FaceApp: What our security report shows

Posted by The Pradeo Lab on July 25, 2019

FaceApp is currently under heavy scrutiny in the press. Many articles and some American politicians claim that the Russian mobile application collects and exfiltrates its users’ personal data, without specifying which data. Real threat or fake news? The FaceApp security analysis performed by the Pradeo Security engine clarifies things. Here is part of it.

 



App ID

Name: FaceApp

Package: io.faceapp

Version: 3.4.9.1

 

Personal data processed by FaceApp

Pictures taken via the camera in the app -> Sent to FaceApp servers

Pictures selected in the gallery -> Sent to FaceApp servers

Gallery -> Used locally, not sent to the network

 

Device data processed by FaceApp

Device identifier -> Sent to Google-owned analytics servers

OS Version -> Sent to Google-owned analytics servers

Device manufacturer -> Sent to Google-owned analytics servers

Device name and model -> Sent to Google-owned analytics servers

 

Vulnerabilities

The application does not contain any code vulnerabilities.

To conclude, pictures are the only sensitive data processed by FaceApp. The application does send selected pictures to its servers, but contrary to some claims posted on social media, it doesn’t leak the gallery and therefore doesn’t exceed its permissions.

When it comes to separating real threats from false alerts, accuracy is key. Pradeo provides companies with solutions to access applications’ security reports and see within a few seconds whether they represent a real threat or not.

To learn more about the Pradeo Security global application database and mobile application testing solution, contact us.

 


Topics: Mobile Application Security, Expertise