March 20, 2020

Voatz App Security Flaws

How Lookout Detects and Protects

For application developers, especially those developing apps that collect highly sensitive data tied to industries like finance, healthcare, and government, security must be baked in. Protection against threats like runtime hooking with frameworks like Xposed is a key component of ensuring their app is secure. They can do so by embedding the Lookout App Defense SDK for threat detection and wrapping the application with the Lookout anti-tampering solution, which was created in partnership with Promon. Promon Shield ensures that the code cannot be reverse engineered and prevents other processes from hooking into the application code at runtime.

Overview

Recently, news broke of multiple vulnerabilities in the Voatz mobile voting app, which was going to be used by both Oregon and West Virginia to allow voting by people who are physically unable to make it to the polls. The vulnerabilities, discovered by researchers at MIT, could allow hackers to see someone’s vote or even change it. Specifically, the researchers noted that malware with root access to a voter's mobile device could bypass the host protection provided by Zimperium’s zIAP SDK. According to the researchers, the SDK can be disabled via the Xposed Framework and four lines of code by using a hooking utility to alter the application's control flow. After that, an attacker with root access can commandeer the app to alter the interface and do things such as divert votes and leak ballots and personal data to an external server.

Lookout Analysis

The Lookout Application Defense SDK and Lookout Mobile Endpoint Security (MES) will detect the Xposed Framework. To provide full anti-tampering coverage, Lookout has partnered with Promon to provide an anti-tampering solution that protects apps against the runtime hooking scenario described by the MIT researchers. For an attack like this to succeed, the Xposed Framework requires the device to be rooted. The Lookout SDK’s advanced device compromise module would uncover rooting techniques such as Magisk and Magisk Hide.

Authors

Lookout

Cloud & Endpoint Security

Lookout is a cybersecurity company that makes it possible for tens of millions of individuals, enterprises and government agencies to be both mobile and secure. Powered by a dataset of virtually all the mobile code in the world -- 40 million apps and counting -- the Lookout Security Cloud can identify connections that would otherwise go unseen and predict and stop mobile attacks before they do harm. The world’s leading mobile network operators, including AT&T, Deutsche Telekom, EE, KDDI, Orange, Sprint, T-Mobile and Telstra, have selected Lookout as their preferred mobile security solution. Lookout is also partnered with such enterprise leaders as AirWatch, Ingram Micro, Microsoft, and MobileIron. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.

Entry Type: Threat Guidances
Threat Type: Vulnerability
Platform(s) Affected
