Tuesday 26 November 2013

Hacking Yahoo Fantasy Football

Each week's Mobile Threat Monday examines one or two Android apps that leak your private data to third parties without your being aware of it, or act as malware and behave in unauthorized ways on your device. This week, we switch gears to look at how hackers can take advantage of legitimate apps and developer mistakes.
"Developers aren't thinking beyond the device" and taking into account how mobile apps interact with the back-end systems, Dan Kuykendall, CTO and co-CEO of NTObjectives, said in his presentation at last week's AppSec USA conference in New York City. He described how he was able to take advantage of programming and design flaws in Yahoo's Fantasy Football app to manipulate the team rosters for other players in his league. He was also able to impersonate other players on the league's message board.
While the presentation focused on the fantasy football app, Kuykendall was quick to note that the issues weren't unique to Yahoo. When developers "trust the device" and assume all transactions coming from the app must have been initiated by the user, that opens up a lot of potential holes where the bad guys can abuse that trust, Kuykendall said. He described previously identified authentication issues in apps such as My Backup Pro and Words With Friends where users could bypass authentication and user verification steps. The AP Mobile, a news app, had a SQL injection flaw that could be used to overwrite news headlines on user devices.
If someone stole the physical device or the user's session cookie, it would be easy to impersonate the user.
In his case, all Kuykendall had to do was intercept the session ID identifying the user to the back-end server. Kuykendall found that Yahoo didn't expire session IDs, so once he grabbed this token from other players, he could submit fraudulent transactions on their behalf.
"I was them [other players] as far as the back-end servers were concerned," Kuykendall said.
Kuykendall was able to sniff mobile traffic and collect session IDs for other players in the league during the fantasy football draft because the players all connected to his wireless network. There are plenty of tools available that make eavesdropping on mobile traffic fairly "trivial," he said.
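The two server-side mistakes described above, a session token that never expires and a back end that believes whatever identity the device sends, are both fixable without touching the app. The following is an added illustration written for this article, not code from Yahoo, NTObjectives or the talk: a small in-memory session store with idle and absolute expiry, and a roster-update handler shown in a "trust the device" form beside a hardened form that derives the user only from the server-side session and checks team ownership. The league data, timeouts and clock are constructed for the example.

```python
"""Session handling on the back end: trusting the device versus verifying it.
Constructed example; the team/owner data and timeouts are made up."""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before a session dies (constructed value)
ABSOLUTE_LIFETIME = 12 * 3600   # hard cap on session age regardless of activity (constructed value)


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """Opaque random tokens mapped to server-side state with two expiries."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be exercised deterministically
        self._sessions = {}

    def create(self, user_id):
        token = secrets.token_urlsafe(32)   # 256 bits of randomness; nothing about the user is encoded in it
        now = self._clock()
        self._sessions[token] = Session(user_id, now, now)
        return token

    def resolve(self, token):
        """Return the owning user_id, or None if the token is unknown or expired."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created_at > ABSOLUTE_LIFETIME:
            del self._sessions[token]    # expire eagerly: a captured token stops working after the window
            return None
        sess.last_seen = now
        return sess.user_id

    def revoke(self, token):
        """Explicit logout; also what you call when a user reports a compromised device."""
        self._sessions.pop(token, None)


# League state: team -> owning user. Constructed sample data.
TEAMS = {"team-a": "alice", "team-b": "bob"}


def set_roster_trusting(rosters, body):
    """Weak design: believes the user_id the app placed in the request body.
    Anyone who can send a request can claim to be any user."""
    team = body["team_id"]
    if TEAMS.get(team) != body["user_id"]:
        return False
    rosters[team] = body["roster"]
    return True


def set_roster_hardened(store, rosters, token, body):
    """Hardened design: identity comes only from the server-side session, the
    session must be live, and the session owner must own the team being edited."""
    user_id = store.resolve(token)
    if user_id is None:
        return False                      # unknown or expired token
    team = body["team_id"]
    if TEAMS.get(team) != user_id:
        return False                      # authenticated, but not this team's owner
    rosters[team] = body["roster"]
    return True


class FakeClock:
    """Controllable clock so the expiry path can be shown without waiting."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


def demo():
    """Walk through the weak and hardened handlers; returns the observed outcomes."""
    clock = FakeClock()
    store = SessionStore(clock=clock)
    token = store.create("alice")
    rosters = {}
    trusting_spoof = set_roster_trusting(
        rosters, {"team_id": "team-b", "user_id": "bob", "roster": ["qb1"]})
    hardened_other_team = set_roster_hardened(
        store, rosters, token, {"team_id": "team-b", "roster": ["qb2"]})
    hardened_own_team = set_roster_hardened(
        store, rosters, token, {"team_id": "team-a", "roster": ["qb3"]})
    clock.t += IDLE_TIMEOUT + 1           # simulate the idle window passing
    hardened_after_expiry = set_roster_hardened(
        store, rosters, token, {"team_id": "team-a", "roster": ["qb4"]})
    return {
        "trusting_spoof": trusting_spoof,             # True: the weak handler accepted a claimed identity
        "hardened_other_team": hardened_other_team,   # False: alice's session cannot edit bob's team
        "hardened_own_team": hardened_own_team,       # True: legitimate edit
        "hardened_after_expiry": hardened_after_expiry,  # False: token no longer resolves
    }
```

The expiry does not stop a token from being used within its window, which is why it is paired with ownership checks and with transport protection; what it does is bound how long a token captured on a shared network remains useful.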
What End Users Can Do
As non-developers, we have to trust that the company releasing the app considered the security implications and built in those safeguards. We can tell companies that security and privacy are a priority for us.
Mobile devices are no longer just for Web browsing, making phone calls, and checking email. The apps provide a very rich user experience where we can compare prices across stores, watch movies and video clips, check our bank balance, and keep up with our obsessions. That said, we should think about how much data we are entering in these apps in the first place, and consider how this data is being transmitted. Kuykendall didn't look at ways to harvest user data or infect mobile devices in his research. Rather, he focused on ways he could impersonate the users to access back-end servers.
Trusting the device is a very common design flaw, and as users, one way we can protect ourselves is to really be careful about where our devices are connecting. Don't hop on any random wireless hotspots with your mobile device and be careful about where you are when using your apps. Researchers have shown how easy it is to set up a "Wi-Fi pineapple" to intercept mobile traffic in malls and crowded areas. Checking your fantasy football team when on the go is one thing, but maybe you can hold off on what you are doing with your banking app, for example.
The issues Kuykendall described weren't specific to the app itself but to how the apps communicated with the servers. It may be worth taking the time to evaluate the benefits of having an app versus not having it. In the end, you may decide to go ahead and install the app, but at least you thought about the risks.
