All your family secrets belong to us - Worrisome Security Issues in Tracker Apps

Video thumbnail (Frame 0) Video thumbnail (Frame 3766) Video thumbnail (Frame 9370) Video thumbnail (Frame 15698) Video thumbnail (Frame 16506) Video thumbnail (Frame 18087) Video thumbnail (Frame 20367) Video thumbnail (Frame 22572) Video thumbnail (Frame 23659) Video thumbnail (Frame 26536) Video thumbnail (Frame 27503) Video thumbnail (Frame 28473) Video thumbnail (Frame 31410) Video thumbnail (Frame 32208) Video thumbnail (Frame 33347) Video thumbnail (Frame 34370) Video thumbnail (Frame 35577) Video thumbnail (Frame 37440) Video thumbnail (Frame 38257) Video thumbnail (Frame 41238) Video thumbnail (Frame 42270) Video thumbnail (Frame 43839) Video thumbnail (Frame 45018) Video thumbnail (Frame 46497) Video thumbnail (Frame 47331) Video thumbnail (Frame 50535) Video thumbnail (Frame 51750) Video thumbnail (Frame 52937) Video thumbnail (Frame 53842) Video thumbnail (Frame 54863) Video thumbnail (Frame 61894) Video thumbnail (Frame 62862)
Video in TIB AV-Portal: All your family secrets belong to us - Worrisome Security Issues in Tracker Apps

Formal Metadata

All your family secrets belong to us - Worrisome Security Issues in Tracker Apps
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Google Play Store provides thousands of applications for monitoring your children/family members. Since these apps deal with highly sensitive information, they immediately raise questions on privacy and security. Who else can track the users? Is this data properly protected? To answer these questions, we analyzed a selection of the most popular tracking apps from the Google Play Store. Many apps and services suffer from grave security issues. Some apps use self-made algorithms instead of proper cryptography for data storage and transmission. Others do not even attempt to protect their communication at all and make use of the unprotected http protocol, or even give an attacker full access to a vulnerable backend system. Hard coded database credentials in apps allowed access to all stored user locations. We would be able to extract hundreds of thousands of tracking profiles, even in real time. In others, this wasn't even necessary, because the user authentication could be bypassed altogether. Flaws in server API allowed us to extract all user credentials (1.7m plain text passwords), further we saw full communication histories containing messages, pictures and location data. In total, the state of tracker apps is worrisome, effectively leading to users unknowingly installing espionage software on their devices.
Point (geometry) Android (robot) Trail Dynamical system Group action Code Multiplication sign Mobile Web Source code Student's t-test Hacker (term) Cuboid Internet der Dinge Software testing Information security Vulnerability (computing) Mobile Web Focus (optics) Software engineering Binary code Projective plane Mathematical analysis Bit Cartesian coordinate system Word Order (biology) Universe (mathematics) Resultant Reverse engineering
Android (robot) State observer Sensitivity analysis Web crawler Multiplication sign 1 (number) Real-time operating system Client (computing) Perspective (visual) Front and back ends Different (Kate Ryan album) Videoconferencing Process (computing) Information security Fiber (mathematics) Vulnerability (computing) Trail Data storage device Fitness function Bit Instance (computer science) Category of being Message passing Googol Process (computing) Vector space Telecommunication Order (biology) System identification Smartphone Freeware Resultant Point (geometry) Web page Trail Slide rule Mobile app Server (computing) Implementation Statistics Freeware Pay television Parity (mathematics) Spyware Mass Goodness of fit Googol Authorization Traffic reporting Authentication Installation art Mobile app Time zone Dependent and independent variables Information Server (computing) Projective plane Total S.A. Cartesian coordinate system System call Digital video recorder Word Uniform resource locator Integrated development environment Personal digital assistant Blog Game theory Family Communications protocol
Boolean algebra Android (robot) Pay television Electronic data processing Pay television Key (cryptography) Computer file Code Instance (computer science) Client (computing) Cartesian coordinate system Automatic differentiation Root Personal digital assistant Flag Game theory Proxy server
Personal identification number State observer Addition Pay television Server (computing) Mobile app Computer file Inheritance (object-oriented programming) System administrator Computer-generated imagery Set (mathematics) Bit Complete metric space Cartesian coordinate system Message passing Mechanism design Personal digital assistant Cuboid Right angle Musical ensemble Proxy server Information security
Slide rule Mobile app Implementation Proxy server INTEGRAL Multiplication sign Information and communications technology Authentication Password Drop (liquid) Login Usability Word Mathematics Cryptography Encryption Authorization Flag Process (computing) Proxy server Vulnerability (computing) Personal identification number Touchscreen Software developer Information and communications technology Login Client (computing) Instance (computer science) Cartesian coordinate system Word Process (computing) Personal digital assistant Password Telecommunication Reading (process)
Implementation Randomization Key (cryptography) Code Multiplication sign Set (mathematics) Parameter (computer programming) Scattering Connected space Exclusive or Cryptography Different (Kate Ryan album) Password Procedural programming Position operator Metropolitan area network Reverse engineering
