2019/12/26 08:15:01

Mobile applications for the alcohol choice

Main article: Mobile applications

2019: Rostelecom-Solar checked security of applications for the alcohol choice

On December 25, 2019 Rostelecom-Solar summed up the results of its research into the security of mobile applications for choosing alcohol.

As Rostelecom-Solar notes, a restriction on selling alcoholic beverages over the Internet, introduced by a government decree in 2007, is in force in the Russian Federation. This restriction has repeatedly been the subject of heated debate. As a result, in December 2019 the Ministry of Finance of the Russian Federation intends to submit a bill legalising online alcohol sales to the Government of the Russian Federation. The bill's stated main objective is to combat the shadow alcohol trade on the Runet: illegal sales in the Russian segment of the Internet grew by 23% in 2018, to 2.1 billion rubles. If the government approves the bill, the first stage of online alcohol trade could start in January 2020.


Given the topicality of the subject, Rostelecom-Solar experts used the Solar appScreener tool to check popular mobile applications for choosing alcohol for vulnerabilities and undeclared functionality in their program code. Services were selected for analysis by popularity: the number of downloads and the position held in the "Food and drinks" section of Google Play and the App Store.

The following services were selected for the study: Vivino, Simple Wine, Untappd, "Whisky", Whisky Suggest, "My Cocktail of Bars", "Cocktail recipes for a party", "Красное&Белое", "KUULKLEVER" ("Have a rest"), "Bristol", "Fragrant World" and "Vinlab". The applications were examined in their versions for the Android and iOS operating systems.

Among the Android versions, first place, by a considerable margin over its competitors, went to the "SimpleWine - wine and drinks from the sommelier" application: it scored 3.8 out of 5.0, as it contains no critical vulnerabilities. Second and third places, separated by a minimal margin, went to the Fragrant World and "Vivino - the wine scanner" applications. They showed roughly the same good result, exceeding the market-average overall security level of 2.2 out of 5.0 by almost a point.

The Android versions of the KUULKLEVER (Have a Rest) and Vinlab applications contain 7 occurrences of critical vulnerabilities in their source code, which exceeds the maximum of 5 permissible for staying at or above the market-average overall security level. This study also observed, for the first time, a situation where an application (Bristol) containing only 2 occurrences of critical vulnerabilities in its source code receives a low overall security rating because of a huge number of medium-severity vulnerability occurrences (10208).

In roughly a third of the Android applications studied, the use of an empty password was observed, which risks compromising the application, i.e. giving an outsider access to protected information.

"In this case the main risks for the user are connected with an attacker possibly gaining access to the user's account in social networks. Many of the applications studied support authentication through social networks. As a result, the user's correspondence and the confidential information contained in his social account may become available to the attacker. In the near future, once online trade in alcoholic products is permitted, users will be able to link their bank cards to such applications. This could further lead to real financial losses for users as a result of attackers withdrawing money from the linked cards. Therefore developers of applications for choosing alcohol who plan to carry out online sales through their services should think about checking the code of their products for vulnerabilities."

80% of the Android applications examined in the study allow an internal leak of valuable information about the system configuration, which makes it easier for an attacker to prepare an attack on the application.

The iOS versions of mobile applications for choosing alcohol are protected much worse than their Android counterparts. Here the best results were shown by the KUULKLEVER ("Have a rest"), Bristol, "SimpleWine - wine and drinks" and Whisky Suggest applications. The WineLab alcohol-selection service closes the rating.

Typical of the iOS versions are vulnerabilities such as the use of an insecure hash function, which can lead to a breach of the confidentiality of user data. The applications studied also use the "debug" NSLog method, which can potentially disclose information that lets an attacker mount an attack on the application. And because of the use of unsafe reflection, an iOS application studied is potentially vulnerable to the execution of arbitrary malicious code, since this method accepts data from an untrusted source as an argument.
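The three iOS weakness classes named above, each shown as the risky pattern next to a safer alternative. This is an added illustration, not code from the report or from any of the applications studied; the class and method names are assumptions.

```objective-c
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonDigest.h>
#import <os/log.h>
// Hypothetical account handler of a wine-catalogue app; all names are assumptions.
@interface AccountHandler : NSObject
@end
@implementation AccountHandler
- (void)refreshCatalogue { /* fetch the catalogue */ }
- (void)syncFavourites   { /* upload favourites */ }
// 1. Debug logging: NSLog output reaches the unified log, readable through a
//    connected Mac or diagnostic tooling, so the token is disclosed.
- (void)logLoginRisky:(NSString *)email token:(NSString *)token {
    NSLog(@"login ok: %@ token=%@", email, token);
}
// Safer: never log the secret; %{private} makes os_log redact the e-mail.
- (void)logLoginSafer:(NSString *)email {
    os_log(OS_LOG_DEFAULT, "login ok: %{private}@", email);
}
// 2. Unsafe reflection: a selector built from external data (deep link, push
//    payload, server JSON) lets that source choose which method runs.
- (void)runActionRisky:(NSString *)name {
    SEL sel = NSSelectorFromString(name);
    if ([self respondsToSelector:sel]) {
        ((void (*)(id, SEL))[self methodForSelector:sel])(self, sel);
    }
}
// Safer: map the external name onto a fixed table; unknown names do nothing.
- (void)runActionNamed:(NSString *)name {
    NSDictionary<NSString *, void (^)(void)> *actions = @{
        @"refresh":    ^{ [self refreshCatalogue]; },
        @"favourites": ^{ [self syncFavourites]; },
    };
    void (^handler)(void) = actions[name];
    if (handler) handler();
}
// 3. Weak hashing: MD5 is broken, so a hashed identifier or password can be
//    brute-forced or collided. Use SHA-256 here, and PBKDF2 for passwords.
+ (NSData *)digestRisky:(NSData *)input {
    unsigned char out[CC_MD5_DIGEST_LENGTH];
    CC_MD5(input.bytes, (CC_LONG)input.length, out);
    return [NSData dataWithBytes:out length:sizeof out];
}
+ (NSData *)digestSafer:(NSData *)input {
    unsigned char out[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(input.bytes, (CC_LONG)input.length, out);
    return [NSData dataWithBytes:out length:sizeof out];
}
@end
```

A static analyser flags the NSLog call, the NSSelectorFromString use and CC_MD5 in the "risky" methods; the "safer" variants are what a reviewer would ask the developer to replace them with.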

During the research the applications were not decompiled or deobfuscated; static analysis was performed on the binary code.
