Security Sense: The Sorry State of Mobile Security and Privacy

I was preparing for a talk this past weekend which saw me spending a bunch of time looking at the way apps on my iPhone were talking to the underlying services which sit on the web. It takes about a minute to set things up so that all the communications between the device and the servers are on show. What is normally out of sight is now front and centre and suddenly you start to get a whole new sense of how your data is being handled which immediately demonstrates a rather serious problem.

Try this: go to your bank’s website (it doesn’t matter which bank) and load the login page. You’ll see an HTTPS address and a padlock and almost certainly a big green bar with your bank’s name on it indicating an “Extended Validation” certificate. This alone should give you some confidence that the site is securely handling your data in transport (although certainly there’s good SSL and bad SSL), not to mention confidence in who you’re sending your data to. It’s all very confidence-inspiring.

Now open the banking app on your mobile device. See the padlock on the address bar? No, of course you don’t because there isn’t one. If there is, it’s mere clipart and it isn’t independent assurance like you get in the browser. The truth is you have no idea how your bank’s mobile app is talking to their servers, you just have to trust them. They’ll usually get it right. Usually…

A little while back I was looking at a banking app – my bank’s app – and discovered that they’d entirely disabled certificate validation, which effectively rendered their encryption useless. I reported it privately and there was very quickly a “feature update” in the app store, but this showed that indeed banks can get it wrong. This simply cannot happen with websites loaded in the browser, as your browser is the one doing the validation, not some third-party app.

Although not as serious as the banking example, in my travels last weekend I found a major fast food chain with a mobile app. When you opened the app they served up the menu over an encrypted connection (which was probably a little unnecessary), then they proceeded to send your login credentials with no encryption whatsoever. You’d know this in the browser because you’d see the lack of the aforementioned padlock, but in a mobile app, you’ve got no idea.

But what really got me was the extent and invasiveness of tracking and personal data collection. Now in the browser, there’s only so much you can track and it usually boils down to some very generic info about the device (browser, operating system, resolution) and of course the ability to join the dots between different sites you visit using the same tracker. Mobile though gets personal – very personal – and that’s because of two primary reasons: mobile devices have access to way more information than browsers do and mobile apps have the ability to access it.

Here’s a good example – after logging in to a major online grocery chain down here in Australia, they take your first and last names, your home address and your exact latitude and longitude down to 14 decimal places and send it off to a third-party tracker. Oh – and they do that insecurely over an unencrypted connection too. That simply wouldn’t work on a secure webpage, but in a mobile app, you can get away with these sorts of shenanigans.

Or here’s another one, and this time it involves a major online payment service you do know of. When logging on to this particular service, they take your device name (the name you give it when you set it up) and how much capacity it has, along with the SSID of the network you’re connected to and the MAC address of the router you’re talking through, and send it all off with the login request. You have no idea of this (and frankly no, burying it in their terms doesn’t count), it just happens, and there go details about your private network off to some faraway land. Google tried capturing this data some time back and didn’t exactly get a warm reception when they did it.
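The checks above are easy to automate once a proxy is showing you the decrypted traffic. As an added illustration (not code from the original column), here is a small Python audit over constructed capture records modelled on the three app behaviours described: a login posted over plain HTTP, name and coordinates sent to a tracker, and SSID/router MAC bundled into a login request. Hostnames, field names and the first-party list are placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample of proxy captures: (method, url, body). Placeholder hosts only.
CAPTURES = [
    ("GET", "https://api.fastfood.example/menu", ""),
    ("POST", "http://api.fastfood.example/login", "username=alice&password=hunter2"),
    ("POST", "http://tracker.example/collect",
     "first=Alice&last=Smith&address=1+Example+St"
     "&lat=-33.86882000000000&lon=151.20929000000000"),
    ("POST", "https://pay.example/login",
     "user=alice&device_name=Alice%27s+iPhone&capacity=64GB"
     "&ssid=HomeWifi&bssid=00:11:22:33:44:55"),
]

# Hosts the app legitimately needs to talk to (assumption for this sample).
FIRST_PARTY = {"api.fastfood.example", "pay.example"}

CREDENTIAL_KEYS = {"password", "passwd", "pin"}
PII_KEYS = {"first", "last", "address", "lat", "lon", "device_name"}
NETWORK_KEYS = {"ssid", "bssid", "mac"}


def audit(captures, first_party):
    """Return (finding, host, sorted field names) tuples for each risky request."""
    findings = []
    for _method, url, body in captures:
        parts = urlsplit(url)
        host = parts.hostname or ""
        # Field names from both the query string and a form-encoded body.
        fields = {k.lower() for k in parse_qs(parts.query)}
        fields |= {k.lower() for k in parse_qs(body)}
        creds, pii, net = fields & CREDENTIAL_KEYS, fields & PII_KEYS, fields & NETWORK_KEYS
        plaintext = parts.scheme == "http"
        if plaintext and creds:          # the fast food login case
            findings.append(("PLAINTEXT_CREDENTIALS", host, sorted(creds)))
        if plaintext and pii:            # the grocery tracker case, part 1
            findings.append(("PLAINTEXT_PII", host, sorted(pii)))
        if host not in first_party and pii:   # part 2: where the data goes
            findings.append(("PII_TO_THIRD_PARTY", host, sorted(pii)))
        if net:                          # the payment service case
            findings.append(("NETWORK_DETAILS_COLLECTED", host, sorted(net)))
    return findings


if __name__ == "__main__":
    for finding in audit(CAPTURES, FIRST_PARTY):
        print(*finding)
```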

Mobile apps hide serious compromises of security and privacy, compromises you could never get away with in the browser. We’re now about to see the technology environment that allows these compromises to happen expand enormously with the emergence of wearables and it’ll be more than just your lat and long and network data at stake, it’ll be all that juicy health data they’re busy collecting too. This is just the tip of the iceberg right now.

Troy Hunt
http://troyhunt.com
@troyhunt
Microsoft MVP - Developer Security 
