It has been observed that several Android applications do not invalidate or revalidate session cookies during the transfer of application data from one device to another.
Using a highly privileged device migration tool, an attacker could move apps to a new Android device where the copied sessions remain valid, according to a new advisory from CloudSEK researchers.
“This means that if someone can have physical access to your unlocked device for a while, they can copy your app data to their device and impersonate you and your accounts, using apps on your behalf without entering the login ID or passwords,” the company wrote.
CloudSEK explained that in specific applications such as WhatsApp, actors could also bypass the 2FA mechanism. Security experts validated the claims by conducting an experiment with two Realme devices.
“This issue happens when the secret keys used by WhatsApp are copied to the new phone. Therefore, from WhatsApp’s side, these two devices look the same, as they use the same credentials to authenticate us.”
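The quote above describes the root cause: copied credentials make two devices indistinguishable to the server. The following added example (not CloudSEK's, Meta's or any vendor's code) shows the defensive design that avoids this, a session bound to a key the app never stores in its copyable data. The HMAC secret stands in for a hardware-backed Android Keystore key, which device migration does not export; all names and values are constructed for illustration.

```python
import hashlib
import hmac
import os

# Added example (not CloudSEK's or any vendor's code): a session bound to a key held outside
# the app's copyable data. On Android that key would live in the hardware-backed Keystore, which
# migration does not export; the HMAC secret stands in for a per-device asymmetric key.
# Replay protection (server-side nonce tracking) is omitted for brevity.

def sign(key: bytes, sid: str, nonce: bytes, body: bytes) -> str:
    # Proof of possession: every request is signed with the device-held key.
    return hmac.new(key, sid.encode() + nonce + body, hashlib.sha256).hexdigest()

class Server:
    def __init__(self) -> None:
        self.sessions: dict[str, bytes] = {}  # session id -> device key registered at login

    def login(self, device_key: bytes) -> str:
        sid = os.urandom(16).hex()
        self.sessions[sid] = device_key
        return sid

    def handle(self, sid: str, nonce: bytes, body: bytes, sig: str) -> str:
        key = self.sessions.get(sid)
        if key is None:
            return "401 no session"
        if not hmac.compare_digest(sign(key, sid, nonce, body), sig):
            # A copied cookie without the device key cannot produce a valid signature.
            # Revoking rather than merely rejecting forces a fresh login on every device.
            self.sessions.pop(sid, None)
            return "401 revoked"
        return "200 ok"

class Device:
    def __init__(self) -> None:
        self.keystore_key = os.urandom(32)  # stand-in for a non-exportable Keystore key
        self.app_data: dict[str, str] = {}  # what a migration tool copies: cookies, tokens

    def request(self, server: Server, body: bytes) -> str:
        sid, nonce = self.app_data["session"], os.urandom(8)
        return server.handle(sid, nonce, body, sign(self.keystore_key, sid, nonce, body))

def migrate(src: Device, dst: Device) -> None:
    dst.app_data = dict(src.app_data)  # app data moves to the new device; the keystore key does not

def demo() -> tuple[str, str, str]:
    server, old, new = Server(), Device(), Device()
    old.app_data["session"] = server.login(old.keystore_key)  # password/2FA checks omitted
    r1 = old.request(server, b"GET /inbox")  # legitimate device: accepted
    migrate(old, new)
    r2 = new.request(server, b"GET /inbox")  # copied cookie, different key: revoked
    r3 = old.request(server, b"GET /inbox")  # original device must log in again
    return r1, r2, r3
```

Running `demo()` shows the copied cookie being rejected and the session torn down, the behaviour the article credits to Instagram rather than WhatsApp.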
In the advisory, CloudSEK said it reported the vulnerability to Meta, which considered it a social engineering scenario and dismissed it as a security issue. Meta did not immediately respond to Infosecurity's request for comment on the matter.
“[We] tried to replicate the same method with Instagram, considering both are owned and operated by Meta, but Instagram closed all accounts and requested a new login,” CloudSEK clarified.
Other popular apps that have failed to invalidate session cookies include Canva, Snapchat, Telegram, LinkedIn, Discord, and Booking.com.
“To mitigate this threat, it is essential to protect your phone with a password,” CloudSEK warned. “If you cannot download an app yourself, please refrain from giving your device to someone else to download it on your behalf. It is important to carefully review the permissions an app requires before granting them access and to revoke permissions when the task has been completed.”
The warning comes weeks after Google introduced a new policy requiring Android apps to offer an option to delete both user accounts and the data associated with them.
With the growing amount of personal data stored on our mobile devices, companies like Ikaroa are leading the way in providing solutions to ensure it is always secure, no matter what. However, when it comes to transferring devices, Android applications have been found to have gaps in the protection of user data during the transition.
This means that the data being transferred could be copied, changed, or even deleted without the user being aware. The issue stems from the absence of security protocols that Android app developers are required to follow to keep data secure when it is transferred from one device to another. As a result, all existing user data is exposed to malicious actors during the transfer process.
The danger posed by this gap in security goes beyond personal privacy concerns. Negligence in protecting user data could lead to costly breaches for businesses that rely on the secure transfer of personal data, which could be anything from banking information to health records.
The good news is that there are a few ways to mitigate this risk. Companies like Ikaroa are making sure they are staying ahead of the curve by offering solutions such as secure data storage, encryption of sensitive information, and strong authentication procedures. Organizations can also use secure file transfer solutions to transmit data safely, only when the person in possession of the device is verified.
The realization that the current state of data protection during the transfer of Android devices is lacking has sparked a much-needed discussion in the tech industry. It is important that companies like Ikaroa continue to innovate solutions that address this risk and keep our data safe and secure.