Android (robot) Trail Mobile app Code Transport Layer Security Authentication Device driver Parameter (computer programming) Login Public key certificate Front and back ends Cryptography Encryption Implementation Authentication Public key certificate Validity (statistics) Server (computing) Software developer Transport Layer Security Information and communications technology Data storage device Database Instance (computer science) Cartesian coordinate system Connected space Uniform resource locator Personal digital assistant Password Telecommunication Pattern language Object (grammar)
Trail Email Mobile app Information Code Data storage device Numbering scheme Database Real-time operating system Database Bit Numbering scheme Uniform resource locator Query language Address space
Classical physics Injektivität Email Game controller Mobile app Code Statement (computer science) Sampling (statistics) Statement (computer science) Instance (computer science) Address space Vulnerability (computing)
Authentication Server (computing) Process (computing) Server (computing) Authorization Client (computing) Vulnerability (computing)
Default (computer science) Demo (music) Computer configuration Demo (music) Videoconferencing Website Cartesian coordinate system Front and back ends Vulnerability (computing) Usability Default (computer science)
Trail Uniform resource locator Randomization Information Profil (magazine) Multiplication sign Diagram Connected space
Trail Multiplication sign Demo (music) Website Flow separation Address space Form (programming)
Authentication Trail Addition Mobile app Code Digitizing Authentication Mereology Student's t-test Cartesian coordinate system Login Number Message passing Process (computing) Profil (magazine) Telecommunication Encryption Message passing Reverse engineering
Message passing Server (computing) Authentication Mereology Message passing Timestamp Exploit (computer security) Number
Injektivität Type theory Mobile app Uniform resource locator Injektivität Trail Multiplication sign Number Front and back ends
Authentication Addition Complex (psychology) Functional (mathematics) Demo (music) Computer-generated imagery Bit Data storage device Instance (computer science) Medical imaging Personal digital assistant Point cloud Physical system Point cloud
User interface Injektivität Medical imaging Data storage device Sheaf (mathematics) Point cloud Parameter (computer programming) Web browser Physical system Software bug
Medical imaging Information Sheaf (mathematics) Point cloud
Injektivität Pairwise comparison Server (computing) Mobile app Email Injektivität Server (computing) Multiplication sign Complex (psychology) Data storage device Password Information privacy Cartesian coordinate system Number Front and back ends Medical imaging Process (computing) Password Process (computing) Procedural programming Address space
Authentication Server (computing) Mobile app Software developer Mobile Web Data storage device Mathematical analysis Real-time operating system Database Web 2.0 Crash (computing) Process (computing) Googol Point cloud
Authentication Email Server (computing) Email Mobile app Correspondence (mathematics) Authentication Data storage device Database Login Process (computing) Personal digital assistant Query language Table (information) Address space
Dependent and independent variables Uniform resource locator Email Mobile app Server (computing) Table (information) Software developer Formal verification Database Cartesian coordinate system Address space
Android (robot) Multiplication sign Client (computing) Front and back ends Software bug Facebook Encryption Videoconferencing Information Process (computing) Information security Vulnerability (computing) Family Email Real number Software developer Constructor (object-oriented programming) Data storage device Electronic mailing list Portable communications device Type theory Googol Process (computing) Telecommunication Right angle Cycle (graph theory) Information security Reverse engineering Server (computing) Mobile app Freeware Table (information) Mobile Web Password Drop (liquid) Login Rule of inference 2 (number) Googol Authorization Directed set Statement (computer science) Booting Traffic reporting Address space Software development kit Authentication Mobile Web Rule of inference Mobile app Default (computer science) Dependent and independent variables Demo (music) Information Server (computing) Client (computing) Database Cartesian coordinate system Number Uniform resource locator Personal digital assistant Password Statement (computer science) Gastropod shell Table (information) Address space
Word Open set Digital object identifier
