How Healthy Is Your Mobile Fitness App? 7 Common Security Vulnerabilities

Ironman triathlete or couch potato, there’s a mobile fitness app that promises to help you reach your health and fitness goals. Running with a buddy is great, but running with a fitness app is the preference of approximately 260 million consumers in 2018.

However, by tracking and collecting some of the user’s personal activity data (location, exercise, sleep, weight and more) along with credit card information, fitness apps house data that can be leveraged maliciously. A social fitness tracking app recently made headlines by inadvertently exposing the locations of U.S. military bases around the globe. Beyond potentially exposing your credit card information, what if an unsecured app revealed your daily routines to a potential criminal, or provided a back door into your personal photo albums, invading your privacy?

To understand the security status of the popular fitness market better, SEWORKS analyzed the top 10 fitness apps in the Android and iOS market to identify any potential areas of concern. The result? All of the apps SEWORKS analyzed had some critical and medium security vulnerabilities. Each one that we looked at could potentially be decompiled, which could ultimately lead to malicious hacking.

Here’s what we found and what you, as a developer, should do.

Vulnerabilities and Guidelines

The following are 7 common security vulnerabilities uncovered in 10 popular mobile fitness apps.

  1. The file I/O (input/output) programming function allows data to transfer either to or from the app file system. If not secured, a hacker could inject malicious code and gain read or write access to resources such as user permissions and file structures. Developers should store in local files only the data the app needs, and encrypt those files.
  2. Intents are a coding framework that allows apps and components to communicate with one another by passing messages. If not secured, an intent can be called to view other intents hidden within the mobile application, which could contain cached data with user passwords and credentials. Developers should set intent exports to “false” until they are needed.
  3. URL schemes are intents enabling applications to communicate with servers and web pages from inside an app. An insecure intent scheme URL can give malicious web pages a way to conduct intent-based attacks against apps, with virtually no protections. Developers must implement their own security provisions for URL functions, instead of relying on browsers.
  4. Log files are used by developers to store a history of events or transactions for later review, statistics or debugging purposes, and can help improve app performance and usability. However, without proper protection, hackers can write a malicious app and take advantage of a vulnerability in the log processing utility. Developers should disable log reading or restrict its permissions to only the classes that need access.
  5. Reflection is a relatively advanced programming technique provided in most APIs that allows developers to treat class definitions as objects and perform operations which would otherwise be difficult. However, attackers can potentially manipulate objects at runtime and inject damaging code. Developers should be proficient before implementing reflection; otherwise, it’s an unneeded risk.
  6. A software development kit (SDK) contains what a developer may need to create apps on a specific platform, such as tools, libraries, relevant documents, sample code, processes and guides. To streamline development, SDKs may come with pre-built functionality. However, there’s also a possibility that an SDK could be compromised. Developers should only use SDKs that improve the function of the application.
  7. Supported obsolete program functions are removed after a new version is produced, but deprecated objects are often left in place. However, this may alert a malicious attacker that the surrounding code could be vulnerable. Developers should remove any and all unused and outdated code.
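
Items 2 and 3 can be checked mechanically on Android. The following is an added example, not part of the original article or SEWORKS' tooling: a manifest audit that lists components other apps can call and URL schemes that web pages can reach. It assumes the "exports" in item 2 correspond to the `android:exported` manifest attribute; `audit_manifest`, the sample manifest, its component names and the `fitapp` scheme are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
CAT = "android.intent.category."
COMPONENTS = {"activity", "activity-alias", "service", "receiver", "provider"}
# Constructed sample manifest for illustration; not from any analyzed app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <application>
  <activity android:name=".MainActivity" android:exported="true">
   <intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/>
   </intent-filter>
  </activity>
  <activity android:name=".WorkoutLinkActivity">
   <intent-filter>
    <action android:name="android.intent.action.VIEW"/>
    <category android:name="android.intent.category.BROWSABLE"/>
    <data android:scheme="fitapp"/>
   </intent-filter>
  </activity>
  <service android:name=".SyncService" android:exported="false"/>
  <receiver android:name=".TokenReceiver" android:exported="true"/>
 </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return sorted (component, finding) pairs worth a manual review."""
    findings = set()
    app = ET.fromstring(xml_text).find("application")
    for comp in (c for c in app if c.tag in COMPONENTS):
        name, exported = comp.get(A + "name"), comp.get(A + "exported")
        filters = comp.findall("intent-filter")
        cats = [{c.get(A + "name") for c in f.findall("category")} for f in filters]
        # No explicit flag + an intent-filter = exported on apps targeting below API 31.
        reachable = exported == "true" or (exported is None and bool(filters))
        launcher = any(CAT + "LAUNCHER" in c for c in cats)  # launcher must stay exported
        if reachable and not launcher and comp.get(A + "permission") is None:
            how = "explicitly" if exported == "true" else "implicitly"
            findings.add((name, f"{how} exported, no permission"))
        for f, c in zip(filters, cats):
            if CAT + "BROWSABLE" in c:  # filter can be triggered from a web page
                for s in filter(None, (d.get(A + "scheme") for d in f.findall("data"))):
                    findings.add((name, f"web-reachable scheme: {s}"))
    return sorted(findings)

if __name__ == "__main__":
    for component, finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"{component}: {finding}")
```

Each finding is a prompt for review rather than a confirmed flaw: a web-reachable activity still has to validate everything it receives in the incoming URL.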

While the growing market for mobile fitness applications presents strong revenue opportunities for companies, vulnerabilities were present in every app during our security checkup. We firmly believe the best path to a healthy mobile fitness app (or any app, for that matter) is to implement security during the app development process itself and to update it continuously to keep up with rapidly changing security trends.

Min Pyo Hong

Min Pyo Hong, CEO and founder of SEWORKS, advises corporations, NGOs, and governments on digital and cyber security issues. Min led a team of five-time finalists at the annual DEF CON conference in Las Vegas, and is a PhD candidate at Korea University in SANE-LAB Information Security. A serial entrepreneur, his previous company, SHIFTWORKS, was sold to InfraWare. Min also founded the WOWHACKER Collective, a non-profit security research group in Korea.
