For flying enthusiasts and trainee pilots, SkyDemon is a popular solution that offers VFR flight planning and in-flight navigation. But Wandera has discovered the app and website might be leaving users vulnerable to data theft.

Although the audience for this kind of software seems quite niche, the SkyDemon app has significant market penetration, with up to 50,000 downloads.

How does it work?

Wandera researchers have discovered that the mobile application communicates with its backend in plaintext, and that the only parameter given any protection is the password. That protection applies during the login procedure: the password is hashed with the SHA1 algorithm and then base64 encoded.

Unfortunately this is a poor means of protection, even though the plaintext password itself is not revealed. The login procedure is susceptible to a “pass the hash” attack, a technique that allows an attacker to authenticate to a remote service using only the hash of a user’s password, rather than the plaintext password that would normally be required.

If the SkyDemon app becomes compromised, a hacker could use the exposed information to track and spy on users.

This data could lead to other sensitive information being leaked, such as flight plans, aircraft model and registration details, and even behavioural patterns like favourite destinations. All of this flight-related information comes on top of the personal information that is already exposed.

What’s being exposed?

The following personally identifiable information (PII) is exposed during the login procedure on the mobile application:

  • Username
  • Base64-encoded SHA1 hash of the password

The following PII is exposed during the “Password Reset” functionality on the mobile application:

  • E-mail

The following PII is exposed when a user requests a free trial through the website:

  • E-mail
  • First and last name
  • Country

What can you do?

Businesses should have an active mobile security service deployed. MDMs can restrict access to certain apps, but they cannot limit access to websites. The deployed service should therefore filter and block at the data (traffic) level, so that traffic to both leaky apps and vulnerable websites can be blocked.
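As an added example (not Wandera’s or SkyDemon’s code) that ties together the hashing scheme described under “How does it work?” and the data-level filtering recommended here: the first function reproduces a base64(SHA1(password)) login token and shows why it is a fixed, replayable value; the filter function flags a captured cleartext form POST that carries such a value; the last two functions show the salted server-side verifier a backend should use instead. The sample request, its path and its field names are constructed and assumed.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode


def legacy_login_token(password: str) -> str:
    """The scheme described above: SHA1 of the password, then base64. No salt and
    no per-session nonce, so the token is identical on every login and whoever
    reads it off the wire holds a credential that can be presented as-is."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def looks_like_b64_sha1(value: str) -> bool:
    """True when a form value is valid base64 decoding to exactly 20 bytes (SHA1 size)."""
    try:
        return len(base64.b64decode(value, validate=True)) == hashlib.sha1().digest_size
    except (binascii.Error, ValueError):
        return False

def find_cleartext_hashed_credentials(http_request: str) -> List[str]:
    """Data-level filter check: given a captured cleartext HTTP form POST, return
    the names of the fields whose value looks like a base64 SHA1 hash."""
    head, _, body = http_request.partition("\r\n\r\n")
    if not head.startswith("POST ") or "application/x-www-form-urlencoded" not in head:
        return []
    fields = parse_qs(body, keep_blank_values=True)
    return [name for name, values in fields.items()
            if any(looks_like_b64_sha1(v) for v in values)]

def make_verifier(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What a backend should store instead: a salted, slow PBKDF2 hash. The client
    sends the plaintext password over TLS only, and the stored value is never
    accepted as a login credential, so capturing it does not allow a replay."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def check_password(password: str, salt: bytes, verifier: bytes) -> bool:
    return hmac.compare_digest(make_verifier(password, salt)[1], verifier)


# Constructed sample request, not real SkyDemon traffic; path and field names are assumed.
SAMPLE_REQUEST = ("POST /login HTTP/1.1\r\nHost: api.example.invalid\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  + urlencode({"username": "pilot42", "password": legacy_login_token("abc")}))
```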