[Applause] yeah thank you for a short introduction I'm Siegfried and this is my colleague Stefan and today we will talk about our tracking application investigation we are both from Germany from a research institute called fron / s IT it's located in Darmstadt close to Frankfurt few words about - ourselves so I'm secret I'm leading a research group at this Research Institute called secure software engineering and our main focus is on static and dynamic code analysis so writing new analysis in order to find vulnerabilities in binaries as well as soft source code I'm also a founder of the team called team sick which I would say in a second and a founder of coding spec which is a reverse engineering tool for Android so Stefan would you like to say a few words about yourself hello my name is Stefan I belong to the test lab mobile security group I'm also developing static and dynamic analysis tools and in my spare time I'm digging around bit with IOT stuff and together with Siegfried I'm a co-founder of our hacking team thank you so we talked about this team 6 so what we presented that is not the results of both of us it's basically the results of our team which is called team sick so what is it a few words about it it's a research it's a hacking group so we meet once a week in our spare time so the tip Cup the team consists of researchers from its Research Institute as well as students around our universities around the University and so we usually look into different interesting projects then we try to find some vulnerabilities and that's basically the goal to learn from each other so the credits definitely go to those brilliant students and researchers mentioned below two of them are actually here in the audience good so before we start with the talk I'm a short beer announcement since your body already know from Germany and actually from Munich or close to Munich we thought it might be yet another cool idea to bring or import some boxes of beer since this is our third first Def Con talk we imported two boxes of beer this year so after the talk feel free to come and grab a cold beer there are 40 points for you guys thank you so let's get
started short agenda for today I will start with a little bit of motivation and then do a little background information and then we dig into our results of our security findings first topic is client-side authorization I will explain what I mean by that then we will talk about the client-side vulnerabilities and then we talk about server-side vulnerabilities in the end a few words about responsive disclosure because this was funny this year and a summary in the end good motivation so when I started when we started putting the slides together I said how can I motivate tracker application so while you first of all think about surveillance so looked a bit up online and I found a cool blog post about a CIA Museum and while for instance in the 60s already there were some radio receivers inside a pipe so very small stuff which was very interesting to see in the 60s again like camera inside a pack of cigarettes to hide and to to audio record a video record at the environment and in the 70s like a microphone fit already into a dragonfly in order to to spy on people so I guess you already get it this was the past so how is it right now I guess we all have it in our pocket it's the smartphone well because there are lot of sensors in it like GPS and this kind of stuff so you get a lot of information from people this is the reason why there's already spy ver and wrapped abusing this this stuff and and extracting all the information and use it for whatever reason what we also ask ourself or we ask are there any benign reasons or are there any good reasons to use such kind of apps or surveillance apps or tracking applications and then we found three different topics which was interesting so first of all families so there are apps out there were adults wanna know where the child's are so they want to know if they are whatever safe in the environment based and location information there are couples which was interesting like track my boyfriend track my girlfriend apps I don't know why they do this so they mutually agree on installing the application and whatever to check if they are not cheating on each other I don't know but there are many of them out there and friends as well so you want to know where your body is in order to meet or whatever so there are benign reasons the question is how do you differentiate between the good and a bad now right because from an implementation perspective both are implemented in the same way so for this we looked up on google play and we found this kind of apps so we thought there might be a definition what are good apps and what are bad apps so I found well one of them is the Android security report stated it that commercial spider is any application that transmits sensitive information off the device without user consent and does not display a persistent notification that this is happening so this means if you want to install a benign tracking application and if you want to upload it to the Play Store you need to show the monitor person notifications like whatever right now I'm accessing your location information whatever and I'm sending it to your mom some kind of this if this is the case then this is a legitimate app and if not and it's considered a spy ever and it shouldn't be in the Play Store this is at least what we found good so so we've only focused in this talk or in our project on those legitimate apps and we ask ourselves the question because they're collecting a lot of data how well is that the collected data protected on the client side or on the server side for that well
