Mobile parking apps are often insecure, according to an investigation by security researchers at NCC Group.
Firms running paid-for parking schemes across the UK are introducing mobile applications as an alternative to paying with coins and/or card at the parking meter. Parking vendors generally cater for customers using Apple iOS and Android.
NCC’s investigation focused on Android parking apps, placing six (unnamed) applications under the microscope. The researchers wanted to highlight the sort of security vulnerabilities that commonly affect these apps in general rather than throwing praise or scorn on particular apps.
Security assessment was limited to the attack surface available on the smartphone itself, which included the APK distributed by the vendor and any data stored on the phone as a result of interaction with supporting servers on the internet. No attempts were made to probe for problems by manipulating data sent to the server, so the exercise omitted steps that would be carried out during a full penetration test.
NCC’s team concluded that nearly all the apps it looked at were “affected by security vulnerabilities – some more serious than others”, with mediocre cryptographic implementations being one common thread, as a blog post by NCC explains.
All of the vendors appeared to recognise the need for some form of encryption when transmitting sensitive data to the server. The reason this is important is that data sent without encryption may potentially be intercepted or altered by an attacker connected to the same network.
The majority of the applications used Transport Layer Security (TLS). However, none of the apps verified the certificate used by the server, which meant that Man-in-the-Middle attacks were still possible using an intercepting proxy tool.
Man-in-the-middle attacks occur when the attacker has some control over the network accessed by a vulnerable device. Most of the time parking applications will be used when connected to mobile data connections – rather than an unsecured public Wi-Fi network. This means that the likelihood of such attacks may be reduced but not eliminated as it may be possible for an attacker to create a fake GSM base station, as NCC notes.
Much more seriously one of the vendors accessed chose not to use industry-standard TLS, opting to "roll their own" encryption scheme instead. “Unless you have extensive experience with developing cryptographic algorithms and implementing them in software this is generally a bad idea,” said Chris Spencer, a senior security consultant at NCC.
Sure enough, in the case in point, the keys used to “encrypt” credit card details and passwords were stored in the application code and “easily retrieved by decompiling the app”. That left it open for a potential hacker to “recover credit card details from network traffic they may have intercepted during the registration process”.
NCC also discovered more subtle vulnerabilities lurking in some of the apps in areas such as data storage of PIN or password. For example, many of the apps offered the user a facility for saving their password or PIN locally on the device, to enable subsequent ’auto-login’. One of the applications stored the password for the system (unencrypted) in the application's private data directory on a smartphone. Attackers wouldn’t be able to get at this directly but in cases where they manage to infect an Android device with malware then this information would be exposed.
Despite the problems it uncovered NCC reports that many of the application developers had taken steps to secure their apps against trivial attacks, for example, through the correct use of hashing algorithms to store representations of sensitive data. Spencer nonetheless remains critical of the overall quality of the apps he and his team reviewed.
“We saw that using parking applications on Android could potentially put some of our sensitive data at risk, and potentially allow an active attacker to compromise your phone,” Spencer concludes. “This isn't good, and vendors clearly have some work to do in order to provide better security for their users.”
NCC Group contacted vendors of apps affected by serious vulnerabilities and offered full details of the flaws the UK-based security consultancy found before it went public with its findings today.
The security of mobile parking apps rated worse than those typically available for major online shopping sites, gambling sites or gaming studios. NCC rated them as roughly on par with apps offered by some of the smaller games developers.
NCC’s blog offers top tips for developers in remediating the types of apps it discovered when putting apps through their paces. Using the latest Android API to develop apps; applying securely configured TLS, with Certificate Pinning to mitigate against man-in-the-middle attacks on connections; avoiding the export of Android components where possible; and protecting data at rest using an appropriate hashing algorithm are all recommended. ®