Researcher: police's druktemeter app leaks location data


The app that the police and municipalities offered at major events such as Koningsdag, the Wandelvierdaagse and Gay Pride contains a vulnerability, a security researcher has discovered. It turns out to be possible to intercept the user's location and to manipulate the content shown in the app.

The app communicates unprotected with two different servers, to which data is sent in plain text, discovered Mark Koek of QSec, who examined the iOS version. The app in question is the one that visitors of major events such as Koningsdag can install to see, with the 'druktemeter' (crowd meter), how busy it is in the city. The app was last used during the Relief of Leiden (Leidens Ontzet), when the city celebrated the end of the Spanish siege.

The application sends the user's location unencrypted while the user is operating the app, Koek discovered. This means that anyone with access to the network can intercept users' locations. When the app is running in the background, the location is also sent in order to determine how busy the event is, but that stream is encrypted on iOS. Koek did not examine how this works in the Android version.

The app also retrieves, over an unencrypted connection, information from a server that is used to display the 'current' page. A malicious attacker could therefore manipulate that content, although he would also need access to the network for that. The data is also not sent directly to the police, but through a supplier.
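The two weaknesses in the previous paragraphs, a passive observer reading the location out of a cleartext request and an on-path attacker rewriting a cleartext response, as an added Python example that is not code from the article, from QSec or from the app's supplier. The hostname, path, parameter names and message contents below are constructed assumptions; the article does not disclose the real endpoints or formats.

```python
"""
Added example, not code from the article or from the app's developer: what an
on-path observer can recover from a cleartext HTTP request, a check that flags
cleartext endpoints, and how an on-path attacker can rewrite a cleartext
response. Hostnames, paths, parameter names and bodies are assumed.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed sample request, as an app like the one described might send it
# while the user is interacting with it. Host, path and the lat/lon parameter
# names are assumptions, not taken from the article.
CAPTURED_REQUEST = (
    b"GET /api/position?lat=52.1601&lon=4.4970&user=abc123 HTTP/1.1\r\n"
    b"Host: druktemeter.example.net\r\n"
    b"User-Agent: DrukteMeter/1.0 (iOS)\r\n"
    b"\r\n"
)

# Constructed sample response for the 'current' page, also assumed.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 17\r\n"
    b"\r\n"
    b"Centre: very busy"
)


def parse_http_request(raw):
    """Parse the request line and headers of a cleartext HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def extract_location(raw):
    """Return the coordinates an eavesdropper can read from a cleartext request,
    or None if the request carries no lat/lon query parameters."""
    req = parse_http_request(raw)
    qs = parse_qs(urlsplit(req["target"]).query)
    if "lat" in qs and "lon" in qs:
        return {"host": req["headers"].get("host"),
                "lat": float(qs["lat"][0]),
                "lon": float(qs["lon"][0])}
    return None


def flag_cleartext_endpoints(urls):
    """Return the endpoints that use plain http://: readable and modifiable
    by anyone on the network path. This is the check a reviewer of the app's
    configuration would run over every URL the app talks to."""
    return [u for u in urls if urlsplit(u).scheme == "http"]


def tamper_response(raw_response, old, new):
    """Simulate an on-path attacker rewriting a cleartext response body.
    Content-Length is rewritten so the client accepts the modified body;
    with TLS this modification would break the record MAC instead."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    body = body.replace(old, new)
    lines = [ln for ln in head.split(b"\r\n")
             if not ln.lower().startswith(b"content-length:")]
    lines.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(lines) + sep + body


if __name__ == "__main__":
    print("leaked location:", extract_location(CAPTURED_REQUEST))
    print("cleartext endpoints:", flag_cleartext_endpoints([
        "http://druktemeter.example.net/api/position",
        "https://druktemeter.example.net/api/background",
    ]))
    print(tamper_response(SAMPLE_RESPONSE, b"very busy", b"quiet").decode())
```

The request parser is deliberately minimal (no chunked bodies, no folded headers); the point is that the location sits in the clear in the request target and the content of the 'current' page sits in the clear in the response, so the only thing between an attacker on the same network and the user is whether the transport is TLS.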

Adrian Proos of the National Police says that the police are not responsible for the content of the app. "The app was published via our developer account, but the municipality and the organisers of the event are responsible for the content of the app," said Proos.

The police will also no longer use the app. "It was a pilot project, but of course it is not really our core business," said Proos. He further emphasizes that the data has been anonymised by the time it reaches the police, and that more smartphone apps are susceptible to man-in-the-middle attacks. "If I use a news app on an open wi-fi network, those pages can be manipulated," said Proos. That last claim by Proos is not easily verifiable, but is plausible, because many apps use http instead of the secure https.

A year and a half ago the police app was already discredited once before. The druktemeter in the app was said to send so much data that it could overload the mobile network, the NOS reported at the time. KPN even said that it could then not guarantee access to the emergency number 112. At the inauguration of King Willem-Alexander the druktemeter was removed from the app.
