One of the most popular mobile applications for iOS devices is the ESPN ScoreCenter app. Unfortunately, it is also an application that is full of security vulnerabilities. While users love receiving live scores, news, videos and alerts to their iPhone and iPad devices, they could also be inviting mobile intruders.
The team at ZScaler recently performed a set of relatively simple tests on the ESPN ScoreCenter app, and they found several key vulnerabilities.
Here are the company’s testing results:
Vulnerability #1 – XSS
While we like to think of mobile apps as native to the mobile OS, ZSaler reveals that that is not necessarily the case. Mobile apps are actually displayed in a Webview control and mixed with native controls. According to ZScaler:
Using XSS attacks could allow hackers to steal a user’s authentication cookie.
Vulnerability #2 – Clear Text Authentication Credentials
Why in the world mobile credentials continue to be passed in clear text is beyond comprehension for most security experts, yet the ESPN ScoreCenter Mobile app chooses to pass information in such a manner. ZScaler notes that in web apps you can usually tell if something is being sent unencrypted. For example, HTTPS is not enabled. With mobile apps, end users are unfortunately blind to warning signs which would only serve to take up valuable screen real estates.
According to ZScaler:
“ESPN ScoreCenter’s flaw – sending your password in clear text. Therefore, anyone sniffing traffic on the network would be able to easily steal your username/password. More often than not, when I see this flaw, it occurs not during a regular login, but rather when you first set up your account and such is the case with ESPN SportsCenter. Once you’ve created an account, subsequent logins at the regular login page (/mobile/apps/reg/loginlanding) are sent via HTTPS. This is not the case however when an account is first created, with the username/password sent in clear text :
POST /mobile/apps/reg/createaccount HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10A551
Accept-Encoding: gzip, deflate
Overal,l the conclusion of the ESPN ScoreCenter tests found that the application is not safe for general use because of numerous easy to correct vulnerabilities in how the application handles mobile data.
Users interested in testing out their other apps for vulnerabilities can try out Zscaler’s free ZAP (Zscaler Application Profiler) service to inspect the application traffic. The application works for both iOS and Google Android based mobile applications.