lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <B79D2305-9EDC-4F90-865D-AA5F4C118331@owasp.org>
Date: Sun, 30 Apr 2017 09:26:42 -0400
From: Daniel Wood <daniel.wood@...sp.org>
To: seclists@...il.tg
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] 360 security android app snoops data to China Unicom
	network via insecure HTTP

Can't you just run the app in an Android emulator and shark it?

Sent from my iPhone

> On Apr 30, 2017, at 06:02, seclists@...il.tg wrote:
> 
> I have a further update on the issue. After uninstalling the 360 security android app, I found after repeated checks of Network Info on my phone via the Ping & DNS app that even then the HTTP connection to IP address 123.125.114.8 still frequently showed up. So, I monitored the network connections on my phone via the Network Connections app (https://play.google.com/store/apps/details?id=com.antispycell.connmonitor) and found that this time the HTTP connection to IP address 123.125.114.8 was being established by the ES File Explorer app (https://play.google.com/store/apps/details?id=com.estrongs.android.pop (https://play.google.com/store/apps/details?id=com.estrongs.android.pop)). So, it is possible that the insecure HTTP connection to the above IP address that I observed when both the 360 security and ES File Explorer app were installed on my phone was in fact because of the ES File Explorer app or the other possibility is that both the apps have the same problem. I haven't had a c
 ha
> nce to re-install the 360 security app without the ES File Explorer to check that and I don't intend to re-install the 360 security app on my phone, since it anyways used to raise the temperature on my phone suspiciously. So, I will report this as an issue for the ES File Explorer app in a separate email.
> 
> Thanks.
> Hi,
> 
> I found the following review posted about the 360 security android app:
> 
> https://play.google.com/store/apps/details?id=com.qihoo.security&reviewId=Z3A6QU9xcFRPSG1HSTRaSVdNelVWY3FhZk5zcFlFMnZKeXRKRHhhQUE4VU9pLWV4UFBxeHJ3Xy1ZZWU2bEpOLTg0eGxzczFCV0lkaWxxTHRzZTQ4RWxzU2c (https://play.google.com/store/apps/details?id=com.qihoo.security&reviewId=Z3A6QU9xcFRPSG1HSTRaSVdNelVWY3FhZk5zcFlFMnZKeXRKRHhhQUE4VU9pLWV4UFBxeHJ3Xy1ZZWU2bEpOLTg0eGxzczFCV0lkaWxxTHRzZTQ4RWxzU2c)
> "Snoops data to China Unicom via insecure HTTP link! Found while checking Network info on my device with this app installed that it had established an insecure HTTP connection to an IP address(123.125.114.8) on Chinese state owned China Unicom network (China Unicom owns a stake in app developer via Qihoo 360). Also, when installed, found my phone temperature rising frequently indicating covert data transfer from my phone. I've now uninstalled this Chinese spying app & advice the same to anyone using the app. Resp to comment: updated above info with IP addr.  
> 360 Mobile Security Limited April 26, 2017  Hi, sorry for the inconvenience. It will be helpful for us to solve the problem, if you can give us more information and details . Attaching some screenshots would be helpful. Please contact us by email: jenny@...imagic.com (mailto:jenny@...imagic.com). Many thanks."
> 
> I observed the same behavior when I had this app installed on my smartphone. I checked the Network Info on my phone when this app was installed, using the Ping & DNS app(https://play.google.com/store/apps/details?id=com.ulfdittmer.android.ping (https://play.google.com/store/apps/details?id=com.ulfdittmer.android.ping)) and found the insecure HTTP connection to the above IP address. After I uninstalled the app, the HTTP connection to the above IP address was gone, as well. On checking the WHOIS info(https://www.whois.com/whois/123.125.114.8 (https://www.whois.com/whois/123.125.114.8)) for this IP address it can be seen that it is indeed on the Chinese state-owned China Unicom network. I had App usage tracking permission on Android enabled for this app, to facilitate phone temperature reduction, when I observed the above.
> 
> Can other security researchers please check and comment on this security hole?
> 
> Thanks.
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