Characterizing Improper Input Validation Vulnerabilities of Mobile Crowdsourcing Services
Sojhal Ismail Khan, Dominika Woszczyk, Chengzeng You, Soteris Demetriou, Muhammad Naveed

TL;DR
This study systematically analyzes improper input validation vulnerabilities in mobile crowdsourcing services, revealing widespread security flaws that enable large-scale data poisoning attacks across multiple domains.
Contribution
It introduces a novel end-to-end framework for assessing IIV vulnerabilities in MCS apps and provides the first comprehensive analysis across diverse services and domains.
Findings
Most studied services (8/10) have severe IIV vulnerabilities.
7400 spoofed API requests successfully faked sensitive data.
Proposed mitigation strategies can significantly reduce attack surface.
Abstract
Mobile crowdsourcing services (MCS) enable fast and economical data acquisition at scale and find applications in a variety of domains. Prior work has shown that Foursquare and Waze (a location-based and a navigation MCS) are vulnerable to different kinds of data poisoning attacks. Such attacks can be upsetting and even dangerous, especially when they are used to inject improper inputs to mislead users. However, to date, there is no comprehensive study on the extent of improper input validation (IIV) vulnerabilities and the feasibility of their exploits in MCSs across domains. In this work, we leverage the fact that MCS interface with their participants through mobile apps to design tools and new methodologies embodied in an end-to-end feedback-driven analysis framework which we use to study 10 popular and previously unexplored services in five different domains. Using our framework we…