we looked up Google Play Store we typed in tracking application track my friend tracked my girlfriend and then we found 19 different apps why is this an odd number well we just found out a few of them the first hints and at some point we stopped and then what we found so many vulnerabilities that at some point we got bored and this is the why there are 19 this is no special reason for a 19 so we looked at we at least get those that have the most installations based on the Google Playstore statistics and another point is we only look for free applications so I know that there are a lot of commercials fiber applications out there those were not the target in this project only there are ones where you can download for free and you get for free and you can use for free so as a spoiler we found 37 different vulnerabilities in total a very very sensitive ones and well in this talk will show a few of them or at least a few categories of them good before we yeah two takeaways of this talk so what will you learn today I have to tell you that if you expect any sophisticated exploit in this talk unfortunately have to disappoint you so it was in this project very very easy to get access to all this highly sensitive data and even to do mass surveillance in real time and we usually play this game of can we upgrade the applications which but you have to pay for premium features can be upgraded for free and yeah we will also say a few words about that and yes it was possible that again this year good then I will come to the background information just very very small background information very easy setup that we are all at the same page so how does this work so usually you have this application and you have an observer in a monitored person and both install this application and then there is some kind of pairing process where they know okay I belong to this guy or whatever I can monitor this person and on a monitored side while it collects all these sensitive information like location and zone and sends it to the backend and in the backend side basically the observer holds the information saying hey right now I want to know where my kitties or whatever so on this this means under on the backend side there are information like location information call history text messages whatsapp messages whatever and apart a couple of application also had the kulfi of installing a messenger into these tracking applications of this means that you can chat with your girlfriend or whatever so you also can send pictures and videos and this is important for the remaining talk so in all these data are stored in the backend so what are the attack vectors here well as I said the usual game can be upgrade premium features for free so we will say a few words about that then obviously the two communication channels can we do a man-in-the-middle and how was it implemented how was the protocol implemented we will say a few words about that and then our last an attack vector is the back end basically good so in the following we will talk about all of those three stages now first client-side authorization so before I do this I start with we all know this but just to get clear what how what it means to do to access the sensitive data so you have an observer and you would like to access sensitive data or data from the backend so there are usually two steps involved first authentication including identification and then authorization that your authorized that check is on the back end that which checks if you're allowed to access this data we all know this but I'm just saying and then what we saw is usually so there was most of the time this kind of authentication process many times broken many times there was none but at least it was it there and then there was something we found a client-side authorization and I will explain this in a second so I will show you four different examples what we found out which was not okay good the first one
yeah as I said the usual game of premium features so this kind of applications contain some features which are disabled by default and if you pay forever five dollars or something like this then you get super cool premium features one of them is for instance and removing advertisement that you have read get your not seen advertisement anymore very easy so we asked ourselves how was this implemented to for instance get rid of the advertisement and then we looked into the code and we found the following
sher preferences get boolean l ads for instance then there was a check if removed so if this flag is set to true and if yes then they basically this disable this few on the client side for those of you who don't know the code here or what it what the share preferences is in Android share preferences is a file that comes with the application it's an xml-based XML based file and it has a key value pair so in this case this L adds for instance was set to false if you set it to true then you basically can get rid of the advertisement the question is for those who don't know it can how can we manipulate this file while there are basically two ways first one if you have a rooted device it's very easy to change this value on an unrooted devised you and the application allows you to back up so you back up the application including this file then you can't then you do you modify the file and then you restore it this is all known and well known from other from the past then when
we looked into this share preferences file we found some other cool settings there so one of them was SMS full so SMS full is like in from the money to a person all the text message or basically can be can be accessed by the observer so the full text message because they want to know if the girlfriend or boyfriend is cheating or whatever so they want to exactly know what's going on and as I already mentioned so if you set this one die from false to true oh yeah sorry I forgot to say so what does this fool mean this fool means if you did not pay you only get the first X characters of the text message and if you pay then you get the complete text message as an observer well if you set it to true already learn this right now then you get the full text message but the question was how was this implemented it was implement such a white so the observer basically said hey please give me all text messages from this guy or from a kid or from a girlfriend and then a server says yeah okay sure um you get the complete text message text my one two three like the complete one and then at the client-side there was a check like okay so if you did not pay I only show the first few the characters and if this is not the case I basically see the complete text message and this laughs this was a little bit funny to see and you shouldn't do this because I mean come on so yeah good
