Not All Mobile Applications Are As Good As They Might Seem

Hi there,
We in ASAP Lab maintain, secure 1000+ CS-Cart and Multi-Vendor projects. And as part of services, we perform security testing to detect common vulnerabilities and threats and as a separate service with profound investigations, SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) penetration testing.
Based on numerous cases about mobile applications and their security, and alas insecurity, we wrote an article about frequent problems with applications based on the admin API (if you used the admin API for your app as well, here comes bad news).
Well, yes, through the admin API you can both create an application and get access to the admin panel… and generally do anything with the store at the administrator level. Unfortunately, there is little information about the storefront API, but a curious mind can find the storefront_rest_api add-on, which has a well-documented code. By the way, CS-Cart and PWAjet applications work exactly on its basis.
Not all mobile applications are as good as they might seem

(spoiler for geeks) If you have knowledge of reverse engineering, Smali and Java. Well, yes, you can simply proxy traffic through the same OWASP® Zed Attack Proxy (ZAP) and get an authorization token transmitted in almost every request.

[spoiler]

[attachment=15512:Screenshot_11.png]

[attachment=15513:Screenshot_12.png]

[/spoiler]

For those who think “I have a small store. Who needs me”, “Profit and recognition is more important. I’ll spend it on advertising and SEO for now”, and “We have been working for a long time and have never encountered cyberattacks” we wrote a post with recommendations to the CS-Cart marketplace blog. Believe me, our monitoring system registers up to 10,000 cyberattacks and attempts to “hack” and repel DDoS attacks of various levels each day. Just think about these figures and start preventive works. Right now.

----

We do information security testing as part of the Information Security Audit (CS-Cart marketplace). Based on the results of our monitoring system operation and requests from clients, we found critical vulnerabilities in Viva Shop, CS-Commerce add-on (fixed together with the team, patch is ready and sent out) and in Alex Branding add-ons (one was already with the patch, and for the second they made a patch), Cart-Power are also in list, as a Simtech Development. Not to mention how many curious things were found in custom modifications and add-ons 😀 All allow security flaws, it's normal, it is important to fix them in time and quickly, and we know how to find vulnerabilities in information security and how to fix them B)

Screenshot_11.png

Screenshot_12.png

Ahh, forgot to point out general recommendation in case your mobile app use admin API

1. You should update your admin API key and, unfortunately, break your mobile app
2. Delist your apps from App Store and Google Play Store (one easy request and hacker will log in to your admin panel)
3. Then, contact your developers, so they change the logic of the app :(