TOP companies whose vulnerable mobile apps caused real harm to their business

The absence of security issues in mobile applications is no less important than the security of the server side. This statement should be an axiom, but it continues to be doubted - many people think that mobile applications carry no risk, since they only display data from the server, or, at most, that a vulnerability there can harm only a single user and will not affect the business in any way. Yuri Shabalin, CEO of Stingray Technologies, decided to dispel this misconception by collecting in one article the most interesting and high-profile vulnerabilities in mobile applications that led to serious financial and reputational losses for the companies that own them.

1. TikTok: Clipboard data disclosure and other security concerns

In 2020, it was discovered that the popular social app TikTok was accessing clipboard data on iOS devices without users' explicit consent. This raised concerns about privacy and the possible disclosure of sensitive information.

In the same year, other vulnerabilities were discovered that allowed attackers to manipulate user accounts, gain access to personal data, or distribute malicious content. In addition, TikTok came under suspicion of possible links with foreign governments. After this scandal, a number of countries blocked downloads of the app and banned its use.

In addition, a class-action lawsuit was filed against TikTok, and the company had to pay $92 million. In particular, the plaintiffs objected that the app not only analyzes users' faces, determining gender, age and ethnicity, but also transmits personal data in violation of the law. Almost all users from the United States were included in the settlement agreement.

This case underscored the need to monitor carefully what exactly a mobile app collects in the course of its work, and how that collection can violate privacy. And, of course, TikTok received a great deal of negative publicity, lost most of its audience, and lost a lot of the money it had earned.

2. Strava app Activity Map data

In 2018, the fitness app Strava published a global heat map of user activity, including data on the daily movements of military personnel, as well as on movements at military bases and in hot spots. The public gained access to information that is usually classified. Although Strava representatives insisted that all user data on the map is anonymized, some enthusiasts found that inserting a route ID into a link on the app's site revealed users' best results and their public profiles.

In addition, participants in various military conflicts report that they study this map for their own purposes. The incident damaged Strava's reputation and sparked discussion of the security implications of sharing personal physical activity data through mobile apps. Moreover, some experts say that the information disclosed by Strava may be harmful to national security.

3. Hacking accounts in the Starbucks mobile app

In 2015, Starbucks encountered a vulnerability in its mobile app that allowed attackers to hijack user accounts. Insufficiently strong authentication mechanisms and an insecure password reset process were the cause of the problem. The attackers used the vulnerability to access customers' payment data and make fraudulent transactions. The incident resulted in financial losses for the affected customers and significantly damaged Starbucks' reputation and the trust placed in it.

4. WhatsApp: Spyware, Media File Jacking, and social engineering

In 2019, it was discovered that the popular WhatsApp messenger contained a vulnerability that allowed attackers to install Pegasus spyware on users' devices. Such software could access and collect sensitive information, including messages, call logs and more. It is known that the smartphones of at least 100 journalists, human rights defenders and government officials were hacked for the purpose of surveillance and data theft.

In the same year, a vulnerability known as "Media File Jacking" was discovered in WhatsApp, affecting both the Android and iOS versions. It allowed attackers to manipulate media files (photos and videos) before they were opened or viewed by the recipient. Attackers could replace them with arbitrary content, with unpleasant consequences: for example, instead of a photo of a cat, the user opened a photo containing indecent images or calls to various illegal actions.

In 2021, a security researcher discovered a vulnerability in the WhatsApp group chat invitation mechanism. The vulnerability allowed attackers to add users to arbitrary group chats without their consent, which could expose them to unwanted content, and significantly simplified phishing and social engineering attacks.

Unsurprisingly, all these stories cost the application a significant share of its fans, and the reputation of a "leaky messenger" is very hard to shake off.

5. Disclosure of Clubhouse audio app data

In February 2021, it was discovered that the Clubhouse audio social network had a vulnerability that allowed an attacker to broadcast and record audio conversations without users' knowledge. In addition, it turned out that user IDs were transmitted in clear text, so that communication could be deanonymized. The vulnerability provoked a wave of negativity against the company, prompted a large number of users to delete the application from their devices, and drew attention to the security of audio data processed by applications.

6. PIN brute-force attack in the Signal messenger

In October 2020, a researcher discovered a vulnerability in the popular messenger Signal that allowed an attack by brute-forcing the PIN code. This vulnerability could potentially allow an attacker to gain unauthorized access to a user's account. Although this messenger is positioned as "secure", vulnerabilities and security problems have not spared it. Naturally, such a vulnerability could not help but reduce the application's following.

7. Problems with Microsoft mobile products

In December 2020, a vulnerability was discovered in the Microsoft Office mobile application for Android that allowed attackers to remotely execute code on target devices. The vulnerability could be exploited if the user opened a specially crafted Office document in the mobile application, leading to a complete compromise of confidential information and of all documents the user had saved on the device (and possibly even in the cloud).

