Security Gaps in Web Apps

Today it is hard to imagine a smartphone without apps. In 2013 some 102 billion apps were downloaded worldwide. The easy money with short times-to-market, however, comes at a price to the user: security shortcomings. This is the case even with apps developed by large corporations or banks. Just how safe are mobile web apps and what are the most serious security shortcomings? Researchers at the University of Bremen’s Technology Center for Informatics and Information Security (TZI) have been looking into this. They downloaded representative apps from the Google Play Store to analyze their communication capabilities and source code.

Authorizations make it easy for hackers to capture data

“We are constantly coming across two particularly common malware gateways for data spies”, says TZI staff member Karsten Sohr. One of these is that apps ask for a long list of authorizations, although many of them are quite superfluous for their functionality. An example of this is the type of app distributed by large corporations which ask for authorization to send corporate news and information. “We have identified 22 such authorizations, although the only really important one is to access the Internet. The more authorizations, though, the easier it is for spies to capture data – or even manipulate smartphone functions like the camera, microphone, contacts or GPS location. The user notices nothing”, explains Christian Liebig, who chose the topic for the Master Thesis he submitted to the TZI.

Infiltration of malware through incomplete SSL encryption

The other malware gateway is connected with encryption and the SSL standard. According to Sohr: “Because the procedure is highly complex and calls for considerable know-how, programmers frequently make mistakes”. The slightest gap in security though opens a malware gateway for trojans. “We have even found non-encrypted malware gateways in apps used in highly sensitive areas like online banking or the control of alarm systems”, says Liebig. The Apache Cordova framework is used as the basis for many apps. Programmers are able to adapt it quite easily to the various app stores, but it calls for a large number of authorizations. “However, when using Cordova the programmer must be sure to make the whole software code secure and take the time to ensure that the user is only asked to approve authorizations that are necessary for the app’s smooth functioning”, says Liebig. In order to facilitate programming, another member of the TZI team, Bernhard Berger, has developed a tool which makes it possible to automatically identify security shortcomings in Cordova apps for Android.
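The two shortcomings described above (superfluous authorizations, and connections that are not encrypted) are both visible in an app's static configuration before it ever runs. The following added example is not Bernhard Berger's tool and not code from the TZI; it is a constructed illustration of the kind of check such a tool performs: it reads an Android `AndroidManifest.xml` and a Cordova `config.xml`, lists every declared permission that is not on the developer's own "needed" list, and flags settings that permit cleartext HTTP. The `android:usesCleartextTraffic` attribute and Cordova's `<access origin>` whitelist element are real, but the sample files, package name and hostnames are constructed for this example.

```python
"""Constructed static checker for a Cordova-for-Android bundle (example only).

Flags (1) permissions declared in AndroidManifest.xml that the developer has
not listed as needed, and (2) settings that allow unencrypted HTTP traffic.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: a "corporate news" app that only needs INTERNET
# but asks for camera, microphone, contacts and location as well.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.corpnews">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:usesCleartextTraffic="true"/>
</manifest>
"""

# Constructed sample Cordova config.xml with a wildcard and a plain-HTTP origin.
SAMPLE_CONFIG = """
<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.corpnews" version="1.0.0">
  <access origin="*"/>
  <access origin="http://news.example.com"/>
  <access origin="https://api.example.com"/>
</widget>
"""

# Permissions the (hypothetical) developer has justified for this app.
NEEDED = {"android.permission.INTERNET"}


def _local(tag):
    """Strip a namespace prefix such as '{uri}access' down to 'access'."""
    return tag.rsplit("}", 1)[-1]


def declared_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(f"{{{ANDROID_NS}}}name")
        for el in root.iter()
        if _local(el.tag) == "uses-permission"
    }


def superfluous_permissions(manifest_xml, needed):
    """Permissions the app requests beyond the developer's justified list."""
    return sorted(declared_permissions(manifest_xml) - set(needed))


def cleartext_findings(manifest_xml, config_xml):
    """Settings that let the app talk to servers without encryption."""
    findings = []
    manifest = ET.fromstring(manifest_xml)
    for el in manifest.iter():
        if (_local(el.tag) == "application"
                and el.get(f"{{{ANDROID_NS}}}usesCleartextTraffic") == "true"):
            findings.append('manifest: android:usesCleartextTraffic="true" permits plain HTTP')
    config = ET.fromstring(config_xml)
    for el in config.iter():
        if _local(el.tag) != "access":
            continue
        origin = el.get("origin", "")
        if origin == "*":
            findings.append('config.xml: <access origin="*"/> allows any host, encrypted or not')
        elif origin.startswith("http://"):
            findings.append(f"config.xml: cleartext origin {origin}")
    return findings


def audit(manifest_xml, config_xml, needed):
    """Combine both checks into one report dictionary."""
    return {
        "superfluous_permissions": superfluous_permissions(manifest_xml, needed),
        "cleartext": cleartext_findings(manifest_xml, config_xml),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, SAMPLE_CONFIG, NEEDED)
    for perm in report["superfluous_permissions"]:
        print("superfluous permission:", perm)
    for finding in report["cleartext"]:
        print("cleartext:", finding)
```

The "needed" list is the developer's own statement of what the app must do; the checker cannot decide that for them, it only makes every extra request visible so it can be dropped before release. A clean result for this sample would be a manifest with only `INTERNET`, `usesCleartextTraffic` absent or `"false"`, and `<access>` entries limited to explicit `https://` hosts.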

You can obtain more information by contacting:
University of Bremen
Technology Center for Informatics and Information Security (TZI)
Karsten Sohr
Phone: +49 421 218-63922
email: sohr@tzi.de


Knut Köstergarten
Phone: +49 421 3800353
Mobile: +49 176 28059267
email: koestergarten@wortpiraten.de

[Image: smartphone with various icons] Smartphone with apps