informa
Commentary

Mobile Application Security: 2021's Breaches

Many of last year's largest app breaches could have been prevented with testing, training, and the will to take app security seriously.

Last year, while the world focused on high-profile supply-chain attacks, another area came under siege: mobile applications. With over 200 billion downloads in 2020, mobile applications present a complex attack surface. It’s not surprising that one in four companies surveyed by Verizon suffered a mobile or Internet of Things data breach.

A look back at the top mobile data breaches of 2021 hints at what we can expect this year. From corporate giants such as Amazon Ring and Slack to US Customs and Border Protection (CBP), these are the mobile app breaches that made headlines. 

Amazon Ring App Leaks Data
Last January, a security flaw in the Amazon Ring Neighbors App leaked precise location and addresses of users who posted to the app. Although user posts are public, the app does not normally reveal precise locations. The bug did not display data to users of the app but collected hidden data, including the user's latitude, longitude, and home address. Despite security problems that have plagued Ring IoT doorbells and surveillance cameras since their introduction, the Ring Neighbors App reached 10 million users in 2020.

Slack Mobile App Exposes User Credentials
Popular team collaboration tool Slack shared more than ideas last year. As reported last January, a bug in the Android mobile app logged clear-text user credentials on devices. Affected customers were asked to reset passwords and wipe app data logs. Slack boasts more than 12 million daily users.

SHAREit File Sharing App Vulnerable to Remote Code Execution

In February, ZDNet reported that vulnerabilities in an Android file-sharing app with more than 1 billion downloads had gone unpatched for three months. Developers of the SHAREit app missed a bug that could be exploited to run malicious code on smartphones. SHAREit finally patched the vulnerability but not before the code was shared with millions.

13 Android Apps Leak Data of Millions of Users
What happens when mobile app developers fail to secure communication? Perhaps one of the largest mobile breach reports of 2021. In April, Check Point Research reported that 13 popular Android apps exposed data of as many as 100 million users. Developers failed to secure third-party cloud services, exposing personal data including emails, chat messages, passwords, and photos.

ParkMobile Breach Affects 21 Million Users
This year, KrebsOnSecurity found account information of as many as 21 million users of a parking app for sale on a dark market. Developers of ParkMobile then discovered that third-party software leaked personal data including customer email addresses, phone numbers, and license plate numbers. ParkMobile now faces a class-action lawsuit for exposing user data.

Klarna Payment App Exposes User Balances
In May, a mobile banking app from Klarna suffered a security breach that caused widespread customer confusion. Users of the app briefly saw account information of other users instead of their own. Per the Klarna disclosure, human error caused information to be cached in an unintended way. The incident occurred shortly after Klarna received $639 million in new investment.

COVID Passport App Exposes Users
In another example of hackers taking advantage of the pandemic, Portpass, a private Canadian COVID vaccination passport mobile app, exposed personal data of 650,000 users. Anyone could access profiles on its website, and the mobile app left personal data unencrypted and stored in plaintext.

Leaky Apps Make Leaky Borders
Six mobile passport control applications created by the US CBP exposed the personal data of as many as 10 million travelers when apps leaked personally identifiable information. An audit discovered the CBP failed to scan 91% of application updates released between 2016 and 2019 to detect vulnerabilities.

Zero-Day in Apple iMessage Affects 900 Million Devices
In one of the largest mobile breaches of the year, Apple fixed a zero-day flaw in iMessage that exposed all of its 900 million active users of iPhones, iPads, Watches, and MacBooks to spyware from the NSO Group. NSO exploited the vulnerability to spy on political activists.

The Usual Suspects
Many of this year's largest breaches came from the same vulnerabilities we see year after year. Most could have been prevented with dynamic mobile application security testing, better training for mobile developers, and the will to take mobile application security more seriously. Among the usual suspects:

  • Insecure code allows an attacker access or control. As in the case of iMessage, flawed code can give an attacker access to everything on a device.
  • Insecure network configurations between the mobile app and servers allow hackers to conduct man-in-the-middle attacks.
  • Insecure storage on the device allows a malicious user or malware to inspect sensitive data stores.
  • Apps that leak data, as with the Amazon Ring Neighbors App breach, come from improper coding, making the case for better testing.
  • Insecure configurations leak data over the network because communication between mobile apps, carriers, and servers creates a complex attack surface.
  • Insecure protection of sensitive data, as with the Klarna breach, mean mobile apps leave sensitive data such as passwords and credit card information exposed in plaintext.

What's Next This Year?
Mobile breaches like those we saw in 2021 cost businesses billions in lost revenue, remediation costs, damaged brand reputations, and more. Unfortunately, these kinds of breaches will continue throughout 2022.

Many of those pains will be self-inflicted through our own insecure coding practices and a lack of adequate testing. Security teams can significantly reduce their chances of a major mobile app breach in the coming year by testing apps throughout the software development life cycle and catching flaws sooner, while monitoring all mobile apps in production.

Recommended Reading: