Security Week 06: advertising trackers in mobile applications

The Amazon Ring smart doorbell mobile application sends detailed user information to three companies that collect data for subsequent advertising targeting, as well as to the Facebook social network. These are the results of a study conducted by the Electronic Frontier Foundation (news, original article). The results of the EFF analysis can hardly be called a shocking discovery: the majority of mobile applications supply data to ad networks in one way or another. What is of interest is the method used to decrypt the traffic, as well as the type of application under study. Unlike most other scenarios, here we are talking about a personal surveillance camera, and such interaction should, in theory, take place with the maximum level of privacy.

But no. For example, the Facebook social network receives notifications from the Amazon Ring application about the application being opened, about user actions, and data that identifies the owner: the smartphone model, language settings, screen resolution and device identifier. Facebook will process all this data even if you do not have a social network account. This in itself is an interesting problem: if you have a Facebook account, you have at least minimal control over the data directly associated with it. If there is no account, there is no control, but the social network still knows something about you. Although not all of the data sets sent to advertisers contain unique user identifiers (such as first and last names), this is often not required. The combination of data from different applications identifies us better than a passport and tells advertisers about traits and habits that we ourselves may not suspect.

Data analysis was performed using a standard tool, the open-source mitmproxy package. The smartphone routes all of its traffic through mitmproxy, and to decrypt HTTPS traffic, the proxy's root certificate is installed on the device. Another necessary step in such cases is to block network access for all applications except the one under investigation; traffic was restricted using the AFWall+ application, which requires superuser rights on the smartphone. However, even this setup was not enough: the Amazon Ring application uses its own pinned certificates to communicate with ad networks, ignoring those installed on the system. The report notes that in the usual situation this approach protects user traffic even on a partially compromised smartphone, but it significantly complicates "legitimate" traffic studies. Using the Frida framework, the researchers modified the running application so that it accepted the certificate from mitmproxy.

In addition to Facebook, the Amazon Ring app sends data to the Branch.io, AppsFlyer and Mixpanel ad aggregators. AppsFlyer, in particular, receives information about the mobile carrier in use, several user identifiers, and whether this company's advertising tracker was already preinstalled on the device. Most interestingly, AppsFlyer also receives readings from the smartphone's physical sensors: magnetometer, accelerometer and gyroscope. The Mixpanel network receives, according to EFF, the largest amount of private information: full name, email, address, device profile, application settings including the parameters of the installed cameras, and more.
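Once traffic is decrypted, the practical question is which third parties receive which identifying fields. The following is an added example, not code from the EFF report or from Ring: it audits a list of captured (host, body) pairs, such as flows dumped from mitmproxy, against the tracker companies named above. The tracker hostnames, the field names and the sample capture are all constructed for this example, not taken from any real SDK or from Ring's traffic.

```python
import json
from collections import defaultdict
# Hostname suffixes assumed for the third parties named in the EFF report.
TRACKERS = {"facebook.com": "Facebook", "branch.io": "Branch.io",
            "appsflyer.com": "AppsFlyer", "mixpanel.com": "Mixpanel"}
# Body keys that identify a device or a person; these names are constructed
# for this example, not taken from any real tracker SDK.
IDENTIFYING_KEYS = {"device_id", "advertising_id", "email", "full_name", "address",
                    "device_model", "screen_resolution", "locale", "carrier",
                    "accelerometer", "gyroscope", "magnetometer"}
def tracker_for(host):
    # Match the host itself or any subdomain of a known tracker domain.
    host = host.lower().rstrip(".")
    for suffix, name in TRACKERS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None
def identifying_fields(body):
    # Walk nested dicts/lists and collect every identifying key present.
    found, stack = set(), [body]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            found |= IDENTIFYING_KEYS.intersection(node)
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return found
def audit(flows):
    # flows: (host, raw_body) pairs, e.g. dumped from mitmproxy. First-party
    # hosts and bodies that are not JSON are skipped rather than failing.
    report = defaultdict(set)
    for host, raw in flows:
        name = tracker_for(host)
        if name is None:
            continue
        try:
            report[name] |= identifying_fields(json.loads(raw))
        except ValueError:
            continue
    return {name: sorted(keys) for name, keys in report.items()}

# Constructed sample capture; not real Ring traffic.
SAMPLE_FLOWS = [
    ("api.ring.example", '{"event": "app_open"}'),
    ("graph.facebook.com", '{"device_model": "X1", "locale": "en", "screen_resolution": "1080x1920"}'),
    ("api.appsflyer.com", '{"carrier": "c1", "sensors": {"accelerometer": [0, 0, 9.8]}}'),
    ("api.mixpanel.com", '{"properties": {"email": "a@b.example", "full_name": "A B"}}'),
    ("api.mixpanel.com", 'not json'),
]
```

Running `audit(SAMPLE_FLOWS)` yields one entry per tracker that received identifying data; the first-party host and the non-JSON body are ignored.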

An Amazon Ring spokesperson commented on the study in the expected way: everything is fine. Data transfer to third parties is used to collect statistics with the aim of further improving the application and measuring the effectiveness of marketing campaigns. The services to which data is transferred are contractually obligated to use the information only in the ways the application developer allows, and not otherwise. And what does the developer allow them to do? The Electronic Frontier Foundation complains that Amazon Ring not only collects information about the user, but also does not really notify the user about it. The business of many modern giants of the IT industry is built on the collection and processing of consumer data, and today the practice of transmitting user information is generally accepted. Amazon Ring here is no different from other applications that we install ourselves or that the phone manufacturer loaded before sending the device to retail. Only a revision of ethical standards (rather than of user agreements) and of generally accepted practices for protecting user information can change this situation, at least for the scenarios most sensitive to the user: a bank account, passwords or a home video surveillance system.

What else happened:

A new study describes leaks of data from the cache of Intel processors (released before the fourth quarter of 2019) through side channels. The authors of the paper managed to circumvent the patches Intel used to address previously discovered vulnerabilities. The CacheOut attack not only bypasses the forced flush of the cache, but also allows the attacker to select, with a certain degree of accuracy, what information is extracted. The vulnerability could theoretically be used to implement a "virtual machine escape" scenario, although according to Intel, practical exploitation is unlikely. The vulnerability will be closed by a microcode update in supported processors.

Adobe closed several vulnerabilities in the Magento e-commerce platform. Among them is a critical problem that allows SQL injection and arbitrary code execution. Unpatched Magento-based systems are regularly attacked in order to steal data from the site or intercept users' payment details in real time.

A trivial vulnerability was closed in the Zoom web conferencing service. By default, access to a conference call was not password protected, and to connect you only needed to know a 9–11 digit identifier. Researchers at Check Point Software generated a thousand random identifiers and began substituting them into service requests. The vulnerability lies in the fact that the Zoom server, immediately after the connection request, reported whether the identifier was correct or not (4% of the random IDs turned out to be valid). If the identifier was correct, you could obtain information about the meeting (names of the organizers and participants, date and time) and connect to it. The problem was solved by limiting the number of requests, enabling passwords by default, and limiting the information the server returns in response to a client's request (legitimate participants do not really need it anyway).
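The three fixes described above can be shown together in a server-side join handler. This is an added example, not Zoom's code: a constructed meeting table and a hypothetical `join` function that refuses over-limit clients, validates the 9–11 digit identifier format, and returns the same refusal for an unknown identifier and for a wrong password, so that probing requests learn nothing about which identifiers exist.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed meeting table: id -> (password, details). Not a real service.
MEETINGS = {
    "12345678901": ("s3cret", {"host": "A. Host", "when": "2020-02-07T10:00Z"}),
}
RATE_LIMIT, WINDOW_SECONDS = 5, 60
_attempts = defaultdict(deque)  # client_id -> timestamps of recent join requests
REFUSED = {"ok": False}  # the only response a failed request ever gets

def _rate_limited(client_id, now):
    # Sliding window: keep only attempts younger than WINDOW_SECONDS.
    q = _attempts[client_id]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False

def join(client_id, meeting_id, password, now=None):
    # Return meeting details only when both the id and the password match.
    now = time.time() if now is None else now
    if _rate_limited(client_id, now):
        return dict(REFUSED)
    if not (meeting_id.isdigit() and 9 <= len(meeting_id) <= 11):
        return dict(REFUSED)
    entry = MEETINGS.get(meeting_id)
    # Compare against a dummy secret when the id is unknown so that the
    # response does not reveal whether the identifier exists.
    expected = entry[0] if entry else "\0" * 16
    password_ok = hmac.compare_digest(expected.encode(), password.encode())
    if entry is None or not password_ok:
        return dict(REFUSED)
    return {"ok": True, "meeting": entry[1]}
```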

Google and Mozilla are cleaning up the add-on stores for the Chrome and Firefox browsers. All paid add-ons have been removed from Chrome, either temporarily or permanently, at least until the problem of fraudulent extensions extorting money from users has been resolved. Extensions that load executable code from external sources have been removed from the Firefox add-ons catalog. Those removed included B2B components for conference calls, one banking service and an extension for a multiplayer browser game.
