10 ways your mobile phone leaks your sensitive information


 

We all use mobile phones, but few of us are aware of how careless they can be with our information. It's not really the phones by themselves, though. It's the applications and how they interact with the operating system.

 

This article will walk through a few of the common dangers to your data security and privacy that come from poorly coded mobile applications.

 

Following the leaky data

 


 

Here at Fortify on Demand we see a lot of mobile applications in our testing practice, and it's staggering to see how the sensitive information entered into an app can be leaked and otherwise misused.

 

It's helpful to think about this from a mobile architecture perspective, i.e. to think about how the data goes from you to your phone, from the phone across the network, and then from the network into some sort of back end.

 

Here are just a few ways data can be lost in these various categories, starting with the device itself.

 

Client

 

When you enter data into your device--sensitive data like credentials and financial data--where does it go? Unfortunately, the answer is that it can get scattered to the wind--even just on the phone or tablet. Here are some examples:

 

  1. Files: Developers commonly store sensitive data right on the mobile file system with no data protection whatsoever. This includes data like usernames, passwords, and sensitive application data like PII, financial information, etc.
  2. Databases: Storing this type of sensitive data in unencrypted SQLite databases is a common occurrence. And there's nothing magically secure about a database--it's just a file that can be read like any other. If anything it's just making the data theft more orderly via SQL!
  3. Logs: Another common mistake mobile developers make is storing sensitive data such as credentials and PII in log files. If it is written to the primary system log (which is usually what happens), other applications can read this data and do what they want with it!
  4. Photos: Just as with logs, we regularly find mobile apps that capture sensitive data via the camera (or screenshots), and then store it outside of protected space on the device. This means that any other application can read those images.
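Items 1 through 3 all come down to sensitive values landing in files other apps can read; the system log is the easiest place to check. The following is an added example, not code from the original post: a small scanner a reviewer can run over captured log output to spot credentials, bearer tokens and card numbers, with the sample log lines constructed for the example (no real app or account).

```python
import re

# Constructed logcat-style sample (not from any real app): a credential, a
# Luhn-valid card number, a long non-card number and a copied bearer token.
SAMPLE_LOG = """\
I/LoginActivity: user=alice@example.com password=Tr0ub4dor&3 result=OK
D/PayFragment: charging card 4111111111111111 exp 12/27
D/PayFragment: order id 1234567890123456 confirmed
I/ApiClient: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.c29tZXNpZw
V/Network: GET /api/v1/profile -> 200 in 81ms
"""

# key=value pairs whose value should never appear in a shared log
SECRET_KV = re.compile(r"\b(password|passwd|pwd|pin|secret|token)=(\S+)", re.I)
BEARER = re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]+")
# 13-19 digit runs are only candidates; the Luhn check below confirms them
CARD = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order ids and timestamps are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(line: str) -> str:
    """Mask the sensitive part but keep the line readable for the developer."""
    line = SECRET_KV.sub(lambda m: f"{m.group(1)}=<redacted>", line)
    line = BEARER.sub("Bearer <redacted>", line)
    return CARD.sub(lambda m: "<redacted-pan>" if luhn_ok(m.group(0)) else m.group(0), line)


def find_leaks(log_text: str) -> list:
    """Return (line_no, categories, redacted_line) for each line that leaks data."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        cats = []
        if SECRET_KV.search(line):
            cats.append("credential")
        if BEARER.search(line):
            cats.append("bearer-token")
        if any(luhn_ok(m) for m in CARD.findall(line)):
            cats.append("card-number")
        if cats:
            findings.append((n, cats, redact(line)))
    return findings
```

Run against the sample, the scanner flags lines 1, 2 and 4 and leaves the 16-digit order id alone because it fails the Luhn check.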

Network

 

Not only do we have to worry about what the device is doing with our data, but we also have to think about what's done with it afterwards. Here are some common ways that mobile data is leaked over the network:

 

  1. Lack of Encryption: Many apps we see just outright lack TLS encryption. This means that if you're using an application to do something sensitive, and you happen to be in a public place, you could be spraying that sensitive data all over the coffee shop (and the street) for anyone to read.
  2. Weak Encryption: A variation on this is when an attempt is made at encryption, but it's trivial to bypass. This materializes in a number of ways, including trusting any certificate, being able to downgrade from TLS to cleartext, etc.
  3. Legitimate Side-channels: We often test applications for customers where the developer has implemented (benign?) functionality that unknowingly sends data to a third party. A great example of this involves analytics networks: we regularly see these networks taking pieces of sensitive data and sending them back to the analytics provider--often without HTTPS!
  4. Malicious Side-channels: Even worse than the accidental side-channel data leakage above, there are also many apps that do this on purpose. Of course the user never knows because the application just looks like it's working normally, but in the background it's collecting what it can and sending it back home.
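Items 1 and 2 are configuration mistakes that can be caught in code review or a unit test. As an added example (not from the original post), the "trust any certificate" client context is shown beside the hardened one, with a small audit function that reports the weaknesses and a guard that refuses a downgrade to a cleartext URL; the example uses only Python's standard `ssl` module, and the hostname in the test is a placeholder.

```python
import ssl
from urllib.parse import urlsplit


def insecure_context() -> ssl.SSLContext:
    """The 'trust any certificate' pattern we see in the field, reproduced for the audit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, presented by anyone, is accepted
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What the client should ship: system CAs, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """List the weaknesses of a client TLS context; an empty list means it passes."""
    issues = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("certificate verification disabled")
    if not ctx.check_hostname:
        issues.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("TLS older than 1.2 permitted")
    return issues


def enforce_https(url: str) -> str:
    """Refuse a downgrade to cleartext: an http:// endpoint is never contacted."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing cleartext endpoint: {url}")
    return url
```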

Server

 

We've already seen that both the mobile device and the network it uses can be serious sources of data leakage in mobile apps. But we still haven't covered the other piece of the puzzle: the back end storage.

 

One of the easiest ways of breaking into a mobile application is through its back end storage. Here are a few examples of the issues:

 

  1. Promiscuous APIs: Mobile developers are notorious for making the faulty assumption that the only client visiting their mobile back end is the mobile front end. This just isn't true. Back ends are just web sites and APIs, and obscurity does not make security. It's too often trivial to see where the mobile app is interacting, go there manually, and extract the crown jewels.
  2. SQL Injection: We'd like to believe that SQL Injection is dead, but it isn't. And with mobile sites it tends to be quite bad when it happens.
  3. XSS and RFI: There are a legion of vulnerabilities that can lead to data loss on a web site or web service, but XSS and RFI are some particularly nasty issues that we continue to see in mobile back ends. RFI vulnerabilities, in particular, often lead to gaining full access to the server (and all the data on it).
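Items 1 and 2 share a root cause: the back end trusts whatever the request says because "only our app calls this". The following is an added example, not code from the original post, with a constructed in-memory SQLite table standing in for the back end's store: a promiscuous endpoint beside a hardened one that validates the request value, binds it as a parameter, and enforces record ownership on the server side.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the back end's data store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE statements (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    con.executemany("INSERT INTO statements VALUES (?, ?, ?)",
                    [(1, "alice", "alice: balance 120.00"), (2, "bob", "bob: balance 55.10")])
    return con


def get_statement_insecure(con, session_user: str, statement_id: str):
    """Promiscuous endpoint: assumes only the app calls it, so it never checks that the
    record belongs to session_user, and it splices the raw request value into the SQL."""
    row = con.execute("SELECT body FROM statements WHERE id = " + statement_id).fetchone()
    return row[0] if row else None


def get_statement(con, session_user: str, statement_id: str):
    """Hardened endpoint: validate the input, bind it as a parameter, and enforce
    ownership where the client cannot skip it."""
    if not statement_id.isdigit():
        raise ValueError("statement id must be a positive integer")
    row = con.execute(
        "SELECT body FROM statements WHERE id = ? AND owner = ?",
        (int(statement_id), session_user),
    ).fetchone()
    return row[0] if row else None
```

With the sample data, the insecure endpoint hands alice's session bob's statement on request, while the hardened one returns nothing for a record she does not own and rejects a non-numeric id before it reaches the database.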

Know how to protect yourself

 

The most important thing to take away from all of this is a simple best practice:

 

  • Realize that when you enter data into a mobile device, that data often gets dropped in various places on your phone, moved across many separate trust boundaries, sent over multiple networks, and even stored in multiple back ends.

Carefully consider the security and trustworthiness of the mobile application that you're using before you provide it with data you care about.

 

Whether you're worried about your personal device and data, or you're a corporation looking to enhance your mobile application security, consider reaching out to Fortify on Demand. 

 

hp.com/go/fortifyondemand

 

As always, feel free to reach out with any questions via Twitter (@danielmiessler) or via email (daniel.miessler@hp.com).

 

Daniel Miessler is a Practice Principal with Fortify on Demand based out of San Francisco, California. His areas of expertise are web and mobile application security testing and building application security programs for the Global and Fortune 100. He can be reached at daniel.miessler@hp.com and on Twitter at @danielmiessler

 

Comments
David Mann | ‎04-11-2014 08:06 AM

I think the back-end has another leak: whatever we agreed to in the EULA that allows them to share the data you provide to the backend business' partners. 
