug Version
Severities (HIGH, MEDIUM, LOW, INFORMATIONAL) – based on X-Force research
Man in The Middle Attacks
• You don’t really know who’s on the other end of the line.
• You cannot trust the application that runs on your own device.
• Your sensitive information and privacy are at risk.
Broken Cryptography and Weak Random Number Generators
• Encrypted communication can be decrypted by a hacker.
• Your “secrets” are not well-hidden.
• Your sensitive information and privacy are at risk.
2 Applications Left Debug Flag Enabled
• Information that flows into the application can be hijacked and modified.
• Malicious code can run in the context of the app with access to anything the app can access.
• Your sensitive information and privacy are at risk.
Learn How to Improve Your Mobile Security
• Blog: "A Perfect Match: Uniting Mobile Security With Online Dating Apps"
• YouTube Video: Digital Dating – "It's Not You, It's Me"
• IBM News Room: IBM Security Finds Over 60 Percent of Popular Dating Apps Vulnerable to Hackers
Share the Love!
Questions-and-Answers Session
About the Research: IBM Security analysts from IBM’s Application Security Research team used its new IBM AppScan Mobile Analyzer tool to analyze the top 41 dating apps available on Android devices to identify vulnerabilities that can leave users open to potential cyberattacks and threats. These apps were also analyzed to determine the granted permissions, unveiling a host of excessive privileges. To understand enterprise adoption of these 41 dating apps, app data was analyzed from IBM MobileFirst Protect™, formerly MaaS360. In advance of releasing this research to the public, IBM Security has disclosed all affected app vendors identified with this research.
www.ibm.com/security
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.