For many students, final year projects are a valuable opportunity to combine the theory they have learned with practice, some of it still unfamiliar to them. For Marc Klein, a student on the Cyber Security & Privacy (B.Sc.) course, his practical project at SRC Security Research & Consulting GmbH was an impressive example of how important security analyses of apps are. By testing a health app, he uncovered security vulnerabilities that could put the sensitive data of tens of thousands of users at risk – with potentially serious consequences.
The task: focus on mobile security
The project began with a clear task: to investigate a health app that communicates with a blood pressure monitor via Bluetooth. The aim was to identify potential vulnerabilities using reverse engineering techniques. Both static and dynamic analysis methods were used to comprehensively assess the security of the app.
Marc’s training initially focused on the basics of mobile security with an emphasis on Android applications. Freely available tools such as the Mobile Security Framework (MobSF) and MITMProxy played a central role in this. SRC ensured that he had access to an optimal test environment, which laid the foundation for his later findings.
The discovery: A critical security leak
The investigation of the second app, “ViHealth”, revealed a serious vulnerability: the app did not sufficiently check authenticity, which meant that all user accounts could theoretically be accessed – both read and write. Sensitive health data of around 92,000 European users was therefore vulnerable.
What could an attacker have done with this data? The possibilities range from identity theft and targeted phishing attacks to manipulative changes to the stored health data – with potentially life-threatening consequences if users rely on this information.
The vulnerability lay in the way the app generated signatures for API requests. Instead of an additional check on the server, the signature was only calculated on the client side. Using a bash script, this could be generated for each user ID, allowing access to other users' data records. Marc used tools such as JADX to analyze the decompiled source code and reconstruct the logic behind the signature generation. This discovery illustrates how problematic insecure client-side authentication procedures are.
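To make that distinction concrete, here is an added Python example (not the app's code and not part of the project's analysis) that places the pattern the article describes, a signature the server merely recomputes with a key compiled into the app, beside the server-side check it lacked: a server-issued token that binds an authenticated user ID, plus an authorization decision that the requested record belongs to that user. All keys, user IDs, the request layout and the token format are constructed for illustration.

```python
import hashlib
import hmac
import json

# All keys, tokens and user IDs below are constructed for this example; they are not the app's.
APP_EMBEDDED_KEY = b"constructed-key-compiled-into-the-app"  # every installed copy holds this
SERVER_SECRET = b"constructed-secret-that-never-leaves-the-server"


def canonical(request: dict) -> bytes:
    """Deterministic byte form of a request, excluding the signature field itself."""
    body = {k: v for k, v in request.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def client_sign(request: dict) -> dict:
    """What the app does before sending: an HMAC over the request with the embedded key."""
    sig = hmac.new(APP_EMBEDDED_KEY, canonical(request), hashlib.sha256).hexdigest()
    return {**request, "sig": sig}


def weak_verify(request: dict) -> bool:
    """The pattern from the article: the server only recomputes the client-side signature.
    Because the key ships inside the app, a valid signature proves the request came from
    *some* copy of the app, not that the sender owns the user_id named in the request."""
    expected = hmac.new(APP_EMBEDDED_KEY, canonical(request), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), str(request.get("sig", "")).encode())


def issue_token(user_id: int) -> str:
    """Server side, after a successful login (the login itself is outside this example):
    bind the authenticated user_id to a MAC that only the server can produce."""
    payload = str(user_id)
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_token(token: str):
    """Return the user_id bound in the token, or None if the MAC does not check out."""
    try:
        payload, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    try:
        return int(payload)
    except ValueError:
        return None


def hardened_verify(request: dict, token: str) -> tuple:
    """The additional server-side check the article says was missing: message integrity,
    a server-issued identity, and an authorization decision that the record being
    requested belongs to that identity."""
    if not weak_verify(request):
        return (False, "bad signature")
    principal = verify_token(token)
    if principal is None:
        return (False, "invalid token")
    if request.get("user_id") != principal:
        return (False, "forbidden")
    return (True, "ok")


if __name__ == "__main__":
    alice_token = issue_token(1001)
    own = client_sign({"user_id": 1001, "op": "read"})
    other = client_sign({"user_id": 1002, "op": "read"})
    print("weak check accepts a request for another user's record:", weak_verify(other))
    print("hardened check, own record:", hardened_verify(own, alice_token))
    print("hardened check, another user's record:", hardened_verify(other, alice_token))
```

The point of the hardened path is that the client-side signature is kept only for message integrity; who may read or write a record is decided from a secret the client never holds, so the server can tell a request for record 1001 from an authenticated user 1001 apart from the same request made under someone else's token.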
The consequences: Cooperation with the BSI
After identifying the vulnerability, SRC worked with Marc to initiate the Coordinated Vulnerability Disclosure (CVD) process. The manufacturer of the app, Viatom, was contacted but did not respond in time. SRC therefore contacted the German Federal Office for Information Security (BSI), which took over communication with the manufacturer and set a 90-day deadline to close the vulnerability.
During this process, Marc’s work once again proved its worth: in addition to documenting the vulnerability, he also provided a risk assessment according to the Common Vulnerability Scoring System (CVSS). With a score of 8.6, the vulnerability was classified as critical, and the gap was finally closed thanks to the cooperation. For Marc, this was a moment he hadn’t expected at the start of the project: analyzing a “small app” and being offered the prospect of being inducted into the BSI’s Hall of Fame at the end.
Lessons learned: What this final year project illustrates
This project impressively demonstrates how serious vulnerabilities in everyday applications can be. Especially in the health care sector, where sensitive data is processed, security testing is indispensable. The work also underlines the importance of carrying out security analyses systematically and methodically.
It also makes it clear that end users are often unable to recognize the risks behind seemingly harmless apps. Apps that process health data should be scrutinized particularly critically. The responsibility here lies equally with the developers and the institutions that monitor security standards.
Conclusion: security analyses are a necessity
SRC’s commitment to promoting young talent like Marc is paying off. The combination of in-depth training, practical challenges and cooperation with institutions such as the BSI makes projects like this possible. It shows that security audits are not an option, but a necessity – especially in areas that involve sensitive data. This practical project is an example of how important it is to develop apps that are not only functional, but also secure. The benefits for users stand and fall with the integrity and security of the applications.