Facebook Messenger (Android / Google Play) on Jan 26, 2017 (upd. on Feb 3th)

This application is available for Android. This app is designed to instantly reach the people by texting them. The latest build was released on January 24th, 2017 (updated released on February 1st, 2017).

This release transfers data items are protected by SSL Pinning that means a weakness if you have a rooted device only. However, the application has an issue with protecting media data items related to friend profile’s pictures (avatars). Since the first time the app runs, until all media data items will be download eventually, all media data items transferred in plaintext (without protection/encryption)

Findings Summary

Our examination revealed total 27 items, where were 10 DAR items and 17 DIT items found. Among DAR items were found 0 worst items, 10 bad items, 0 good items, and 0 best items. Among DIT items were found 0 worst items, 0 bad items, 15 good items, and 1 best item.

In this case, ‘1 best item’ is not really best one but two duplicated items, one of them is assigned to 6 points (Good Protection Level) and the second one is assigned to 3 points (Obesity Protected Level). During many tests, the second item was found and means the cached activity that happens once (usually when the app starts the first time) and ends when all profile pictures related to the Facebook Contacts will be downloaded. Normally, these pictures (media data) transferred securely and not available to intercept (MITM) if the device is not rooted.

Below you find 3 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.

This slideshow requires JavaScript.

Everything presented below is related to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

Continue reading “Facebook Messenger (Android / Google Play) on Jan 26, 2017 (upd. on Feb 3th)”

Facebook Messenger 102.0 (iOS / App Store) on Jan 26, 2017 (upd. on Feb 3th – ver 103.0)

This application is available for iOS. This app is designed to instantly reach the people by texting them. The latest build was released on Jan 24th, 2017 (updated released on February 1st, 2017).

This release transfers data items are protected by SSL Pinning that means a weakness if you have a jailbroken device only. However, the application has an issue with protecting media data items related to friend profile’s pictures (avatars). Since the first time the app runs, until all media data items will be download eventually, all media data items transferred in plaintext (without protection/encryption)

Findings Summary

Our examination revealed total 28 items, where were 11 DAR items and 17 DIT items found. Among DAR items were found 0 worst items, 9 bad items, 2 good items, and 0 best items. Among DIT items were found 0 worst items, 0 bad items, 16 good items, and 0 best items.

Below you find 2 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.

This slideshow requires JavaScript.

Everything presented below is related to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

Continue reading “Facebook Messenger 102.0 (iOS / App Store) on Jan 26, 2017 (upd. on Feb 3th – ver 103.0)”

Facebook (Android / Google Play) on Jan 26, 2017 (upd. on Feb 3th)

This application is available for Android. This app is designed to keep up with friends is the faster way by using the popular social network. The latest build was released on January 26th, 2017 (updated released on February 1st, 2017).

This release transfers data items are protected by SSL Pinning that means a weakness if you have a rooted device only. The data items are part of menu settings are vulnerable for intercepting (MITM attacks) with crafted certificate and installed on the device as trusted. These data items include

  • Media Data related to the ‘Account Information’ Group
  • Stream, Contact Profile, Contact GEO, Tracked Data ‘n’ Favorites related to the ‘Address Book ‘n’ Contact Information’ Group
  • Device Data related to the ‘Analytics ‘n’ Ads Information’ Group
  • Credentials (IDs), Credentials (Passwords), Credentials (Tokens) related to the ‘Credentials Information’ Group
  • Device Details, Network Details, Environment related to the ‘Device Information’ Group
  • Calendar Events, Calendar Details related to the ‘Events Information’ Group
  • GEO Data, Location History, Place Details, Address Data related to the ‘Location ‘n’ Maps Information’ Group
  • Contact Profile, Media Data related to the ‘Media Information’ Group
  • Personalization related to the ‘Personal ‘n’ Private Information’ Group
  • Stream, Messages, Preview, Access Permissions, Media Data, Bookmark Data related to the ‘Social Information’ Group

Findings Summary

Our examination revealed total 58 items, where were 23 DAR items and 35 DIT items found. Among DAR items were found 0 worst items, 23 bad items, 0 good items, and 0 best items. Among DIT items were found 0 worst items, 0 bad items, 35 good items, and 0 best items.

Below you find 2 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.

This slideshow requires JavaScript.

