Naked Security

Car parking apps vulnerable to man-in-the-middle attacks

The next time you need to pay for parking, it might be best to have a handful of coins ready for the meter.

That’s the advice from researchers at NCC Group, who recently dissected 6 mobile apps being used as alternatives to paying with coins or cards at parking meters.

Their findings: nearly all were affected by security vulnerabilities, “some more serious than others.”

One serious vulnerability has to do with badly implemented encryption.

While the app makers all recognized the need for some form of encryption – after all, these apps send sensitive data such as credit card details and passwords to the server – they’re not necessarily doing it right.

NCC Group says that most of the apps used Transport Layer Security (TLS). The problem: none of the apps verified the certificate used by the server.

That leaves the apps – and users’ digital devices – susceptible to man-in-the-middle attacks by attackers who use intercepting proxy tools.

The researchers managed to leverage that vulnerability to launch a “far more serious” attack against one of the apps – one that ultimately resulted in unauthorized access to a phone.

Another serious problem was found in the app from a vendor that chose to forgo TLS and instead rolled its own encryption.

Bad idea, NCC Group said, unless you have serious chops when it comes to developing cryptographic algorithms and implementing them in software.

The do-it-yourselfer’s scheme to “encrypt” credit card data and passwords used keys that were stored in the application code. Those keys were “easily retrieved” by decompiling the app, the researchers said.

The decryption routine was also retrievable from the app, which would allow an attacker to recover credit card details from network traffic they may have intercepted during the registration process.

Another vendor chose to confirm the username and password selected by users via email.

NCC Group said that in most cases, the “typical lack of encryption for SMTP email” means that an attacker on the same network as the user could intercept and recover these details.

Beyond encryption gotchas, some of the apps had more subtle security vulnerabilities.

One example was an auto-login feature offered by many of the apps. That feature allowed a password or PIN to be stored locally on the device.

That’s not a good idea, the researchers said, given the potential for unsafe storage.

Sure enough, that’s what they found on one vendor’s app: it stored the password for the system (unencrypted) in the application’s private data directory on the phone.

The subtle problems continue right up to the man-in-the-middle attack, in which an attacker could inject a malicious payload into a web page requested from the server, or could actually take control of a device – all in spite of the use of SSL/TLS, given the lack of security controls such as certificate pinning.
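
To make the two missing controls described above concrete (certificate verification and certificate pinning), here is an added example, not code from NCC Group or from any of the apps. The class name, endpoint and pin values are hypothetical placeholders, and it assumes a Java 8+ runtime (on Android, `java.util.Base64` needs API level 26 or later).

```java
import java.net.URL;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;

public final class PinnedParkingClient {
    // Hypothetical endpoint and placeholder pins (base64 SHA-256 of the server's
    // SubjectPublicKeyInfo). A backup pin keeps a key rotation from locking users out.
    static final String API_URL = "https://parking-api.example.com/login";
    static final List<String> PINS = Arrays.asList(
            "PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64",
            "PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64");

    // Pin = base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
    static String spkiPin(X509Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded();
        return Base64.getEncoder().encodeToString(
                MessageDigest.getInstance("SHA-256").digest(spki));
    }

    // Opens a TLS connection and refuses to continue unless a pinned key is in the chain.
    static HttpsURLConnection openPinned(String url, List<String> pins) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // No custom TrustManager or HostnameVerifier is installed: the platform
        // defaults validate the chain and the host name during connect(). Replacing
        // them with accept-all versions is the usual way verification gets disabled.
        conn.connect();
        for (Certificate c : conn.getServerCertificates()) {
            if (c instanceof X509Certificate && pins.contains(spkiPin((X509Certificate) c))) {
                return conn; // chain is trusted AND contains a pinned key
            }
        }
        conn.disconnect();
        throw new SSLPeerUnverifiedException("no pinned key in server chain");
    }

    public static void main(String[] args) throws Exception {
        try {
            HttpsURLConnection conn = openPinned(API_URL, PINS);
            // Only now is it safe to send credentials or card data on conn.
            System.out.println("pin matched, HTTP " + conn.getResponseCode());
        } catch (Exception e) {
            // Fail closed: never fall back to an unpinned or unverified connection.
            System.out.println("connection refused: " + e);
        }
    }
}
```

With this check in place, an intercepting proxy that presents its own certificate fails either the default chain validation or the pin comparison, and the app sends nothing.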

NCC Group focuses its research on Android apps, so it only looked at Android parking apps. The half-dozen apps it looked at are those that its consultants have used themselves.

As far as the vendors go, the company didn’t name names, in keeping with its policy on responsible disclosure.

It’s reached out to those vendors whose apps are suffering serious vulnerabilities and offered full details on what it’s found.

The apps represent a pretty good cross-section of parking apps available, NCC Group says, from those with a smaller install base of 5,000 to 10,000, up to larger apps with between 500,000 and 1 million registered users.

NCC Group said it’s important to note that many of the attacks it’s described would depend on where the apps are used, particularly in terms of what network a phone’s connected to:

Man-in-the-Middle attacks occur when the attacker has some control over the network to which the vulnerable device is connected, the most common example being unsecured public Wi-Fi. Since most of the time parking applications will be used when connected to mobile data connections the likelihood of these attacks may be reduced (although it is possible for an attacker to create a fake GSM base station).

But it’s not hard to see how that notoriously risky beast – public Wi-Fi – could insert itself into scenarios where people use parking apps, NCC Group said, such as when extending a parking stay from a restaurant or coffee shop.

In its post, the group gave a list of recommendations for the app developers to try to remediate these problems.

We’ve written before about mobile apps that don’t take security as seriously as their desktop counterparts – let’s hope that research and disclosures like NCC’s will help to give mobile app developers a change of heart.

Image of car park courtesy of Shutterstock.com