[German]In support of his re-election, US President Donald has had an app called 'Official Trump 2020' developed. However, this app has massive security gaps and is vulnerable.
Advertising
I received the information about security researchers working for Website Planet. The security researchers around Noam Rotem and Ran Locar took a closer look at the app and recently discovered a security hole in the mobile campaign app of US President Donald Trump.
The purpose of the app
The app "Official Trump 2020" was developed for President Trump's re-election campaign and is available for download on iOS and Android. Interested parties can use this app to display information about the current US president.
The app discloses Keys
While analyzing the app, the security team found the keys to various parts of the app, including its Twitter API, in the APK file. The 'Official Trump 2020' app contains the following sensitive information in the file:
- Twitter application keys and secrets
- Google Apps Key
- Google Maps Key
- Branch.io (mobile analytics) Keys
(API keys in plain text in the APK, click to enlarge)
The app's code revealed these private keys and other secret information, similar to usernames and passwords that gave access to various parts of the app, such as the Twitter API. Those who had these keys could, for example, access the relevant online accounts (e.g. Twitter) and pretend to be an app in order to post information under that account.
Advertising
The security researchers write that during the analysis of the app, no attempt was made to access user accounts via these vulnerabilities. An initial analysis concluded that, despite the disclosed keys, two additional (unknown) keys were required to compromise user accounts. The disclosure of the keys was alarming enough to contact the app's developers. This kind of information disclosure could have been prevented by using certain security practices.
However, security researchers believe that malicious attackers could still use the keys to impersonate the app. If so, hackers could potentially use the branch.io keys to access user and usage data for the application.
Informing the Trump Team
Once the security researchers discovered the vulnerabilities and understood the potential implications, they immediately notified the Trump campaign team. At the very least, the InfoSec officer responded within hours, asking for details about the vulnerability. With the information provided by the security researchers, the vulnerabilities were eliminated within a few days. The report of the security researchers can be viewed on the Planet website here.
Website Planet is the leading authority on web designers, developers, digital marketers and entrepreneurs with an online presence. The operators offer useful tools and resources for everyone, from beginners to seasoned professionals. These include security team assignments to detect vulnerabilities and data leaks. The people used to work under the name vpnMentor and were referenced in various blog posts.
