Researchers specializing in enterprise data protection services have analyzed more than a dozen mobile apps from car-sharing companies and have discovered serious security gaps that could be exploited to obtain personal information and even steal vehicles.
The specialists investigated a total of 13 Android car-sharing apps. The apps are used in the United States, Europe and Russia, and have been downloaded more than 1 million times from Google Play.
These apps are a tempting target for malicious actors for several reasons: they could hijack a legitimate user’s account to use cars without paying for them, steal vehicles for their parts or to commit crimes, track user locations, and obtain the account holder’s personal information.
While some of these are theoretical risks, specialists in enterprise data protection services note that hacker groups are already selling stolen accounts of car-sharing users. Those who sell this information claim the accounts are useful for several purposes, including driving a car without a license.
Researchers first verified whether the apps could be reverse-engineered and whether they can run on rooted devices. If an app does not hinder reverse engineering, it increases the risk that someone will create a malicious version of it. Allowing an app to run on a rooted device lets an attacker access sensitive information.
Only one of the scanned apps had protection against reverse engineering, and even it did not prevent execution on a rooted device. On the other hand, that app encrypted confidential data, mitigating the risk introduced by allowing it to run on rooted devices.
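The root and debug-build checks described above are usually a handful of heuristics. The helper below is an added example written for this article, not code from any of the scanned apps; the class name, the list of `su` paths and the `looksCompromised` policy are assumptions. It shows the signals an Android app can read before deciding how much sensitive data to keep on the device.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import java.io.File;

/** Heuristic root / tamper signals for an Android app. Hypothetical helper, not any vendor's code. */
public final class DeviceIntegrity {
    // Common locations of the su binary and the Superuser app on rooted devices (assumed list)
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su", "/system/app/Superuser.apk"
    };

    /** True if a known su binary or Superuser package is present on the filesystem. */
    public static boolean hasSuBinary() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) return true;
        }
        return false;
    }

    /** True if the system image was signed with AOSP test keys, typical of custom ROMs. */
    public static boolean isTestKeysBuild() {
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    /** True if this APK was built debuggable, which makes dynamic analysis trivial. */
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Policy decision: any one signal is enough to treat the device as untrusted. */
    public static boolean looksCompromised(Context ctx) {
        return hasSuBinary() || isTestKeysBuild() || isDebuggable(ctx);
    }
}
```

These checks are signals, not a boundary: on a rooted device an attacker can hook `File.exists` or patch the APK, which is why the article singles out the one app that also encrypted its confidential data. A sensible use of `looksCompromised` is to refuse to cache session tokens and card details locally on such a device (keeping keys in the Android Keystore) rather than to simply refuse to start.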
Specialists in enterprise data protection services also verified the strength of the passwords that protect car-sharing accounts. Experts found that in most cases developers allow weak passwords or send users short one-time verification codes. This, combined with the lack of any limit on the number of login attempts, makes it easier to launch brute-force attacks and obtain a one-use code.
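The two missing controls, a code long enough that guessing is impractical and a hard cap on attempts, live on the server. The class below is an added example for this article, not any car-sharing provider's code; the six-digit length, five-attempt cap and five-minute lifetime are assumed values. A four-digit code with no attempt limit falls to at most 10,000 guesses; with six digits and five attempts per code the attacker's chance per issued code is 5 in 1,000,000.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/** Server-side one-time-code issuance and verification with an attempt limit. Hypothetical example. */
public class OtpVerifier {
    static final int CODE_DIGITS = 6;            // 10^6 possibilities instead of 10^4 for a 4-digit code
    static final int MAX_ATTEMPTS = 5;           // after this the code is burned and a new one is required
    static final long TTL_MILLIS = 5 * 60_000L;  // code expires after five minutes

    private static final SecureRandom RNG = new SecureRandom();

    private static final class Issued {
        final String code;
        final long issuedAt;
        int attempts;
        Issued(String code, long issuedAt) { this.code = code; this.issuedAt = issuedAt; }
    }

    private final Map<String, Issued> pending = new HashMap<>();

    /** Issue a fresh code for a phone number. In production it is sent by SMS, never returned to the client. */
    public synchronized String issue(String phone, long now) {
        int bound = (int) Math.pow(10, CODE_DIGITS);
        // Zero-padded so that "000123" keeps its full length
        String code = String.format("%0" + CODE_DIGITS + "d", RNG.nextInt(bound));
        pending.put(phone, new Issued(code, now));
        return code;
    }

    /** Returns true only for the correct code, within its lifetime, within the attempt budget. */
    public synchronized boolean verify(String phone, String attempt, long now) {
        Issued issued = pending.get(phone);
        if (issued == null) return false;
        if (now - issued.issuedAt > TTL_MILLIS || issued.attempts >= MAX_ATTEMPTS) {
            pending.remove(phone);               // expired or exhausted: force a new code
            return false;
        }
        issued.attempts++;
        boolean ok = MessageDigest.isEqual(      // constant-time comparison
                issued.code.getBytes(StandardCharsets.UTF_8),
                attempt.getBytes(StandardCharsets.UTF_8));
        if (ok) pending.remove(phone);           // single use
        return ok;
    }

    public static void main(String[] args) {
        OtpVerifier v = new OtpVerifier();
        long now = System.currentTimeMillis();
        String code = v.issue("+10000000000", now);
        for (int i = 0; i < MAX_ATTEMPTS; i++) v.verify("+10000000000", "000000", now); // wrong guesses
        System.out.println("correct code after budget exhausted: " + v.verify("+10000000000", code, now)); // false
    }
}
```

Note that the attempt counter is keyed to the issued code, so requesting a new code resets it; a production deployment also needs a rate limit on how often codes can be requested per phone number and per source IP, otherwise the attacker simply asks for fresh codes.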
Users of these apps are often careless in ways that expose their information: they publish images on their social networks and use specific hashtags that make their profiles easy to identify. Phone numbers matter to attackers because the phone number often serves as the username and is where the app sends the user’s codes.
Researchers also noted that while the apps use HTTPS for server communications, they all fail to verify the server’s certificate, making it easier to launch Man-in-the-Middle (MitM) attacks and intercept potentially confidential data.
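"Uses HTTPS but does not verify the certificate" almost always means a trust-all `X509TrustManager` was dropped in to silence a certificate error during development. The following is an added example written for this article, not code from any of the apps, showing that anti-pattern beside the hardened form using OkHttp's `CertificatePinner`; the hostname and the pin value are placeholders.

```java
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;

public final class TlsClients {

    // ANTI-PATTERN: this is what "HTTPS without certificate verification" looks like in code.
    // Neither check method throws, so a certificate presented by a MitM proxy is accepted,
    // and the hostname verifier accepts any name.
    static OkHttpClient trustEverything() throws Exception {
        X509TrustManager acceptAll = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{acceptAll}, null);
        return new OkHttpClient.Builder()
                .sslSocketFactory(ctx.getSocketFactory(), acceptAll)
                .hostnameVerifier((hostname, session) -> true)
                .build();
    }

    // HARDENED: keep the platform's default chain and hostname validation and add a pin on the
    // server's SPKI hash, so a valid certificate from any other CA is still rejected.
    static OkHttpClient pinned(String host, String spkiSha256Base64) {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(host, "sha256/" + spkiSha256Base64)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    public static void main(String[] args) {
        // Placeholder host and pin; the real pin is the base64 SHA-256 of the server key's SPKI.
        OkHttpClient client = pinned("api.example-carsharing.invalid",
                "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=");
        System.out.println("pinned client configured: " + (client.certificatePinner() != null));
    }
}
```

Pin at least two keys (the current one and a backup) so a certificate rotation does not lock every user out, and review the code base for any `X509TrustManager` whose `checkServerTrusted` body is empty: that one method is the finding the researchers report.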
Finally, specialists in enterprise data protection services checked whether the apps include overlay protections. Specifically, they verified whether developers implemented any mechanism to prevent an attacker who already has access to the smartphone from displaying a fake window (that is, a phishing page) on top of the genuine app. Unfortunately, none of the scanned apps protects the user against this threat.
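Android gives an app two overlay-related defenses for a sensitive screen: refusing touches that arrive while another window covers the view, and, from Android 12, asking the system to hide non-system overlay windows entirely. The activity below is an added example for this article, not code from any of the scanned apps; the layout and view ids are assumed.

```java
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Toast;

/** Sensitive screen (login / unlock car) with overlay defenses. Hypothetical activity, not any vendor's code. */
public class UnlockActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_unlock);          // assumed layout containing R.id.unlock_button
        View unlock = findViewById(R.id.unlock_button);

        // 1. Let the framework drop touches delivered while another window covers this view
        //    (the tapjacking case: an invisible overlay passes the tap through to the real button).
        unlock.setFilterTouchesWhenObscured(true);

        // 2. On Android 12+ ask the system to hide other apps' overlay windows while this
        //    activity is visible. Requires android.permission.HIDE_OVERLAY_WINDOWS in the manifest.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            getWindow().setHideOverlayWindows(true);
        }
    }

    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        // 3. Detect the obscured flags ourselves so the user is told why the tap was ignored
        //    instead of the app silently swallowing it.
        int flags = ev.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            obscured |= (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        }
        if (obscured && ev.getAction() == MotionEvent.ACTION_DOWN) {
            Toast.makeText(this, "Another app is drawing over this screen", Toast.LENGTH_SHORT).show();
            return true;                                   // consume the event; nothing underneath sees it
        }
        return super.dispatchTouchEvent(ev);
    }
}
```

The obscured flags only help when the overlay lets the touch through to the app. A full phishing window that captures the touches itself never delivers events to the real activity, which is why the Android 12 `setHideOverlayWindows` call, and prompting the user when `Settings.canDrawOverlays` is granted to unknown apps, matter for the phishing case the researchers describe.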