so next stage the second stage of this kind of of box were so as I said there are basically these two roles you have a parent which has the admin role and then you have your kid which has less privileges and if you're an admin you can create a new admin or whatever any small and you can monitor basically your kid and the question was okay how do these apps differentiate between an admin or a parent and a child a children so and the question was yeah there's a shared preferences file and there is a set called is parent and if this guy is set to true then your parent and then your admin so this means if you are the kid and you change your chef preferences file to true then you're an admin and can spy back to your parents if you want [Music] good next stage another example of this kind of guess you already get this thing so there was the application that contained additional security protection mechanisms which want to open the application and you can enter a pin and then it asks you for the pin and if you enter the correct pin then you own then you can access the application of the data in the application so this is a good security feature the question again was how was this implemented and I guess
you already get this kind of kind now there was a flag in the share preferences file this time PFLAG so it's not so directly pointing to remove to lock screen or something and if you set this to false then you do not see any lock screen at all even if you edit a pin or something you can directly access the data there yeah and last but not least and obviously the same also work for log-in so honestly so there is an ease login and if you were locked in before so they store basically the username and password and if you set this guy to true it automatically locks you in even without typing the username and password again share preferences I mean so the last
slide here in this case is please do not use share preference for authorization checks so for those of you who are about Contras so please look into share preference this is always fun and you find a lot of stuff and for the develop these don't use this again we talked about this two years ago and last year about share preferences and there are for sure more apps that don't underst or developers that don't understand this so please don't do this again good so this was it from my side I will now hand over to Stephan who will continue with the remaining slides okay thank you thank you I will explain the rest of our findings and vulnerability small first the client-side and communication vulnerabilities and for the people who are not aware about the concept a few words about man-in-the-middle attacks the basic idea is just to get as an attacker between the communication so between the user and the backend and try to if drop or even manipulate the communication if for instance the app communicates in plaintext this would be very easy for an attacker we can because it can read everything change data and so on another case would if the app has implementation flaws like it uses a broken encryption or has errors so that the attackers easily can can bypass the encryption and the last step so this would be the only reliable protection against man-in-the-middle attacker to implement secure correct and confidential integrity protected authenticated communication so our first step as I mentioned men in the middle attack we had an application where it was required to sign in and we wanted to know how secure is this login process so as a user you have to enter your credentials as an attack of your
observed them the first thing you can see it's HTTP connection so it's plaintext so man in the middle attack err would be able to read the plaintext credentials but as you can see in the scatter request there are not our credentials so we replied a few times so to get or to see some pattern and as you can see we have different parameter names and different parameter positions but we have always two same parameter values so this this looks interesting and we dig now and to do the code to find more about the implementation the first thing we saw was a hard-coded
encryption key reverse engineering then decide with whom we saw okay the user data or the username is exhort with this key base64 encoded and there was a predefined set of random values one of them was randomly picked and combined with the username this is the same procedure for the password so this means if we now can as a man-in-the-middle attack or observe the traffic we just simply take the value decoded it's alright and we get there densha's in plain text the other
parameters we saw so were garbage so even we had two additional parameters that are also randomly selected from a predefined set and but they had no no value and this this is some kind of beautification we don't know why this was done by the developer but it's the wrong way so as I said if you were able
to eavesdrop this data you can decrypt it get the login data and authenticate how to do it rightly in Android so
