“As the Mobile Industry is moving so fast, so too do security and Privacy issues”
There has been rapid growth in the prevalence of mobile devices in last few years. Every day a new device is being launched and hence increasing the number of online transactions. BYOD (Bring Your Own Device) has further complicated the security challenges of enterprises as they’re now responsible for protecting data on devices that they don’t own. At the same time, mobile application developers are coding new apps every day, without focusing on security/privacy related issues.
In this Post we will focus on analyzing the ATN Live TV App for iOS using our own free service ZAP
(Zscaler Application Profiler). If you aren’t familiar with ZAP, it’s a simple web application which allows anyone to quickly analyze the security/privacy issues of any iOS or Android app by dynamically inspecting the web traffic generated by the app. Please have a look at our previous blog post
for more information.
App Name: ATN Live TV
You will need to provide the APP URL and some fake credential to ZAP in order to analyze the traffic for security/privacy leaks.
Once you are done with this, you’ll need to set the proxy setting on your device to point to ZAP. Hit the Proxy Scan button and follow the instructions for setting the proxy on your particular device.
In this analysis, we found that ATN Live TV is leaking passwords and Email IDs.
As you can see, the Email ID and the MD5 hashed password is being transferred to the server via GET request using HTTP. While the password is hashed via MD5, you can see that the data is not transmitted in an encrypted (HTTPS) channel. While MD5 is a one-way hash, an attacker that was able to sniff this traffic, could perform a dictionary attack to retrieve the clear text password.
Here is the Final Risk Score Report of ATN Live TV app from ZAP.
With the explosion of mobile app development, we’re seeing an increase in data and privacy leaks. This is occurring for the same reason that we saw so many web application vulnerabilities a decade ago – there are many new developers entering the space but few have access to the tools and knowledge necessary to develop secure apps and apps are often published without an independent security audit.
These issues were reported to the developer on 20/12/2013.