Introduction

The Calgary Police Service (CPS) released an application for Android devices on 23 June 2015 into the Google Play Store (Version 1.0.8). ZVXR Technologies conducted a time-limited, 5-minute security audit to evaluate the risk incurred by using this app. This report summarizes those risks.

What is the CPS Android App

According to the developers,

The Calgary Police Service strives to preserve the quality of life in our community by maintaining Calgary as a safe place to live, work and visit. Download our app to have easy access to everything you need from the Calgary Police Service right from your mobile device. In an emergency, always call 9-1-1.

App features:

Report a crime by linking to our Citizen On-line Police Report System to report thefts from a vehicle, property damage, lost or stolen items.

Submit a tip anonymously to Crime Stoppers to help fight crime in your community.

Station map to identify CPS locations near you.

Crime map enabling users to search 12 categories of crime in your community, including arson, assault, attempted murder, break and enter (2 types), vandalism, robbery, sexual offences, theft (3 types), and homicide.

Resource links for crime prevention, youth programs, domestic violence, victim resources and Calgary’s Wanted list.

Links to follow CPS social media and news feed to keep current with what’s happening in our city.

Contact info for community stations.

Always call 9-1-1 in an emergency.

The app also loads a newsfeed, retrieved from a City of Calgary controlled newsfeed website -- this is the source of the vulnerability.

Issues

Before going into the issue, we will give a brief summary of the technology involved that gives rise to the primary vulnerability. If you are familiar with basic web security, please skip ahead. (And forgive us for the gross oversimplifications we are about to make.)

SSL/TLS

Generally speaking, the traffic that most people generate when browsing the web can be partitioned into two categories: insecure (HTTP) and secure (HTTPS). HTTPS not only allows the user to authenticate the website they are visiting, but also protects the confidentiality and integrity of the data being transmitted; HTTP alone does not. This is the reason that banks and email providers transmit over HTTPS: otherwise it would be possible for an adversary to impersonate a website, observe the content of the traffic, or even manipulate the data being transmitted.

Code Injection

As mentioned earlier, the CPS app draws newsfeed content from a City of Calgary newsfeed; however, this content is transmitted over plain HTTP. This alone may not necessarily give rise to a code-injection vulnerability, but it is compounded by the fact that the application does not verify, or sanitize, any of the insecure content delivered over HTTP. This leaves open the possibility for an adversary to inject arbitrary code by breaching that channel, and to execute that code in the context of the application. For example, by exploiting this vulnerability an adversary could:

change critical information displayed anywhere within the app,

swap the crimestoppers link with a similar, yet different link, so that the "tips" are delivered to the adversary,

exploit existing vulnerabilities in the web browser (saving the adversary the trouble of tricking the user into visiting a malicious site),

or maybe just have some lulz....

Mitigation

The code injection vulnerability could be mitigated by simply ensuring all traffic is served over HTTPS. In practice, this may not be so simple, since they would have to coordinate with the City of Calgary newsroom to get them to offer the newsfeed over a secure channel. Alternatively, if they had no control over the security of the content being received, they could sanitize the input by removing any possibly malicious content before rendering it within the app.

With respect to the developer comments, the best they can do is to ensure that they are not using pol11890 (or a derivative) as a username on any of their systems. Simply stated, "security through obscurity" does not work.
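The two mitigations described in this section (HTTPS-only transport, and sanitizing feed content before it is rendered), sketched as an added example that is not code from the CPS app. It assumes the newsfeed is rendered as HTML inside the app; the host newsroom.example.org and all function names are hypothetical placeholders.

```javascript
// Added example: hypothetical names throughout; not code from the CPS app.
const ALLOWED_FEED_HOSTS = new Set(["newsroom.example.org"]); // placeholder host (assumption)

// Accept a URL only if it parses, uses HTTPS, and points at an expected host.
function isTrustedHttpsUrl(raw, allowedHosts) {
  let url;
  try {
    url = new URL(raw);
  } catch (err) {
    return false; // unparsable or relative URL
  }
  return url.protocol === "https:" && allowedHosts.has(url.hostname);
}

// Encode every HTML metacharacter so feed text is rendered as text, never as markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the markup for one feed item from untrusted fields.
function renderFeedItem(item, allowedLinkHosts) {
  const title = escapeHtml(item.title ?? "");
  const summary = escapeHtml(item.summary ?? "");
  const body = `<h3>${title}</h3><p>${summary}</p>`;
  // Drop the link entirely unless it passes the same HTTPS + host check.
  if (typeof item.link === "string" && isTrustedHttpsUrl(item.link, allowedLinkHosts)) {
    return `${body}<a href="${escapeHtml(new URL(item.link).href)}">Read more</a>`;
  }
  return body;
}

// Constructed sample items: one clean, one with injected markup, one with a plain-HTTP link.
const SAMPLE_ITEMS = [
  { title: "Road closure", summary: "Details <b>here</b>", link: "https://newsroom.example.org/a/1" },
  { title: "<script>alert(1)</script>", summary: "x", link: "javascript:alert(1)" },
  { title: "Tip line", summary: "y", link: "http://newsroom.example.org/tips" },
];

function renderFeed(items) {
  return items.map((item) => renderFeedItem(item, ALLOWED_FEED_HOSTS));
}
```

Escaping on output only protects what the app renders; the HTTPS and host check on the feed URL itself is still needed so that the content cannot be altered in transit in the first place.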

Future Work

We restricted ourselves to 5 minutes of time, a network-traffic sniffer, and the vi text editor. Because of this, we did not look beyond the superficial and it is possible that other vulnerabilities exist within the application. Furthermore, we only investigated the Android version, but there exist versions for other mobile devices (i.e. Apple, Blackberry) which ought to be examined. Future work should reevaluate the entire application once an update beyond version 1.0.8 has been delivered.

Conclusion

When developing any sort of software, it is easy to overlook things and introduce errors into the codebase; security is no different. As it stands, the Calgary Police Service Android App is not secure. Because the app may be used for sensitive purposes, it is recommended to discontinue usage until an update has been delivered and fully tested for security vulnerabilities. Users of the Apple iOS and Blackberry versions should consider their version of the app insecure until explicitly proven otherwise.