STRAVA is a social network for athletes and for anyone who trains hard and likes to share it. The community bond of working out is real, but the same social sharing means losing control of the data you share, and that is a double-edged sword. As reported in the Washington Post, a series of mobile apps built by or connecting to the STRAVA social network have been publishing user activity by geolocation, including what should be highly confidential information about the locations of U.S. personnel and military staff. Seemingly unbeknownst to soldiers, their Fitbits, Garmins, Jawbones, Apple Watches, Android Wear devices and more have been uploading their tracking data to STRAVA, which then shared it with the world as an aggregated and nominally anonymized activity map. Aggregation did not help: a cluster of running routes in an otherwise empty region marks a base just as clearly as a single named account would.
As a security-conscious government agency, military organization or enterprise, you should know what geo-tracking software is running on your staff's devices, how that data is collected, where it goes and who has access to it. The military takes great care to ensure soldiers and equipment cannot be tracked, including specific OPSEC instructions for social media such as not geo-tagging posts or sharing details of active engagements. The challenge is that policy alone is not enough: a technical review is needed to confirm that the mobile apps soldiers and staff use either do not track and share confidential information at all, or can be configured to disable every tracking and data-sharing feature. In this case, by accident or ignorance, it appears that data about soldiers' training workouts, and possibly even patrol routes, has been shared, creating significant risk exposure.
NowSecure has analyzed millions of third-party app store apps and custom, internally developed mobile apps. In fact, NowSecure's products – NowSecure AUTO (pen-testing risk analysis of custom mobile apps) and the NowSecure Platform (risk analysis of third-party app store apps) – are used by many government organizations specifically to check for just this kind of leakage, intentional (malicious) or inadvertent, of personal information, agency data, geolocation and more.
The NowSecure Research Team recently published a deeper analysis of 45,000 third-party app store apps, including apps that use the STRAVA social network. Testing against the OWASP MASVS requirements and mapping the findings to the OWASP Mobile Top 10 categories (the M-numbers below), they found a number of challenging trends that every agency and enterprise should be actively addressing:
- 85% of app store mobile apps violate one or more OWASP MASVS requirements
- 50% of app store mobile apps leak data on the device, with 85% of Android apps violating M2-Insecure Data Storage (data leakage, client-side injection, weak server-side controls)
- 48% of app store mobile apps leak data over the air, with 76% of iOS apps showing M3-Insecure Communication (poor handshakes, SSL/TLS/certificate validation issues, transfer in clear text)
- 32% of app store mobile apps violate M7-Client Code Quality (code mistakes, buffer overflows, format string vulnerabilities) and 32% violate M8-Code Tampering (arbitrary code execution)
- 92% of app store Android mobile apps violate M10-Extraneous Functionality (backup left enabled, Dev/QA settings that inadvertently disable security, hidden backdoors)
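Several of the M3 and M10 findings above (clear-text transfer, backup left enabled, Dev/QA settings that disable security) and the geo-tracking question at the heart of the STRAVA story can be triaged from an app's decoded AndroidManifest.xml before any dynamic testing. The script below is an added example written for this page; it is not NowSecure code and does not represent how the NowSecure Platform performs its analysis. It assumes a manifest decoded with `apktool d app.apk`, and both manifests embedded in it are constructed samples for a hypothetical fitness tracker, `com.example.fittrack`, not real apps: one with the platform defaults left alone, and the same app after hardening.

```python
"""Static triage of a decoded AndroidManifest.xml against the Mobile Top 10
categories M3 and M10, plus the location permissions that make an app a
geo-tracker. Added example, not NowSecure code; the two manifests below are
constructed samples for a hypothetical app, not real app store apps.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let an app build a trail of where its user has been.
LOCATION_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}


def _android_attr(elem: ET.Element, name: str) -> Optional[str]:
    """Read an android:<name> attribute; ElementTree keys it by full namespace URI."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> List[Dict[str, str]]:
    """Return findings as {'category': 'M3'|'M10'|'TRACKING', 'detail': ...}."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    target_sdk = 1
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None and _android_attr(uses_sdk, "targetSdkVersion"):
        target_sdk = int(_android_attr(uses_sdk, "targetSdkVersion"))

    findings: List[Dict[str, str]] = []

    # M10: allowBackup defaults to true, so app-private storage (cached
    # activities, tokens) can be copied off the device with `adb backup`.
    allow_backup = _android_attr(app, "allowBackup")
    if allow_backup is None or allow_backup.lower() == "true":
        findings.append({"category": "M10",
                         "detail": "android:allowBackup is true or unset (default is true)"})

    # M10: a debuggable release build is the classic Dev/QA leftover.
    if (_android_attr(app, "debuggable") or "false").lower() == "true":
        findings.append({"category": "M10",
                         "detail": 'android:debuggable="true" in a shipped build'})

    # M3: below targetSdkVersion 28 the platform permits clear-text HTTP unless told otherwise.
    cleartext = _android_attr(app, "usesCleartextTraffic")
    if cleartext is None and target_sdk < 28:
        findings.append({"category": "M3",
                         "detail": f"usesCleartextTraffic unset with targetSdkVersion {target_sdk}: "
                                   "clear-text traffic allowed by default"})
    elif cleartext is not None and cleartext.lower() == "true":
        findings.append({"category": "M3",
                         "detail": 'usesCleartextTraffic="true" explicitly permits plain HTTP'})

    # M3: with no network security config there is no declared pinning or trust-anchor restriction.
    if _android_attr(app, "networkSecurityConfig") is None:
        findings.append({"category": "M3",
                         "detail": "no android:networkSecurityConfig declared"})

    # TRACKING: which location permissions does the app ask for?
    requested = {_android_attr(p, "name") for p in root.findall("uses-permission")}
    loc = sorted(requested & LOCATION_PERMISSIONS)
    if loc:
        detail = "requests " + ", ".join(loc)
        if "android.permission.ACCESS_BACKGROUND_LOCATION" in loc:
            detail += " (background: the trail is recorded even when the app is not in use)"
        findings.append({"category": "TRACKING", "detail": detail})

    return findings


# Constructed sample: defaults left alone, debug flag shipped, old target SDK.
LEAKY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fittrack">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="27" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION" />
    <application android:label="FitTrack" android:allowBackup="true" android:debuggable="true">
        <activity android:name=".MainActivity" />
    </application>
</manifest>"""

# Constructed sample: the same app after hardening. Location access is still
# requested; that is a policy question the manifest cannot answer for you.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fittrack">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <application android:label="FitTrack" android:allowBackup="false"
        android:usesCleartextTraffic="false"
        android:networkSecurityConfig="@xml/network_security_config">
        <activity android:name=".MainActivity" />
    </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("leaky", LEAKY_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"== {label} ==")
        for f in triage_manifest(manifest):
            print(f"  [{f['category']}] {f['detail']}")
```

Run it against the decoded manifest of any app you are considering approving. The TRACKING finding never disappears on its own: the hardened manifest still requests fine location, because a fitness app needs it, so the remaining question is where that data goes once collected, which only traffic inspection of the app's back-end calls can answer.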
To learn more about this large dataset on 3rd Party Mobile App Risk, access the webinar replay of “85% of AppStore Apps Fail OWASP MASVS: Are you exposed?”
Clearly not all mobile apps have risky behaviors, but a clean security scan is not the end of the story: a well-secured app can still be sending location data, securely, to the service back-end, and that is exactly the data flow that exposed the soldiers. So organizations need to thoroughly test every mobile app their staff use – with advanced appsec testing technology such as the NowSecure Platform – to see which apps collect and transmit critical data securely and which leak it, so that security teams can make informed, risk-based decisions.
While security vulnerabilities are typically top of mind, mobile app testing should also cover compliance exposure and privacy gaps. Key security requirements should be drawn from NIST publications, FISMA (Federal Information Security Modernization Act) and NIAP (National Information Assurance Partnership). On personal privacy and user protections, government regulations vary widely, and the European Union is now taking the lead with the GDPR, which takes effect in May 2018.
What is particularly interesting about STRAVA is that dozens of third-party apps, along with the devices listed above, have been built to connect to its social sharing back-end, for everything from competitive training with peers to charity events to healthy living. Those many inputs add up to widespread data gathering, and the result is an intelligence goldmine: these engaging experiences and the social training infrastructure behind them can easily be mined by nation-states and other adversaries as open source intelligence (OSINT) to feed their collection activities and, potentially, their operations.
NowSecure recommends 3 steps to protect organizations and their staff from risks like STRAVA data collection and sharing:
- For individuals: follow OPSEC rules for mobile and social apps, and disable any central tracking, reporting or sharing of information with unapproved parties. Do not trust that an app is protecting your privacy without checking for yourself.
- For agencies: implement a mobile app vetting program so the organization is protected from risky apps, data leakage, intentional or inadvertent tracking and more. Assume every app is risky until it has been properly vetted, just as you assume every external network and public Wi-Fi is untrusted. And because mobile apps update rapidly, continuously monitor them for changes in security and privacy behavior.
- Register with NowSecure for one free 3rd-party mobile app risk report so that you can start down the path of better visibility and control of mobile appsec.