Pierluigi Paganini September 10, 2014

Researchers from the UNHcFREG (University of New Haven) is publishing on YouTube a series of videos to disclose vulnerabilities in a dozen Android apps.

Experts at the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG) have decided to disclose vulnerabilities in a dozen Android apps, including the popular mobile applications Instagram, Vine and OKCupid. Just a few days ago the The CERT Coordination Center at Carnegie Mellon University (CERT/CC) has published the results of a session of tests conducted on popular Android applications that fail to properly validate SSL certificates, highlighting the urgency to increase security by design of mobile software. In April 2014, a team of researchers at UNH Cyber Forensics Research & Education Group (UNHcFREG) discovered a vulnerability in WhatsApp “Location Share” feature which exposes user’s location to the attackers and Viber, the vulnerabilities discovered in the popular app were caused by the lacks an implementation of security best practices threatening the privacy of hundreds of million users.

The researchers disclosed numerous security issues, the majority of which related to the storage of unencrypted content on the apps’ servers, the team has used YouTube as a distribution channel for the study proposing five videos in five days on their work.

The team created a test network by using Windows 7 virtual mini port adapter to analyze all traffic sent and received by the mobile devices, then they used popular network analyzer software such as NetworkMiner and Wireshark.

During  the first day, the researchers reported three flaws discovered respectively in Instagram, in the dating app OKCupid and the messaging app ooVoo. Exploiting the direct messaging functionality implemented by Instagram Direct, the experts were able to sniff photos sent between users, but they made another curious discovery analyzing the network traffic with Wireshark, some of the images they had sent weeks prior still laid on Instagram’s servers, without authentication and unencrypted. On OKCupid, the researchers were able to capture search keywords of users over HTTP giving them the ability to reproduce the same search and see content sent users by the users, including their final recipients.  In a similar way, the experts at UNHcFREG were able to intercept key phrases and photos sent between users of the messaging app ooVoo, and also in this case photos were still laying around the app servers for an undetermined period of time longer than necessary.

The day after, the UNHcFREG team discussed the flaws in other popular instant messaging platforms, Tango, Nimbuzz, and Kik. The situation is quite the same with Tango, Nimbuzz and Kik apps, the team was able to sniff images sent on Tango, sketches sent on Kik, meanwhile they captured users’ images, location and videos from Nimbuzz. In this case the mobile app also stored users’ passwords in plain text.

The third day the team investigated the security of other three chat and communications apps MeetMe, MessageMe and TextME.

The group plans to go on for the entire week with other interesting videos in which it will analyze flaws in Android apps like Vine, GroupMe, Words with Friends and Grindr.

Let us wait for bug fixing by the apps developers team.

Pierluigi Paganini

(Security Affairs –  mobile apps, Android, UNHcFREG)