Multiple Android applications have been observed not invalidating or revalidating session cookies during app data transfer from one device to another.
According to a new advisory by CloudSEK researchers, the technique would enable attackers with a highly privileged device migration tool to move applications to a new Android device, causing migration issues.
“This means if a person is able to have physical access to your unlocked device for some time, he/she can copy your app data onto his/her device and impersonate you and your accounts, thus using the applications on your behalf without entering login ID or passwords,” the company wrote.
CloudSEK explained that in specific applications such as WhatsApp, the actors could also bypass the 2FA mechanism. The security experts validated the claims by conducting an experiment using two Realme devices.
“This issue happens as the secret keys used by WhatsApp get copied over to the new phone. Because of this, on WhatsApp’s side, these two devices look like they are the same since they use the same credentials to authenticate to us.”
In the advisory, CloudSEK said it reported the vulnerability to Meta, which considered it a social engineering scenario and did not treat it as a security issue. Meta did not immediately reply to Infosecurity’s request for comment on the matter.
“[We] tried replicating the same method with Instagram, considering both are owned and operated by Meta, but Instagram logged out all accounts and requested a new login,” clarified CloudSEK.
Other popular apps that failed to invalidate session cookies include Canva, Snapchat, Telegram, LinkedIn, Discord and Booking.com.
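One way a server can revalidate a migrated session, as an added example that is not from the CloudSEK advisory or any of the named apps: the session cookie is tied to a device-held key that a migration tool does not copy, so a cloned cookie fails a challenge and the session is invalidated, forcing a new login. The `Device` and `Server` classes, the HMAC stand-in for a hardware-backed key pair and all values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

class Device:
    """Constructed model of a phone: app data can be copied, the keystore key cannot."""
    def __init__(self):
        # Assumption: stands in for a non-exportable, hardware-backed key.
        self._keystore_key = secrets.token_bytes(32)
        self.app_data = {}  # what a device migration tool transfers

    def sign(self, challenge: bytes) -> bytes:
        return hmac.new(self._keystore_key, challenge, hashlib.sha256).digest()

    def migrate_to(self, other: "Device") -> None:
        other.app_data = dict(self.app_data)  # cookie travels, keystore key does not

class Server:
    def __init__(self):
        self.sessions = {}  # session cookie -> key enrolled at login

    def login(self, device: Device) -> None:
        cookie = secrets.token_hex(16)
        # Enrolment simplified to a shared secret; a real design registers a public key.
        self.sessions[cookie] = device._keystore_key
        device.app_data["session_cookie"] = cookie

    def request_cookie_only(self, device: Device) -> bool:
        """Weak check: possession of the cookie is the only proof."""
        return device.app_data.get("session_cookie") in self.sessions

    def request_revalidated(self, device: Device) -> bool:
        """Cookie plus a fresh challenge answered with the device-held key."""
        cookie = device.app_data.get("session_cookie")
        key = self.sessions.get(cookie)
        if key is None:
            return False
        challenge = secrets.token_bytes(16)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if hmac.compare_digest(expected, device.sign(challenge)):
            return True
        del self.sessions[cookie]  # proof failed: invalidate and require a new login
        return False

def demo():
    server, original, clone = Server(), Device(), Device()
    server.login(original)
    original.migrate_to(clone)
    return (server.request_cookie_only(clone), server.request_revalidated(original),
            server.request_revalidated(clone), server.request_cookie_only(clone))

if __name__ == "__main__":
    print(demo())
```

The four results are, in order: the cloned cookie accepted by the cookie-only check, the original device passing revalidation, the clone failing it, and the cookie rejected everywhere once the session has been invalidated.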
“To mitigate this threat, it is essential to secure your phone with a password,” CloudSEK warned. “If you are unable to download an app yourself, refrain from handing your device to another individual to download it on your behalf. It is important to carefully review the permissions required by an app before granting them access and to revoke permissions when the task is complete.”
The advisory comes weeks after Google unveiled a new policy for Android apps that mandates the addition of a deletion option for both user accounts and the data associated with them.