secure communication is not so hard you just have to do an HTTP connection use TLS 1.2 or then later 1.3 you just need a valid server certificate to get it for free for instance from let's encrypt and on the Android side doing HTTP is very easy define a new H a new URL object open a connection yeah and and that's all then it's done okay so the next thing we saw problems with authentication a secret already mentioned the apps are transferring all the the tracking and location data to some kind of back-end in most cases this back-end hosts the database and if you want to connect to a database for instance in Android you have to instantiate the database driver and then you have to establish a connection now what we saw in the application is a typical pattern how you should not do it in an application at first they establish the connection so you need the UL you need a login name and you need a password and the problem is now the password is stored in the application this means everybody who has access to the application or to this code can simply extract the password so when the username has to L and has complete access to the backend storage for all the data's restored we had a few apps
you see a simplified database scheme so this back-end stores the email address and name and especially also the location information and in our findings we in common had eight at 60,000 different tracking apps our locations and even if you make regular a request or query you also can observe or track the people in real-time because the app regularly sends updated daters to this database that's not all of
course so when we looked also in the code a bit step further we thought okay
SQL so they were SQL you should in the right values prepared statements you can see okay they already define a prepared statement and now we would expect some some method which will set the values in this statement but what we see was they override the prepared statement with a concatenated statement and as a user you can for instance control the email address and this sample what you see here is a classic SQL injection vulnerability so the app is broken already by design but we stumbled above this additionally so I don't want to be
amplified but this is really stupid code
okay now there are more exciting things let's get to the servers which are hosting all the daters secret already introduced vfn we need an authentication process and authorization process and we try to analyze and find if there are problems design flaws or rather vulnerabilities to bypass or break these processes so we have
different let's say stages of vulnerabilities and findings in some five and I will now explain the different findings on the server-side so
the first thing is not really a vulnerability it's more let's say a feature or as usability thing the application after the installation has by design or by default an option which says all located and tracked data are sent to the backend and everybody has access this means they are freely accessible so this is kind of let's say a design flaw better option would be some opt-in where a default is not everybody can access it and if the user agrees he can activate that everybody can access this data how look this data or how can you access it it's very easy you just need to know the website and the username of the person you want to track or want to listen and
for this we have a prepared a short demo video so if you go to the website you
just as I said you have to know the URL of the website then you have to enter a username for this we choose a random user name and call the user not user sexy if you open it you already see you get some some tracking on Google Maps now you can open details you see when the track was stored you also click on done and this track button you get the correct location when the track was stored the starting time you get some some kind of profile information the the altitude and so on here you see the ot2 diagram and now we also can track or reply the track of the person you can see okay he's entering his car you see his speed he's driving around because of the connection with with Google Maps you can also zoom in or looked anindita so we can see ok the
person is going to some some school he's driving around and so on it's also bit
curious this is in this track the person is going to a school at 1:00 p.m. it's he's moving between the school and the
ATM several times don't ask what she's doing or he's doing there and yeah at the end she's just going back to his home address ok as I said we this was just a feature
this was not really a buck but this is
not all we so stumble about a buck in this website
so this is not a feature this is a buck in form of an XSS
so next step authentication problems sometimes you have the impression your authentication what we took another
application if you look at the traffic of the application or reverse-engineer code you see some HTTP requests in there it's already mentioned nothing new plaintext communication then we have a user ID the user ID is the the idea of the user itself so that the person wants to monitor something this user ID was protected by Caesar encryption I don't know why it makes no really sense then we have the child ID this is the idea of the person you want to observe this is a simple ten digits large number and we have the current date this is the date when the last tracking of the person was stored and as you can see this is not a very complex request if you can also trial or guess the this child ID if the person you want to monitor if you enter this the host responds the whole track of the person we choose this tracking Tator and printed it into some Google Maps and here you see some tracking profile of one of our students and this is completely accessible without any authentication login process or whatever everybody who knows this well can track other persons ok secret already introduced some some additional features apps also have the possibility to send or track text messages and the question was can you also get this messages oh sorry
