Sensitive data manipulation and tracing on Android – Privacy – SpotifApp

Users’ privacy is a hot topic nowadays, with billions of applications available with an easy tap, the same tap we use to quickly tick those “I agree” checkboxes (which sometimes are missing entirely, which is even worse) without actually reading a line of what we are about to agree to. But it’s fine.

We all know that almost 99% of the applications installed on our phones use one analytics SDK or another (the most used come from Google and Fabric). What is less known, or probably known but not something we really care about, is that our personal data, such as location, MAC address, network provider and much more, is constantly sent over the internet. Well, we don’t care that much as long as it is a big company (like Google) that knows where we live and where we go during the day.

Why?

Explaining in a few words why different companies want to know where I live is hard. We know that Google stores our data for different purposes: showing good advertisements at the right time, suggesting where to go this evening or what to eat tomorrow for breakfast. Everything is pretty cool.

As Android evolved, restrictions, permission management and a lot of other security measures were introduced to prevent applications from abusing and collecting data without users being aware. You might ask: really? What was the situation before those measures? Totally crazy, if you consider that with just a couple of lines of code you could retrieve anyone’s coordinates and send them anywhere.

Nowadays an Android application must receive an “ok” from the user to access the location services (for example), but nobody actually knows how that information is used by the different applications. This is where what I named SpotifApp comes in (the domain was free and sounded pretty cool to me).

SpotifApp is a toolchain that I’ve personally developed, based on my reverse engineering work on the latest Boom Beach from Supercell. The project is written in Python and uses the Frida framework to generate a complete report about the application (the report will be extended during development).

The idea came after the AccuWeather news story: the app was sending users’ position to a third-party company without them actually knowing (so they state). The position was sent by an external SDK, which was removed after the matter came to light.

The idea I hope to extend is building a small app that people can download for free to request, through a small backend, an analysis of their apps. The toolchain is almost ready to support automated jobs; however, all the reports must still be reviewed by hand in order to detect suspicious activity.

The project is intended to “unmask”, but also to make big companies aware of third-party SDKs doing “bad things” that we don’t like.

To prove the “power” of everything you have read so far, a good friend and I took the liberty of building some reports targeting the top 5 weather applications downloaded in Italy (we used weather applications because we were sure they handle location data).

The reports listed below can be “pretty printed” using jsoneditoronline.

METEO – Previsioni by iLMeteo

From a first quick analysis there is nothing wrong (feel free to leave a comment and highlight weird things).

Report

3B Meteo – Previsioni Meteo

This is the kind of thing that makes me say: good job! The report of the 3B Meteo application highlights that the Android APIs to retrieve the user’s location and the network operator name are called by cuebiqsdk from cuebiq.com, and the data is later sent to their servers. This is exactly the reason I developed this set of tools. Not as a matter of “suing” some big companies (which probably aren’t aware of those activities, or maybe they are): just use a different application to get your weather conditions!

Here is the most relevant part of the report:

java.lang.Exception
    at android.location.LocationManager.requestLocationUpdates(Native Method)
    at android.location.LocationManager.requestSingleUpdate(LocationManager.java:716)
    at android.location.LocationManager.requestSingleUpdate(Native Method)
    at com.cuebiq.cuebiqsdk.model.manager.LocationManagerHelper.getLocation(Unknown Source)
    at com.cuebiq.cuebiqsdk.model.processor.LocationProcessor.gather(Unknown Source)
    at com.cuebiq.cuebiqsdk.model.CollectorRequest.collect(Unknown Source)
    at com.cuebiq.cuebiqsdk.receiver.CoverageReceiver$1.handleMessage(Unknown Source)
    at android.os.Handler.dispatchMessage(Handler.java:98)
    at android.os.Looper.loop(Looper.java:154)
    at android.os.HandlerThread.run(HandlerThread.java:61)

java.lang.Exception
    at android.telephony.TelephonyManager.getNetworkOperatorName(Native Method)
    at com.cuebiq.cuebiqsdk.model.wrapper.Device.build(Unknown Source)
    at com.cuebiq.cuebiqsdk.receiver.CoverageReceiver$1.handleMessage(Unknown Source)
    at android.os.Handler.dispatchMessage(Handler.java:98)
    at android.os.Looper.loop(Looper.java:154)
    at android.os.HandlerThread.run(HandlerThread.java:61)

POST /bea/c/geolocation HTTP/1.1
x-beintoo-auth: a3Bmeteo
Content-Encoding: gzip
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Host: in.cuebiq.com
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.9.0

b2
[0xb2 bytes of gzip-compressed JSON chunk, binary omitted]
0

Report
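The manual review step (every report still has to be read by a person) can be partly automated by attributing each hooked API call to the code that reached it. The following is an added example, not part of the SpotifApp toolchain: it takes Log.getStackTraceString()-style traces like the ones in the report and decides whether the sensitive Android API was called from the app's own package or from a bundled SDK. The SENSITIVE_APIS table and the APP_PACKAGE value are assumptions (the report does not name the app's package), and the third sample trace is constructed.

```python
import re
from dataclasses import dataclass

# Hooked Android APIs worth attributing (assumed list; extend with whatever the hooks cover).
SENSITIVE_APIS = {
    "android.location.LocationManager.requestLocationUpdates": "location",
    "android.location.LocationManager.getLastKnownLocation": "location",
    "android.telephony.TelephonyManager.getNetworkOperatorName": "carrier",
    "android.net.wifi.WifiInfo.getMacAddress": "mac address",
}
# Frames under these prefixes are platform plumbing, never the party responsible for the call.
PLATFORM = ("android.", "java.", "javax.", "dalvik.", "com.android.", "kotlin.")
FRAME_RE = re.compile(r"^\tat (\S+)\.([^.(\s]+)\((.*)\)$")
APP_PACKAGE = "com.example.weatherapp"  # placeholder: the report does not name the app's package

@dataclass
class Finding:
    api: str           # hooked Android API that was reached
    kind: str          # what the API exposes
    caller: str        # first non-platform class on the stack
    third_party: bool  # True when that class lives outside the app's own package

def parse_frames(trace):
    """Split a Log.getStackTraceString()-style trace into (class, method) pairs, innermost first."""
    return [(m.group(1), m.group(2)) for m in map(FRAME_RE.match, trace.splitlines()) if m]

def attribute(trace, app_package=APP_PACKAGE):
    """Return a Finding for the first sensitive API in the trace, or None if there is none."""
    frames = parse_frames(trace)
    for i, (cls, method) in enumerate(frames):
        api = f"{cls}.{method}"
        if api not in SENSITIVE_APIS:
            continue
        # Walk outwards past framework wrappers (e.g. requestSingleUpdate) to the real caller.
        for caller, _ in frames[i + 1:]:
            if not caller.startswith(PLATFORM):
                return Finding(api, SENSITIVE_APIS[api], caller, not caller.startswith(app_package + "."))
        return Finding(api, SENSITIVE_APIS[api], "<platform only>", False)
    return None

def third_party_findings(traces, app_package=APP_PACKAGE):
    """The entries a reviewer should read first: sensitive APIs reached from outside the app."""
    return [f for f in (attribute(t, app_package) for t in traces) if f and f.third_party]
# Sample input: the two 3B Meteo traces from the report above (trimmed) plus one constructed trace.
CUEBIQ_LOCATION = ("java.lang.Exception\n\tat android.location.LocationManager.requestLocationUpdates(Native Method)\n\tat android.location.LocationManager.requestSingleUpdate(LocationManager.java:716)\n\tat com.cuebiq.cuebiqsdk.model.manager.LocationManagerHelper.getLocation(Unknown Source)\n\tat com.cuebiq.cuebiqsdk.model.processor.LocationProcessor.gather(Unknown Source)\n\tat android.os.Handler.dispatchMessage(Handler.java:98)\n")
CUEBIQ_CARRIER = ("java.lang.Exception\n\tat android.telephony.TelephonyManager.getNetworkOperatorName(Native Method)\n\tat com.cuebiq.cuebiqsdk.model.wrapper.Device.build(Unknown Source)\n\tat android.os.Handler.dispatchMessage(Handler.java:98)\n")
OWN_CODE = ("java.lang.Exception\n\tat android.location.LocationManager.getLastKnownLocation(Native Method)\n\tat com.example.weatherapp.ui.MainActivity.onResume(Unknown Source)\n")

if __name__ == "__main__":
    print(third_party_findings([CUEBIQ_LOCATION, CUEBIQ_CARRIER, OWN_CODE]))
```

Run against a full report, the third-party list is what remains to be read by hand; the own-package calls are the ones the app is expected to make anyway.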
il meteo – previsioni del tempo

At the moment we haven’t noticed anything suspicious from a first analysis.

Report
Feel free to reach me on Twitter to discuss!
