As we covered in a previous blog post, an application vulnerability (Apache Struts CVE-2017-5638) was blamed for the latest massive Equifax breach. The breach captured major headlines around the world, made cyber security concerns – yet again – a popular discussion by normal folks (those not in the cyber security space), and resulted in several high-level executives departing the credit reporting bureau, including CEO Richard Smith, who had led the company for 12 years.
However, mostly lost in the news was that Equifax quietly removed its mobile app from official app stores on the same day the company disclosed the major breach. The Equifax Mobile App, which the company advertises as a tool to “Protect the power of your credit. Any time. Any Place.” mysteriously disappeared from both the Apple App Store and Google Play, leading to wild speculation as to whether or not the breach had also involved mobile apps.
It turns out the app was not kicked out of the app stores for some sort of policy violation; rather, Equifax removed the app after security researcher Jerry Decime discovered and disclosed a major vulnerability. Although the Equifax app used the secure HTTPS protocol to authenticate between the users’ devices and the company’s back end, once users had logged in, the app used unencrypted HTTP for many of its communications.
Following this lead, Appthority searched through our extensive database of apps in enterprise environments to find instances of the Equifax app and review the analysis results. The analysis confirmed that Equifax transmits sensitive data without encryption, meaning that not all traffic transmitted between users’ devices and its own back ends was encrypted, potentially exposing the data to interception while in motion, as well as exposing users to man in the middle (MiTM) network attacks.
In a vacuum, this discovery, unfortunately, is not very shocking. As we recently blogged, less than 17 percent of apps on the Apple App Store adhere to Apple’s App Transport Security (ATS) requirements, which would have addressed the encryption vulnerability found in the Equifax app. In context, however, it seems to point to a culture of lax security practices at the embattled corporation, ignoring application security best practices not only at the web application level (responsible for the major breach) but also at the mobile app level, putting their customers’ sensitive data at risk.
Perhaps even scarier than finding that one of the largest credit reporting bureaus failed at protecting customer data on many app fronts is the fact that their app, like many others, was available to consumers (and our mobile employees) for download from app stores in the first place. Think about it: Equifax removed the app after being notified of the vulnerability by a researcher and NOT by Apple or Google. While Apple and Google do a great job of reviewing apps for malware and compliance with the store terms and conditions, neither is reviewing apps for vulnerabilities that put our data at risk. Even one of the most basic vulnerability checks, like verifying proper encryption of sensitive data, goes undetected.
This reality is one reason Appthority’s Mobile Threat Protection (MTP) solution is so popular with forward thinking enterprise cyber security teams. They see the gaps in app store vetting and the risk to both corporate and personal data that insecure apps on employee devices can bring.
Appthority believes that all apps should, at a minimum, encrypt all traffic and, better yet, implement certificate pinning to eliminate the risk of data being intercepted while in motion. Appthority customers can leverage our MTP solution not just to catch active MiTM attacks that try to siphon the abundant unencrypted sensitive data leaking from mobile devices, but also to proactively remove from their environments apps that don’t properly protect sensitive data, so that they don’t face the MiTM risk in the first place.
Unless you have a Mobile Threat Defense solution that alerts you to these risks, can you trust your (and your employees’) apps?