Android Apps Fail to Protect User Data During Device Transfer

Security

Multiple Android applications have been observed not invalidating or revalidating session cookies during app data transfer from one device to another.

The technique would enable attackers with a highly privileged device migration tool to move applications to a new Android device, causing migration issues, according to a new advisory by CloudSEK researchers.

“This means if a person is able to have physical access to your unlocked device for some time, he/she can copy your app data onto his/her device and impersonate you and your accounts, thus using the applications on your behalf without entering login ID or passwords,” the company wrote. 

CloudSEK explained that in specific applications such as WhatsApp, the actors could also bypass the 2FA mechanism. The security experts validated the claims by conducting an experiment using two Realme devices.

“This issue happens as the secret keys used by WhatsApp gets copied over to the new phone. Because of this, on WhatsApp’s side, these two devices look like they are the same since they use the same credentials to authenticate to us.”

In the advisory, CloudSEK said it reported the vulnerability to Meta, which considered it a social engineering scenario and disregarded it as a security issue. Meta has not immediately replied to Infosecurity’s comment request on the matter.

“[We] tried replicating the same method with Instagram, considering both are owned and operated by Meta, but Instagram logged out all accounts and requested a new login,” clarified CloudSEK.

Other popular apps that failed to invalidate session cookies include Canva, Snapchat, Telegram, LinkedIn, Discord and Booking.com.

Read more on Booking. com-focussed attacks: API Security Flaw Found in Booking.com Allowed Full Account Takeover

“To mitigate this threat, it is essential to secure your phone with a password,” CloudSEK warned. “If you are unable to download an app yourself, refrain from handing your device to another individual to download it on your behalf. It is important to carefully review the permissions required by an app before granting them access and to revoke permissions when the task is complete.”

The advisory comes weeks after Google unveiled a new policy for Android apps to mandate the addition of deletion option for both user accounts and the data associated with them.

Products You May Like

Articles You May Like

Ghost Tap: Hackers Exploiting NFCGate to Steal Funds via Mobile Payments
The Problem of Permissions and Non-Human Identities – Why Remediating Credentials Takes Longer Than You Think
Fake Donald Trump Assassination Story Used in Phishing Scam
Warning: DEEPDATA Malware Exploiting Unpatched Fortinet Flaw to Steal VPN Credentials
Chinese APT Group Targets Telecom Firms Linked to Belt and Road Initiative

Leave a Reply

Your email address will not be published. Required fields are marked *