Evan Schuman: Your data exposed -- Delta, Facebook, others latest to fall into mobile app trap
- 18 February, 2014 13:19
Mobile apps are presenting far too many surprises. Users who love the apps on their smartphones and tablets have no idea how much data those apps are retaining, or how easy it would be for someone else to access that data. But consumers aren't the only ones in the dark. Mobile's data dangers are also largely unknown to IT executives, app developers, marketers -- pretty much everyone, really.
The latest app providers to say as much include Delta Air Lines, Facebook, eHarmony and Match.com.
And what has happened with the Delta app over the past few days, since a security researcher found a wide range of problems with major Android mobile apps, illustrates that major companies are clueless about mobile security issues.
The Android mobile app for Delta properly encrypts all data on the app. Unfortunately, Delta was including the decryption key in the app's decompiled source code, according to security researcher Godfrey Nolan, who runs a mobile app development and security audit company called RIIS and is the author of Android Best Practices. (Oops!) When we contacted Delta on Friday (Feb. 14), the company was unaware that its app displayed the encryption key, but it tested it and confirmed that it did. The company worked through the weekend and issued a patch for its Android app yesterday (Feb. 17).
The intent of the patch was to remove the encryption key from an area where anyone can access it. Instead, a review of Delta's updated code by Nolan yesterday revealed that the airline simply moved the encryption key from its code to a shared preference file -- a move that does nothing to make the key any more difficult to access. Delta correctly said that the move had the effect of making each key "uniquely generated for each device," but that doesn't really help. Anyone with access to the phone can still decrypt the password and anything else.
"It literally took me two minutes to find where it was," Nolan said, after he reviewed Delta's updated code. "What they apparently thought was 'If we take it out of the file, nobody can decompile the file.' They have no idea that I can back up the shared preferences file. All they did was move it from A to B and they don't think that anyone can get at B. But everyone can get at B."
Like all companies, Delta wants you to know that it takes data security seriously. In a statement issued yesterday, Delta spokesperson Paul Skrbec said, "We take all reports of potential security risks very seriously, regardless of the nature or risk level. Security is a top priority for Delta and we routinely perform activities to ensure data privacy for our customers even amidst rapid changes in technology which have the potential to expose vulnerabilities."
Why, then, did those routine privacy scans not detect the hole that Nolan found? Presumably, Nolan was more creative in where he looked. That's the thing, though. Companies have to be just as creative in hunting down problems like these.
Nolan said the problem is that large companies are hiring mobile code jockeys who have simply not been tested with any serious security attacks. "It is just a level of arrogance. Whoever is doing it has not spent much time reverse-engineering mobile apps."
Even with mobile security hires, Nolan said, most companies are hiring the wrong talent. "What's happened is that people are hiring security people, but they're Web security people, not mobile security people. And that is a huge difference."
And, of course, there's a difference between taking security seriously and fully understanding security issues. Nolan worked with Delta's mobile technical team back in May 2013 and told them at that time that the encryption key was visible. Their response, he said, was to ask if they could simply make it more obscure by changing the name. Nolan countered that someone could simply search for the file's size or other attributes. It has to be secured, not hidden, he said.
After that, the airline made no changes until I called them on Friday.
At least Delta reacted to Nolan's discovery. Facebook's Android mobile app saves an apparently complete history of all text and Inbox messages -- and saves it in clear text, which means that anyone with access to the phone can peruse it, according to Nolan. Facebook has been aware of the problem since at least May 2013, when a security staffer wrote that "we might make some changes to our storage mechanisms at some point (e.g. encryption), but this doesn't qualify as a vulnerability." Nothing has changed since then, and Facebook said it has no plans to change anything.
Delta and Facebook are far from alone. It was just a month ago that I reported that the Starbucks iOS app was saving passwords in clear text, which Starbucks fixed shortly afterwards.
But there's more. Just in time for Valentine's Day, Nolan last week found issues with two online dating services, eHarmony and Match.com. In the case of eHarmony, the error was the same one that Starbucks had made: The customer's password and assorted preferences are stored in clear text. Match.com gets good security points for having encrypted customer passwords on the mobile device, but it didn't remember to encrypt consistently and it also houses a non-encrypted password on the phone, in a SQLite database. Match.com also included an extensive list of personal details, including profile questions and answers, a list of whom has been favorited and email exchanges unencrypted in SQLite. "This is the definition of sensitive information," Nolan said.
An underlying issue in all these cases is that, while app developers are performing functionality testing on mobile apps ("Do they function as they are supposed to?"), they are not doing any meaningful security testing (an open-ended look at everything being collected). I flagged some of these issues last month, noting my fear that we'd be hearing about a lot more mobile security holes as people started looking under the hood.
Those holes will become a critical problem as state governments, the U.S. federal government and the governments of other countries start to crack down on how personally identifiable information (PII) is handled. If we don't know what the devices that we own -- or that our employees and customers own -- are doing with PII, how can we even hope to be legally compliant?
"Most of these problems stem from obvious bad designs, but the real problem is that we're all still coming to grips with what private information really is and how to handle it," said Todd Michaud, the former vice president for IT at Focus Brands (which owns Cinnabon, Carvel, Schlotzsky's and Moe's Southwestern Grill) and former IT director at Dunkin' Brands (Dunkin' Donuts, Baskin Robbins). "Historically, in the IT world, encryption has always slowed things down. Today, technology has caught up, but a lot of developers are still in that mindset that 'I don't want to slow it down by adding encryption.'"
