A review of several Android pay-for-parking applications has uncovered a series of vulnerabilities that could allow attackers to steal drivers’ logins and hijack their mobile devices.
Conducted by information assurance firm NCC Group, the assessment analyzed six parking applications for the Android operating system. Some of the apps had been downloaded from Google Play between 5,000 and 10,000 times, whereas others boasted one million registered users.
The number of installs for each app ultimately did not matter, however, as all of the applications were affected by security vulnerabilities.
According to an NCC Group blog post, the review determined that while all of the apps used encryption to protect their customers’ sensitive information – something from which four major airlines should learn a lesson or two – not one of them verified the certificate presented by the server.
Chris Spencer of NCC Group adds that more persistent attacks could leverage an initial man-in-the-middle attack to eventually take control of the device. This holds even where TLS/SSL encryption is in use, since an unverified certificate lets an attacker impersonate the server; and not all of the applications used TLS/SSL at all.
One application in particular employed its own encryption standard that relied on keys stored in the application code. These keys, as well as the decryption method, could easily be retrieved, thereby allowing an attacker to steal users’ login credentials and credit card information.
If those vulnerabilities weren’t enough, most of the applications also exhibited flawed data storage procedures.
For example, some stored passwords and PINs locally on the device, which could lead to data theft if these pieces of information were not stored securely. One app tried to compensate for this by storing a user’s unencrypted password in the application’s private data directory on the phone, but NCC Group was able to exploit a file traversal vulnerability and recover it.
All of these vulnerabilities notwithstanding, the review did find that some of the apps had attempted to ward off attackers by using hashing algorithms and obfuscating their code.
NCC Group says that it responsibly disclosed details of the vulnerabilities to the app vendors.
Spencer writes that in order to protect their products from man-in-the-middle attacks, app developers should use a hashing algorithm, TLS, and Certificate Pinning, among other techniques.
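To make the certificate-verification point concrete, here is an added illustration (not code from the article or from NCC Group's report) of the Android anti-pattern behind the findings beside the pinned alternative, using the OkHttp client library; the host name and the two SPKI pins are placeholders.

```java
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

/** Illustrative client builders; API_HOST and the pins below are placeholders. */
public final class ParkingApiClient {
    private static final String API_HOST = "api.parking.example"; // placeholder host

    // BEFORE: a "trust every certificate" manager. With this in place the TLS
    // handshake still happens, but any certificate is accepted, so an attacker
    // on the same network can present their own and read the traffic.
    // This is the pattern to flag in code review.
    public static OkHttpClient insecureClient() throws Exception {
        X509TrustManager trustAll = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {} // never throws
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustAll }, new SecureRandom());
        return new OkHttpClient.Builder()
            .sslSocketFactory(ctx.getSocketFactory(), trustAll)
            .build();
    }

    // AFTER: keep the platform's default chain validation and host name check
    // (no custom TrustManager), and additionally pin the SHA-256 of the server's
    // public key (SPKI). A backup pin is included so a planned key rotation
    // does not lock users out of the app.
    public static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
            .add(API_HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") // placeholder pin
            .add(API_HOST, "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=") // placeholder backup pin
            .build();
        return new OkHttpClient.Builder()
            .certificatePinner(pinner)
            .build();
    }
}
```

The real pin values are obtained from the server operator's certificate, not by trusting whatever a first connection returns; a mismatched pin makes OkHttp fail the request with an SSLPeerUnverifiedException, which is the behaviour a man-in-the-middle should trigger.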
As for the regular driver, it is highly ill-advised to use any application that could expose sensitive/financial information when you are connected to a public network. Sure, you might be connected to a data network only when paying for your parking. But even then, you might not be safe, as an attacker could create a fake GSM base station.
Ultimately, it might be better to just bring some change and pay for parking the old fashioned way.
4 comments on “Vulnerable parking apps allow hackers to steal your login and credit card details”
Have there been any recent compromises with the parking meters that take credit cards instead of cash as well?
Can you name and shame these apps please?
I was forced to use a parking app at the weekend (against my better judgment) because all four machines in the car park were out of action. Other shoppers said "<expletive deleted> I don't have a phone" and walked off without paying.
Unfortunately, NCC Group has chosen not to name them in its report – so we're as much in the dark as you.
However, the report's authors are UK-based which narrows down the field somewhat and they give some indication of the user base for the apps.
When I think of parking apps used in the UK a couple of names immediately spring to mind, so I would be surprised if they weren't amongst those that NCC tested.
If anyone else knows more, please post a follow-up comment!
Webview and Java go together like Bonnie and Clyde! Infamous thieves, bank robbers.
This is one of the major reasons Google pulled Webview out of the OS to update through the Play Store. Many apps use the native Webview for connecting to the web. Any version of Android running 4.3 Jelly Bean and lower is especially vulnerable. And any browsers on those can be easily compromised. Last time I checked, there were like 7-10 major vulnerabilities for the older operating systems.