Everything presented below is related to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

Continue reading “Facebook (Android / Google Play) on Jan 26, 2017 (upd. on Feb 3th)”

Facebook 77.0 (iOS / App Store) on Jan 26, 2017 (upd. on Feb 3th – ver 78.0)

This application is available for iOS. This app is designed to keep up with friends is the faster way by using the popular social network. The latest build was released on Jan 26th, 2017 (updated released on February 2nd, 2017).

This release transfers data items are protected by SSL Pinning that means a weakness if you have a jailbroken device only. The data items are part of menu settings are vulnerable for intercepting (MITM attacks) with crafted certificate and installed on the device as trusted. These data items include

  • Media Data related to the ‘Account Information’ Group
  • Stream, Contact Profile, Contact GEO, Tracked Data ‘n’ Favorites related to the ‘Address Book ‘n’ Contact Information’ Group
  • Device Data related to the ‘Analytics ‘n’ Ads Information’ Group
  • Credentials (IDs), Credentials (Passwords), Credentials (Tokens) related to the ‘Credentials Information’ Group
  • Device Details, Network Details, Environment related to the ‘Device Information’ Group
  • Calendar Events, Calendar Details related to the ‘Events Information’ Group
  • GEO Data, Location History, Place Details, Address Data related to the ‘Location ‘n’ Maps Information’ Group
  • Contact Profile, Media Data related to the ‘Media Information’ Group
  • Personalization related to the ‘Personal ‘n’ Private Information’ Group
  • Stream, Messages, Preview, Access Permissions, Media Data, Bookmark Data related to the ‘Social Information’ Group

Findings Summary

Our examination revealed total 59 items, where were 24 DAR items and 35 DIT items found. Among DAR items were found 0 worst items, 22 bad items, 1 good item, and 1 best item. Among DIT items were found 0 worst items, 8 bad items, 27 good items, and 0 best items.

Below you find 3 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.

This slideshow requires JavaScript.

Everything presented below is related to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

Continue reading “Facebook 77.0 (iOS / App Store) on Jan 26, 2017 (upd. on Feb 3th – ver 78.0)”

Instagram (Android / Google Play) on Jan 26, 2017 (upd. on Feb 3th)

This application is available for Android here. This app was designed to share your photos and videos, and keep up with your friends and interests. The latest build was released on January 24, 2017 related to v10.5  (updated released on February 1st, 2017).

Beware of using previous releases, because all your media data is transferred ‘as is’ without protection and rest data items are vulnerable for intercepting (MITM attacks) with crafted certificate and installed on the device as trusted. Have a look

The current release protects the network data items except for media data. The media data is still transferring ‘as is’ without protection. However, the rest data items are protected by SSL Pinning that means a weakness if you have a rooted device only.

Findings Summary

Our examination revealed total 42 items, where were 14 DAR items and 28 DIT items found. Among DAR items were found 0 worst items, 14 bad items, 0 good items, and 0 best items. Among DIT items were found 6 worst items, 0 bad items, 22 good items, and 0 best items.

Below you find 3 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.

This slideshow requires JavaScript.

Everything presented below is related to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

Continue reading “Instagram (Android / Google Play) on Jan 26, 2017 (upd. on Feb 3th)”

Instagram 10.4.1 (iOS/ App Store) on Jan 26, 2017 (upd. on Feb 3th, ver 10.6)

This application is available for iOS here. This app was designed to share your photos and videos, and keep up with your friends and interests. The latest build was released on Jan 30th, 2017.

This release transfers all your media data ‘as is’ without protection and rest data is still vulnerable for intercepting (MITM attacks) with crafted certificate and installed on the device as trusted.

Findings Summary

Our examination revealed total 40 items, where were 12 DAR items and 28 DIT items found. Among DAR items were found 0 worst items, 5 bad items, 7 good items, and 0 best items. Among DIT items were found 6 worst items, 22 bad items, 0 good items, and 0 best items.

Below you find 3 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.

This slideshow requires JavaScript.

Everything presented below is related to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

Continue reading “Instagram 10.4.1 (iOS/ App Store) on Jan 26, 2017 (upd. on Feb 3th, ver 10.6)”

Instagram (Android / Google Play) on Jan 18, 2017 (upd. on Jan 19th for v10.5)

This application is available for Android here. This app was designed to share your photos and videos, and keep up with your friends and interests. The latest build was released on January 17, 2017 and results are updated on Jan 19th for the last released v10.5 (according to this alternative apk downloader site)

Beware of using previous releases, because all your media data is transferred ‘as is’ without protection and rest data items are vulnerable for intercepting (MITM attacks) with crafted certificate and installed on the device as trusted. Have a look

The current release protects the network data items except for media data. The media data is still transferring ‘as is’ without protection. However, the rest data items are protected by SSL Pinning that means a weakness if you have a rooted device only.

