List: full-disclosure
Subject: Re: [FD] 360 security android app snoops data to China Unicom network via insecure HTTP
From: Daniel Wood <daniel.wood () owasp ! org>
Date: 2017-04-30 13:26:42
Message-ID: B79D2305-9EDC-4F90-865D-AA5F4C118331 () owasp ! org
Can't you just run the app in an Android emulator and shark it?
Sent from my iPhone
> On Apr 30, 2017, at 06:02, seclists@email.tg wrote:
>
> I have a further update on the issue. After uninstalling the 360 security android app, I
> found after repeated checks of Network Info on my phone via the Ping & DNS app that even then
> the HTTP connection to IP address 123.125.114.8 still frequently showed up. So, I monitored
> the network connections on my phone via the Network Connections app
> (https://play.google.com/store/apps/details?id=com.antispycell.connmonitor) and found that
> this time the HTTP connection to IP address 123.125.114.8 was being established by the ES
> File Explorer app (https://play.google.com/store/apps/details?id=com.estrongs.android.pop).
> So, it is possible that the insecure HTTP connection to the above IP address that I observed
> when both the 360 security and ES File Explorer app were installed on my phone was in fact
> because of the ES File Explorer app or the other possibility is that both the apps have the
> same problem. I haven't had a chance to re-install the 360 security app without the ES File
> Explorer to check that and I don't intend to re-install the 360 security app on my phone,
> since it anyways used to raise the temperature on my phone suspiciously. So, I will report
> this as an issue for the ES File Explorer app in a separate email.
> Thanks.
> Hi,
>
> I found the following review posted about the 360 security android app:
>
> https://play.google.com/store/apps/details?id=com.qihoo.security&reviewId=Z3A6QU9xcFRPSG1HSTRaSVdNelVWY3FhZk5zcFlFMnZKeXRKRHhhQUE4VU9pLWV4UFBxeHJ3Xy1ZZWU2bEpOLTg0eGxzczFCV0lkaWxxTHRzZTQ4RWxzU2c
> "Snoops data to China Unicom via insecure HTTP link! Found while checking Network info on my
> device with this app installed that it had established an insecure HTTP connection to an IP
> address (123.125.114.8) on Chinese state owned China Unicom network (China Unicom owns a stake
> in app developer via Qihoo 360). Also, when installed, found my phone temperature rising
> frequently indicating covert data transfer from my phone. I've now uninstalled this Chinese
> spying app & advise the same to anyone using the app. Resp to comment: updated above info
> with IP addr. 360 Mobile Security Limited April 26, 2017 Hi, sorry for the inconvenience.
> It will be helpful for us to solve the problem, if you can give us more information and
> details. Attaching some screenshots would be helpful. Please contact us by email:
> jenny@mobimagic.com. Many thanks."
> I observed the same behavior when I had this app installed on my smartphone. I checked the
> Network Info on my phone when this app was installed, using the Ping & DNS
> app (https://play.google.com/store/apps/details?id=com.ulfdittmer.android.ping) and found the
> insecure HTTP connection to the above IP address. After I uninstalled the app, the HTTP
> connection to the above IP address was gone, as well. On checking the WHOIS
> info (https://www.whois.com/whois/123.125.114.8)
> for this IP address it can be seen that it is indeed on the Chinese state-owned China Unicom
> network. I had App usage tracking permission on Android enabled for this app, to facilitate
> phone temperature reduction, when I observed the above.
> Can other security researchers please check and comment on this security hole?
>
> Thanks.
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
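
An added example, not part of either poster's message: the per-app attribution described in the quoted update (which app owns the HTTP connection to 123.125.114.8) can be reproduced from an emulator shell by reading `/proc/net/tcp` and mapping each socket's UID to a package. The snapshot and the UID-to-package map below are constructed sample data, and the function names are hypothetical.

```python
import socket
import struct

# Constructed /proc/net/tcp snapshot (IPv4 addresses are little-endian hex, ports are hex).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0F02000A:9C40 08727D7B:0050 01 00000000:00000000 00:00000000 00000000 10087        0 23456
   1: 0F02000A:A1B2 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000 10087        0 23457
   2: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002
   3: 0F02000A:B000 08727D7B:0050 06 00000000:00000000 03:00000A5C 00000000     0        0 0
"""

# Constructed UID-to-package map; on a device it can be built from `pm list packages -U`.
SAMPLE_UIDS = {10087: "com.estrongs.android.pop", 10091: "com.qihoo.security"}

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT",
              "08": "CLOSE_WAIT", "0A": "LISTEN"}


def decode_endpoint(field):
    """Turn '08727D7B:0050' into ('123.125.114.8', 80)."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def cleartext_http_connections(proc_text, uid_to_pkg, watch_ip=None):
    """List sockets whose remote port is 80, with the owning package where known."""
    findings = []
    for line in proc_text.splitlines()[1:]:          # skip the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        ip, port = decode_endpoint(cols[2])
        if port != 80 or (watch_ip and ip != watch_ip):
            continue
        state = TCP_STATES.get(cols[3], cols[3])
        uid = int(cols[7])
        # TIME_WAIT entries are listed with uid 0, so they cannot be tied to an app.
        owner = "unattributable" if state == "TIME_WAIT" else uid_to_pkg.get(uid, f"uid {uid}")
        findings.append({"remote": f"{ip}:{port}", "state": state, "owner": owner})
    return findings


if __name__ == "__main__":
    for hit in cleartext_http_connections(SAMPLE_PROC_NET_TCP, SAMPLE_UIDS, "123.125.114.8"):
        print(hit)
```

This covers IPv4 only (`/proc/net/tcp6` uses a different address encoding) and treats remote port 80 as the indicator of cleartext HTTP; a packet capture is still needed to see what is actually sent.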