Mobile app security testing of Confide, the messaging app reportedly favoured by President Trump’s aides, turned up numerous vulnerabilities.
Researchers from IOActive reported the security flaws to the developers of Confide, which advertises itself as an encrypted messaging app. After Confide patched the app, the researchers released the results of their mobile app security testing.
Examining the Android app (version 4.04) with mobile app security testing techniques such as reverse engineering, observing the app’s behaviour and examining its API, the researchers identified the following problems:
- HTTPS: the app’s notification system did not require a valid TLS server certificate, leaving it open to a man-in-the-middle attack.
- Messaging: it was possible for unencrypted messages to be sent, and the UI did not show the user when a received message was unencrypted.
- Accounts: the app gave attackers a way to extract all of Confide’s user accounts, with personally identifying information such as names, email addresses and phone numbers. Passwords were inadequately protected, and the standards for the passwords users were allowed to set were low.
Together these problems left the app open to session hijacking to impersonate other users, account takeover through brute-force password attacks, extraction of user details, interception of messages, and alteration of message text.
The developers behind Confide claim that no exploits were launched against users of the app.
This is one of a number of stories in which apps claiming a particular security feature, such as secure password managers, anti-malware apps, VPN apps and secure messaging apps, were shown by mobile app security testing not to deliver it. It remains to be seen whether these apps have improved at all or continue to use security merely as an advertising feature.
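The account weaknesses in the list above (an unauthenticated directory that hands out PII, weak password rules, and a login that can be brute-forced and used to tell real accounts from non-existent ones) have the same shape in any app backend. The following is an added example, not Confide’s code and not IOActive’s test code: a small Python model of a vulnerable account service beside a hardened one. The sample users and their data, the PBKDF2 parameters, the password denylist, and the five-failures-per-fifteen-minutes lockout are assumptions chosen for illustration.

```python
"""Vulnerable vs. hardened account endpoints (added example; all data constructed)."""
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict, deque
from typing import Optional

# Passwords are stored as salted PBKDF2-HMAC-SHA256 hashes (stdlib). A memory-hard
# KDF such as argon2id or scrypt is preferable in production; PBKDF2 is used here
# only to keep the example dependency-free.
PBKDF2_ROUNDS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _make_user(name: str, email: str, phone: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"name": name, "email": email, "phone": phone,
            "salt": salt, "pw_hash": _hash_password(password, salt)}


# Constructed sample directory: a legacy account created under a weak password policy.
USERS = {
    "alice": _make_user("Alice Example", "alice@example.com", "+1 555 0100", "hunter2"),
}


# --- Vulnerable patterns (the shape of the findings above) --------------------

def vulnerable_directory() -> list:
    """Unauthenticated endpoint that returns every account together with its PII."""
    return [{"name": u["name"], "email": u["email"], "phone": u["phone"]}
            for u in USERS.values()]


def vulnerable_login(username: str, password: str) -> str:
    """No throttling, and a different message for an unknown user than for a wrong
    password, so an attacker can enumerate accounts and then brute-force them."""
    user = USERS.get(username)
    if user is None:
        return "no such user"
    if _hash_password(password, user["salt"]) != user["pw_hash"]:  # non-constant-time
        return "wrong password"
    return "ok"


# --- Hardened versions --------------------------------------------------------

MIN_PASSWORD_LEN = 12
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "hunter2"}  # stand-in denylist
MAX_FAILURES, WINDOW_SECONDS = 5, 15 * 60          # assumed lockout policy
_failures = defaultdict(deque)                     # username -> timestamps of failed logins
_sessions = {}                                     # token -> username
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy", _DUMMY_SALT)


def check_password_policy(password: str) -> Optional[str]:
    """Return the reason a password is rejected, or None if it is acceptable."""
    if len(password) < MIN_PASSWORD_LEN:
        return "must be at least %d characters" % MIN_PASSWORD_LEN
    if password.lower() in COMMON_PASSWORDS:
        return "password is too common"
    return None


def register(username: str, name: str, email: str, phone: str, password: str) -> None:
    reason = check_password_policy(password)
    if reason:
        raise ValueError(reason)
    USERS[username] = _make_user(name, email, phone, password)


def _too_many_failures(username: str, now: float) -> bool:
    window = _failures[username]
    while window and now - window[0] > WINDOW_SECONDS:  # drop failures outside the window
        window.popleft()
    return len(window) >= MAX_FAILURES


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Return a session token on success, else None. Unknown user, wrong password and
    lockout all look identical to the caller, and all cost one KDF run."""
    now = time.time() if now is None else now
    if _too_many_failures(username, now):
        return None
    user = USERS.get(username)
    salt, expected = (user["salt"], user["pw_hash"]) if user else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_hash_password(password, salt), expected) and user is not None
    if not ok:
        _failures[username].append(now)
        return None
    token = secrets.token_urlsafe(32)
    _sessions[token] = username
    return token


def directory(token: str) -> list:
    """Authenticated callers only, and only display names: no email or phone."""
    if token not in _sessions:
        raise PermissionError("authentication required")
    return sorted(u["name"] for u in USERS.values())
```

The per-account lockout above trades availability for brute-force resistance (an attacker who knows a username can lock its owner out for the window), so in a real service it is paired with per-source throttling and a KDF cost that makes online guessing slow in its own right; the point the example makes is that the lockout, the generic failure response and the constant-time comparison must all be present for the account findings above to be closed.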
Codified Security is here to help make your mobile app secure, whether it’s for iOS or Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing, try out Codified Security.