While the World Cup is around the corner, football applications are becoming omnipresent. Among their features, you can check live scores, follow your team ranking, create an account linked to your social media etc. At first sight, nothing scary. But while investigating applications* connected to one of the most followed event in the world, Pradeo’s research team found out a worrying trend: most of them are highly intrusive and vulnerable. On top of the list, there is the Eurosport app which was downloaded more than 10 million times.
Here are the main outcomes of the analysis of the Eurosport Android app (available on Google Play) performed by Pradeo Security engine:
- Collected data through 8 advertising libraries
- Vulnerable to data leakage and Man-In-The-Middle attack (63 vulnerabilities)
It is important to notice that the collection of data stated in this article is mentioned in Eurosport’s privacy policy but never proactively displayed to the user. Are users really aware of the intrusive nature of this application and its security flaws, opening a path to massive data divulgation?
Massive data exposure
The Eurosport application collects and sends users’ terminal information and preferences to an average of 14 servers. Most of these servers belong to 8 advertising companies’ libraries integrated within the application, which harvest a maximum of users data. By integrating with as many applications as possible, marketing companies publishing these libraries establish very precise profiles of users, based on their habits, movements and opinions.
Vulnerable to data leakage and Man-In-The-Middle attack (63 vulnerabilities)
The Pradeo engine has detected 63 vulnerabilities in the Eurosport application, 11 of which are referenced by the OWASP community. In doing so, the application exposes the data it handles to potential leaks as well as Man-in-the-Middle and DoS attacks.
Although data protection regulations are currently being strengthened, this observation highlights a new grey zone: users cannot reasonably read the multitude of privacy policies associated with their mobile uses.
For Pradeo’s researchers, the protection of users' privacy cannot only be regulated by the law. It requires mobile protection technology that will help users regain control over what data they agree to share or not.
*Study performed on a sample of 250 official Google Play and App Store applications.
APP SPECS
Name: Eurosport
SHA1: 2b1415f4eca49a58acb00e411457b187c5591521
Package : com.eurosport
Version: 5.12.2
DATA DISCLOSURE
Phone data
- Phone network info: provider, network type (3G, 4G...)
- Device info: Manufacturer, model, battery level, battery status, OS version...
Application data
- Applications settings
- Application files (compiled files in the app)
VULNERABILITIES
| BROADCAST-ACTIVITY | The vulnerability gives permission to other applications to bypass some security access, to give direct access to potentially sensitive data. |
|
BROADCAST-PROVIDER |
The effect of this vulnerability is to give permission to any application the possibility to have direct access to sensitive data from the component. |
|
BROADCAST-SERVICE |
The vulnerability gives permission to other applications the power to start or bind the application's service. Using the flaw can lead to sensitive information leakage towards malicious apps or result in denial of service. |
|
BROADCST-RECEIVER |
The vulnerability gives permission to other applications to send malicious intent to the application. Acting on receipt of intent without validating the caller's identity may lead to sensitive data being revealed or to denial of service. |
|
URLCANONICALISATION |
Makes easier for another application to access your application data (file). Depending on the implementation of Content Provider, use of the method can lead to a directory traversal vulnerability. |
| LOG | Il est risqué de mettre en production une application qui affiche des sorties de log. Une application tierce pourra exécuter une commande et récupérer les logs contenant des informations potentiellement sensibles. |
|
IMPLICIT-INTENT |
A malicious activity or service can intercept an implicit intent and be started instead of the intended activity or service. This could result in the interception of data or in a denial of service. |
|
X.509TRUSTMANAGER |
Unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection. |
|
CLIPBOARD |
Passing potentially sensitive data to the clipboard allows third-party applications to access them. This can result in data leakage. |
|
WIDGET |
It is possible for a malicious application to gain access to sensitive data through widgets, exposing the app to data leakage. |
|
POTENTIALLY-BYPASS- SSL-CONNECTION |
The implementation bypasses all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection. |
