Date: Sun, 07 May 2017 10:41:42 +0000
From: Craig Young <vuln-report@...ur3.us>
To: "seclists@...il.tg" <seclists@...il.tg>,
 Daniel Wood <daniel.wood@...sp.org>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] 360 security android app snoops data to China Unicom
 network via insecure HTTP

I would advise running a packet capture to see what data is sent.
https://play.google.com/store/apps/details?id=app.greyshirts.sslcapture
will let you do this from your device without root.

-Craig

On Thu, May 4, 2017, 5:10 PM seclists@...il.tg <seclists@...il.tg> wrote:

> I reinstalled the 360 security app on my phone to check the network
> connections it used & found via the Network Connections app that it did
> indeed use an insecure HTTP connection to exchange data with IP address
> 52.85.77.42 which is assigned to Amazon network(
> https://www.whois.com/whois/52.85.77.42). Attached is a screenshot from
> the network connections app showing this connection. From the 360 security
> app privacy policy page(
> http://www.360securityapps.com/m/en-us/about/privacy) it can be seen that
> it uploads sensitive information about installed programs to a cloud
> security center. So, I am guessing that the above IP address corresponds to
> an Amazon cloud storage server. So, there is still a security hole in this
> App, where it may be transmitting sensitive system information via an
> unencrypted HTTP connection.
>
> Thanks.
>
> ----- Reply message -----
> From: "Daniel Wood" <daniel.wood@...sp.org>
> To: <seclists@...il.tg>
> Cc: <fulldisclosure@...lists.org>
> Subject: [FD] 360 security android app snoops data to China Unicom network
> via insecure HTTP
> Date: Sun, Apr 30, 2017 6:26 AM
>
> Can't you just run the app in an Android emulator and shark it?
>
> Sent from my iPhone
>
> > On Apr 30, 2017, at 06:02, seclists@...il.tg wrote:
> >
> > I have a further update on the issue. After uninstalling the 360
> security android app, I found after repeated checks of Network Info on my
> phone via the Ping & DNS app that even then the HTTP connection to IP
> address 123.125.114.8 still frequently showed up. So, I monitored the
> network connections on my phone via the Network Connections app (
> https://play.google.com/store/apps/details?id=com.antispycell.connmonitor)
> and found that this time the HTTP connection to IP address 123.125.114.8
> was being established by the ES File Explorer app (
> https://play.google.com/store/apps/details?id=com.estrongs.android.pop).
> So, it is possible that the insecure HTTP connection to the above IP
> address that I observed when both the 360 security and ES File Explorer app
> were installed on my phone was in fact because of the ES File Explorer app
> or the other possibility is that both the apps have the same problem. I
> haven't had a chance to re-install the 360 security app without the ES File Explorer to
> check that and I don't intend to re-install the 360 security app on my
> phone, since it anyways used to raise the temperature on my phone
> suspiciously. So, I will report this as an issue for the ES File Explorer
> app in a separate email.
> >
> > Thanks.
> > Hi,
> >
> > I found the following review posted about the 360 security android app:
> >
> >
> https://play.google.com/store/apps/details?id=com.qihoo.security&reviewId=Z3A6QU9xcFRPSG1HSTRaSVdNelVWY3FhZk5zcFlFMnZKeXRKRHhhQUE4VU9pLWV4UFBxeHJ3Xy1ZZWU2bEpOLTg0eGxzczFCV0lkaWxxTHRzZTQ4RWxzU2c
> > "Snoops data to China Unicom via insecure HTTP link! Found while
> checking Network info on my device with this app installed that it had
> established an insecure HTTP connection to an IP address(123.125.114.8) on
> Chinese state owned China Unicom network (China Unicom owns a stake in app
> developer via Qihoo 360). Also, when installed, found my phone temperature
> rising frequently indicating covert data transfer from my phone. I've now
> uninstalled this Chinese spying app & advise the same to anyone using the
> app. Resp to comment: updated above info with IP addr.
> > 360 Mobile Security Limited April 26, 2017  Hi, sorry for the
> inconvenience. It will be helpful for us to solve the problem, if you can
> give us more information and details. Attaching some screenshots would be
> helpful. Please contact us by email: jenny@...imagic.com (mailto:
> jenny@...imagic.com). Many thanks."
> >
> > I observed the same behavior when I had this app installed on my
> smartphone. I checked the Network Info on my phone when this app was
> installed, using the Ping & DNS app(
> https://play.google.com/store/apps/details?id=com.ulfdittmer.android.ping)
> and found the insecure HTTP connection to the above IP address. After I
> uninstalled the app, the HTTP connection to the above IP address was gone,
> as well. On checking the WHOIS info(
> https://www.whois.com/whois/123.125.114.8) for this IP address it can be
> seen that it is indeed on the Chinese state-owned China Unicom network. I
> had App usage tracking permission on Android enabled for this app, to
> facilitate phone temperature reduction, when I observed the above.
> >
> > Can other security researchers please check and comment on this security
> hole?
> >
> > Thanks.
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/


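Craig's suggestion is to capture the traffic and look at what is actually sent, rather than inferring from a connection list. The following is an added example, not code from this thread or from any of the apps it names: a small Python audit that takes the first client payload of each captured TCP flow (assumed to have been extracted from a pcap already, for instance with tshark's follow-stream output), separates cleartext HTTP/1.x requests from opaque TLS, and lists which sensitive-looking parameters (installed package lists, device identifiers) left the device unencrypted and to which destination. The flow records, hostnames, IP addresses (documentation ranges) and field names below are constructed.

```python
"""Audit captured app traffic for cleartext HTTP requests and the fields they carry.

Added example, not from the thread. Assumes flows were already extracted from a
pcap into (dst_ip, dst_port, first client payload) records; the sample records
at the bottom are constructed, not real captures.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    payload: bytes  # first bytes the client sent on this TCP flow


# Parameter names an app should never send in the clear (assumed list; extend as needed).
SENSITIVE_KEYS = {"imei", "android_id", "pkgs", "packages", "installed", "mac", "phone"}

REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD) (\S+) HTTP/1\.[01]\r\n")


def parse_http_request(payload: bytes):
    """Return method/path/headers/body for a cleartext HTTP/1.x request, else None."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return None  # TLS ClientHello, a binary protocol, or not a request at all
    head, _, body = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("ascii", "replace")
        headers[key] = value.strip().decode("utf-8", "replace")
    return {
        "method": m.group(1).decode("ascii"),
        "path": m.group(2).decode("ascii", "replace"),
        "headers": headers,
        "body": body,
    }


def sensitive_fields(req):
    """Names of sensitive parameters found in the query string or a form-encoded body."""
    names = set(parse_qs(req["path"].partition("?")[2], keep_blank_values=True))
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        names |= set(parse_qs(req["body"].decode("utf-8", "replace"), keep_blank_values=True))
    return sorted(n for n in names if n.lower() in SENSITIVE_KEYS)


def audit(flows):
    """One finding per cleartext HTTP request: where it went and what it carried."""
    findings = []
    for flow in flows:
        req = parse_http_request(flow.payload)
        if req is None:
            continue  # encrypted or non-HTTP: nothing readable to report on
        findings.append({
            "dst": f"{flow.dst_ip}:{flow.dst_port}",
            "host": req["headers"].get("host", ""),
            "request": f'{req["method"]} {req["path"].partition("?")[0]}',
            "sensitive": sensitive_fields(req),
        })
    return findings


# Constructed sample flows: documentation-range IPs, invented hostnames and fields.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 80,
         b"POST /api/report HTTP/1.1\r\nHost: telemetry.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 66\r\n\r\n"
         b"pkgs=com.example.a%2Ccom.example.b&android_id=0123456789abcdef&v=2"),
    # TLS ClientHello: opaque to the auditor, so it produces no finding
    Flow("203.0.113.20", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("198.51.100.5", 80, b"GET /ping?v=2&lang=en HTTP/1.1\r\nHost: cdn.example\r\n\r\n"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        flag = "!! sensitive data in the clear" if f["sensitive"] else "ok"
        print(f'{f["dst"]:18} {f["host"]:18} {f["request"]:18} {f["sensitive"]} {flag}')
```

Only requests whose first bytes parse as HTTP/1.x are reported; an encrypted flow to the same address yields nothing, which is the point of the exercise: a connection list alone cannot tell you whether the payload was readable, but the captured payload can. JSON bodies and custom encodings would need their own extractor in `sensitive_fields`.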