
Personal apps shared in the Fitbit Gallery aren’t checked for malicious code – Review Geek

The Fitbit Gallery offers approved Fitbit apps such as Spotify or Starbucks Card from a single source. While Fitbit manually scans every app published to the Gallery for malware, “private” apps that can be shared by link do not get the same treatment. If someone emails you a download link for a Fitbit app, ignore it.

Fitbit allows developers to upload “private” apps to the Gallery to aid testing. Unfortunately, anyone with a download link can install a private app. Bad actors can share a private download link to distribute data-gathering malware, a threat identified by Kevin Breen and published by BleepingComputer.

Kevin Breen, director of threat research at Immersive Labs, successfully uploaded a malicious private app to the Gallery and used it to steal GPS location, heart rate, altitude and age data from test devices. On Android, the malicious app was also able to read all calendars connected to Fitbit. Thanks to the Fitbit Retrieval API, Breen was even able to configure the app so that it could scan and reach network devices such as routers and firewalls.

Luckily, Kevin Breen submitted his research to Fitbit, which then added warnings about private app downloads. Fitbit also plans to turn off private app permissions by default, so that users would have to manually grant access to their age, contacts, and other information. As always, Fitbit scans Gallery apps for malicious code before they are posted to the public Gallery page.

Source: Kevin Breen via BleepingComputer
