Analysis of Camera App privacy data leakage

Source: Internet
Author: User

0x00 Preface

Many popular Android applications have been found to leak private data. We found that another popular Google Play app, "Camera Ultimate", not only optimizes users' photos but also inadvertently leaks private data, allowing malicious users to access Camera cloud accounts and photos without being authenticated.

Before this discovery, FireEye researchers had found a large number of SSL vulnerabilities in Camera and other applications. These vulnerabilities can be exploited through man-in-the-middle attacks and pose a serious threat to user privacy.

Android app developers should adopt more appropriate security measures to provide users with a safer mobile phone experience.

0x01 overview and introduction

Camera is a popular photo shooting and editing application with millions of users worldwide. It provides free cloud storage for photos. To use these cloud features, the user creates an Alibaba Cloud account that can be accessed through


Cloud access is protected by a user name and password. However, while the application is running it leaks private data in unencrypted form, for example to the Android system log (logcat) and in network traffic. This data can be stolen by an application that reads logcat or captures network traffic, and a malicious user on the same Wi-Fi network can also obtain it by sniffing.


The leaked data can be used to download all of the user's photos, except those in the user's private album. A private album usually uses an additional password to protect important images. The application treats these private images separately, and all images uploaded from a device are non-private by default.

0x02 technical details

We analyzed the latest version of Camera (6.2) and earlier versions (6.1.2, 6.1.1 and 6.1) and found data leaks in all of them.

The leaked data can be used to gain unauthorized access to users' photos in the following ways:

1. Create a login session with the leaked credentials, obtain the image keys from the server and use them to download images.
2. Hijack the login session with the leaked token and use it to download images.
3. Use the leaked image keys to download images without any authentication.

In addition, images captured from network traffic can be extracted and viewed directly.

The details follow.

0x03 create a logon session

The Camera application logs on to the server over HTTPS, which means the sensitive login data cannot easily be obtained from network traffic. During the login process, however, the application writes the private data to logcat, which can be read by other applications running on the device at the same time.

Camera logs the user's email address, password hash and other related data. When this data leaks, it can be used to create a separate login session. In response to the login request, the server returns a token, a user ID and other account information. The token and user ID can be used to obtain the keys of all unencrypted images on the server, and with these keys all of the images can be downloaded.

The log information generated during the test is shown below:


By reverse engineering the application we found its HTTPS login URL. The data from the log above can be used to create a login session through this HTTPS request. The URL, with its parameters removed, is:


Any application that can read logcat can obtain the login data and create its own login session. Logcat can be read with the READ_LOGS permission, which is available to all applications on Android 4.0 and earlier. Since Android 4.1 (Jelly Bean), however, this permission is no longer granted to third-party applications.

By reverse engineering the application we also found that the password hash is an unsalted double MD5 of the original password. An attacker could recover the original password with a dictionary attack, or use a rainbow table or brute force to find a string that matches the hash. Cracking is not even required, though: the hash value itself can be used directly to create a login session. The password hash and the stolen email address can be used to log on to Camera and to the cloud (management system).
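The following is an added illustration, not code from the app or from FireEye: the unsalted double MD5 the article describes, next to a salted PBKDF2 scheme of the kind a server should store instead. The function names and the 200,000-round count are my own choices.

```python
import hashlib
import hmac
import os


def double_md5(password: str) -> str:
    """Unsalted MD5(MD5(password)), the client-side hash the article describes.
    With no salt, every user with the same password gets the same value, and
    because the server accepts this value as-is, the hash itself acts as the
    credential: no cracking is needed once it leaks."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5(inner.encode("utf-8")).hexdigest()


def hash_password(password: str, salt=None, rounds: int = 200_000) -> str:
    """Hardened alternative (an assumed scheme, not the app's): a random
    per-user salt and a slow derivation, stored as algorithm$rounds$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(rounds))
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_collides(scheme, password: str) -> bool:
    """True if two accounts with the same password end up storing identical values."""
    return scheme(password) == scheme(password)
```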

0x04 use the leaked tokens to hijack the session

In response to the application's login request, the server returns a token, a user ID and other account information. Camera uses this token and user ID in subsequent requests to authenticate itself.

The server's response for our test account is as follows:


This token is fixed and never expires. It remains valid even after the user has logged out, because the session variables are deleted on the client rather than on the server. Successful requests can therefore be sent with this token at any time.

Camera exposes these tokens and user IDs, together with other application- and device-related data, to logcat and to network traffic. Any Android app that can read logcat, and any network sniffer running on the device or on the device's Wi-Fi network, can steal this data. The leaked data can be used to send unauthenticated requests to the server or to retrieve all non-private images from the cloud.
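As an added illustration (not the app's server code), the following models the token behaviour described above, a fixed token that outlives logout, beside a session store that implements the advice from the prevention section: an expiry, server-side revocation on logout and a fresh token on every request. The class names and the injectable clock are my own.

```python
import secrets
import time


class FixedTokenServer:
    """Mimics the observed behaviour: one permanent token per user that the
    server never expires and that logout does not revoke."""
    def __init__(self):
        self.tokens = {}                       # user_id -> token

    def login(self, user_id):
        return self.tokens.setdefault(user_id, secrets.token_hex(16))

    def logout(self, token):
        pass                                   # only the client forgets the token

    def is_valid(self, token):
        return token in self.tokens.values()


class SessionServer:
    """Hardened counterpart: random tokens with a lifetime, revoked on logout
    and rotated on every authenticated request."""
    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock                     # injectable so tests control time
        self.sessions = {}                     # token -> (user_id, expires_at)

    def _issue(self, user_id):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user_id, self.clock() + self.ttl)
        return token

    def login(self, user_id):
        return self._issue(user_id)

    def authenticate(self, token):
        """Return (user_id, next_token) if the token is live, else None.
        The presented token is retired either way, so a captured token stops
        working as soon as the legitimate client makes its next request."""
        entry = self.sessions.pop(token, None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() >= expires_at:
            return None
        return user_id, self._issue(user_id)

    def logout(self, token):
        """Revoke on the server, not just on the client."""
        self.sessions.pop(token, None)
```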

0x05 data leaked to logcat

Camera writes data to logcat during login and when the user opens cloud account-related activities.

The following are two examples of log information:


In the information above, uid and userId are set to the same user ID, and token, user token and localkey are set to the same token value.
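The following is an added example, not code from the app or from FireEye: a small scanner and redaction filter run over constructed logcat-style lines that mirror the fields named above (uid, userId, token, localkey). The key list, the regular expressions and the sample lines are my own assumptions about what such a log looks like.

```python
import re

# Field names the article says appear in the leaked log lines, plus common aliases
SENSITIVE_KEYS = {"uid", "userid", "user_id", "token", "usertoken", "user_token",
                  "localkey", "key", "password", "pwd"}

# key=value or "key":"value" pairs; a value stops at whitespace, quotes or separators
KV_RE = re.compile(r'(?i)\b([a-z_]+)("?\s*[=:]\s*"?)([^\s,;&"]+)')
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+')

# Constructed sample lines in logcat format (not real output from the app)
SAMPLE_LOGS = [
    'I/CloudLogin( 1234): login ok uid=10001 userId=10001 token=deadbeefcafe',
    'D/Album( 1234): response: {"localkey":"deadbeefcafe","email":"alice@example.com"}',
    'V/Net( 1234): GET /cloud/list?sort=recent',
]


def find_leaks(line):
    """Return [(field, value), ...] for every sensitive field found in one line."""
    hits = [(m.group(1), m.group(3)) for m in KV_RE.finditer(line)
            if m.group(1).lower() in SENSITIVE_KEYS]
    hits += [("email", e) for e in EMAIL_RE.findall(line)]
    return hits


def redact(line):
    """Mask sensitive values and e-mail addresses; leave everything else intact."""
    def mask(m):
        key, sep, _value = m.groups()
        return key + sep + "<redacted>" if key.lower() in SENSITIVE_KEYS else m.group(0)
    return EMAIL_RE.sub("<email>", KV_RE.sub(mask, line))


def scan(lines):
    """Map line index -> leaked field names, for the lines that leak anything."""
    report = {}
    for i, line in enumerate(lines):
        fields = [field for field, _ in find_leaks(line)]
        if fields:
            report[i] = fields
    return report
```

A filter like redact() belongs in the app's logging wrapper so that the values never reach logcat in the first place; scan() is what a reviewer would run over captured logcat output during testing.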

0x06 data leaked to Network Communication

The application sends the login request over HTTPS, but subsequent requests are sent over HTTP, with the unencrypted authentication token and user ID included. This unencrypted data can easily be read from network traffic.

An HTTP request is as follows:


0x07 use the token and user ID to download the photo

The leaked token, user ID and other application-related data can be used in any of the following requests:


These HTTP requests can be used to download photos in two ways:

FETCHING IMAGE KEYS

Any of the HTTP requests above can be used to obtain the photo keys from the server. The server's response to our test request is as follows:


The key can be extracted from the server response, and the photo then downloaded with the following HTTP request:


Bypassing the login page of the web cloud

The HTTP requests used to obtain image keys can also be used to bypass the login page. Executing any of these requests logs the user in to the web service, because the requests carry the authentication token. Entering one of these URLs in a browser tab leads directly to the home page of the cloud website.

0x08 use the leaked photo key to download the photo

Camera's cloud album process fetches the recent (non-private) photos from the server to show the user the photos stored in the cloud. It writes the received server response to logcat, as shown below:


The keys in these log records can be stolen by any application that can read logcat. Each key consists of the user ID and a unique photo ID. As mentioned above, these keys can be used in the following HTTP request to download images:


This is a fixed link to the photo and it never expires. It can be used to download the photo without supplying credentials or a token.
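As an added example (not the cloud service's code), here is one way to replace the fixed, unauthenticated photo link described above with a link that carries an HMAC signature and an expiry, the mitigation the prevention section calls for. The URL layout, parameter names and the server secret are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret for the example; a real deployment keeps this server-side only
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def _signature(user_id, photo_key, expires_at, secret):
    # Bind owner, photo key and expiry together so none can be changed alone
    msg = f"{user_id}|{photo_key}|{expires_at}".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_photo_url(base, user_id, photo_key, expires_at, secret=SERVER_SECRET):
    """Build a download link whose photo key and expiry are covered by an HMAC.
    Without the secret nobody can mint a link or extend its lifetime."""
    exp = int(expires_at)
    params = {"uid": user_id, "key": photo_key, "exp": exp,
              "sig": _signature(user_id, photo_key, exp, secret)}
    return f"{base}?{urlencode(params)}"


def verify_photo_url(url, now=None, secret=SERVER_SECRET):
    """Server-side check. Returns (user_id, photo_key) for a valid, unexpired
    link, or None. The signature is checked in constant time before the expiry."""
    q = parse_qs(urlsplit(url).query)
    try:
        uid, key, exp, sig = (q[k][0] for k in ("uid", "key", "exp", "sig"))
        exp = int(exp)
    except (KeyError, ValueError):
        return None                             # missing or malformed parameter
    if not hmac.compare_digest(sig, _signature(uid, key, exp, secret)):
        return None                             # forged or tampered link
    now = time.time() if now is None else now
    if now >= exp:
        return None                             # link has expired
    return uid, key
```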

0x09 extract photos from captured Communication

The images captured from network traffic are unencrypted and can be viewed directly.


0x0a prevention

The security of both the cloud application and the Android application needs to be improved to prevent further data leaks and unauthorized data access. Some ideas:

- Do not write private data of any kind to the Android system log (logcat).
- To prevent session hijacking, encrypt not only the login process but also private data such as tokens, user IDs, photo keys and photo files, and give the token an expiration timestamp.
- When a logout request is received, delete all session variables on the server and do not accept previously issued tokens again.
- The server can change the token value on every request, which limits what an attacker can do with a captured token. The token could also be bound to an IP address, but this may be inconvenient for users with dynamic IP addresses.
- Authenticate the fixed link pointing to the photo, or make the link time-sensitive.

0x0b conclusion

Camera exposes a lot of unencrypted private data in network communication and Android system logs, which threatens users' privacy.

The FireEye Mobile Threat Prevention Platform can detect data leaks and vulnerabilities in Android apps and help users make better choices about sharing private data with apps.

