A review of several Android pay-for-parking applications has uncovered a series of vulnerabilities that could allow attackers to steal drivers’ logins and hijack their mobile devices.
Conducted by information assurance firm NCC Group, the assessment analyzed six parking applications for the Android operating system. Some of the apps had been downloaded from Google Play between 5,000 and 10,000 times, whereas others boasted one million registered users.
The number of installs for each app ultimately did not matter, however, as all of the applications were affected by security vulnerabilities.
According to an NCC Group blog post the review determined that while all of the apps used encryption to protect their customers’ sensitive information – something from which four major airlines should learn a lesson or two – not one verified the certificate used by the server.
Chris Spencer of NCC Group adds that more persistent attacks could leverage an initial man-in-the-middle attack to eventually take control of the device. This is true even in the context of TLS/SSL encryption, though not all applications used this cryptographic standard.
One application in particular employed its own encryption standard that relied on keys stored in the application code. These keys, as well as the decryption method, could easily be retrieved, thereby allowing an attacker to steal users’ login credentials and credit card information.
If those vulnerabilities weren’t enough, most of the applications also exhibited flawed data storage procedures.
For example, some stored passwords and PINs locally on the device, which could lead to data theft if these pieces of information were not stored securely. One app tried to compensate for this by storing a user’s unencrypted password in the application’s private data directory on the phone, but NCC Group was able to exploit a file transversal vulnerability and recover it.
All of these vulnerabilities notwithstanding, the review did find that some of the apps had attempted to ward of attackers by using hashing algorithms and obfuscating their code.
NCC Group says that it responsibly disclosed details of the vulnerabilities to the app vendors.
Spencer writes that in order to protect their products from man-in-the-middle attacks, app developers should use a hashing algorithm, TLS, and Certificate Pinning, among other techniques.
As for the regular driver, it is highly ill-advised to use any application that could expose sensitive/financial information when you are connected to a public network. Sure, you might be connected to a data network only when paying for your parking. But even then, you might not be safe, as an attacker could create a fake GSM base station.
Ultimately, it might be better to just bring some change and pay for parking the old fashioned way.