
SESSION ID:

#RSAC

Roman Unuchek

LEAKING ADS – IS USER DATA TRULY SECURE?

ASEC-T08

Security Researcher, Kaspersky Lab

# RSAC

FINDINGS

2

4 million apks exposing data

Device information, user information, GPS coordinates

Advertising SDKs

# RSAC

THE BEGINNING

3

List of installed apps

GCM ID

Personal information (DOB, name, gender..)

App usage

GPS coordinates

# RSAC

THE BEGINNING

4

Device information

Personal information (age, gender)

GPS coordinates

# RSAC

My own Device

5

Device information

Network information

Token for push messages

GPS coordinates

# RSAC

SDKs

6

# RSAC

SDKs

7

[Chart: 3rd party code in apps; values shown: 25%, 20%, 10%]

# RSAC

DATA

8

Since 2014, more than 4 years!

13,622,391 APK files

131,203,322 unique urls

14,906,467 PCAP files

# RSAC

DATA

9

GET POST

# RSAC

TOP URLs

10

mopub.com

rayjump.com

9apps.com

advertise.1mobile.com

applovin.com

tapas.net

appsgeyser.com

appioapp.com

taobao.com

duapps.com

apps.ad-x.co.uk

typany.com

mobpowertech.com

api.zephyr-digital.com

salmonads.com

lds.lenovomm.com

afric.wocao.in

config.cloudzad.com

m.mobogenie.com

cabinet.taximaxim.ru

# RSAC

mopub.com

11

&dn=samsung,GT-I9300,m0xx [device info]

&w=320&h=480 [device info]

&mcc=624&mnc=1 [network info]

&bundle=com.some.app [app name]

&q=gender:m,age:27 [personal info]

&ll=47.6144939,-122.1964071 [coordinates]

Mitigation: do not provide user data to 3rd parties

# RSAC

mopub.com

12

# RSAC

rayjump.com

13

&platform=1&os_version=4.1.2 [device info]

&model=GT-I9300&brand=Samsung [device info]

&screen_size=320x480 [device info]

&mnc=1&mcc=250&network_type=1 [network info]

&package_name=com.some.app [app name]

Mitigation: limit permissions

# RSAC

rayjump.com

14

# RSAC

tapas.net

15

&model=GT-I9300&vendor=Samsung [device info]

&op=2501 [network info]

&pkg=com.some.app [app name]

&ll=47.6144939,-122.1964071 [coordinates]

Mitigation: limit permissions

# RSAC

tapas.net

16

# RSAC

appsgeyser.com

17

&dpi=160&screenresolution=320x480 [device info]

&androidversion=16&istablet=false [device info]

&manufacturer=samsung&devicename=m0 [device info]

&connectiontype=EDGE&operator=MTC [network info]

&aid=83acb4abaf9ac91e [android id]

&tlat=0.0&tlon=0.0 [coordinates]

# RSAC

appsgeyser.com

18

# RSAC

GET

19

GET

# RSAC

GET

20

POST

# RSAC

ushareit.com

21

cmd_type_install_app

[device info], [android id], [imei], [imsi]

# RSAC

ushareit.com

22

# RSAC

nexage.com

23

Device information

Network information

GPS coordinates

Mitigation: limit permissions

Camera

NFC

Bluetooth

Microphone

Location

# RSAC

nexage.com

24

[Kids][Income][Education][Ethnicity]

[Politics]

# RSAC

nexage.com

25

# RSAC

quantumgraph.com

26

Device information

GPS coordinates

Personal information (DOB, name, gender, email, etc)

App usage

Mitigation: update SDKs

# RSAC

quantumgraph.com

27

# RSAC

other

28

# RSAC

CLOUDS

29

# RSAC

CLOUDS

30

http://ir-2016137559.cn-north-1.elb.amazonaws.com.cn/api/v3/up.php?appid=106a4e0b2f&asver=16&aver=4.1.2&brand=samsung&ch=xiaomi&co=US&imei=369214967775679&lang=en&model=GT-I9300&net=gprs&packageName=com.some.app&ph=+5047394794295&ppi=320x480

&imei=369214967775679 [imei]

&ph=+5047394794295 [phone number]
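The per-SDK slides above and this cloud endpoint all show the same pattern: a plain-HTTP request whose query string carries device, network, app, personal and location data. The following is an added example, not part of the talk, of a defender's triage script for such traffic: it takes URLs (for instance exported from PCAP captures as the research did), groups query parameters into the categories the slides use, falls back to value-shape checks for renamed parameters, and flags cleartext requests that carry identifying or location data. The parameter names come from the slides; the category table, the value regexes, the sample URLs (hosts from the slides, paths constructed) and the risk ranking are the example's own assumptions.

```python
"""Classify query parameters of cleartext (http://) ad-SDK requests.

Added example, not code from the talk. Parameter names are those shown on the
slides; the grouping, regexes and sample URLs are constructed for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names grouped by the data category the slides assign to them.
CATEGORIES = {
    "device info": {"dn", "w", "h", "platform", "os_version", "model", "brand",
                    "vendor", "screen_size", "dpi", "screenresolution",
                    "androidversion", "istablet", "manufacturer", "devicename",
                    "asver", "aver", "ppi"},
    "network info": {"mcc", "mnc", "network_type", "op", "connectiontype",
                     "operator", "net"},
    "app name": {"bundle", "package_name", "pkg", "packagename"},
    "personal info": {"q"},
    "coordinates": {"ll", "tlat", "tlon"},
    "android id": {"aid"},
    "imei": {"imei"},
    "phone number": {"ph"},
}

# Categories that identify a person or device, or expose location (assumption).
HIGH_RISK = {"coordinates", "android id", "imei", "phone number", "personal info"}

# Value-shape fallbacks so a renamed parameter is still caught.
LATLON_RE = re.compile(r"^-?\d{1,2}\.\d{3,},-?\d{1,3}\.\d{3,}$")
IMEI_RE = re.compile(r"^\d{15}$")
PHONE_RE = re.compile(r"^\+?\d{10,15}$")
ANDROID_ID_RE = re.compile(r"^[0-9a-f]{16}$")


def classify_param(name, value):
    """Return the category of one query parameter, or None if not sensitive."""
    lname = name.lower()
    for category, names in CATEGORIES.items():
        if lname in names:
            return category
    value = value.strip()  # parse_qsl decodes a literal '+' as a space
    if LATLON_RE.match(value):
        return "coordinates"
    if IMEI_RE.match(value):          # checked before the phone pattern
        return "imei"
    if PHONE_RE.match(value):
        return "phone number"
    if ANDROID_ID_RE.match(value):
        return "android id"
    return None


def analyse_url(url):
    """Report host, cleartext flag and sensitive parameters grouped by category."""
    parts = urlsplit(url)
    found = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        category = classify_param(name, value)
        if category:
            found.setdefault(category, []).append(name)
    cleartext = parts.scheme == "http"
    return {
        "host": parts.hostname,
        "cleartext": cleartext,
        "leaks": found,
        "high_risk": cleartext and bool(HIGH_RISK & found.keys()),
    }


def summarize(urls):
    """Count cleartext requests and those carrying high-risk data."""
    reports = [analyse_url(u) for u in urls]
    return {
        "total": len(reports),
        "cleartext": sum(r["cleartext"] for r in reports),
        "cleartext_high_risk": sum(r["high_risk"] for r in reports),
    }


# Constructed sample URLs built from the parameters shown on the slides.
SAMPLE_URLS = [
    "http://mopub.com/m/ad?dn=samsung,GT-I9300,m0xx&w=320&h=480&mcc=624&mnc=1"
    "&bundle=com.some.app&q=gender:m,age:27&ll=47.6144939,-122.1964071",
    "http://ir-2016137559.cn-north-1.elb.amazonaws.com.cn/api/v3/up.php?appid=106a4e0b2f"
    "&asver=16&aver=4.1.2&brand=samsung&ch=xiaomi&co=US&imei=369214967775679&lang=en"
    "&model=GT-I9300&net=gprs&packageName=com.some.app&ph=+5047394794295&ppi=320x480",
    "http://rayjump.com/req?platform=1&os_version=4.1.2&model=GT-I9300&brand=Samsung"
    "&screen_size=320x480&mnc=1&mcc=250&network_type=1&package_name=com.some.app",
    "https://ads.example/req?model=GT-I9300",  # TLS: same data, not cleartext
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(analyse_url(url))
    print(summarize(SAMPLE_URLS))
```

The value-shape checks are deliberately narrow (exact IMEI length, 16 hex characters for android_id, a decimal lat,lon pair) so that ordinary numeric parameters such as screen size or MCC are not flagged by shape alone.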

# RSAC

LEAKED DATA

31

IMEI, IMSI, android_id

Device information

Location

Personal information

Phone number

Email address

# RSAC

Why is it wrong?

32

Data can be intercepted

Data can be modified

Bypassing Android permission system

# RSAC

User

33

Control app permissions

Use VPN

Check apps

# RSAC

Developer

34

Do not use HTTP

Encrypt all data

[RSA]

# RSAC

Developer

35

Do not use HTTP

Encrypt all data

Update 3rd party SDKs

Test app for HTTP requests before publishing

# RSAC

Developer

36

isCleartextTrafficPermitted

>= Android 6

>= Android 8 in WebView

>= Android 9 - False by default
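The slides above give the platform switches a developer can use: the `usesCleartextTraffic` flag (Android 6), the same flag honoured by WebView (Android 8), and cleartext off by default for apps targeting Android 9, plus the advice to test the app for HTTP requests before publishing. As an added example (not from the talk), the script below models those rules for a pre-release check: given the device API level, the app's target SDK, the manifest flag and a `network_security_config.xml` string, it reports which of the app's known URLs would still go out in cleartext. The Network Security Config (API 24+) overriding the manifest flag, and the API-28 default depending on the target SDK, are platform behaviour; the sample config, sample URLs and the first-match handling of overlapping domain rules are this example's assumptions.

```python
"""Pre-publish check: would an http:// request be allowed by the app's
cleartext configuration on a given Android device and target SDK?

Added example, not code from the talk. It models the platform rules the slides
list (flag from Android 6 / API 23, WebView from Android 8 / API 26, default off
from Android 9 / API 28) and the Network Security Config from Android 7 / API 24.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def parse_nsc(xml_text):
    """Extract cleartext settings from a network_security_config.xml string.

    Returns (base_setting, [(domain, include_subdomains, setting)]) where a
    setting is True, False, or None when the attribute is absent.
    """
    root = ET.fromstring(xml_text)

    def setting(element):
        if element is None or "cleartextTrafficPermitted" not in element.attrib:
            return None
        return element.attrib["cleartextTrafficPermitted"] == "true"

    base = setting(root.find("base-config"))
    domains = []
    for dc in root.findall("domain-config"):
        for d in dc.findall("domain"):
            sub = d.attrib.get("includeSubdomains", "false") == "true"
            domains.append((d.text.strip().lower(), sub, setting(dc)))
    return base, domains


def cleartext_permitted(url, device_api, target_sdk, manifest_flag=None,
                        nsc_xml=None, webview=False):
    """True if a request to url would be sent as cleartext HTTP."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False  # https is not a cleartext request
    host = (parts.hostname or "").lower()
    # No platform switch before API 23; WebView ignores it before API 26.
    if device_api < 23 or (webview and device_api < 26):
        return True
    # Android 9 turns cleartext off by default, but only for apps targeting 28+.
    default = not (device_api >= 28 and target_sdk >= 28)
    if nsc_xml is not None and device_api >= 24:
        # When a config is present the manifest flag is ignored.
        base, domains = parse_nsc(nsc_xml)
        for domain, sub, setting in domains:  # first match wins (assumption)
            if host == domain or (sub and host.endswith("." + domain)):
                if setting is not None:
                    return setting
                break  # domain-config without the attribute inherits base-config
        return base if base is not None else default
    if manifest_flag is not None:
        return manifest_flag
    return default


def check_before_publish(urls, device_api, target_sdk, manifest_flag=None,
                         nsc_xml=None):
    """Return the URLs the app would send in cleartext under this configuration."""
    return [u for u in urls
            if cleartext_permitted(u, device_api, target_sdk, manifest_flag, nsc_xml)]


# Constructed sample config: cleartext off everywhere except one legacy host.
NSC_EXAMPLE = """
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.com</domain>
    </domain-config>
</network-security-config>
"""

# Constructed URLs an app might emit (SDK endpoints named on the slides).
APP_URLS = [
    "http://mopub.com/m/ad?bundle=com.some.app",
    "http://api.legacy.example.com/ping",
    "https://rayjump.com/req?package_name=com.some.app",
]

if __name__ == "__main__":
    print("target 27, no config:", check_before_publish(APP_URLS, 28, 27))
    print("target 28, with config:",
          check_before_publish(APP_URLS, 28, 28, nsc_xml=NSC_EXAMPLE))
```

The useful result is the middle row of the demo: an app that only raises its target SDK to 28 silently blocks the mopub.com request, but any domain-config opening cleartext for a legacy host keeps that host's traffic exposed, which is why the slides pair the configuration change with a traffic test before publishing.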

# RSAC

HTTP vs HTTPS in Apps

37

[Chart: HTTP vs HTTPS in apps, monthly from Mar-14 to Jan-18; y-axis 0 to 120]

# RSAC

FINDINGS

38

90% of APPs are still using HTTP

Exposing device information, user information, GPS coordinates

Due to 3rd party SDKs

SESSION ID:

#RSAC

Roman Unuchek

THANK YOU! QUESTIONS?

ASEC-T08

Security Researcher, Kaspersky Lab