Message-ID: <CACGny3hv435+gTAvnNv+x7ULi1nXrycHUzUy-hfBOnENZ_kXBA@mail.gmail.com>
Date: Sun, 07 May 2017 10:41:42 +0000
From: Craig Young <vuln-report@...ur3.us>
To: "seclists@...il.tg" <seclists@...il.tg>, Daniel Wood <daniel.wood@...sp.org>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] 360 security android app snoops data to China Unicom network via insecure HTTP

I would advise running a packet capture to see what data is sent.
https://play.google.com/store/apps/details?id=app.greyshirts.sslcapture will let you do this from your device without root.

-Craig

On Thu, May 4, 2017, 5:10 PM seclists@...il.tg <seclists@...il.tg> wrote:
> I reinstalled the 360 security app on my phone to check the network connections it used & found via the Network Connections app that it did indeed use an insecure HTTP connection to exchange data with IP address 52.85.77.42, which is assigned to the Amazon network (https://www.whois.com/whois/52.85.77.42). Attached is a screenshot from the Network Connections app showing this connection. From the 360 security app privacy policy page (http://www.360securityapps.com/m/en-us/about/privacy) it can be seen that it uploads sensitive information about installed programs to a cloud security center. So, I am guessing that the above IP address corresponds to an Amazon cloud storage server. So, there is still a security hole in this app, where it may be transmitting sensitive system information via an unencrypted HTTP connection.
>
> Thanks.
>
> ----- Reply message -----
> From: "Daniel Wood" <daniel.wood@...sp.org>
> To: <seclists@...il.tg>
> Cc: <fulldisclosure@...lists.org>
> Subject: [FD] 360 security android app snoops data to China Unicom network via insecure HTTP
> Date: Sun, Apr 30, 2017 6:26 AM
>
> Can't you just run the app in an Android emulator and shark it?
>
> Sent from my iPhone
>
> > On Apr 30, 2017, at 06:02, seclists@...il.tg wrote:
> >
> > I have a further update on the issue. After uninstalling the 360 security android app, I found after repeated checks of Network Info on my phone via the Ping & DNS app that even then the HTTP connection to IP address 123.125.114.8 still frequently showed up. So, I monitored the network connections on my phone via the Network Connections app (https://play.google.com/store/apps/details?id=com.antispycell.connmonitor) and found that this time the HTTP connection to IP address 123.125.114.8 was being established by the ES File Explorer app (https://play.google.com/store/apps/details?id=com.estrongs.android.pop). So, it is possible that the insecure HTTP connection to the above IP address that I observed when both the 360 security and ES File Explorer apps were installed on my phone was in fact because of the ES File Explorer app, or the other possibility is that both the apps have the same problem. I haven't had a chance to re-install the 360 security app without the ES File Explorer to check that, and I don't intend to re-install the 360 security app on my phone, since it anyways used to raise the temperature on my phone suspiciously. So, I will report this as an issue for the ES File Explorer app in a separate email.
> >
> > Thanks.
> >
> > Hi,
> >
> > I found the following review posted about the 360 security android app:
> >
> > https://play.google.com/store/apps/details?id=com.qihoo.security&reviewId=Z3A6QU9xcFRPSG1HSTRaSVdNelVWY3FhZk5zcFlFMnZKeXRKRHhhQUE4VU9pLWV4UFBxeHJ3Xy1ZZWU2bEpOLTg0eGxzczFCV0lkaWxxTHRzZTQ4RWxzU2c
> >
> > "Snoops data to China Unicom via insecure HTTP link! Found while checking Network info on my device with this app installed that it had established an insecure HTTP connection to an IP address (123.125.114.8) on the Chinese state-owned China Unicom network (China Unicom owns a stake in the app developer via Qihoo 360). Also, when installed, found my phone temperature rising frequently, indicating covert data transfer from my phone. I've now uninstalled this Chinese spying app & advise the same to anyone using the app. Resp to comment: updated above info with IP addr.
> >
> > 360 Mobile Security Limited April 26, 2017 Hi, sorry for the inconvenience. It will be helpful for us to solve the problem if you can give us more information and details. Attaching some screenshots would be helpful. Please contact us by email: jenny@...imagic.com (mailto:jenny@...imagic.com). Many thanks."
> >
> > I observed the same behavior when I had this app installed on my smartphone. I checked the Network Info on my phone when this app was installed, using the Ping & DNS app (https://play.google.com/store/apps/details?id=com.ulfdittmer.android.ping), and found the insecure HTTP connection to the above IP address. After I uninstalled the app, the HTTP connection to the above IP address was gone as well. On checking the WHOIS info (https://www.whois.com/whois/123.125.114.8) for this IP address it can be seen that it is indeed on the Chinese state-owned China Unicom network. I had App usage tracking permission on Android enabled for this app, to facilitate phone temperature reduction, when I observed the above.
> >
> > Can other security researchers please check and comment on this security hole?
> >
> > Thanks.
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
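Craig's suggestion is to capture the app's traffic and look at what actually crosses the wire rather than inferring from connection lists. The following is an added example, not code from anyone in this thread: a dependency-free pcap reader that walks Ethernet/IPv4/TCP frames, picks out unencrypted HTTP request lines, and summarises destination IP, Host header and path so a capture like the one described can be triaged for plaintext uploads. The sample capture is constructed in memory; its hosts, paths, ports and addresses (documentation-range 192.0.2.x) are made up and are not the addresses reported in the thread.

```python
"""Scan a pcap for plaintext HTTP requests and report where they go.

Added example for triaging an app's capture; the sample capture below is
constructed in memory and every host, path and address in it is made up.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond-timestamp pcap
LINKTYPE_ETHERNET = 1
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ")


def _ipv4_packet(src, dst, payload, proto=6):
    """IPv4 header without options; checksum left 0, which offline parsing ignores."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def _tcp_segment(sport, dport, payload):
    """TCP header without options: data offset 5 (20 bytes), flags PSH|ACK."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return header + payload


def _ethernet(ip_packet):
    return b"\x00" * 12 + b"\x08\x00" + ip_packet   # zeroed MACs, EtherType IPv4


def build_sample_pcap():
    """Constructed capture: one plaintext HTTP POST, one TLS segment, one UDP datagram."""
    http = (b"POST /upload/applist HTTP/1.1\r\nHost: report.example.invalid\r\n"
            b"Content-Type: application/json\r\n\r\n{\"packages\": [\"com.example.bank\"]}")
    tls = b"\x16\x03\x01\x00\x05hello"              # TLS record header, must be ignored
    frames = [
        _ethernet(_ipv4_packet("10.0.0.2", "192.0.2.10", _tcp_segment(40001, 80, http))),
        _ethernet(_ipv4_packet("10.0.0.2", "192.0.2.20", _tcp_segment(40002, 443, tls))),
        _ethernet(_ipv4_packet("10.0.0.2", "192.0.2.53", b"\x00" * 8 + b"not-tcp", proto=17)),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f   # ts_sec, ts_usec, incl, orig
    return out


def iter_frames(pcap):
    """Yield raw link-layer frames from a little-endian pcap; reject other layouts."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian pcap with Ethernet link type is handled")
    offset = 24
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[offset:offset + 16])
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len


def find_plaintext_http(pcap):
    """Return [(dst_ip, dst_port, host, request_line)] for every unencrypted HTTP request."""
    findings = []
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue                                   # not untagged IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                                   # not TCP (UDP, ICMP, ...)
        dst_ip = socket.inet_ntoa(frame[30:34])
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        dport = struct.unpack("!H", tcp[2:4])[0]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if not payload.startswith(HTTP_METHODS):
            continue                                   # TLS and binary protocols never match
        lines = payload.split(b"\r\n")
        host = ""
        for line in lines[1:]:
            if not line:
                break                                  # blank line ends the headers
            if line.lower().startswith(b"host:"):
                host = line[5:].strip().decode("ascii", "replace")
        findings.append((dst_ip, dport, host, lines[0].decode("ascii", "replace")))
    return findings


if __name__ == "__main__":
    for dst_ip, dport, host, request in find_plaintext_http(build_sample_pcap()):
        print(f"plaintext HTTP to {dst_ip}:{dport} host={host!r}: {request}")
```

The matcher keys on the request line rather than on port 80, so an app talking plaintext HTTP on an unusual port still shows up, while TLS on port 443 is skipped because a TLS record never starts with an HTTP method. To use it on a real capture, read the file into `find_plaintext_http` and then correlate the destination addresses with WHOIS as the thread does; the returned tuples are what you would attach to a report instead of a connection-list screenshot.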