PHOENIX, Aug. 6, 2019 /PRNewswire/ — Bishop Fox, the largest private professional services firm focused on offensive security testing, has uncovered an alarming number of security flaws in most major cities’ mass transit apps. Specifically, Senior Security Engineer Priyank Nigam found significant vulnerabilities in the mobile apps for Amtrak and Greyhound Lines, Inc. He presented his research, “Reverse Engineering Mobile Apps: Never Pay for Transit Again,” today at the 2019 BSides Las Vegas conference.
Successful exploitation of mobile mass transit apps can range from the relatively harmless “stealing” (or forging) of e-tickets to the critical exposure of customer PII and account takeover. Mobile apps are effectively thick clients: they run locally, in a runtime they cannot trust, and so inherit the same vulnerabilities as their desktop ancestors.
“I was purchasing Amtrak tickets and saw an authentication bypass vulnerability almost immediately in their mobile app. We contacted Amtrak, told them about the issue, and they fixed it quickly. As I dug more deeply into other application-specific attack vectors, I found other mass transit companies with similar problems,” said Nigam. “Most mass transit and city-level transit systems outsource the development of their mobile apps to a small number of vendors, so this is the tip of the iceberg in terms of potential exposure. Yet, many of these vendors were indifferent to fixing the vulnerabilities we identified for them.”
During his presentation, Nigam demonstrated multiple vulnerabilities in well-known mass transit mobile apps and showed how client-side obfuscation measures – such as encrypted HTTP bodies and encrypted application storage (flat files, SQLite databases, and custom mobile SDK-based encryption) – could be bypassed.
About Bishop Fox
Bishop Fox is the largest private professional services firm focused on offensive security testing. Since 2005, the firm has provided security consulting services to the world’s leading organizations — working with over 25% of the Fortune 100 — to help secure their products, applications, networks, and cloud resources with penetration testing and security assessments. In February 2019, Bishop Fox closed $25 million in Series A funding from ForgePoint Capital, which will allow the company to continue to grow its research capabilities and develop next-generation offensive security technologies. The company is headquartered in Phoenix, AZ and has offices in Atlanta, GA; San Francisco, CA; New York, NY; and Barcelona, Spain.
SOURCE Bishop Fox