AndroBugs Update


protect your data: internet threats orbiting around a laptop
protect your data: cyber risks and threats that surround you

Results for typical applications on Android

(Disclaimer) This is SOLELY for defensive and informational purposes and research. Any and all results from pen testing apps is my right as these are installed on my phone and take my data illegally. Any and all damages from others for hacking are not my responsibility nor intention. 

As discussed in my last post I am using and testing various different methods to create what I call a SSC or a Secure Software Catalogue as is required by ITIL and in the Service Design portion of ITIL standards according to version 3. The software catalogue is a means in which to supply people in an organization with approved and (in my courses and trainings I give) for a secure IT Asset Management and Configuration. Why? Well according to my research many apps (actually most) spy on you and “take” data and samples of data that 99% of people do not realize. This “may” be correct for someone that gives you a free application but I believe most people don’t realize what they are doing and what they are actually paying with. There are no free applications (in my opinion) since you pay with your data and you are being analyzed each and everyday (often without your consent). 

Let’s take Google Android and the subsystem of applications that the store offers to its users, these applications contain components that allow google as well as the application creator to collect data on what you do, how you do it and even (suspected function that I still have to verify with facts) captures discussions that you have and are logged on your phone even in standby. One way we have verified this is to use multiple installs of Android in standard firmware and modified firmware. The modified firmware (OS) had a very small subset of google logic in it that also protected the phones users and added confidentiality as compared to fully stock firmware that contained all google apps and api’s. Some tests verified that discussions where listened into and interpreted by google because shortly after these discussions exact tailored emails and commercial materials were sent to the phones after the initial discussions. This is (IMHO) a violation of multiple rights on a global and national scale as this data is considered confidential at the very least and even up to top secret if android phones are used by Agency Personnel or DoD of any nation. I assume many people don’t understand this and what type of data collection and access to private information it involves. This is even scarier if you think about Nation States that may use these vulnerabilities in functions and redundant code to reverse engineer the OS functions and misuse these to spy on family members and innocent civilians. This fact is one of the main reasons for releasing the information. 

So based on all this and tests I wanted to see how many “standard” apps I could test and classify as “safe” in a normal use case. I believed that using a subset of applications that I “had” installed on my phone was a great start. So I downloaded and installed typical apps that almost everyone has:

WhatsApp, Google Drive, Dropbox, AV solutions, Bank Apps, RSA Secure ID (OTP / Tokens), Facebook, Google Apps, Music Apps, VPN software, Webex, Biometrics, etc. I found some really surprising results pretty much across the board.

I am adding a few reports in this post so that you can review them and then let me know what you think.

Please use this information for defense and for security awareness, don’t use it for hacking. I have thought very long and contacted multiple vendors (some never replied back) and I believe the risks are so high that not releasing the information would be irresponsible. I by no means have earned any money from this and am not profiting from this information besides doing the (unpaid) research to protect my data and information. I accept no responsibility what anyone does with this information and am not responsible for any damages or attacks that result from offensive use of my research. I am also not judging the companies that created the software nor am I saying anyone should attack them or the applications. 

Your 1D10T (Security Noob)

Some more reports:

















com.rachelssolutions.fdnyfireandemslocations_e165f2f44add95a21b8e327714d9c555548836257a6601765d03b6f646c6cbd935a24ffd001a8724d2e749beac3ed4af36a0549d5ddd112e6b9ccb333fdffec1 com.rsa.securidapp_31bef1d15709e861f1fa46a3066d40a116be62cb66d31ea0a9bd01be1ab92eb866aa7d3631e243a9a009dfe8b012339bb7b5784681abf07b44e4c950d469d98f