Data is the most common target of hackers breaking into company servers. Successful attacks have had disastrous consequences for both the companies affected and their customers. Famous recent examples include:
- Hackers stealing 40% of the US population’s personal information from Equifax, which cost the company nearly $3 billion in clean-up costs and regulatory fines.
- In March 2020, Marriott Hotels announced they had been hacked, and more than 5 million customer records had been stolen. This wouldn’t be so notable if they hadn’t already been fined $123 million two years before for a data breach that compromised over 300 million records.
- British Airways being fined $230 million in 2019 for a data breach under new European GDPR rules governing data security.
While many data breaches can be traced to phishing attacks, poorly secured data, and vulnerable servers, an increasingly common attack vector for hackers is the applications that businesses and other organizations use to provide services to customers and users. OWASP (the Open Web Security Project) has outlined the 10 app security risks that are the most critical for application developers and vendors to understand and mitigate.
Largest app-related data breaches
Here we’ll have a look at some of the largest recent app-related data breaches and what application security solutions can be applied to prevent them.
App issue: Malware injection through insecure call function
WhatsApp is one of the most popular apps in the world, with over 1.5 billion users. A major reason for this is the end-to-end encryption it offers, which supposedly guarantees greater security than other messaging apps.
However, as the Financial Times first reported, WhatsApp contained a vulnerability in its VoIP function that allowed attackers to inject malware onto the victim’s device simply by calling their phone. The flaw was exploited in the wild in at least one set of attacks, in which commercial spyware was installed on the phones of a group of UK human rights lawyers. WhatsApp, which Facebook bought for $19 billion in 2014, has since patched the flaw.
App issue: Customers could see each other’s messages
The second-biggest pharmacy chain in the US was forced to declare a major data breach earlier this year when it was discovered that an error in its mobile app allowed users’ private messages to be viewed by other users. The breach in security of the app, which has been downloaded at least 60 million times on Android and iOS, exposed private information, including names, prescription numbers and medication names, store numbers, and shipping addresses.
App issue: Data breach reveals user details and passwords
The MyFitnessPal app is part of the sports and fitness company Under Armour and allows users to log what they eat to monitor their diets. However, in 2018, the app was hacked, and Under Armour confirmed that 150 million users had been affected. While most of the passwords had been hashed using a strong, deliberately slow password-hashing function known as “bcrypt,” others were stored as SHA-1 hashes, a format that is far faster to crack. Nearly a year after the breach was discovered, some of the stolen records were found for sale on the dark web.
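As an added illustration (not code from the original article), the defender's answer to the mixed bcrypt/SHA-1 situation described above: verify a login against whichever scheme the stored record uses, and re-hash legacy unsalted SHA-1 records with a salted, slow KDF the next time the user authenticates successfully. `hashlib.scrypt` stands in for bcrypt here because bcrypt is not in Python's standard library; the migration logic is identical.

```python
import hashlib
import hmac
import os
from typing import Optional

def legacy_sha1(password: str) -> str:
    """The weak format: unsalted SHA-1. Identical passwords produce identical
    hashes, so a single precomputed table cracks every user who chose them."""
    return hashlib.sha1(password.encode()).hexdigest()

def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard scrypt (stand-in for bcrypt). Each record gets its own
    16-byte random salt; n=2**14, r=8 needs ~16 MiB per guess, which is what
    makes large-scale offline cracking expensive."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return "scrypt$" + salt.hex() + "$" + dk.hex()

def verify(stored: str, password: str) -> bool:
    """Check a password against either record format, in constant time."""
    if stored.startswith("scrypt$"):
        _, salt_hex, _ = stored.split("$")
        candidate = strong_hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored)
    return hmac.compare_digest(legacy_sha1(password), stored)  # legacy path

def login_and_upgrade(db: dict, user: str, password: str) -> bool:
    """Authenticate; on success, transparently migrate a legacy record.
    This is the only moment the plaintext is available for re-hashing."""
    stored = db.get(user)
    if stored is None or not verify(stored, password):
        return False
    if not stored.startswith("scrypt$"):
        db[user] = strong_hash(password)
    return True

def count_legacy(db: dict) -> int:
    """How many records still sit in the crackable format (a useful metric)."""
    return sum(1 for v in db.values() if not v.startswith("scrypt$"))

# Constructed demo database: two legacy SHA-1 users, one already migrated.
DEMO_DB = {
    "alice": legacy_sha1("correct horse"),
    "bob": legacy_sha1("correct horse"),   # same password -> same SHA-1 hash
    "carol": strong_hash("hunter2"),
}

if __name__ == "__main__":
    print("legacy records before:", count_legacy(DEMO_DB))
    print("alice login:", login_and_upgrade(DEMO_DB, "alice", "correct horse"))
    print("legacy records after:", count_legacy(DEMO_DB))
```

Note that alice and bob share a hash before migration but not after, since each scrypt record carries its own salt.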
App issue: Insecure web app features
As one of the world’s biggest companies (in terms of revenue and users), Facebook has a lot of moving parts and is a massive target for hackers. This can result in near-disasters, such as its recent revelation that it had stored hundreds of millions of passwords in plain text. The FTC also fined the company $5 billion for its part in the Cambridge Analytica scandal.
Back in 2018, Facebook also became notable as the victim of one of the most serious web application hacks. In that case, attackers exploited flaws in its “View As” function, which mistakenly handed them OAuth tokens, affording them complete access to an account. This allowed the attackers to access any account that was signed into through Facebook. It was estimated that up to 50 million users could have been affected.
Web apps themselves are notoriously difficult to secure and can be vulnerable to numerous side-channel attacks or man-in-the-middle attacks through wireless networks. However, Intertrust has developed the industry’s first white-box cryptography solution specifically for web apps that secures web app encryption keys at all times, even when they are being used.
App issue: Hack revealing data of child users of app
The recent hack of WishBone, a comparison social media app, led to over 40 million of its users’ email addresses, phone numbers, locations, and poorly encrypted passwords being stolen. As around 70% of the app’s users are under the age of 18, this clearly demonstrates how privacy concerns extend beyond the simple “right thing” of protecting application users’ data and into child protection.
Various dating apps
App issues: Dating application vulnerabilities reveal data and locations
Following the hack of the Android dating application MobiFriends, where nearly four million weakly encrypted email addresses and passwords were stolen, further investigations were carried out into the data security problems of dating apps.
Among the most serious, besides the potential for fraud or phishing related to data breaches, was the fact that several dating apps—including Grindr, Romeo, and Recon—were found to enable precise location and tracking of users via triangulation and location-spoofing. For LGBTQ users in countries where people may be persecuted due to their sexual preference, poor app security could directly endanger users’ lives. Up to 10 million users were affected by the apps investigated by Pen Test Partners.
Application security solutions
Considering the financial and reputational risks presented by app-related data breaches, ensuring data security for any app that your organization distributes is essential. While much of cybersecurity focuses on creating a protective shield around servers (or, in the case of device manufacturers, production facilities), this isn’t enough when it comes to apps.
Applications are particularly vulnerable, as they will always be used on smart devices outside of these defenses, making them prime targets for bad actors who can attempt to reverse engineer them under their own terms. That’s why application security solutions need to be robust enough to protect apps no matter where they are or who is using them.
Intertrust’s specialized application shielding solution suite, whiteCryption, uses a range of techniques to provide industry-leading protection across a number of vectors, including device protection, application security solutions, and key protection. To find out more about whiteCryption and how it can keep your applications safe, learn more about it here or reach out to our team.
About Prateek Panda
Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s application shielding and device identity solutions. His expertise in product marketing and product management stems from his experience as the founder of a cybersecurity company with products in the mobile application security space.