Be careful with sessions: Garmin Connect App example
It’s not uncommon nowadays to see people with a smartwatch, be it Apple Watch or another brand such as Garmin. I think there are many advantages of using one; to me, it’s about keeping track of exercises in the gym as well as other parameters such as stress and sleep.
Many smartwatches record a wide range of data points: puls, movement, altitude and location. This amounts to large amount of data, which can be used to infer various things about the individual. Therefore, it’s important to keep this data safe.
In this post, I would like to share the security issue in the Android version of the Garmin Connect app and list several tips on how this can prevented when you work with sessions in your projects.
When developing an application that requires user authentication, most of the time one needs the state to persist so that users don’t need to enter the username or password each time they visit a new page. Sessions can help us to accomplish that. Using sessions is less secure than asking for credentials all the time, but it’s trade-off that most of us can accept.
Before we start: I have confirmed with Garmin that they have fixed the issue before publishing this post.
Early in April last year, I changed my password to Garmin Connect on their website. I was already logged in into the Android version of the Garmin Connect app with my old password and my expectation was that the app would ask me to re-authenticate at some point. But, it did not. I cannot tell how long the session would persist, but I could keep using the app for several weeks with the old session.
The problem with such a long session duration is that it gives users a false sense of security when they change their password. For example, imagine that the user had a weak password at some point and an adversary was able to login and obtain a new session. Even if the user would have changed the password later, an adversary would still have access to their health data.
If this problem would have occurred in, let’s say, the Neftlix app, I would not be as worried, but since Garmin Connect stores large amounts of health data, I felt like that the consequences of a potential breach could be huge.
After filing this security concern to Garmin, I proposed the following changes:
- Make sure that sessions are reset everywhere (especially in the android app) during a password reset (or at least offer the user the choice of selecting this option on the website)
- Time-limit the sessions on the mobile devices
- Enable two-factor auth for each account
To sum up, whenever you have to persist a state, make sure that sessions expire at some point and that users have the option to log out from all devices. It’s always a trade off between security and convenience, so when you decide the session length etc, you need to take into account the impact of a potential breach, etc. In some cases, you can require users to re-authenticate if the operation is highly sensitive.