While some organizations and executives may not be fully aware of all the threats to their mobile applications, the risks are real and growing. Vulnerabilities arise from code flaws, encryption errors, unsecured data transmission or data exposure. Attackers are ready to exploit these vulnerabilities to steal data, money and trade secrets and undermine your brand.
Reflecting on some recent high-profile mobile application security breaches helps drive home the dangers of not properly securing your mobile apps. With that in mind, we present a round-up of the top five mobile breaches that have occurred over the past year.
Last August, Air Canada confirmed a breach of its mobile app in which attackers may have gained unauthorized access to 20,000 users’ profile data, including names and contact information. In addition, more sensitive information such as passport numbers, traveler redress numbers and the like may have been exposed if users had added them to their profiles.
Air Canada responded to the breach by locking the accounts of its mobile app users and forcing a password reset.
In January, a 14-year-old discovered a FaceTime vulnerability that enabled people to eavesdrop on audio of unanswered group chats. In some cases, users could also view live video. Not only did this bug violate privacy, the exploit was relatively easy to pull off even for novice hackers.
Apple took the unprecedented step of yanking FaceTime group chats before it could issue an iOS update to fix the bug the following week.
A vulnerability that prompted Twitter to urge its 330 million users to change their passwords was the first of a few for the company. In the May 2018 incident, Twitter discovered that a software bug resulted in user passwords being written to an internal log before completing the hashing process, which means they were exposed on the company’s internal systems. Twitter found and fixed the problem.
In September, Twitter found and patched a bug in its API that exposed some direct messages and private Tweets to third-party developers. And in December, Twitter disclosed a possible state-sponsored attack that targeted a vulnerability in its support form. The since-resolved vuln allowed attackers to discover users’ country of origin and map their accounts.
UC Browser and UC Browser Mini for Android, both used by hundreds of millions of users, were discovered in March to expose users to man-in-the-middle attacks. A feature in the browser allows the Chinese-made browser to download new libraries and modules and install them on users’ mobile devices without their knowledge.
The plugins bypass Google Play and are sent over an unsecured channel (HTTP network traffic), making them vulnerable to code injection of malicious software used to steal sensitive data. Researchers notified maker UCWeb and it issued an update.
The WhatsApp mobile exploit was both the most recent and the most severe. Discovered this May, the vulnerability leveraged a bug in the audio call feature of the app to allow attackers to remotely install spyware on the device being called, whether the call was answered or not. They accomplished this via a buffer overflow attack.
Facebook-owned WhatsApp suspected the spyware was a commercial-grade snooping package called Pegasus that its Israeli-based creator, the NSO Group, sold to nation states. Once installed on a victim’s device, Pegasus can record phone calls, open messages, activate the phone’s camera and microphone, and relay location data. It is believed the exploit targeted human rights groups.
While WhatsApp quickly issued an update, the fallout from the attacks still lingers.
How to Protect Your Mobile Apps
In addition to instilling best practices for secure mobile app development, we recommend that organizations test all the apps that they build and buy. Get a free one-month trial of the NowSecure platform for automated mobile app security testing to ensure your apps are free of security, privacy and compliance holes.