Personal security apps are increasing in popularity for good reason. Such apps are designed to alert your family and emergency services if you’re in danger.
But like all apps, even personal security apps can be subject to security challenges such as poor development processes and external threats.
Wandera researchers discovered a data leak in PanicGuard, a popular personal security application, that put users’ personally identifiable information and IP addresses at risk. The cause was the transfer of user information unencrypted over the air during both the login and registration processes.
The security implications
*An update from PanicGuard. The developer claims to have since fixed at least some of these issues, and has informed us that the vulnerability was partly a result of a staggered rollout of application updates to users. This has now been updated to a 100% rollout of the new version of the application. PanicGuard also states that the majority of PanicGuard users use partner versions of the personal security app, and do not use the generic version that was tested in this advisory.*
The primary vulnerability in the PanicGuard app was identified by Wandera’s machine intelligence technology MI:RIAM as the transmission of sensitive data over the insecure and unencrypted HTTP channel.
This means the user’s information was travelling over the internet in plaintext, risking its exposure to third parties. This was happening in both the iOS and Android versions of the application, specifically during the login and registration process.
In addition, MI:RIAM discovered that the user’s internal IP address was being leaked through a cookie in the HTTP request. Once this is exposed, it becomes quite simple for an attacker to obtain the location of victims and track their movements.
What was being leaked?
The data leaks were occurring during the login processes that are shared between the PanicGuard Android and iOS apps, and on the registration page of the iOS app. These findings were replicable as of Tuesday 20th June 2017.
The PII (Personally Identifiable Information) exposed during the login procedure includes:
Location (longitude, latitude)
The PII (Personally Identifiable Information) exposed during a registration request via the iOS app includes:
First and last name
Date Of Birth
Emergency Contact Full Name
Emergency Contact E-mail
Emergency Contact Phone Number
What can be done?
Businesses should have an active mobile security service deployed to monitor and block data leaks within their mobile fleets.
It’s also important that individuals avoid using apps over unsecured Wi-Fi networks where information is even more likely to be intercepted by third parties through Man-in-the-Middle attacks.
App developers are advised to use SSL/TLS to protect the transmission of personally identifiable user information, session tokens, and any other sensitive data to a backend API or web service. It is also good practice to use mobile app security testing services so that data leaks of this kind are caught before an app reaches users.
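As an added example (not Wandera’s MI:RIAM and not code from PanicGuard), the check below inspects one captured HTTP request for the two conditions this advisory describes: PII fields sent over a non-TLS connection, and a private IP address carried in the Cookie header. The parameter names, hostname and sample request are constructed for the example and are not the app’s real values.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Parameter names covering the PII the advisory lists as leaked. The names are
# assumptions for this example; the app's real parameter names are not on the page.
SENSITIVE_FIELDS = {"latitude", "longitude", "first_name", "last_name", "dob",
                    "emergency_name", "emergency_email", "emergency_phone"}

def private_ips(text):
    """Return the RFC 1918 / loopback / link-local IPv4 addresses found in text."""
    found = []
    for match in re.finditer(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text):
        try:
            ip = ipaddress.ip_address(match.group(0))
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if ip.is_private:
            found.append(str(ip))
    return found

def inspect_request(raw, tls):
    """Inspect one captured HTTP request; `tls` says whether the capture came from
    a TLS connection. Returns a list of findings, empty when nothing is wrong."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    if not tls:
        # PII may travel in the query string or in a form-encoded body.
        target = lines[0].split(" ")[1]
        sent = set(parse_qs(target.partition("?")[2])) | set(parse_qs(body))
        leaked = sorted(sent & SENSITIVE_FIELDS)
        if leaked:
            findings.append("PII over plaintext HTTP: " + ", ".join(leaked))
    for ip in private_ips(headers.get("cookie", "")):
        findings.append("internal IP address exposed in Cookie header: " + ip)
    return findings

# Constructed sample of a login request as the advisory describes it: location in
# a form body over plain HTTP, and a private address inside the Cookie header.
LOGIN_REQUEST = ("POST /api/login HTTP/1.1\r\nHost: api.example.invalid\r\n"
                 "Cookie: session=abc123; client_ip=192.168.1.23\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 "email=user%40example.invalid&latitude=51.5074&longitude=-0.1278")
```

Running `inspect_request(LOGIN_REQUEST, tls=False)` reports both the location fields and the leaked internal address; the same request over TLS still reports the cookie, since encryption in transit does not stop the app from handing the address to the server.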