2015-01-16

InfoSec risks of android travel applications


I was offline for 95% of the xmas break, instead investing my keyboard time into: (a) the exercises in Structure and Interpretation of Computer Programs and (b) writing some stuff on the implications of the Sony debacle for my home network security architecture.

I'm going to start posting the latter articles in an out-of-order sequence, with this post: InfoSec risks of android travel applications

Summary:
1. Airline checkin & travel apps demand so many privileges that you can't trust corporate calendar/contact data to stay on the devices. Nor, in the absence of audit logs, can you tell if the information has leaked.

2. Budget airline applications are the least invasive; "premium" airlines demand access to confidential calendar info.

3. Even train timetable apps like to know things like your contact list.

However hard you lock down your network infrastructure, mandate 26 digit high-unicode passwords rolled monthly, mandate encrypted phones and pin-protected SIM cards, if those phones say "android" when they boot you can't be confident that sensitive corporate data isn't leaking out of those phones if the users expect to be able to use their phones to check on buses, trains or airplanes.

Introduction

Normally the fact that Android apps can ask and get near-unlimited data access is viewed as a privacy concern. It is for home users. Once you do any of the following, it becomes an InfoSec issue:
  • Synchronise calendar with a work email service.
  • Maintain a contact list which includes potentially confidential contacts/customers.
  • Bond to a work Wifi network which offers network access to HTTP(S) sites without some form of auth.
  • Do the same via VPN
What is fascinating is that apps asking for access to calendar info -especially "confidential event information"- is something that mainstream airline travel apps demand in exchange for giving you the ability to check in to a flight on your phone, look at schedules and your tickets. Android does not provide a way to directly prevent this.

Demands of Applications

Noticing that one application update wanted more information than I expected, I went through all the travel apps on my android phone and looked at what permissions they demanded. These weren't explicitly installed for the experiment, simply what I use to fly on airlines, and some train and bus ones in the UK. I'm excluding tripit on the basis that their web infrastructure requests (optional) access to your google emails to autoscan for trip plans, which is in a different league from these.


| Entity | Calendar | Contacts | Network | Location |
|---|---|---|---|---|
| British Airways | confidential, participants | No | Yes | Precise |
| United Airlines | confidential, participants | No | Yes; view network connections | Precise |
| Easyjet | No | No | Yes | Precise |
| Ryanair | No | No | Yes | Precise |
| National Rail | Add, modify, participants | No | Yes | Precise |
| National Express Coach | No | Yes | Yes; view network connections & wifi | Precise |
| First Great Western trains | No | No | Yes | Precise |
| trainline | No | No | Yes; view network connections | Precise |
| First Bus | No | No | Yes; view network connections | Precise |

When you look at this list, it's appalling. Why does the company that I use to get a bus to LHR need to know my contact list? Why does BA need my confidential appointment data? Why does the UK National Rail app need to be able to enumerate the calendar and send emails to participants without the owner's knowledge?
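One way to repeat this survey mechanically, as an added example that is not from the original post: it parses the text printed by `aapt dump permissions` for an APK and flags an app that can both read calendar/contact data and reach the network. The package names and sample output are constructed, and the mapping from the Play Store wording in the table to manifest permission names is an assumption of this example.

```python
import re

PREFIX = "android.permission."
# Manifest permissions assumed to sit behind the Play Store wording in the table.
LABELS = {
    "READ_CALENDAR": "calendar: read events plus confidential information",
    "WRITE_CALENDAR": "calendar: add/modify events, email participants",
    "READ_CONTACTS": "contacts: read contact list",
    "INTERNET": "network: full access",
    "ACCESS_NETWORK_STATE": "network: view network connections",
    "ACCESS_WIFI_STATE": "network: view wifi connections",
    "ACCESS_FINE_LOCATION": "location: precise",
}
# Data that stops being merely private once a work account syncs to the phone.
CORPORATE = {"READ_CALENDAR", "WRITE_CALENDAR", "READ_CONTACTS"}

# aapt prints "uses-permission: name='X'" (newer) or "uses-permission: X" (older).
LINE = re.compile(r"^(package|uses-permission):\s*(?:name=')?([\w.]+)")

def audit(aapt_output):
    """Classify one app from the text of `aapt dump permissions app.apk`."""
    package, requested = None, set()
    for line in aapt_output.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        if m.group(1) == "package":
            package = m.group(2)
        elif m.group(2).startswith(PREFIX):
            requested.add(m.group(2)[len(PREFIX):])
    exposed = sorted(requested & CORPORATE)
    return {
        "package": package,
        "findings": sorted(LABELS[p] for p in requested if p in LABELS),
        "exposed": exposed,
        # Readable corporate data plus a network path out: the app is able to leak it.
        "can_leak": bool(exposed) and "INTERNET" in requested,
    }

# Constructed sample output for two hypothetical apps (not real packages).
PREMIUM = """package: com.example.premiumair
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CALENDAR'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'"""
BUDGET = """package: com.example.budgetair
uses-permission: android.permission.INTERNET
uses-permission: android.permission.ACCESS_FINE_LOCATION"""

if __name__ == "__main__":
    for sample in (PREMIUM, BUDGET):
        print(audit(sample))
```

This reports what an app has requested, not what it has read; it does not replace the access logging asked for later in the post.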

British Airways: wants access to confidential calendar info and full network access. What could possibly go wrong?



United: wants to call numbers, take photos and access confidential calendar info


National Express Bus Service
This is a bus company. How can they justify reading my contact list -business as well as personal?

 
UK National Rail
Pretty much total phone control, though not confidential appointment info. Are event titles considered confidential though?


Google's business model is built on knowing everything about your personal life -but this isn't about privacy, it is about preventing data leakage from an organisation. If anyone connects to your email services from an android, your airline checkin apps get to see the title, body and participants in all calendar appointments, whether that is "team meeting" or "plans for takeover of Walmart" where the participants include Jim Bezos and Donald Trump(*).

What could be done?
  1. Log accesses. I can't see a way to do this today, yet it would seem a core feature IT security teams would like to know. Without it you can't tell what information apps have read.
  2. Track provenance of calendar events and restrict calendar access only to events created by the airline apps themselves. This would require the servers to add event metadata; as google own gmail they could add a new BigTable column with ease.
  3. Restrict network access to HTTPS sites on specific subdomains. Requiring HTTPS is good for general wifi security, and stops (most) organisations from playing DNS games to get behind the firewall.
Above and beyond that: allow users to easily restrict what privileges applications actually get. Don't want to give an app access to the contacts? Flip a switch and have the API call return an empty list. Want to block confidential calendar access? Another switch, another empty payload. Apple lets me do that with foreground/background location data collection on their devices through a simple list of apps, but google doesn't.

In the absence of that feature, if you want to be able to check in on your android phone on a non-budget airline, you have to give up expectations of the security of your confidential calendar data and contact list.

And in a world of BYOD, where the IT dept doesn't have control of the apps on a phone, that means they can't stop sensitive calendar/contact data leaking at all.

(*) FYI, there are no appointments in my calendar discussing taking over Walmart that include both Jim Bezos and Donald Trump. I cannot confirm or deny any other meetings with these participants or plans for Walmart involving other participants. Ask British Airways or UAL if you don't believe me.

"It is not necessary to have experience of Hadoop"


I don't normally post LinkedIn approaches, especially from our competitors, but this one was so painful it blew my "do your research" criteria so dramatically it merits coverage.

FWIW my reply was: this is some kind of spoof, no?

Col du Barrioz


On 01/16/15 2:56 AM, Jessica <surname omitted to avoid embarrassment> wrote:    
--------------------
Hi Steve,

I hope you are well?

We are currently hiring at Cloudera to expand our Customer Operations Engineering team.

We are looking to build this team significantly over the coming months and this is a rare opportunity to become involved in Cloudera's Engineering department.

The role is home based with very little travel required (just for training).

We are looking for people with strong Linux backgrounds and good experience with programming languages. It is not necessary to have experience of Hadoop - we will teach you !!

For the chance to be part of this team please send me your CV to <email omitted to avoid embarrassment>@cloudera.com alternatively we can organise a time to speak for me to tell you more about the role?

Regards
Jessica

--------------------

As an aside, I am always curious why recruiter emails always start with "I hope you are well?".

a) We both know that the recruiter doesn't care about my health as long as it doesn't impact my ability to work with colleagues, customers and, once my training in Hadoop is complete, maybe even to learn to understand how to use things like DelegationTokenAuthenticatedURL, that being what I am staring at right now.(*)

b) We both know that she doesn't actually want details like "well, the DVLA consider my neurological issues under control enough for me to drive again —even down to places like the Alps, and the ripped up tendon off my left kneecap is manageable enough for me to do hill work when I get there"

(*) If anyone has got Jersey+SPNEGO hooked up to UserGroupInformation, I would love that code.