Your Apps Are Spying On You: How to Keep your Privacy on Mobile Devices
On Friday, October 24th, 2014, I had the honor and privilege of speaking at the 4th Annual NJ Cyber Security Conference at Brookdale Community College. The overall theme of the conference was "Internet of Things (IoT)". My presentation was about mobile apps and how the permissions requested could be allowing more access than you realize. Below is a copy of the slides I used for my presentation and the transcript.
Below is a transcript of the presentation:
Below is a transcript of the presentation:
Good afternoon! How is everyone today? Great! So I would like to take a quick poll. How many people have one of these? (hold up phone) Now, I am holding up an Android smartphone, but I am not differentiating on the type of phone, but who has a smartphone? Looks like most everyone. Mobile devices help keep our lives organized and provide a huge convenience for us all. But with all that we put on our devices, are your Apps spying on you? Today we will take a look.
First off, the question on everyone’s mind; who is this guy? My name is Kirk Hayes. I am a Christian, Husband, Father to two amazing and beautiful children, a geek, and a hacker. For my day job, I am a FSO and ISSM for a small defense contractor, though I recently accepted a job offer and will be working as a senior penetration tester in the near future. As you can tell from the picture of me with my two kids, I love ice cream, and so do they! They like to wear it a little more than I do though. I have a little blog at offenseismyprimarydefense.blogspot.com, a github account where I host some tools that I have written at github.com/l0gan (that is l zero gan), and you can follow me on Twitter @kirkphayes. I have been in the IT field for the past 9 years, but my career took a turn about a year and a half ago.
I took part in a competition through CyberAces. Now, CyberAces, for those that do not know, is an organization the helps train, test, and place top talent in cyber security. The competition I was in took in over 800 participants in New Jersey, narrowed the field to 80, pitted us against each other in a hacker death match called NetWars, out of which 12 were invited to the CyberAces Academy at Brookdale. Through that program, I was able to refine my skills and ultimately get a job that I am excited to start in a few short weeks. But back to what is CyberAces. CyberAces helps people learn different areas of cyber security through a few training modules online. Each year, there is a competition that allows individuals to compete in a series of online tests and culminating in an onsite Netwars competition which is a hands on cyber security training and assessment “game”. This competition helps pull out the best of the group. These people can win different prizes and awards and through the National Cyber Security Career Fair, there is an opportunity for organizations to find top talent that otherwise might go unnoticed. You can visit cyberaces.org to learn more and I would highly recommend you head there if you are interested in cyber security from any vantage point, which let’s be honest, if you are here, there must be some interest right?
Okay, so now that my intro is done, what will we talk about today? First, we will discuss briefly different devices that are out there. We will look at what type of information is stored on these devices, look at the way that iOS and Android deal with permissions when it comes to applications, look at some examples of apps that may be spying on you, and what you can do to protect yourself.
So there are many different devices out there. Some of the most popular are Android, which is what I use for all my devices, and iOS, which I use strictly for analysis purposes. There are also the Windows Phone devices, Blackberry Classic and Blackberry 10 devices, as well as a bunch of others, like FirefoxOS and Amazon Fire devices. These devices may be tablets or phones but they all have a similar use to them. The apps for the platform are what keep people using them day to day.
No matter what type of device you have, there is a ton of information on them. Can anyone think of any information you store on your devices? Some information that is potentially sensitive in nature are contacts, email, calendar, notes. My cousin actually keeps her passwords in a notes file in her iCloud account. Anyone do anything like that? Even information on our health, our location, and even what WiFi access points we have connected to is stored on the device. Not only that, but all your text messages, documents, browser information and your keystrokes. Yeah, when you type in a word that is not in the built-in dictionary, those are stored on your device. Anyone see that on iOS 8 there was a problem where your password was kept in that file? On Twitter, someone who goes by the name raptor, tweeted something I think sums up apps and what happens when you install one. “Installing an app is effectively equivalent to giving the author of that app a shell account on your most personal machine.”
So to understand how apps are spying on us, we need to understand how the operating system handles app permissions. In iOS, Apps must prompt the user for consent on a handful of permissions. These include location, notifications, contacts, calendar, reminders, photos and healthkit. All other permissions are allowed as long as the app is using Apple APIs. The way Apple keeps malicious apps off of their devices is by making all apps go through a vetting process to make sure they are complying with Apple regulations. Now, this doesn’t mean that there are no malicious apps on the Apple App Store, it just means they have to be malicious in a way that Apple approves of.Beyond the permissions that Apple forces the app to gain consent for, there are a number of other permissions that the apps get access to without prompting the user. These include the iOS Unique ID (or UDID), which with iOS 8 there is a randomization that occurs to help keep you from being tracked as you are walking around. The WiFi connection information, minus the password, is accessible. So is the last number you called, your YouTube history, different settings in MobileSafari, including your favorites and history, and internet access. Now if you remember, there is a file that contains a list of words that you have typed that were not in the autocorrect dictionary. This file is also accessible by apps without prompting, and remember, iOS 8 was storing passwords in this file. Oops!
We will move over to Android now. With Android, it is an all or nothing approach. They present you with all the permissions an app requests when installing the app. You can choose to install the app, granting those permissions, or not install the app. Recently, Google tried to simplify the permissions and grouped them into categories, which once you have granted access to the app category, the app can update and add permissions within that category without prompting the user. This is the case for all the categories beside the Other category. Android allows for apps to use functionality from other apps or the system by using something they call intents. This functionality has actually just been added to iOS with iOS 8. Apps do not go through the same type of vetting process on Android as they do for Apple. The apps are allowed in the store, and the Google Bouncer will get rid of apps that do not follow their guidelines or are malicious.This is a list of some of the more sensitive permissions in Android. Yes, there are a lot of permissions here, but I highlighted some of the more sensitive ones, such as Read your contact card, read and modify your contacts, read your calendar, and email the guests without your knowledge. Precise location using GPS and wireless networks, read your SMS or text messages, even sending SMS messages or placing calls. All these permissions have items that could potentially leak information about you that you do not want someone to have access to.
