M 211: Find a New App Vulnerability and Report it (Up to 50 pts extra)

What You Need for This Project

Perform a Security Audit

Choose any App you like. Check for any or all of these problems, or any other security problems you can think of:
  1. Failure to validate the integrity of the app's signature (vulnerability to added Trojan code) (Android only)
  2. Insecure network communications
  3. Insecure file storage
  4. Insecure logging
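The four checks above are normally done by decompiling the app (for example with jadx or apktool) and reading the manifest and source for known-bad patterns. The script below is an added example, not part of this project page or any CCSF tool: a small grep-style static scanner that runs the four checks over decompiled Java source and an AndroidManifest.xml and returns findings a report can cite by line number. The sample source and manifest are constructed here (a fictional `com.example.notes` app) so it runs offline; each constructed sample is paired with a hardened version that produces no findings. The regexes are heuristics and every hit still needs manual confirmation before it goes into a PoC.

```python
"""Static audit heuristics for an Android app: signature self-check,
cleartext/broken TLS, world-readable storage, and secret-leaking logs.

Added example; the inputs below are constructed, not from a real app."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str]  # (category, line number, offending text)

# Source-level patterns (heuristic; confirm each hit by hand).
SOURCE_PATTERNS: Dict[str, List[str]] = {
    "insecure-network": [
        r"\bhttp://",                                   # cleartext URL
        r"ALLOW_ALL_HOSTNAME_VERIFIER",                 # hostname check off
        r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}",  # trust-all manager
    ],
    "insecure-storage": [
        r"MODE_WORLD_READABLE",
        r"MODE_WORLD_WRITEABLE",
        r"getExternalStorageDirectory\s*\(",            # shared storage
    ],
    "insecure-logging": [
        r"Log\.[vdiwe]\s*\(.*(password|passwd|token|secret|pin)",
    ],
}

# Manifest-level patterns.
MANIFEST_PATTERNS: Dict[str, List[str]] = {
    "insecure-network": [r'usesCleartextTraffic\s*=\s*"true"'],
    "insecure-storage": [r'allowBackup\s*=\s*"true"'],  # data leaves via adb backup
}

# A runtime check of the app's own signing certificate is the usual defence
# against repackaging with Trojan code; its ABSENCE is what gets reported.
SIGNATURE_CHECK = re.compile(
    r"GET_SIGNATURES|GET_SIGNING_CERTIFICATES|getSigningInfo|signingInfo")


def scan_lines(lines: List[str], patterns: Dict[str, List[str]]) -> List[Finding]:
    """Return one finding per (category, line) whose text matches a pattern."""
    findings: List[Finding] = []
    for lineno, text in enumerate(lines, 1):
        for category, regexes in patterns.items():
            if any(re.search(rx, text, re.IGNORECASE) for rx in regexes):
                findings.append((category, lineno, text.strip()))
    return findings


def audit_source(source: str) -> List[Finding]:
    """Check decompiled Java for checks 2-4, then check 1 (signature self-check)."""
    lines = source.splitlines()
    findings = scan_lines(lines, SOURCE_PATTERNS)
    if not any(SIGNATURE_CHECK.search(line) for line in lines):
        findings.append(("no-signature-check", 0,
                         "no runtime check of the app's signing certificate found"))
    return findings


def audit_manifest(manifest: str) -> List[Finding]:
    """Check AndroidManifest.xml attributes that weaken network/storage security."""
    return scan_lines(manifest.splitlines(), MANIFEST_PATTERNS)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category: the one-line view for a non-technical reader."""
    counts: Dict[str, int] = {}
    for category, _, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample: a decompiled class with all four problems.
SAMPLE_SOURCE = """\
package com.example.notes;  // constructed sample, not a real app
public class SyncService {
    static final String API = "http://api.example.test/v1/sync";
    void login(String user, String password) {
        Log.d("Sync", "login user=" + user + " password=" + password);
        FileOutputStream f = openFileOutput("creds.txt", Context.MODE_WORLD_READABLE);
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
}
"""

# Constructed hardened version of the same class: HTTPS, private file mode,
# no secret in logs, default trust manager, and a signing-certificate self-check.
SAMPLE_SOURCE_FIXED = """\
package com.example.notes;  // constructed hardened sample
public class SyncService {
    static final String API = "https://api.example.test/v1/sync";
    void login(String user, String password) {
        Log.d("Sync", "login user=" + user);
        FileOutputStream f = openFileOutput("creds.txt", Context.MODE_PRIVATE);
    }
    void verifySelf(PackageManager pm) throws Exception {
        PackageInfo pi = pm.getPackageInfo(getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
        // compare pi.signingInfo against the pinned release certificate here
    }
}
"""

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <application android:usesCleartextTraffic="true" android:allowBackup="true">
  </application>
</manifest>
"""

SAMPLE_MANIFEST_FIXED = SAMPLE_MANIFEST.replace('"true"', '"false"')

if __name__ == "__main__":
    for label, findings in (("manifest", audit_manifest(SAMPLE_MANIFEST)),
                            ("source", audit_source(SAMPLE_SOURCE))):
        print(f"== {label}: {summarize(findings)}")
        for category, lineno, text in findings:
            print(f"  [{category}] line {lineno}: {text}")
    print("hardened manifest:", audit_manifest(SAMPLE_MANIFEST_FIXED))
    print("hardened source:", audit_source(SAMPLE_SOURCE_FIXED))
```

On the constructed vulnerable sample the scanner reports one finding per audit category (two for insecure network: the cleartext URL and the empty `checkServerTrusted` body) plus the missing signature self-check; the hardened sample produces none. The line numbers it prints are the ones to quote in the PoC, next to a screenshot of the behaviour they cause.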

Find a Serious Problem

If the app doesn't have any big problems, it's not eligible for this project. You can still report your security audit as a Project M 210, however.

Create a Proof-of-Concept (PoC) and Vulnerability Report

Demonstrate the problem so that a busy, non-technical executive can easily understand it.

Here are recommended ways to do that:

Maintain Confidentiality

Don't publish your vuln on Facebook or Twitter or anywhere public yet!

In order to be polite, you must notify the company privately first. You will lose points if you don't give the company at least 30 days to fix it before going public.

In practice, there is very little chance that the company will pay any attention, but this step is important to protect the reputation of CCSF and our security program. If we are perceived as irresponsible, our program will suffer.

30 Pts: Turn in your PoC and Vulnerability Report

Send your PoC and Vulnerability Report by email to cnit.128sam@gmail.com with the subject line Project 3x from YOUR NAME

Include this information in your email:

After your instructor verifies that you have found a real problem, and made a clear PoC, you get 30 pts.

You may stop at this point, or proceed to the next steps.

10 Pts: Demonstrate the PoC to the Class

Prepare and deliver a brief demonstration of the vulnerability you found to the class.

Plan for 5-10 min.

10 Pts: Report the Vuln to the Company

In Google Play, the app should have an email address to report the vulnerability to. If it doesn't, research the company that made the vulnerable app and try to find someone who might care. In many cases there will be no official way to contact the security team at all, and all you can do is email security@company.com, or fill out a generic comment form, or something like that.

You can call the company on the phone and ask where to send the report, but a verbal vuln report on the phone doesn't count. You need to make a written report that can be verified, so if the company complains later that they were not notified we have a good response.

Send your report to someone at the company, and keep screen captures of your reporting including the date.

If you send an email and it is returned undelivered, you must try again. You haven't really reported it until you send something that seems to have arrived.

Send Proof of Report

Send one or more screen captures to cnit.128sam@gmail.com showing how you reported the vulnerability.

If you send proof of a satisfactory report, you get 10 more points.

Posted 2-22-17
Updated 1-25-2020