Security Analysis of Tartu Smart Bike Share Android Application

Date

2020

Publisher

Tartu Ülikool

Abstract

In June 2019, Tartu City Transport launched a smart bike share system that allows residents of Tartu to rent bikes for short commutes around the city. A month after the system launched, a privacy exposure was discovered and users' personal data was leaked. Where the fault resided was not publicly disclosed, but it was confirmed to have been fixed shortly after the developers were notified. The aim of this research was to analyze the security of the Tartu Smart Bike Share Android app and its communication with the web service. During the research, several security and privacy issues were found, one of which allows any registered user to query information about the location of a bike and its current user. The thesis provides a general description of the system and its underlying architecture, outlines which aspects of the app's functionality were analyzed and how, and presents the results. Suggestions for improving the security and privacy of the system are also provided.

Keywords

Android application security, web resource security, static code analysis, reverse engineering, HTTP requests, secure authentication, privacy