if you look into the traffic again to get a message from the monitor person you have to make a simple and there's a API you have to make a simple post request you get a number how much SMS you want to have from this user and his user ID so after that you get a timestamp and the phone number and the message is the monitored person sent now what happens if you let the user ID empty you get all stored text messages from the server
yeah okay so as you see this is not no rocket science we have no real complex exploits you just have to know how to to use your browser and send a ul now we
get into exploiting we have your SQL injection very simple so again we have
another type of app and in this app it's also possible to track a person here you have to know that the mobile number of the person so this means the a back-end provides an API if you enter the mobile number you get there the longitude latitude the location times number of the person you want to monitor okay now a little spoiler we're talking about SQL injection so what do you think what happens if you do this yes you get all data phone number location data from the backend if you look at the history the first recording started in the you 2016 that's all simple SQL injection the next
one is a bit more on let's say complex SQL secret also mention additional features like messenger functions of people can for instance with your girlfriend you can exchange images as in unusual messenger this images are stored on a cloud system and of course there's one cloud for all images not every user has its own cloud and in this case the user needs to authenticate at the cloud back-end I also filter this means ok this user has authenticated the images belong to the user so he just gets the images of his girlfriend or not images of foreign people the question is now can we somehow bypass this authentication or were we able to compromise the cloud spoiler a little
demo so
if you take a look at this cloud it already provides some some simple web interface by the way we have to obfuscate the UL because this bug was still not fixed from the vendor so we provide the cloud storage provides us some kind of simple web interface but you see with une enter the UL and the browser we get no images because we are not authenticated and we are in this section SQL injection so let's try a simple SQL injection at a parameter that should be in the upper corner a bigger image of the injected of the SQL injection you can see it here and surprise surprise we get a preview of the images stored on the cloud system we can also open these
images and download and as you can can imagine if people are exchanging images and have the possibility to exchange images they also will exchange not just burgers or or selfies they will also exchange more private or sensitive
information let's say from the section of adult entertainment and so on so we also found a very sensitive data on the cloud and yes we I cannot say how much
data we did not count them or download them because of privacy reason and so on
and as I said the buck is still not fixed ok and so in this way we would be able
to dump all images so yeah thank you then the last step these were just images now we want to go to the crown jewels so can we get the credentials and one one of our application had a strange let's say installation process so the app we were able to recognize if it was already installed on the device so they had some special installation procedure this means when you install the app the first time it's generates some kind of device ID and stores this on the back end and you remove the application and reinstall it it requests to the server for the device ID and comparison is able to detect ok I already was installed on this device and if it realized that it already was installed on the device the server already sensed the username and the password and the email address back to the application so our first idea was ok the device ID how can we prove it but the problem is the the device ID is a long number it's very complex and then it's an inept a monistic number you can perhaps reproduce it but it's not the best way so our rather trick let's the idea empty does also not work so let's try an SQL injection here you see a little curl command which is doing the the request with the SQL injection and what we get was a stored user credentials the username user ID the password in plain text now you can imagine we can iterate over all values and all in all we were able to could extract over 1.7 million debtors passwords credentials everything in plaintext so if you think what the fuck
so then okay there's there's more surprise surprise a few words at first about
firebase who is not aware it firebase is a service from from Google supporting web for app developer they're providing service for crash analyzes analysis cloud messaging or storage in our place we focus on two services the one is a real-time database and the other thing is an authentication process or an API for this so just imagine this real time database like a classic database if you're not aware about this firebase service so we have another app they have
