ESPN App Flagged For Security Hole


The ESPN ScoreCenter app, a popular mobile application on the Apple iOS platform, had contained weaknesses that could be used by an attacker to gain account credentials or cause other problems, according to a security firm that analyzed the application.

The mobile application, currently ranked the No. 1 free sports app in the Apple iTunes store, was failing to protect user login credentials, according to San Jose, Calif.-based Zscaler. The security firm said it also found a cross-site scripting vulnerability, a common Web application flaw.

An ESPN spokesperson said the issues were resolved after being notified by Zscaler.

"These are just really simple coding errors. A lot of this stuff is Security 101," Michael Sutton, Zscaler's vice president of security research, told CRN. "Everyone is worried about malware and malicious applications, but the real threat is the app that is poorly coded and we are blindly trusting it while it's placing our privacy at risk."

[Related: Symantec Critical Of Google Play For Malicious Pornographic Android Apps
]

Software security experts have long been warning about the threat posed by potential vulnerabilities in mobile applications in which flaws and security weaknesses can result in data leakage and privacy concerns. Apple doesn't release information about how it vets mobile apps submitted for its iTunes store.

Google, meanwhile, said in November that it would scan apps for malware before approving them for its Google Play store. Recently, researchers at Symantec were critical of several pornographic Android apps that made it onto the Google Play store, which appeared to be adware, the security firm said. A Google spokesperson said it removes apps from Google Play that violate its policies.

The two mobile platform giants are not doing enough to protect device owners, yet people place a lot of trust in the official stores, Sutton said. Zscaler indicated in its recent quarterly threat report that 10 percent of the apps it analyzed on the iOS platform were sending authentication credentials insecurely.

"We have an ecosystem that should result in far more secure apps because we have a gatekeeper that owns the store and blesses them before they appear," Sutton said. "It's disappointing that they are missing incredibly easy to find vulnerabilities."

Despite the attention placed on the potential of smartphone malware, mobile application privacy is a growing concern. To pay for development costs, application developers collect user data and provide it to marketers and advertisers, but experts say some apps overstep their bounds.

Zscaler uses its freely available Application Profiler ZAP tool to capture and scan mobile application network traffic. The tool can check if account credentials are being sent in clear text, indicate whether device data is leaking and whether any personally identifiable information is being exposed or sent to third-party advertisers.

PUBLISHED JAN. 18, 2013