FaceApp is currently under heavy scrutiny in the press. Many articles and some American politicians claim that the Russian mobile application collects and exfiltrates its users’ personal data, without specifying which data. Real threat or fake news? The FaceApp security analysis performed by the Pradeo Security engine clarifies things. Here is part of it.
App ID
Name: FaceApp
Package: io.faceapp
Version: 3.4.9.1
Personal data processed by FaceApp
Pictures taken via the camera in the app -> Sent to FaceApp servers
Pictures selected in the gallery -> Sent to FaceApp servers
Gallery -> Used locally, not sent to the network
Device data processed by FaceApp
Device identifier -> Sent to Google-owned analytics servers
OS Version -> Sent to Google-owned analytics servers
Device manufacturer -> Sent to Google-owned analytics servers
Device name and model -> Sent to Google-owned analytics servers
Vulnerabilities
The application doesn’t contain any code vulnerabilities.
To conclude, pictures are the only sensitive data processed by FaceApp. The application does send the selected pictures to its servers, but contrary to some claims posted on social media, it doesn’t leak the gallery and therefore doesn’t exceed its permissions.
When it comes to distinguishing real threats from false alarms, accuracy is key. Pradeo provides companies with solutions to access applications’ security reports and see in a few seconds whether or not they represent a real threat.
To learn more about the Pradeo Security global application database and mobile application testing solution, contact us.