Security Week 06: advertising trackers in mobile applications

The mobile application for the Amazon Ring smart doorbell sends detailed user information to three companies that collect data for subsequent ad targeting, as well as to the Facebook social network. These are the findings of a study by the Electronic Frontier Foundation (news, original article). The results of the EFF analysis can hardly be called a shocking discovery: most mobile applications feed data to ad networks in one way or another. What is interesting is the method used to intercept and decrypt the data, as well as the type of application under study. Unlike most other scenarios, here we are talking about a personal surveillance camera, and such interaction should, in theory, take place with the maximum level of privacy.


But no. The Facebook social network, for example, receives notifications from the Amazon Ring application when the app is opened, about user actions, and data that can identify the owner: the smartphone model, language settings, screen resolution and device identifier. Facebook processes all of this even if you do not have an account on the social network. This is an interesting problem in itself: if you have a Facebook account, you have at least minimal control over the data directly associated with it. If there is no account, there is no control, but the social network still knows something about you. Although not every data set sent to advertisers contains a unique user identifier (such as a first and last name), this is often not required. The combination of data from different applications identifies us better than a passport and tells advertisers about traits and habits that we ourselves may not suspect.

The data analysis was performed with a standard tool: the open-source mitmproxy package. All of the smartphone's traffic is routed through mitmproxy, and a root certificate is installed on the device to decrypt HTTPS traffic. Another necessary step in such cases is to block network access for all applications except the one under investigation; this was done with the AFWall+ application, which requires superuser rights on the smartphone. However, even this combination was not enough: the Amazon Ring application uses its own certificates to communicate with the ad networks (a practice known as certificate pinning), ignoring the ones installed on the system. The report notes that in the usual situation this approach protects user traffic even on a partially compromised smartphone, but it significantly complicates "legitimate" traffic studies. Using the Frida framework, the researchers modified the running application so that it accepts the certificate from mitmproxy.


In addition to Facebook, the Amazon Ring app sends data to the ad aggregators Branch.io, AppsFlyer and Mixpanel. AppsFlyer, in particular, receives information about the service provider in use, several user identifiers, and whether this company's advertising tracker was already preinstalled on the device. Most interestingly, AppsFlyer also receives readings from the smartphone's physical sensors: magnetometer, accelerometer and gyroscope. According to the EFF, the Mixpanel network receives the most private information of all: full name, email, address, device profile, application settings with the parameters of the installed cameras, and more.
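The two paragraphs above describe routing the app's traffic through mitmproxy and which third parties received identifiers. The following mitmproxy addon is an added example, not code from the EFF study: it flags requests to the tracker domains named in the report and lists the identifier-like fields in each body. The hostnames, the field-name heuristic and the request bodies used in testing are assumptions constructed for the example.

```python
"""mitmproxy addon: flag requests to known ad/analytics hosts and list the
identifier-like fields in their bodies. Load with: mitmproxy -s tracker_audit.py"""
import json
import re
from urllib.parse import parse_qs

# Host suffixes of the ad networks named in the EFF report (assumed hostnames).
TRACKER_SUFFIXES = {"facebook.com": "Facebook", "appsflyer.com": "AppsFlyer",
                    "branch.io": "Branch", "mixpanel.com": "Mixpanel"}
# Field names that typically carry device or user identifiers (heuristic list).
SENSITIVE_KEYS = re.compile(
    r"(advertising_?id|idfa|gaid|device_?id|android_?id|email|name|screen|"
    r"resolution|model|locale|language|carrier|gyro|accel|magnet)", re.I)

def tracker_for(host: str):
    """Return the tracker name for a host, or None if it is not on the list."""
    host = host.lower().rstrip(".")
    for suffix, name in TRACKER_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def _flatten(obj, prefix=""):
    """Yield (dotted_key, value) pairs from nested JSON."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _flatten(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), obj

def sensitive_fields(body: str):
    """Sorted keys of a JSON or form-encoded body that look like identifiers."""
    try:
        pairs = list(_flatten(json.loads(body)))
    except ValueError:  # not JSON: fall back to key=value form encoding
        pairs = [(k, v[0]) for k, v in parse_qs(body).items()]
    return sorted({k for k, _ in pairs if SENSITIVE_KEYS.search(k)})

def audit(host: str, body: str):
    """Classify one outbound request; None when the host is not a tracker."""
    name = tracker_for(host)
    return None if name is None else {"tracker": name, "fields": sensitive_fields(body)}

def request(flow):  # mitmproxy hook; flow is mitmproxy.http.HTTPFlow
    result = audit(flow.request.pretty_host, flow.request.get_text() or "")
    if result:
        print(f"[tracker] {result['tracker']:<10} <- {result['fields']}")
```

The addon only reports traffic that mitmproxy can already decrypt; an app that pins its own certificates, as Ring does, still has to be made to trust the proxy first.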


An Amazon Ring spokesperson responded to the study as expected: everything is fine! Transferring data to third parties is used to collect statistics with the aim of further improving the application and measuring the effectiveness of marketing campaigns. The services that receive the data are contractually obligated to use the information only in the ways the application developer allows, and in no other way. And what does the developer allow them to do? The Electronic Frontier Foundation complains that Amazon Ring not only collects information about the user, but also does not really notify them about it. The business of many modern giants of the IT industry is built on the collection and processing of consumer data, and today the practice of transmitting user information is generally accepted. Amazon Ring is no different from other apps, whether we install them ourselves or the phone manufacturer preinstalled them before the device was shipped to retail. Only a revision of ethical standards (not of user agreements) and of generally accepted practices for protecting user information can change this situation, at least in the scenarios most sensitive for the user: a bank account, passwords or a home video surveillance system.

What else happened:
A new study on leaking data from the cache of Intel processors (released before the fourth quarter of 2019) via side channels. The authors of the paper managed to bypass the mitigations Intel applied against previously discovered vulnerabilities. The CacheOut attack not only defeats forced cache flushing, but also allows the attacker to choose, with some accuracy, which information is extracted. In theory the vulnerability could be used for a virtual machine escape, although according to Intel practical exploitation is unlikely. The vulnerability will be closed by a microcode update for supported processors.

Adobe closes several vulnerabilities in the Magento e-commerce platform. Among them is a critical issue that allows SQL injection and arbitrary code execution. Unpatched Magento-based systems are regularly attacked to steal data from the site or to intercept users' payment details in real time.

A trivial vulnerability has been closed in the Zoom web-conferencing service. By default, access to a conference call was not password protected, and to connect you only needed to know a 9- to 11-digit identifier. Researchers at Check Point Software generated a thousand random identifiers and then substituted them into service requests. The vulnerability lies in the fact that the Zoom server reports, immediately after the connection request, whether the identifier is valid or not (4% of the random IDs turned out to be valid). If the identifier is valid, you can get information about the meeting (names of the organizer and participants, date and time) and join it. The problem was solved by limiting the number of requests, enabling passwords by default, and reducing the information the server returns in response to a client request (legitimate users do not really need it anyway).
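To make the three fixes concrete, here is an added, constructed model of the join handler described above (not Zoom's code): the pre-fix lookup acts as a validity oracle and returns meeting details without a password, while the hardened version requires a password, answers identically for unknown IDs and wrong passwords, and rate-limits each client. The meeting table, IDs and passwords are made up for the example.

```python
"""Constructed model of the meeting-ID oracle described above and its fix.
The meeting table, IDs and passwords are made up for this example."""
import hmac
import time
from collections import defaultdict

# Constructed meeting table: id -> details (not real data).
MEETINGS = {"123456789": {"host": "A. Host", "participants": ["B", "C"],
                          "password": "s3cret"}}

def lookup_vulnerable(meeting_id: str) -> dict:
    """Pre-fix behaviour: the reply alone tells the caller whether an ID
    exists, and meeting details come back before any password is checked."""
    m = MEETINGS.get(meeting_id)
    if m is None:
        return {"status": "invalid_id"}
    return {"status": "ok", "host": m["host"], "participants": m["participants"]}

class HardenedLookup:
    """Post-fix behaviour: a password is required, no details are returned
    before it is verified, unknown ID and wrong password get the same reply,
    and each client is rate-limited to max_attempts per window_s seconds."""
    def __init__(self, max_attempts=5, window_s=60, now=time.monotonic):
        self.max_attempts, self.window_s, self.now = max_attempts, window_s, now
        self.attempts = defaultdict(list)  # client -> attempt timestamps

    def _allowed(self, client: str) -> bool:
        cutoff = self.now() - self.window_s
        hits = [t for t in self.attempts[client] if t > cutoff]
        self.attempts[client] = hits
        if len(hits) >= self.max_attempts:
            return False
        hits.append(self.now())
        return True

    def join(self, client: str, meeting_id: str, password: str) -> dict:
        if not self._allowed(client):
            return {"status": "rate_limited"}
        m = MEETINGS.get(meeting_id)
        # Identical answer for unknown ID and wrong password: probing IDs
        # without the password no longer confirms which ones exist.
        if m is None or not hmac.compare_digest(m["password"], password):
            return {"status": "denied"}
        return {"status": "ok", "host": m["host"], "participants": m["participants"]}
```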

Google and Mozilla are cleaning up the add-on stores for the Chrome and Firefox browsers. All paid add-ons have been removed from the Chrome store, temporarily or permanently, at least until the problem of fraudulent extensions extorting money from users is resolved. Extensions that load executable code from external sources have been removed from the Firefox add-ons catalog. Among those removed were B2B components for conference calls, one banking service, and an extension for a multiplayer browser game.

Source: https://habr.com/ru/post/undefined/
