After WhatsApp attack, how vulnerable are your apps?
Glenn Murray, QinetiQ Fellow and Principal Software Engineer
After the discovery of a targeted surveillance attack by hackers on messaging app WhatsApp, we consider how this attack could have happened, and what practical steps you can take to check the vulnerability of apps on your phone.
Why PACE Implementations Fail to Deliver Assured Battlefield Communications
21 Jan 2021
Adopting twins: will defence be next?
11 Dec 2020
Postcards from Space: Taking Heat Transfer Research to a New Level
07 Dec 2020
What can Mission-Led Innovation do for our customers?
02 Dec 2020
Batteries that last forever?
01 Dec 2020
According to media reports, WhatsApp discovered a surveillance attack targeted at selected users – reportedly journalists, lawyers and human rights experts – effected through the remote installation of surveillance software on mobile devices, exploiting a significant vulnerability in the messaging app.
It has been reported that the security flaw was exploited using WhatsApp's voice calling function to ring a target's device. The surveillance software would be installed even if the call was not taken, and the call would disappear from the call log.
How could the attack have happened?
The iOS attack is a clever code injection attack, allowing the attacker to inject code into the application via the VOIP (the communication of voice, data or video content over internet protocol networks) capability of the app. This attack allows the attacker to perform any action they want to on the device.
The android app has inside it a function call named 'DexClassLoader' that can run downloaded code and so this type of attack was previously theorized but maybe not exactly how it happened in this case. Any app with DexClassLoader within it is vulnerable to attack by the developer or someone who works out how to use it.
What security issues are there with apps?
From our regular testing of mobile applications we’ve identified these issues:
- Adware malware in the app
- Excess or unused permissions
- The ability to download and run code at will on your device
- Trackers in most apps: from 4 to 30+
- Taking of identification data from you, your device and your SIM
- Connections to over 50 network endpoints – often outside Europe and the US - within 10 seconds of an app starting
- Developers can be covering their costs by selling your data
Best practice and checks you can follow with Android apps
- 1. Install the Exodify chrome plugin on your pc
- Using this look through the apps you have installed on the Google Play store
- Consider removing apps with more than 15 trackers
- 2. Test any side loaded apps on VirusTotal before installation
- 3. Get a copy of DNS66: this will block many adverts and save around significant amount of your data each month
- 4. Install the NetGuard VPN or equivalent:
- Enable monitoring and packet capture
- For one app at a time monitor what communications it performs
- You can turn internet access off for individual apps
- 5. Install Process Monitor for Android 6 and less:
- This shows apps burning the battery: a number have been found, including Netflix and Chrome, continuously scanning the SD card
We can test a range of mobile applications:
- Do applications contain issues?
- Are the devices secure in relation to malware, networking and can they extract personal information?
For more information, please contact us