This week in my network security class, we reviewed the SQL Injection attack among many others. I enjoy many mobile applications, which are mainly games. These games are usually massively multiplayer online games and have teams. These teams are tailored to the content of the game. For example, a game that features space battles will have a multiplayer feature called a fleet or alliance.
With the fleet or alliance, there are benefits such as in-game rewards and a chat or messaging feature. Some games will display page after page of teams, while other games will display a group of featured teams. Still other games allow the user to search for teams by name. This last method allows you to find your friends or family who might be playing the game more easily. Besides, playing the game with your friends or family is more fun because you feel more connected.
Recently, I downloaded a mobile app that was recommended by the Google Play Store. The app has some of my favorite fictional characters, so I decided to download and install it. The app would not run unless I granted permissions to contacts, social media networks and photos. With access to this information, the app saves my profile to a social media web server and is able to tailor advertisements based on the app I am using. This is an example of data mining.
The story does not end there. I decided that the risk for me was acceptable. I granted permissions and let the app execute. I played the game for many weeks then an update was released that added an alliance feature. I decided to see what this feature was all about and tapped on the icon or link that took me to the alliance module. I was disappointed because there were only five featured alliances to choose from. Then I got an idea.
I learned in my coursework that most of these apps are backed by a database on the server side, and that relational databases are queried with a language called Structured Query Language, or SQL. If the app builds its query by pasting the search text directly into the SQL string, anything typed into the search field becomes part of the query itself. Back to the app with the alliances: I decided to type a SQL statement in the search field. I knew that I was in a database that probably had thousands of alliances, and I wanted to see them because the choices presented to me were not that appealing.
I was able to display hundreds of teams. I was shocked because a user should not be able to use SQL commands on the front end of this application. I might add that the application also allows for the purchase of in-game products using real money. I decided to do the right thing and use the bug reporting module to advise the developers of this flaw.
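The behaviour described above, as an added example that is not code from the post or from the game's developers: a search over an alliance table where the featured-only filter is defeated because the search term is concatenated into the SQL text, beside the same search with a bound parameter. The table layout, the sample alliances and the payload `' OR 1=1 --` are all assumptions constructed for the example; the post does not say what was typed or how the game's backend is built.

```python
import sqlite3

# Constructed sample data (not from the post): five alliances, two flagged as featured.
ALLIANCES = [
    ("Red Fleet", 1),
    ("Blue Armada", 1),
    ("Nebula Wolves", 0),
    ("Quiet Corsairs", 0),
    ("Void Runners", 0),
]

# Hypothetical payload: closes the LIKE literal, adds an always-true OR,
# and comments out the rest of the query (including the featured filter).
PAYLOAD = "' OR 1=1 --"


def make_db():
    """Build an in-memory SQLite database with the constructed alliance table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE alliances ("
        "id INTEGER PRIMARY KEY, name TEXT NOT NULL, featured INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO alliances (name, featured) VALUES (?, ?)", ALLIANCES)
    return conn


def search_vulnerable(conn, term):
    """Search featured alliances by name, concatenating the user's text into the SQL.

    Whatever the user types becomes SQL syntax, so a crafted term can rewrite
    the WHERE clause and drop the 'featured = 1' restriction.
    """
    sql = (
        "SELECT name FROM alliances WHERE featured = 1 AND name LIKE '%"
        + term
        + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Same search with a bound parameter: the term is data, never SQL syntax."""
    sql = "SELECT name FROM alliances WHERE featured = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def demo():
    """Run both searches with a normal term and with the payload; return the results."""
    conn = make_db()
    try:
        return {
            "legit_vulnerable": search_vulnerable(conn, "Red"),
            "legit_safe": search_safe(conn, "Red"),
            "payload_vulnerable": search_vulnerable(conn, PAYLOAD),
            "payload_safe": search_safe(conn, PAYLOAD),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the normal term both searches return only the featured "Red Fleet". With the payload, the concatenated version executes `... name LIKE '%' OR 1=1 --%'`, so every alliance in the table comes back, featured or not, which is the "hundreds of teams" effect described above; the parameterised version looks for a name literally containing `' OR 1=1 --` and returns nothing. The fix is not to filter the characters a player may type but to stop building SQL from user text at all.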
Ideas started flowing through my mind about what the consequences might be of admitting that I had attempted to exploit SQL commands. I thought for sure that I would be banned from the game, or something maybe worse, like a lawsuit or criminal charges. Thankfully, none of that happened, but I did get an e-mail from the software company that, in essence, debriefed me on the whole incident.
The e-mail advised me not to leak the vulnerability to anyone, and by reading the e-mail I accepted this condition. There was not even a "Thank you for catching this." The e-mail ended by saying that the matter was closed and advised against further communication on the matter. Maybe I hurt someone's feelings?
In summary, the mobile app market is exploding, with thousands of new apps every day. Is security considered in the development of these apps? How secure is my data? These are the questions I ask myself each time I get content from one of the providers. I think all mobile device users should think about this, because a person with the right skills but the wrong motive might make life tough later on.