WARNING: Use MWC Mobile App at Your Own Risk

Dubbed as the 'premier mobile industry event for the Americas', MWC is making its debut in San Francisco with glaring mobile app vulnerabilities.

As an attendee you would expect that a premier event such as MWC would take the appropriate measures to protect both itself and you, but they haven't. After leveraging our platform to rapidly analyze the MWC application we found multiple vulnerabilities that could put attendees at significant risk. What's worse is that one of the vulnerabilities has been around since 2012 and has been documented in at least nine different books (yes, nine) on mobile security and hacking mobile devices. The identification of this vulnerability goes back to Neil Bergman and was originally written about in a blog post here.

We take no credit for originally identifying this vulnerability, but we are nonetheless surprised to see it 5 years later in the attendee application for the 'premier' mobile industry event. The reason we're calling this out is two-fold; first, we think that event organizers and applications that will be installed on thousands of devices should hold themselves to a higher standard, and second, this vulnerability exists in too many applications and needs more exposure.

At a high level the MWC app was found to contain critical vulnerabilities that place users of the app, especially those at the conference, in danger of remote-code exploitation. This could, in turn, be used to attack the organizations they represent, their intellectual property, and their personal and private information. To say that this is concerning is an understatement.

Looking all the way back to 2014 we see FireEye talking about this vulnerability and dubbing it "JBOH", or JavaScript-Binding Over HTTP. Watch the BlackHat talk here. As estimated by FireEye’s research, more than 5 billion downloaded Android apps are vulnerable to remote attacks, but the JBOH vulnerability may be the riskiest one.

The root of the problem is a JavaScript binding method called addJavascriptInterface that is a common, but insecure, method of loading web content into an Android app. When an Android app invokes the method and loads the content from a web browser in WebView over HTTP, it opens the door for attackers to execute code remotely. In other words, attackers can hijack mobile communications to inject malicious content and links into the application, gaining full control of the app running on the device.

What's even more surprising than the MWC application having this vulnerability is that of all popular Android apps with more than 50,000 downloads each, 31% are highly vulnerable. Of these apps, 18% fall into categories with potentially sensitive data such as finance, shopping, medical and productivity.

OK, a lot of organizations are failing at application security, so what do we do?

The answer to that question is exactly why Mi3 Security was formed. We understand the difficulty in trying to keep up with market shifting customer demands while simultaneously trying to design, develop and test secure mobile applications via traditional means. The good news is that technology has advanced to a point where heavy automation, paired with big data, and analyzed via machine-learning, can provide early detection of high-risk vulnerabilities during the build process, before any lasting damage can be done via in-market applications.

Our overarching goal is to dramatically shift the security posture of organizations by providing tools that integrate deeply into build pipelines and the security review process. If you haven't seen what automation can do for your mobile application security, we urge you to spend at least 15 minutes with our machine learning based RECON platform and see the results for yourself.