Researchers from the University of New Haven have taken to Youtube this week to publicize vulnerabilities in a dozen Android apps, including Instagram, Vine and OKCupid.
Researchers at the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG) have chosen to disclose the issues, most which result from the storage of unencrypted content on the apps’ servers, over the course of five videos in five days.
The researchers found the flaws by creating a test network using Windows 7’s virtual mini port adapter to monitor all traffic to and from the phone. They then captured and analyzed the traffic via tools such as NetworkMiner, a free Network Forensic Analysis Tool (NFAT) for Windows, and Wireshark, a network protocol analyzer for Unix and Windows.
On Monday, the team discussed the first three bugs they found in the photo sharing app Instagram, the dating app OKCupid and the messaging app ooVoo. On Tuesday they publicized insecurities they found in a trio of cross-platform instant messengers: Tango, Nimbuzz, and Kik.
On Instagram Direct, the app’s direct messaging functionality, the researchers were able to use NetworkMiner and discover they could easily sniff photos sent between users. The researchers also discovered – with help from Wireshark – that some images they had sent weeks prior still laid on Instagram’s servers, unencrypted, without authentication.
On OKCupid, the researchers were able to sniff out certain keywords over HTTP, essentially giving them the ability to search for keywords and see what users they were sent to and who.
Key phrases and photos sent between users on the messaging app ooVoo were also picked up by NetworkMiner and similar to Instagram’s vulnerabilities, photos were found hanging around on the app’s servers for far longer than a user would expect them to be, unencrypted and without authentication.
The issues with Tango, Nimbuzz and Kik were similar to those the researchers discussed on Monday’s. They were able to sniff images sent on Tango, sketches sent on Kik. Users’ images, location points, and videos could all be gleaned from Nimbuzz. The app also stored users’ passwords in plain text.
“Anyone who has used or continues to use the tested applications are at risk of confidential breaches involving a variety of data, including their passwords in some instances” Ibrahim Baggili, an Assistant Professor of Computer Science at the school and head of cFREG, said last week in advance of the group’s Youtube campaign.
cFREG apparently tried to notify the developers behind the apps in question but were met with formulaic support contact forms and no direct way to contact the developers. The group plans to post videos dissecting the remaining vulnerabilities in Android apps like Vine, GroupMe, Words with Friends and Grindr throughout the rest of the week.
The group, a collection of UNH students led by Baggili, has proved adept at digging up vulnerabilities in applications, especially those of the messaging and photo-sharing variety, over the last year.
The researchers found similar issues in Viber and WhatsApp earlier this year. Again using NetworkMiner, they were able to sniff out images, doodles, and videos users sent to each other. The apps developers were quick to respond and pushed fixes for the issues, which wound up affecting both Android and iOS apps, within several days.