Michaud, who today runs Power Thinking Media consulting, said companies need to understand exactly how customer information is being handled by every one of its mobile apps or risk being punished for every problem that results.
Gartner senior security analyst Avivah Litan said the security and privacy neglect -- and ignorance -- that major companies are showing with their mobile apps is a familiar pattern. "They are not making mobile app security a priority. It's kind of an afterthought," she said. "My message to those execs? Don't screw it up again like you did with Internet banking. They had to go back and retrofit the security on banking. Don't think it's going to be safe forever. Don't repeat the same mistakes."
Sometimes, apps have been neglected for legitimate business reasons. Thod Nguyen, eHarmony's chief technology officer, said his company's Android app had been built by a third party about five years ago and hasn't had a major update since. The company is planning a major overhaul of its Android app "in a couple of weeks," said Nguyen, adding that the update will fix the password-saved-in-clear-text problem. In eHarmony's defense, he said that, five years ago, allowing a mobile password to be saved in clear text wasn't considered security heresy, as it is today.
Why didn't eHarmony update its Android app sooner? Simple. Hardly anyone ever uses it, Nguyen said; the company's iOS app accounts for the overwhelming majority of its mobile app downloads. "We don't market the Android app at all," he said.
When contacted on Friday (Feb. 14), Match.com said that it had verified the issues that Nolan had discovered and that it would be issuing a patch to correct it later that day. A nice Valentine's Day gift for its love-seeking customers.
Facebook confirmed that its app retains much of a user's text and messages, but it said that's done to improve app performance. "It's common for developers to store certain data on mobile devices to reduce network and data usage costs," said Facebook spokesperson Jay Nancarrow. "Accessing this data improperly involves gaining physical access to an unlocked device, which is why we recommend using a password lock. You can also encrypt your local file system."
A source familiar with the security situation at Facebook said the exact amount of data stored will be different for different users, since the limit is based on the number of bytes being stored, as opposed to being restricted by a certain number of years' worth of data or a specific number of saved messages.
Saving it all locally on the phone is done simply "to avoid having to ping the network over and over," the Facebook source said.
The Facebook app's lack of encryption is not a traditional security issue per se, since much of the data can be accessed through the app itself, accessible to anyone with possession of the phone. The issue is the volume of data being retained and the fact that a small percentage of IT execs -- and even smaller percentage of consumers -- would even know that it was there.
In an IT context, even mobile users who take extreme precautions with email files and other sensitive data would probably never think that an app that is used solely to post an occasional comment is retaining -- and sharing -- so much information. And the information on the phone is not limited to data posted by the phone. The app downloads data from the Web to offer a complete message history, stored locally on the phone.
It's also important to note that nothing in security stays the same for long. For example, Nolan said, today the only way to access the mobile data described above is to have physical access to the phone. But that's unlikely to be the case for long. Someday soon, a Trojan horse app masquerading as, say, a popular game program could probably be downloaded and then do its magic to access the data and later transmit it. In theory, Android won't let apps interact, but cyberthieves are relentless at finding ways around OS security rules.
Simple, but not intuitive
So how did Nolan, the security researcher, uncover all that data? Delta's app is fairly simple to break, Nolan said. Here's how he accessed Delta's password in a process that he called "a step up from having the password in clear text, but not much of one."
His approach: "When you sign on to the Fly Delta app, it asks you for your login information. I logged in with my email address, a PIN and my last name. The PIN is saved, encrypted, to the SQLite database on the phone. I backed up the database onto my PC using an Android command called adb backup. I pulled the Android APK file off my phone using the Android command adb pull and then decompiled the code using a couple of tools called dex2jar and jd-gui. There's a Java file in the decompiled source called Crypto, which has the encryption key. I cut and pasted the Java code into a new file and passed it the encrypted PIN from the database. Bingo, I have my PIN back."
To be fair, that's not exactly an intuitive process, supporting the argument that the information is not especially easy to access unless you know what you're doing. It's not an especially meaningful threat from the neighborhood teen who steals mobile devices to sell. But just like hard disks, these devices will likely retain that information, and no one knows who will end up with them. It's a common tactic for information bandits -- and even run-of-the-mill cyberthieves -- to buy highly discounted laptops and desktops (and now mobile devices) anywhere they can and search them to find whatever information they can. (And physical access doesn't necessarily mean theft. A "borrowed" device is just as vulnerable, whether the borrower is a co-worker in a meeting or a romantic visitor.)
And, again, just like PCs and laptops, mobile phones retain an awful lot of data. Text messages and other items deleted from mobile devices remain as retained data, if you know where to look. The principle is the same as with mobile devices' Windows and Mac older brothers: Deleted data hangs around until it's overwritten. The larger the memory, the longer it can take before it's overwritten.
Moral of the story: know your mobile devices and understand everything they retain. Your vendors might very well have no idea, but that doesn't mean they'll let that ignorance stop them from offering authoritative answers. Test every device your people will use and determine for yourself what they retain. Before you can effectively protect devices and your company (and yourself), you need to know the nature of what you're supposed to protect. Your competitors and cyberthieves are counting on you opting to not bother.
Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at email@example.com and he can be followed at twitter.com/eschuman. Look for his column every Tuesday.
Read more about security in Computerworld's Security Topic Center.