The technique we invented to uncover the active exploitation of side and covert channels continues to work. One such side channel comes from an obscure, purportedly-Panamanian company. A look at their code makes for an interesting case study in obfuscation (and provides a few examples of an app feeling far Read more…
Recently, Canada’s Citizen Lab released a detailed investigation of the mobile app provided by the Government of the People’s Republic of China that appears mandatory for all attendees of the upcoming Winter Olympic games. We took a look to see if there was anything else we could find (version 2.0.4, released January 2022), and noticed evidence of a side channel being exploited. In particular, we found that the MAC address of the mobile device is being sent to the domain “bigdata.beijing2022.cn”.
Huq Industries is a UK company that provides location-based services and mobility data, some of which is collected via an SDK that is integrated with various apps. From Huq’s marketing materials: “The most accurate grade of mobility data is derived from the mobile OS via (A-)GPS using a first-party specialised Read more…
Earlier, we wrote about some attacks that can be done in GAEN-based contact-tracing systems, which is the Google-Apple Exposure Notification system that is used by many countries and regions worldwide to do digitally-assisted contact tracing. Recently, we found that Google’s implementation of GAEN logs crucial pieces of information to the Read more…
Co-written with Paul-Olivier Dehaye and Bobby Richter There are billions of smartphones around the world and many are close to their owners at all times. For this reason, they have been recruited to help with contact tracing for the COVID-19 pandemic as they are able to record every proximate encounter Read more…
ACCC’s press release can be found on the ACCC website and a direct link to the published report can be found here. In October, as part of its Digital Platform Services Inquiry and ongoing efforts to protect consumers and promote competition, the Australian Competition and Consumer Commission (ACCC) published our Read more…
Over the past 9 months, our team, with our IDAC and ICSI partners, have been tracking an SDK published by analytics and marketing company, Aurora Mobile Limited, or JiGuang, and its use in Android apps. Aurora Mobile offers developers a variety of libraries that support common mobile app features, like Read more…
On April 3rd 2019, the World Health Organization (WHO) published a press release announcing the results of a coordinated effort led by the WHO Digital Health Technical Advisory Group to develop technical solutions that could trace the development of the COVID-19 infection, perform population screening, and more efficiently allocate limited Read more…
We discussed the rampant collection of IMEI earlier, and actually we found something even stranger about apps so casually sending the IMEI: we noticed that a few apps were sending the IMEI to 3rd parties but they didn’t have the permission they needed to access it! This is definitely not Read more…
The 2019 USENIX Security Symposium includes our study on the use of side and covert channels by apps in order to circumvent the permission system. In addition to our paper, we are writing a series of blog posts to explain our main findings. In this post, the first in the Read more…