So with a basic knowledge of how iOS and Android handle app permissions, we will now play a little game. I call it; guess the app that is spying on you. First up, can anyone tell me what app is represented by this icon? This is Facebook Messenger. The list of permissions here is for the Android version of the app, but many of the same permissions were requested in iOS as well. This caused a huge public outcry on why Facebook wanted so much access on our devices, and that caused them to issue a statement on why each permission was requested. Now I am not going to go through their reasoning, but I think that anyone that thinks through can understand why they need access to what they request access to. The reason Facebook wants to read your contacts is to make sure as many people you know are all friends of yours on facebook and to allow you to message them. It wants to include your location in every message you send in the app, and not allow you to permanently change that, so the location items make sense. SMS. Why does Facebook Messenger want access to the SMS features? Well Facebook Messenger wants to replace your stock SMS/MMS app and handle ALL of your messaging, which is why it wants to use your phone. And what messaging app would be complete without being able to access your files and camera so you can send that selfie that everyone wants to see. So is Facebook Messenger Spying on you?
How about app number 2. Anyone know what app this icon is for? Even if you don’t know the exact name of the app, you can probably tell this is a flashlight app. This is Brightest Flashlight Free, one of the top 3 flashlight apps. Again, I am listing the permissions requested from the app on the Google Play Store, but there are the same permissions needed on the iOS version. So can anyone tell me why a flashlight app wants access to my location or my wifi connections? I get that a flashlight needs access to the camera, that is how it turns on the flash, but location? Turns out, this app is ad supported, thus the Free in the name of the app. The location is sent to the ad networks which then send you ads tailored to your location. Again, nothing necessarily malicious in why it needs that access, though I would rather find an app that does not need my location or other information.
So the final app of our game. Anyone recognize this one? I actually didn’t think anyone would recognize it, but this is Money Manager Expense and Budget. There are a bunch of permissions that this app wants access to including knowing what apps you are running, handling SMS, what WiFi you have connected to and some others. I am not sure why a money management app is doing with SMS access, but that just smells fishy. We will get to that more in a little bit.
So we recognize that apps are potentially grabbing sensitive information on our devices, so what can we do about it? First, and foremost, only install apps from a trusted marketplace. Do not install an Android app from a sketchy site you found because you don’t want to pay the 99 cents to purchase it. Installing from the Apple App Store or the Google Play Store will really help keep the malicious apps off your device. Keep in mind that when I say malicious, I mean known malware. The apps you will find are less likely to be malware and more likely to be selling information to advertisers than anything else. Secondly, check the permissions an app is requesting. Determine whether those permissions make sense for what the app is doing. If you suspect anything, do not install the app. And if you must have the app, and still are suspect of the app, perform some basic app analysis.
I am going to give you all a little bonus here. A quick intro to app analysis. There are three primary ways that I use to analyze what an app is doing. First, I do a static code analysis. On Android, this is easy and you can decompile the APK file and take a look at the Android Manifest file, which gives you information about the permissions, and view the Java Source Code. Some sensitive code to look for when doing this on Android is on the slide, but keep an eye on the TelephonyManager items. I did a quick source code analysis on our app number 3, Money Manager, and found some interesting things.You will notice that getCellLocation is listed, also some sms information, even using an Intent to dial a phone number, even some Korean characters. The permissions were strange enough, the code would make me stay away from this app.
The second way to analyze an app would not help much in the case of apps spying on you, but can help with other items. Basically you pull out the file system where the app is on your device, look at the files, make changes, and copy back to the device. On my github account, I have a tool called BackHack that will allow you to do this easily on Android and I have instructions for using the tool and performing this analysis on Android and iOS on my blog. Something that I have used this for is to turn off ads and even some location tracking. At least for those apps, some of my data is a little safer.Finally, Network analysis. Running your apps through a proxy like Burp, will let you see what type of information is being sent and received through your network connection. This is similar to how Web App Penetration Testers test web apps, but just with a mobile device. And it is not just apps. Xiaomi was suspected of secretly stealing uses information and sending back to a server in Beijing. So using network analysis can allow you to see all types of fun information that is being stolen from your device.
So as we have seen, we have many devices, that contain sensitive information, and each time we install an app, we give a little of that information away. By looking at what permissions these apps require, we can determine if the use of these permissions or malicious or if it lines up with what the app needs to do. Lastly we took a quick look at how to perform analysis on apps that we might suspect there is something going on.
Now before we wrap up and I take questions, I wanted to let you know that if you are interested in mobile device security, I am mentoring a SANS SEC575: Mobile Device Security and Ethical Hacking course starting March 10th. The course lasts 10 weeks and is 1 evening a week for about 2 hours. The class is being hosted here at Brookdale and you can sign up at the link on the screen. Make sure to use the discount code RefMen14 for a 15% discount. This course is designed for anyone that is interested in mobile device security. There are parts for policy makers, for penetration testers and for those interested in forensics of mobile devices.
Thank you so much for spending the past hour or so with me. I truly hope you learned something and keep an eye out for apps that may be spying on you. If there are any questions, I would be happy to take those now, or we can talk during a break.
