User data saved by apps insufficiently secure
The Technical University of Darmstadt and the Fraunhofer Institute for Secure Information Technology (SIT) have examined cloud databases like Facebook Parse and Amazon AWS and found 56 million unprotected data sets. The researchers found email addresses, passwords, health data and other sensitive information about app users, which can be easily manipulated or stolen. App developers use cloud databases to save user data, but apparently ignore the security recommendations of the cloud providers. The result: many user accounts are threatened by identity theft and other internet crimes. “That’s why users should reflect carefully on which data they manage through apps,” says Prof. Eric Bodden, the leader of the research team.
Both the Fraunhofer Institute and the Technical University of Darmstadt are members of the BMBF project ‘ZertApps’. Within this project, a consortium is developing lightweight certification measures intended to rule out weak spots such as those mentioned above. End users can then access information about the security level of their apps through a quality label. Further information regarding the weak spots can be found online at:
Bremen, 27. Mar. 2015:
TZI detected security holes in Siemens apps
Researchers of the TZI at the Universität Bremen detected security holes in the Android and iOS versions of the apps SPCAnywhere (remote control of alarm systems) and HomeControl for Room Automation. These holes concern the communication between the app and the alarm system; code injection attacks were also possible. Siemens has fixed the problems and published advisories.
Bremen, 27. Nov. 2014:
On November 27th, the TZI presented the ZertApps project during a visit of a delegation of the Federal Office for Information Security (BSI). Intermediate results were discussed, and an early demonstrator was presented that automatically generates dataflow diagrams from Android apps. These diagrams allow a security expert to obtain a high-level overview of the app and to identify architectural security flaws.
Berlin, 17./18 Nov. 2014:
ZertApps was one of the associated projects chosen for presentation in the IT-Security section of the SME innovative (KMU Innovativ) conference organized by the project promoter VDI/VDE. In addition, a poster was exhibited and a demonstration was used to explain the results obtained so far in ZertApps to interested participants.
Bremen, 6. Nov. 2014:
The ZertApps project was presented during a visit of the Senator for Education and Science of the Land Bremen, Prof. Dr. Eva Quante-Brandt, at the TZI on November 6th. On this occasion, we discussed privacy risks of apps and presented an early ZertApps demonstrator.
Darmstadt, 23./24 Sep. 2014:
The six involved partners OTARIS Interactive Services GmbH, datenschutz cert GmbH, SIT – Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V., SAP AG, SecUSo – TU Darmstadt and TZI – Universität Bremen met with the participating Federal Office for Information Security (BSI) for a meeting of the ZertApps project consortium.
Hannover, 11. Mar. 2014:
Mehmet Kus (OTARIS Interactive Services GmbH) talked about the IT security of mobile devices at the CeBIT 2014 fair in Hannover. The presentation focused on the associated project ZertApps and the process of certifying apps to provide more security and transparency of apps, for end users as well as for app developers and providers.
Bremen, 27./28 Jan. 2014:
The six involved partners OTARIS Interactive Services GmbH, datenschutz cert GmbH, SIT – Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V., SAP AG, SecUSo – TU Darmstadt and TZI – Universität Bremen met with the participants from the promoter VDI/VDE and the Federal Office for Information Security (BSI) for the kick-off of the ZertApps project.
Duration: 01.01.2014 – 31.12.2015
Partners: OTARIS Interactive Services GmbH, datenschutz cert GmbH, SAP AG, Fraunhofer-Institut für Sichere Informationstechnologie SIT, TU Darmstadt
Sponsor: BMBF