Thursday 4 October 16:30 - 17:00, Green room
Siegfried Rasthofer (Fraunhofer SIT)
Stephan Huber (Fraunhofer SIT)
Steven Arzt (Fraunhofer SIT)
While tracking people has a long-standing history in espionage and blackmailing, it has recently also become popular for less shady reasons. Parents want to know exactly what their children are up to and couples want to check whether one of them is cheating. Whatever the reason was, users previously used explicit spying services that secretly provided backdoor-like functionality to the device that was to be tracked. Nowadays, users can instead install openly visible tracking apps to willingly share their data with others such as parents or spouses. We call these apps 'mutual-awareness-tracking apps'. In the end, however, both approaches deal with highly sensitive information, which immediately raises several questions about privacy and security. Who else can track me, where is the collected data stored, and how secure is that storage?
In this project, we analysed a selection of the most popular mutual-awareness-tracking apps from the Google Play Store together with the corresponding backend servers. Our investigation shows that many apps and services suffer grave security issues. Most apps failed to implement proper cryptography and relied on self-made algorithms instead. Others even used the unprotected HTTP protocol. In some apps, we could extract all user credentials as plaintext, and gained access to profile pics and other sensitive data from the backend due to flaws in the server's API.
In other apps, obtaining credentials wasn't even necessary, because the user authentication could be bypassed altogether. This allowed us to extract hundreds of thousands of tracking profiles. Yet other developers directly accessed their databases from the app using hard-coded credentials. While looking for tracker apps, we even found and reported two malware apps in the Google Play Store that were disguised as tracker apps.
In summary, one might ask 'who needs surveillance agency capabilities if everything is on the internet for free?'.
Siegfried is the Head of the Secure Software Engineering department at Fraunhofer SIT (Germany). His main research focus is on applied software security. He has a Ph.D., a Master's degree and a Bachelor's degree in computer science and IT-security. He is the founder of the CodeInspect reverse engineering tool and founder of TeamSIK.
During his research, Siegfried develops tools that combine static and dynamic code analysis for security purposes. Most of his research is published at top tier academic conferences and industry conferences like DEF CON, BlackHat, AVAR and Virus Bulletin.
Stephan is a security researcher at the Testlab mobile security group at the Fraunhofer Institute for Secure Information Technology (SIT). His main focus is Android application security testing and developing new static and dynamic analysis techniques for app security evaluation. He has found different vulnerabilities in well-known Android applications and the AOSP. He has delivered talks at conferences including DEF CON, HITB, AppSec and Virus Bulletin. In his spare time he enjoys teaching students Android hacking techniques.
Steven is currently a researcher at the Fraunhofer Institute for Secure Information Technology (SIT) in Darmstadt. He has a Ph.D., a Master's degree in computer science, and a Master's degree in IT security from Technische Universität Darmstadt.
Steven is one of the core maintainers of the Soot open-source compiler framework that is now used for static analysis and program instrumentation by various research groups around the world. He also actively maintains the FLOWDROID open-source static data flow tracker.
His main research interests centre on (mobile) security and static and dynamic program analysis applied to real-world security problems, an area in which he has published various research papers over the last years.
Brad Antoniewicz (Cisco Umbrella)
Michael Osterman (Osterman Research)
Norm Ritchie (Secure Domain Foundation)
Tom Bartel (Return Path Data Services)
Mark Kendrick (DomainTools)
Axelle Apvrille (Fortinet)