In 2021, a vulnerability was discovered in the Microsoft Authenticator app for iOS, which is used for two-factor authentication in many services. The vulnerability allowed an attacker to bypass the app's security mechanisms and gain access to a user's account on a compromised device.

Although users have long been accustomed to various security issues in Microsoft products, news of yet another vulnerability in its mobile offerings (a market where the giant holds a small share but would very much like a larger one) could not but deal a serious blow to the company's reputation.

8. Zoom: Meeting ID exploit and encryption issue

In April 2020, a vulnerability in the Zoom video conferencing app was identified that allowed attackers to join private meetings without being invited or knowing the meeting ID. This security issue, known as the "Zoom-bombing" attack, allowed uninvited individuals to gain access to sensitive meetings and obtain information of interest to them. There is no confirmed data, and one can only imagine how much confidential information about contracts, projects, contractors, financial indicators, tenders and so on leaked through such virtual meetings.

In the same year, the app was criticized for lying about its encryption. It was discovered that Zoom's encryption implementation allowed the company itself to access participants' video and audio content. This raised concerns about user privacy and the security of sensitive conversations. As a result, the company had to change how user data was encrypted on short notice and implement a number of information security measures, at considerable cost. And just in time: it was ease of use and the absence of serious problems and vulnerabilities that allowed Zoom to "take off" during the pandemic, when meetings around the world moved into virtual space.

9. Vulnerabilities in Snapchat

Snapchat has faced several vulnerabilities over the years, including issues with user privacy and security. For example, in 2019 a "hole" was discovered that allowed attacks on Snapchat accounts, giving attackers unauthorized access to user profiles (including the ability to act on the owner's behalf) and to sensitive information.

In 2020, a vulnerability was discovered in Snapchat that allowed attackers to track users' location in real time. Using it, third parties could monitor people's movements without their knowledge or consent, creating threats to personal safety and privacy.

Publicity around these and other information security issues with the service provoked a negative reaction among users and reduced its audience.

10. Account takeover in the Uber app

In 2017, a vulnerability in the Uber app became known that allowed attackers to hijack user accounts. Attackers could gain access to accounts, take unauthorized trips, and in some cases obtain payment data. The vulnerability highlighted the importance of strong authentication mechanisms and the risks associated with compromised user accounts. And of course, all this led to huge losses for the company.

11. Account takeover in Airbnb

In 2019, a vulnerability was discovered in the Airbnb authentication process that allowed attackers to hijack user accounts. Using it, third parties could gain access to personal information, make fraudulent bookings, or manipulate existing bookings. The incident had a very negative impact on the reputation of the service - it was followed by a large outflow of users who had encountered fraudulent activity.

12. Fortnite account vulnerabilities

In 2018, security researchers discovered vulnerabilities in Fortnite, a popular online game. The security holes allowed attackers to hijack user accounts, make unauthorized purchases, and gain access to personal information. The incident highlighted the risks associated with gaming applications and the importance of securing user accounts and confidential data. Relatives of many players often point out security problems with such products, but enthusiastic children and teenagers do not always listen. This is why thefts of user data and funds continue to occur.

13. Vulnerabilities in operating systems

The final chord in today's selection is vulnerabilities in the mobile operating systems themselves. Over the past few years both Android and iOS have had their share of incidents, and the latter quite recently, with several high-profile scandals at once. They concerned the vulnerabilities known as "Operation Triangulation" and "BlastPass", which made it possible to install spyware or execute code on the device simply by sending an iMessage (it did not even need to be read; the mere fact of delivery already led to irreversible consequences). Vulnerabilities in the OS itself allow attackers to do a great deal, including accessing calls, messages and data from other applications, and manipulating the microphone, speaker, camera and so on. How many times has each of us ignored the prompt to update the OS version on our devices? And some unscrupulous manufacturers are extremely reluctant to deliver security updates to their users.

Conclusions

In conclusion, I would like to emphasize that there are very, very many vulnerabilities in mobile applications, but they are not always widely publicized and not always known at all. According to our research, at the end of 2022, 83% of mobile products contained high-severity and critical problems. This year we analyzed twice as many apps and will share the results with you soon.

Finally, I would like to address users first of all. Think about how much personal and confidential information is stored on your device, and how much data you share with various apps. You probably use the same passwords for many services; try to avoid this as much as possible. Do not use suspicious applications, and above all do not enter confidential information into questionable services. After all, no one knows where the next vulnerability will be found or where the next leak will occur.

And a word to you, mobile app developers. After reading this article, think about what would happen to you or your business if one of the problems described were found in your app. Would you be able to recover from such a blow to your reputation, from an outflow of users, or from financial losses? And don't assume that there's nothing wrong with your security - it may simply be that no one has looked properly yet.