Findings Summary

Our examination revealed total 42 items, where were 14 DAR items and 28 DIT items found. Among DAR items were found 0 worst items, 14 bad items, 0 good items, and 0 best items. Among DIT items were found 6 worst items, 0 bad items, 22 good items, and 0 best items.

Below you find 3 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.

This slideshow requires JavaScript.

Everything presented below is related to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

Continue reading “Instagram (Android / Google Play) on Jan 18, 2017 (upd. on Jan 19th for v10.5)”

Instagram 10.4 (iOS / App Store) on Jan 18, 2017 (upd. on Jan 19th for v10.4.1)

This application is available for iOS here. This app was designed to share your photos and videos, and keep up with your friends and interests. The latest build was released on Jan 17, 2017 and results are updated on Jan 19th for the last released v10.4.1.

Beware of using previous releases, because all your media data is transferred ‘as is’ without protection and rest data items are vulnerable for intercepting (MITM attacks) with crafted certificate and installed on the device as trusted. Have a look.

The current release protects the network data items, however the items are still vulnerable for intercepting (MITM attacks) with crafted certificate and installed on the device as trusted.

Why is it still bad? Kazakhstan is going to start intercepting HTTPS traffic via “man-in-the-middle attack” starting Jan 1, 2016

Findings Summary

Our examination revealed total 40 items, where were 12 DAR items and 28 DIT items found. Among DAR items were found 0 worst items, 5 bad items, 7 good items, and 0 best items. Among DIT items were found 0 worst items, 28 bad items, 0 good items, and 0 best items.

Below you find 2 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.

This slideshow requires JavaScript.

Everything presented below is related to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

Continue reading “Instagram 10.4 (iOS / App Store) on Jan 18, 2017 (upd. on Jan 19th for v10.4.1)”

CWE Details

According to the CWE (Common Weakness Enumeration) list, there are three vulnerability IDs referred to improper protection mechanisms we use in our researches:

  • Sensitive data leakage [CWE-200]
  • Unsafe sensitive data storage [CWE-312]
  • Unsafe sensitive data transmission [CWE-319]

Sensitive data leakage [CWE-200]

Sensitive data leakage can be either inadvertent or side channel. Legitimate applications usage of device information and authentication credentials can be poorly implemented thereby exposing this sensitive data to third parties: Location, Owner ID info: name, number, device ID, Authentication credentials, Authorization tokens

Unsafe sensitive data storage [CWE-312]

Mobile applications often store sensitive data such as banking and payment system PIN numbers, credit card numbers, or online service passwords. Sensitive data should always be stored encrypted so that attackers cannot simply retrieve this data off the file system. It should be noted that storing sensitive data without encryption on removable media such as a micro SD card is especially risky.

Unsafe sensitive data transmission [CWE-319]

It is important that sensitive data be encrypted in transmission lest it be eavesdropped by attackers. Mobile devices are especially susceptible because they use wireless communications exclusively and often public Wi-Fi, which is known to be insecure. SSL is one of the best ways to secure sensitive data in transit. If the app implements SSL, it could still fall victim to a downgrade attack if it allows degrading HTTPS to HTTP. Another way SSL could be compromised is if the app does not fail on invalid certificates. This would enable that a man-in-the-middle attack.

Instagram (Android / Google Play) on Jan 15, 2017

This application is available for Android here. This app was designed to share your photos and videos, and keep up with your friends and interests. The latest build was released on December 21, 2016.

This release transfers all your media data ‘as is’ without protection and rest data is still vulnerable for intercepting (MITM attacks) with crafted certificate and installed on the device as trusted.

The new Instagram application is available and has the issues fixed. The media data is still transferring ‘as is’ without protection, however the rest data items are protected by SSL Pinning that means a weakness if you have a rooted device only. Have a look

Findings Summary

Our examination revealed total 42 items, where were 14 DAR items and 28 DIT items found. Among DAR items were found 0 worst items, 14 bad items, 0 good items, and 0 best items. Among DIT items were found 6 worst items, 0 bad items, 22 good items, and 0 best items.

Below you find 3 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.

This slideshow requires JavaScript.

Everything presented below is related to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

Continue reading “Instagram (Android / Google Play) on Jan 15, 2017”