implemented an authentication process they hosted their own authentication server and as a user or as an attacker at first you have to send a login request for this you have to send the user email in our case as an attacker we will send the victims email on this back-end there's a there's a database a classic database with a public available table and this table stores the user email and the corresponding user ID and so if you are sending your post request the database is curing the database if he finds the corresponding email address he replies this user ID in the next step
the app now tries to access to this firebase database by sending the user and this query door corresponding user ID to get access to the stored data so we're clearing in this user ID in
this publicly available table and as a response we get the location tailor the
address date when the request was sent so this was the first thing and yes you can imagine guessing the email address you will get really easy access I'm
sorry I have found in this movie not a better facepalm but this is the first one so in the next step you see the app
or the database back and also replies the user credentials back to the app because the question is now why yeah this is an example how you should not do it the developer implemented a client-side verification this means they're expecting the credentials from the server and comparing it in the application and if it's correct they allow access so think you're aware of it it's not the correct way how to do this another thing is our Oh trick what do you think what happens if we remove the user ID of course we get all
stored status from this database containing location address daters user credentials security token whatever yeah
shit happens
it's sometimes easy to bash people so what's the problem here the first thing is they did not set any any authorization rules on the firebase this is always a common problem developer are not aware about this thing and they use some default configuration and then the the authorization is disabled further thing as I explained if you're doing authentication you don't do it on the client side you have to do this on the server side and especially if you if you want to work with firebase then use the SDK don't construct any strange code construct by yourself the SDK supports Google sign-in you can use custom email password sign in Facebook whatever they already implemented it in the correct way in this SDK it's also possible to use your own authentication back-end there's a good tutorial on the firebase side if you do this step by step you're on the right way but don't do anything with public available databases construction and other weird things okay a few experiences about our responsibility loader process of course we inform informed all vendors we gave them 90 days to fix them but nine days are not strict if the vendor says okay I need longer because of some development cycles or whatever we say it's ok as long as you fix it this time we got a few strange reaction the first one is as expected we will fix it thank you everybody is fine the second is yeah sometimes you have no reaction one reacted how much money do you want they stop we want to - if drop them but then we clarified now just won't give you the Darin report please fix it yeah the last thing it's not a bug it's a feature for this people are a manufacturer who do not react on our emails we try to involve Google Google has this app security improvement team and also security team we wrote an email to them send the advisories reports everything but we did not get any direct replay or any reaction last week we checked the store and twelve of the applications were removed so seven are still vulnerable I also did air the demo video you saw this back-end is still active and nobody is reacting so a short summary of our talk as always as you saw don't use plain text communication Mobile is a radio communication it's in most cases it's very easy to eavesdrop sniff from many Palladio daters SQL prepared statements it's nothing new each especially Android I provide a huge API of four SQL and prepared statements if you're doing app development don't don't just focus on the app if you use back and this is this is a bunch you you have to to consider also the security on on the backend side and very important also don't store any user secrets like passwords encryption keys whatever on the client side everybody who has access to the app and there are a lot of people who are like reverse engineering Android apps it's very easy to extract the information also a Sigfrid already explained the shared preference thing if you have anything any special feature you need a license google provides an API for this and also if you're working with firebase use read the firebase tutorials use the authentication and authorization api they provide here you see at the end again a list of the apps we analyzed so you can see the left column other apps with the client-side vulnerability the right side this were apps for the backend is involved were able to access look hater or even all stored data if you look at the table nearly all all apps especially in the back end were vulnerable against some some type of attack so this is the end
of the talk so thank you for your attention to two last words all our findings we wrote for also for the vendor we wrote advisories the advisories are accessible on the on the website fine on the findings and the last thing who wants to talk with us or discuss or has a question come to us grab a cool beer we also have a bottle opener so you don't have to be thirsty and thank you again [Applause]