Abstract

We performed a security analysis of the UniNow application, focusing on private user data. The application was chosen for its high popularity and the amount of sensitive information handled through its new contact tracing functionality, which many universities use for mandatory contact tracing against COVID-19. Our analysis covered the Android mobile application and all web services. After mapping the attack surface using many tools to automate the process, we tested the potential issues in order of impact. We reveal multiple security issues of low to critical severity. Most of these vulnerabilities threatened private user data directly. In particular, among other findings, we found multiple disclosed secret keys that were used to encrypt user data on the client side. Furthermore, we show how an in-app browser and an open redirect vulnerability eased phishing attacks, and how university access tokens were shared with UniNow. Our more severe findings include how sensitive data was sent automatically to Google servers through backup files, how strict SSL certificate checking was deliberately disabled for many university endpoints, how JavaScript could be injected into the email viewer, and how appointment invitations could be brute forced to obtain sensitive information about past and future appointments. The two critical security issues concern how user accounts could be taken over by using an account identifier, and how an internal service was accessible to anyone, allowing university configurations to be changed and potentially making user devices send their users' university credentials to the attacker. We performed a responsible disclosure, which serves as a reference for UniNow, enabling them to fix the discovered issues. Our work tangibly improves the security of student data handled by the company.
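The abstract mentions an open redirect that eased phishing. The usual root cause is a login or callback endpoint that forwards the browser to a caller-supplied URL without checking where it points. The following is an added example of the server-side mitigation, written for this page and not taken from the paper or from UniNow's code: redirect targets are resolved against the application's own origin and accepted only if they stay on an allow-listed host over HTTPS. The host `app.example.edu` and the function names are constructed assumptions.

```python
from urllib.parse import urlparse, urljoin

# Constructed allow-list: hosts the application may redirect to.
ALLOWED_HOSTS = {"app.example.edu"}
BASE_URL = "https://app.example.edu/"   # constructed application origin
DEFAULT_TARGET = "/"                    # fallback when the target is rejected


def is_safe_redirect(target: str, base: str = BASE_URL) -> bool:
    """Return True only if `target` resolves to an allow-listed host over HTTPS.

    The target is resolved relative to the application's own origin first, so
    protocol-relative forms such as "//other.example/x" and scheme-only forms
    such as "javascript:..." are judged by what the browser would actually open.
    """
    if not target:
        return False
    # Browsers treat backslashes like slashes and tolerate embedded control
    # characters; reject both rather than trying to normalise them.
    if "\\" in target or any(c in target for c in "\r\n\t"):
        return False

    resolved = urlparse(urljoin(base, target))

    # Only HTTPS: an http:// target on the right host is still a downgrade.
    if resolved.scheme != "https":
        return False

    # `hostname` strips user-info and port, so "https://app.example.edu@other/"
    # yields "other", not the allow-listed host.
    return resolved.hostname in ALLOWED_HOSTS


def safe_redirect_target(target: str) -> str:
    """Return the caller-supplied target if it is safe, else the default page."""
    return target if is_safe_redirect(target) else DEFAULT_TARGET


if __name__ == "__main__":
    # Constructed sample inputs a login endpoint might receive in a `next` parameter.
    for candidate in ["/dashboard", "//other.example/x",
                      "https://app.example.edu@other.example/",
                      "javascript:alert(1)", "http://app.example.edu/x"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

Relative paths such as `/dashboard` pass because they resolve onto the application's own host; protocol-relative, user-info, downgrade and non-HTTP targets all fall back to the default page. Keeping the allow-list to exact hostnames (rather than a prefix or substring match) avoids the common bypass where `app.example.edu.other.example` is accepted.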
