Tracking apps, for example those with which parents monitor the whereabouts of their children, all have security vulnerabilities. The holes are so large that an attacker can easily create movement profiles of thousands of people.
Researchers at the Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT) have examined popular tracker apps from the Google Play Store. The result: none of them was securely programmed, and some had serious vulnerabilities. Attackers can use them to create movement profiles, read chats and SMS messages, and view images.
Particularly alarming: attackers do not have to target each smartphone individually, but can simultaneously attack millions of users who have these apps installed. The scientists first presented their results on August 11 at the DEF CON hacking conference in Las Vegas.
Smartphone users can be monitored with so-called monitoring or tracker apps. For example, parents use such an app to know where their children are at any time or what messages and pictures they are sending. The use of these apps is legal if the person being spied on agrees. Athletes like to use tracking apps to participate in virtual competitions or share their data with friends.
Scientists at Fraunhofer SIT examined 19 legal apps offered on the Google Play Store. According to Google, the apps have been installed several million times. The scientists examined how the highly sensitive user data collected by these apps is protected. The result: all apps have serious vulnerabilities; not a single application was programmed securely. In total, the researchers found 37 security holes.
Highly sensitive data is usually stored in plain text on a server, without being protected by proper encryption.
»We only had to call up a specific website and enter a user name in the URL or guess it to call up a person's movement profile,« explains Fraunhofer project manager Siegfried Rasthofer, who investigated the apps together with the Fraunhofer hacking group TeamSIK. The researchers not only found data from individual persons on the servers, but were also able to read complete motion profiles from all users of these apps, which were stored on a server in an unsecured fashion. »This makes real-time tracking of thousands of people possible,« says Rasthofer. Using the insecurely programmed apps, attackers can not only retrieve metadata such as whereabouts, but also read and view content such as SMS messages and images of the monitored app users. »This enables complete monitoring,« explains Stephan Huber, member of TeamSIK and researcher at Fraunhofer SIT.
In addition, the scientists succeeded in reading the login information of the app users. In most apps, these credentials were also stored unencrypted or protected only with completely insufficient encryption; the team around Siegfried Rasthofer and Stephan Huber found, for example, 1,700,000 sets of login credentials in one app. The Fraunhofer scientists informed the app providers and the Google Play Store about their discoveries. 12 of the 19 apps examined have since been removed from the Play Store. Other providers, on the other hand, have not reacted at all.
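The two server-side defects the article reports, a movement profile selected purely by a username in the URL and login data stored unprotected, are shown below next to their hardened counterparts. This is an added illustration, not code from any of the examined apps or from Fraunhofer SIT; the account names, coordinates, passwords and the consent table are constructed sample data, and the function names are the example's own.

```python
"""Added example (not code from the apps examined or from Fraunhofer SIT):
the two server-side defects the article describes, side by side with the
hardened pattern. All account names, coordinates and passwords are
constructed sample data."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000          # work factor; tune for the server's CPU budget
SALT_LEN = 16

# Constructed: each user's recorded track as (lat, lon) points.
LOCATIONS = {
    "alice": [(48.1351, 11.5820), (48.1372, 11.5755)],
    "bob":   [(52.5200, 13.4050)],
}
# Constructed: consent links, i.e. which account may read which other track
# (a parent account reading a child's). Alice may read Bob's profile.
MAY_READ = {"alice": {"bob"}}


# --- Pattern 1: who may read a movement profile -----------------------------

def profile_insecure(requested_user):
    """The flaw the researchers describe: the username in the request alone
    selects the record, so guessing a name yields that person's whole track."""
    return LOCATIONS.get(requested_user)


def is_authorized(session_user, requested_user):
    """Own data, or data of an account that has consented to this reader."""
    return requested_user == session_user or requested_user in MAY_READ.get(session_user, set())


def profile_secure(session_user, requested_user):
    """Hardened: the authenticated identity, never the URL, decides access.
    An unauthorized request gets the same answer as a non-existent user,
    so the endpoint also does not confirm which usernames exist."""
    if not is_authorized(session_user, requested_user):
        return None
    return LOCATIONS.get(requested_user)


# --- Pattern 2: how login data is stored ------------------------------------

def hash_password(password, salt=None):
    """Salted, slow hash instead of the plaintext the article reports.
    Output: salt || PBKDF2-HMAC-SHA256(password, salt)."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    # Constant-time comparison: no timing leak on how many bytes matched.
    return hmac.compare_digest(candidate, digest)


# Constructed credential store: only salted hashes are kept, never passwords.
CREDENTIALS = {
    "alice": hash_password("alice-sample-passphrase"),
    "bob":   hash_password("bob-sample-passphrase"),
}
SESSIONS = {}   # opaque token -> username


def login(username, password):
    """Returns an unguessable session token, or None. Verifying against a
    dummy hash for unknown users keeps timing uniform across usernames."""
    stored = CREDENTIALS.get(username) or hash_password("", b"\x00" * SALT_LEN)
    if username not in CREDENTIALS or not verify_password(password, stored):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def fetch_profile(token, requested_user):
    """What the web endpoint should do: resolve the caller from the token,
    then apply the authorization check before touching the data."""
    session_user = SESSIONS.get(token)
    if session_user is None:
        return None
    return profile_secure(session_user, requested_user)


if __name__ == "__main__":
    # Insecure lookup: no login needed to read Bob's track.
    print("insecure:", profile_insecure("bob"))
    # Secure lookup: Bob cannot read Alice; Alice (consent link) can read Bob.
    bob = login("bob", "bob-sample-passphrase")
    print("bob -> alice:", fetch_profile(bob, "alice"))
    alice = login("alice", "alice-sample-passphrase")
    print("alice -> bob:", fetch_profile(alice, "bob"))
```

The point of `profile_secure` is that the record key never comes from an unauthenticated request alone: the caller is resolved from an opaque session token, and the requested account is then checked against an explicit consent table. Returning the same `None` for "not permitted" and "no such user" also keeps the endpoint from acting as a username oracle. For the credential store, a salted, deliberately slow hash with a constant-time comparison means a leaked table does not hand an attacker 1.7 million usable passwords.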