Lately in the news, we’ve read a lot about popular apps performing malicious and intrusive behaviors. The fact is that as users, we only see a tiny part of the actions performed by mobile apps, the rest of them being silently executed. Comparable to an iceberg, 90% of an app’s actions are hidden and consequently, hard to control.
To provide a proper service, an app needs to access some data such as the user's location, their list of contacts, their photo gallery… Once collected, that data is either placed in local files, sent over the network to a distant server, or both. When users allow an app to access a particular piece of data or content, they assume the app will only use it to function properly. However, apps often go further than that, and it has become difficult to define where the line is between convenience and data leakage.
Our behavioral analysis engine scans thousands of mobile apps every day and the results are unequivocal: most apps overly process the data they collect, sometimes raising ethical questions.
As the Uber app has recently made the headlines, we decided to publish the key elements detected by our engine on this application. Here are the main outcomes:
- The app sends user information and phone data to 9 known distant servers (analytics, payment, ads...)
- The app sends user’s contacts information over the network (name and phone number)
- The app features 3 OWASP vulnerabilities
- The app checks if the device is rooted to run specific commands
DETECTED BEHAVIORS
The app checks if the device is rooted to run specific commands
The app generates a public encryption key (to encrypt content, or to verify the signature of messages it receives and the identity of the sender)
The app generates a private encryption key (to sign content, or decrypt messages it receives)
The app plays an audio or video record
The app changes the camera settings
DATA SENDING
This table shows an extract of what data is sent to which distant server.
Destinations:
- https://www.paypalobjects.com (Paypal library)
- https://logs.juspay.in (Payment tracking)
- https://settings.crashlytics.com (Crash report monitoring)
- https://api.paypal.com (Paypal API)
- https://paypal.112.2o7.net (Paypal third-party server)
- https://api-m.paypal.com (Paypal API)
Data sent:
- User data: Contacts information (name, phone number…), User location
- Phone data:
  - Device identifier: IMEI, Hardware serial number
  - Mobile network information: Service provider name, network type (3G, 4G, UMTS…)
  - Network information: MAC address, Wi-Fi connection state
  - Device information: Manufacturer, commercial name (e.g. Nexus 4), Battery level, Maximum level of battery, Operating System version number

Destinations:
- https://googleads.g.doubleclick.net (Google Ads server)
Data sent:
- User data: Contacts information (name, phone number…), User location
- Phone data:
  - Device identifier: IMEI, Hardware serial number
  - Mobile network information: Service provider name, network type (3G, 4G, UMTS…)
  - Network information: MAC address, Wi-Fi connection state
  - Device information: Manufacturer, commercial name (e.g. Nexus 4), Battery level, Maximum level of battery, Operating System version number
- App data: App's preferences, File coming from app static data (data compiled in the app)

Destinations:
- https://csi.gstatic.com (Delivers static content for Google)
- https://www.google.com (Google)
Data sent:
- User data: Contacts information (name, phone number…), User location
- Phone data:
  - Device identifier: IMEI, Hardware serial number
  - Mobile network information: Service provider name, network type (3G, 4G, UMTS…)
  - Network information: MAC address, Wi-Fi connection state
  - Device information: Manufacturer, commercial name (e.g. Nexus 4), Battery level, Maximum level of battery, Operating System version number
- App data: Cache file
OWASP VULNERABILITIES DETECTED
LOG: The app writes data in log files. A third-party app may execute a command that allows it to read the logs that might contain potentially sensitive data.
IMPLICIT-INTENT: A malicious activity or service can intercept an implicit intent and be started instead of the intended activity or service. This could result in the interception of data or in a denial of service.
X.509TRUSTMANAGER: Unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making the app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection.
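To make the X.509TRUSTMANAGER finding concrete, here is an added example (not code from the analyzed app) showing the "trust everything" anti-pattern next to the approach that keeps the platform's certificate validation, plus a small check that flags a trust manager accepting an empty chain; the class and method names are our own.

```java
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

// Added example, not code from the analyzed app: the anti-pattern behind the
// X.509TRUSTMANAGER finding, followed by the approach that keeps platform validation.
public final class TrustManagerExample {

    // INSECURE: every method silently accepts, so any certificate (self-signed,
    // expired, issued for another host) passes and TLS no longer authenticates the server.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // SECURE: delegate to the platform's default trust manager, which validates the
    // chain against the device trust store and checks validity dates; hostname
    // matching is then handled by the default HostnameVerifier.
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = use the system default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("No X509TrustManager available");
    }

    // Detection helper usable in a unit test: a trust manager that accepts an empty
    // chain is almost certainly a "trust all" stub. The default implementation
    // rejects an empty chain with IllegalArgumentException.
    static boolean acceptsEmptyChain(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return true;   // no exception: accepts anything
        } catch (CertificateException | IllegalArgumentException e) {
            return false;  // proper implementations reject an empty chain
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("trust-all accepts empty chain: " + acceptsEmptyChain(TRUST_ALL));
        System.out.println("platform accepts empty chain:  " + acceptsEmptyChain(platformTrustManager()));
    }
}
```

The same empty-chain probe can be applied to any X509TrustManager found in an app's bytecode during review, which is a cheap way to confirm this class of finding.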
Application analyzed:
Uber - Android version 4.173.3
sha1: 0526cee8bce8fd86fe0f880882244bf830f4392c
Package: com.ubercab