Millions of people use apps every day to communicate with friends, track their daily run, transfer money or check their covid-19 test result. As a result, security has become more critical than ever before, because many of these apps use and track personal data. But are they really secure? This was the focus in the final project for a class of Master’s students attending the Network Security course taught by Associate Professor Diego F. Aranha. The students analysed an app of their own choice for potential threats and vulnerabilities. The 28 groups analysed 21 different apps, of which nine were found vulnerable enough for a follow-up vulnerability disclosure process. So far, students have been successfull in contacting half the companies to disclose their findings.
In 2015, Diego Aranha supervised a Bachelor’s project in Brazil, in which the student was investigating security breaches in eight banking apps. The student found security vulnerabilities in seven of them. All the banks were contacted regarding the issues, but many were not interested in the findings or the suggested solutions. This made headlines in the Brazilian press. The episode is behind the idea for the Master’s course Network Security, which Associate Professor Diego Aranha now teaches at Aarhus University.
“As a cryptographer, I know, that there are security breaches everywhere, but it was still alarming to see the number and seriousness of the errors in these banking apps,” says Diego, and continues: “This gave me the idea for a course project, in which the students analyse apps from their everyday life to investigate how widespread the problem with security actually is. Moreover, they have to come up with solutions to the issues identified. Many people believe that ‘hacking’ is something negative, but in this course we are the good guys, and we hack apps to secure the users’ personal data even better.”
In autumn 2020, 50 students from AU Engineering and the Department of Computer Science followed the Network Security Master’s course. On the course, the students learned about different layers of security and typical software vulnerabilities, attacks and counter-measures. The course wrapped up with an analysis of an app of the students’ own choice. Having practical work included in the course is something the students really enjoyed.
“I really liked that the course had very practical elements, for instance letting us try some attacks to get a better understanding of how they work in practice. Also, the final project was really fun. I liked working on an actual app and getting some real-life experience with security analysis,” says computer science student Anna Mie Hansen. She continues, “I’ve followed many theoretical cryptography courses but have always found it hard to learn the more practical side of things, but this course gave me some good starting points - and now that I’ve already tried some things, I have the courage to try to learn even more.”
Anders and Christian, who study Computer Engineering agree: “We really like the many practical exercises that allowed us to test all the theory we’ve learned on the course. It was especially exciting to get an overview of the many different ‘attack surfaces’ and vulnerabilities one has to take into account in almost all applications”.
The students chose their own case to analyse for the final project, but there was a requirement that the app in some way handled sensitive or personal data. Letting the students choose their own app to work with generally makes them more interested in the project, Diego explains.
Anna chose to work with a postal service app, while Anders and Christian completed their analysis of an app used for payroll management (company names are left out due to confidentiality agreements). Both groups found vulnerabilities in their analyses.
Anna’s postal app enables users to pick up packages via their phones’ Bluetooth connection, and the app has access to the users’ phone number and location via GPS. "I found a piece of code that goes against the most basic best practices for security, which was surprising to me as someone interested in security. At first, I couldn't believe that the developers had left it there, but I guess when you’re not a security specialist, things like this can be easy to miss,” says Anna.
Anders and Christian chose to analyse an app that is very relevant for themselves, as they both use it to report their working hours and receive their pay slip in their student jobs. The app has access to many kinds of sensitive information such as user names, addresses, social security numbers and salary information.
“In our analysis, we found a security gap that meant we were able to reset the password for any user in the system, and gain access to personal information or change it. This means that a malicious attacker could change bank information for any user on the system, and have the user’s salary paid into another account,” Anders and Christian explain. They continue, “we also found a way to access the API key for Google Maps, which a malicious attacker could use to spend money on Google Maps on behalf of the company. Both findings came as a surprise to us, as the app has many users and handles several types of personal data”.
The 28 groups analysed 21 different apps from Denmark, Germany, Slovakia, as well as international brands, and they found nine were vulnerable enough to deserve a follow-up vulnerability disclosure process with the company. Some of the flaws identified were insecure Internet connections that could be hijacked to capture sensitive information, hardcoded secrets, weak authentication, and breaches of user privacy.
The groups reached out to the companies to present their findings and possible solutions to the problems identified.The students were successfull in contacting half the companies. That means they got an acknowledgement and were able to share a report. We tried all of them through multiple means, but in some cases there was no response or just an automatic reply. “When the students contacted the companies we really met both extremes. Some were very open and interested in the findings, while others ignored them or refused to accept that there could be any security breaches in their app,” says Diego Aranha.
Anna was successful in contacting the company behind the app she investigated. “I presented the company with some of my findings. They said, "thank you", but I never heard anything else, and so far they have not updated the app. So, I guess the vulnerability is still there.” Anders and Christian were more successful: “We contacted the company and they responded very quickly, and asked to have a meeting with us. In fact, they reacted incredibly positively to our contact. They actually ended up hiring us on a consultant contract to do another ‘penetration-test’ of their app, after they had tried to fix the security problems. We’re still in dialogue with them about the results of this test, but we expect the vulnerabilities will be fixed,” says Anders and Christian.
"I was positively surprised about how much effort the students put into the course's final project, with many of them going way beyond what was necessary to get a good grade. It was not an easy task, but I hope the technical challenge gave the students something interesting to focus on during a global pandemic,” says Diego Aranha, and concludes, “I sense many of them got a pretty unique perspective about the security of digital services, and will now contribute this view to society as professionals and researchers in their respective areas."
From autumn 2021, a similar course –also taught by Diego Aranha - is being offered by the Department of Computer Science under the name Systems Security. For more information see the course catalogue https://kursuskatalog.au.dk/da/course/108987/Systems-Security or reach out to Associate Professor Diego F. Aranha dfaranha@cs.au.dk.
The course explores ways to attack and defend computer systems of different types. These include the building blocks of cryptography and software security, and how these can be applied to protect networked systems.