Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Mobile users at risk from lack of HTTPS use by mobile ad libraries, security researchers say

Lucian Constantin | Feb. 3, 2014
Researchers from security firm FireEye recently reported that many ad libraries expose sensitive functionality to JavaScript code over insecure connections, making apps using them vulnerable to man-in-the-middle attacks.

The company makes significant efforts to encourage developers to use the latest version of the SDK, Davies said. "We conduct comprehensive marketing and communications campaigns when we launch products or new, improved versions of a product and this includes direct emails to developers and publishers in our database, as well as general public awareness tactics like press releases, articles, interviews, blog posts, videos, etc."

If it believes there is a significant security risk, the company will advise app developers to upgrade immediately to a new version of the SDK, he said.

Some security experts don't think the performance impact of implementing HTTPS should outweigh its security benefits.

"Plenty of applications such as email clients and social networking clients have already fully migrated to SSL without side effects," said Bogdan Botezatu, a senior e-threat analyst at security firm Bitdefender. "We are talking about personal information being sent unencrypted over the network, and this is something app developers should take seriously."

Last month researchers from Bitdefender found a vulnerability in an ad library called HomeBase SDK that would have posed less of a risk if the library had used HTTPS. They found that HomeBase was updating itself over HTTP, allowing man-in-the-middle attackers to potentially inject a rogue update package into the traffic that would then get executed on the device with the host application's permissions.

Widdit, the Israel-based company that develops HomeBase SDK, said at the time that it plans to secure the traffic with SSL by the end of January.

"By design, mobile devices spend most of the time connected to wireless networks that the user has no control over, such as those in coffee shops, airports and so on," Botezatu said. "More than that, anybody can set up a rogue access point with no security set in place, lure the nearby users into connecting to it and then intercept or manipulate traffic. Man-in-the-middle attacks on Wi-Fi networks are definitely a possibility that should be taken into account."

Even if there have been no reports so far of real world attacks exploiting the addJavascriptInterface issues, it's only a matter of time until attackers pick up on them, Robert Miller, a security consultant at MWR Infosecurity, said. "It's a question of when, not if."

MWR researchers built a proof-of-concept box that can be placed on any wireless network to intercept and exploit traffic from phones connected to that network, Miller said.

JavaScript bridge attacks are ridiculously easy to do, Miller said. By reading a Web page and using tools available online for free, an attacker could have it ready in half an hour, he said.

HTTPS would mitigate the man-in-the-middle attack vector, but not others like rogue ads potentially making their way into the ad network and exploiting this issue. However, adding HTTPS would massively increase the levels of security that ad library vendors offer to their customers, Miller said.

 

Previous Page  1  2  3  4 

Sign up for CIO Asia eNewsletters.