Easy hacks but easy fixes
The researchers downloaded the apps from Google Play Store. They analysed security and privacy issues by looking for personally identifiable information leakage, access control issues, improper authentication management, the presence of third-party trackers and other red flags.
They found that many apps did not properly authenticate server API endpoints, which could allow hackers access to sensitive personal data. Others had accounts that were found to be easily compromised; some were found to transmit users’ personal information unencrypted to either client-side servers or third-party domains. Dozens of other apps had multiple other vulnerabilities.
Once their analyses were complete, the researchers reached out to the developers of the apps found to have critical vulnerabilities to share their findings. Of the 35 developers they contacted, only seven responded, including two automated replies. The five others acknowledged the issues and forwarded them to their security teams.
“Many of these vulnerabilities can be mitigated if developers followed basic security best practices,” Kapoor says. “It should be relatively straightforward. Development teams should be more aware about security, but they are more worried about just delivering the product itself.”
Youssef adds that security is a non-functional requirement. “Prior to release, developers are testing functionality, but they may not be focusing on security.”