App forensics

    A friend of mine claimed that someone stole her personal data by hacking a certain app. She had installed the app several months ago and registered an account, supplying her name, phone number, birth date, address, e-mail address and so on. Recently she started receiving lots of spam e-mail, and guess what? Her personal data appeared in those e-mails. What a coincidence.

    She asked me to take a forensic look at the app to see whether it is secure. The app, call it "X", belongs to a leading seafood restaurant chain. It has a pretty good user interface and fancy advertisements. To my surprise, "X" talks to its servers over plain HTTP rather than HTTPS. The capture below shows what I got: the username and password travel in plain text, readable by anyone on the network path. That is ridiculous.

    Furthermore, I could hijack a user's token to gain access to another user's personal data. Say a user, Sherry, logs in to app "X". "X" collects a device_uuid, which is exactly the phone's IMEI, a permanent hardware identifier that the user cannot rotate. Most apps do the same thing, collecting a unique device identifier for sales and advertising purposes. You can also see Sherry's user_access_token in the capture below.

    Another user, Judy, logs in to app "X". Of course she gets a different user_access_token.

    Sherry could mount a MITM attack against Judy to hijack Judy's user_access_token; since the traffic is plain HTTP, the token is readable to anyone sitting on the same network path. Once she had it, all Sherry needed to do was replace the user_access_token in her own request with Judy's. The server accepted the token regardless of which device_uuid accompanied it, and as you can see below, Judy's personal data showed up.
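    The triage and replay steps described above, written up as an added example (not code from the original post). It parses raw HTTP requests, reports the credential and token fields that an on-path observer can read, and rebuilds Sherry's profile request with Judy's user_access_token swapped in to show that the token is the entire credential. The captures are constructed sample data; the field names user_access_token and device_uuid come from the post, while the endpoint paths, host name, token values and IMEI-style device_uuid values are assumptions.

```python
"""Triage a plaintext HTTP capture from a mobile app for leaked secrets.

Added example, not code from the original post.  Endpoint paths, the host
name, the token values and the IMEI-style device_uuid values are constructed
sample data; the field names user_access_token and device_uuid come from the
post, the other field names are assumptions.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Field names that an app should never send over cleartext HTTP.
SENSITIVE_FIELDS = {"username", "password", "user_access_token", "device_uuid"}

# Constructed captures (not real traffic): Sherry's login and profile
# requests, and Judy's profile request seen on the same network.
SHERRY_IMEI = "359881030000001"
JUDY_IMEI = "359881030000002"
LOGIN_REQUEST = (
    "POST /api/login HTTP/1.1\r\n"
    "Host: api.x-seafood.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    f"username=sherry&password=Seafood123&device_uuid={SHERRY_IMEI}"
)
SHERRY_PROFILE = (
    "GET /api/user/profile?user_access_token=tok_sherry_1111"
    f"&device_uuid={SHERRY_IMEI} HTTP/1.1\r\n"
    "Host: api.x-seafood.test\r\n"
    "\r\n"
)
JUDY_PROFILE = (
    "GET /api/user/profile?user_access_token=tok_judy_2222"
    f"&device_uuid={JUDY_IMEI} HTTP/1.1\r\n"
    "Host: api.x-seafood.test\r\n"
    "\r\n"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and params.

    Query-string parameters and, for form posts, body parameters are merged
    into one dict, since both are equally visible to an on-path observer.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    url = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    content_type = next(
        (v for k, v in headers.items() if k.lower() == "content-type"), "")
    if content_type.startswith("application/x-www-form-urlencoded"):
        params.update({k: v[0] for k, v in parse_qs(body).items()})
    return {"method": method, "path": url.path, "headers": headers, "params": params}


def find_cleartext_secrets(raw: str) -> dict:
    """Return the sensitive fields readable by anyone on the network path.

    Over TLS the request would be opaque bytes; anything that parses as HTTP
    here was sent in the clear, which is exactly the situation in the post.
    """
    params = parse_request(raw)["params"]
    return {k: v for k, v in params.items() if k in SENSITIVE_FIELDS}


def triage(captures: dict) -> list:
    """Report (label, path, leaked field names) for every capture that leaks."""
    findings = []
    for label, raw in captures.items():
        leaked = find_cleartext_secrets(raw)
        if leaked:
            findings.append((label, parse_request(raw)["path"], sorted(leaked)))
    return findings


def forge_with_token(raw: str, stolen_token: str) -> str:
    """Rebuild a query-string request with another user's user_access_token.

    This is the replay step from the post: Sherry keeps her own request,
    including her own device_uuid, and only swaps in Judy's token.  If the
    server returns Judy's profile, the token alone is the whole credential.
    """
    req = parse_request(raw)
    params = dict(req["params"], user_access_token=stolen_token)
    header_block = "".join(f"{k}: {v}\r\n" for k, v in req["headers"].items())
    return f"{req['method']} {req['path']}?{urlencode(params)} HTTP/1.1\r\n{header_block}\r\n"


def differing_params(raw_a: str, raw_b: str) -> set:
    """Names of parameters whose values differ between two requests."""
    a = parse_request(raw_a)["params"]
    b = parse_request(raw_b)["params"]
    return {k for k in a.keys() | b.keys() if a.get(k) != b.get(k)}


if __name__ == "__main__":
    captures = {"login": LOGIN_REQUEST, "sherry": SHERRY_PROFILE, "judy": JUDY_PROFILE}
    for label, path, fields in triage(captures):
        print(f"{label}: {path} leaks {', '.join(fields)} in cleartext")
    forged = forge_with_token(SHERRY_PROFILE, "tok_judy_2222")
    print("forged request differs from Judy's own only in:",
          differing_params(forged, JUDY_PROFILE))
```

    The forged request differs from Judy's own request only in device_uuid, which is the check worth making when auditing an app like this: if the server still answers with Judy's data, it is not binding the token to the device it was issued to, and the token itself is the only thing standing between a network observer and every user's profile.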

    "X" should use HTTPS, and add certificate pinning, to secure the channel in a hostile environment where anyone on the network path may be malicious; TLS is what encrypts the credentials and tokens in transit between devices and servers, and pinning stops an attacker with a rogue or compromised CA certificate from interposing. Confidential data stored on the device in XML/plist/database files should also be encrypted. "X" should take its responsibility seriously and spare no effort to keep users' data safe. If an app you use does not protect your privacy well enough, my suggestion is to uninstall it immediately.

Original post: https://www.cnblogs.com/pieces0310/p/6683445.html