Uber has shown that it understands the need for mobile app security testing with a bug bounty program that promises up to $10,000 for “bugs and glitches”. This was in response to the high number of Uber login credentials for sale on the dark web at 40¢ each.
This program of bug bounties and mobile app security testing has, in some respects, failed: security researchers at the Portuguese security research company Integrity found a series of vulnerabilities. The security vulnerabilities ranged from a flaw in Uber’s account activation process that made it possible to add pseudo driver profiles to Uber’s database, to a flaw for creating pseudo coupon codes giving drivers a further $100 in revenue. The security researchers give details of their mobile app security testing of Uber, with more of the flaws due to be published after remediation at Uber.
Aside from abuse of the Uber app’s logic, there are numerous privacy problems that came to light from their research. The data accessible through these flaws exposes personal information, such as user email addresses and profile pictures; device data, such as UUIDs and phone numbers; and a complete history of the journeys made by riders and drivers.
It is a cause for concern that a company with $12.51bn in funding is caught out, so what is the issue here? Is Uber neglecting to protect its reputation, investment, and users? This kind of embarrassment is avoidable with infrastructure for mobile app security testing and public bug bounties. In this case, Uber is fortunate that the people who discovered these flaws follow the ethical code of white hat hackers.
Codified Security is here to help make your mobile app secure, whether it’s for iOS or Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing, try out Codified Security.