
List:       full-disclosure
Subject:    Re: [FD] 360 security android app snoops data to China Unic
From:       "seclists@email.tg" <seclists () email ! tg>
Date:       2017-04-30 19:57:20
Message-ID: 20170504204320.DD98E6970 () ack ! nmap ! org

I reinstalled the 360 security app on my phone to check the network connections it used & found
via the Network Connections app that it did indeed use an insecure HTTP connection to exchange
data with IP address 52.85.77.42 which is assigned to Amazon
network (https://www.whois.com/whois/52.85.77.42). Attached is a screenshot from the network
connections app showing this connection. From the 360 security app privacy policy
page (http://www.360securityapps.com/m/en-us/about/privacy) it can be seen that it uploads
sensitive information about installed programs to a cloud security center. So, I am guessing
that the above IP address corresponds to an Amazon cloud storage server. So, there is still a
security hole in this App, where it may be transmitting sensitive system information via an
unencrypted HTTP connection.

Thanks.

----- Reply message -----
From: "Daniel Wood" <daniel.wood@owasp.org>
To: <seclists@email.tg>
Cc: <fulldisclosure@seclists.org>
Subject: [FD] 360 security android app snoops data to China Unicom network via insecure HTTP
Date: Sun, Apr 30, 2017 6:26 AM

Can't you just run the app in an Android emulator and shark it?

Sent from my iPhone

> On Apr 30, 2017, at 06:02, seclists@email.tg wrote:
> 
> I have a further update on the issue. After uninstalling the 360 security android app, I
> found after repeated checks of Network Info on my phone via the Ping & DNS app that even then
> the HTTP connection to IP address 123.125.114.8 still frequently showed up. So, I monitored
> the network connections on my phone via the Network Connections app
> (https://play.google.com/store/apps/details?id=com.antispycell.connmonitor) and found that
> this time the HTTP connection to IP address 123.125.114.8 was being established by the ES
> File Explorer app (https://play.google.com/store/apps/details?id=com.estrongs.android.pop).
> So, it is possible
> that the insecure HTTP connection to the above IP address that I observed when both the 360
> security and ES File Explorer app were installed on my phone was in fact because of the ES
> File Explorer app or the other possibility is that both the apps have the same problem. I
> haven't had a chance to re-install the 360 security app without the ES File Explorer to
> check that and I don't intend to re-install the 360 security app on my phone, since it
> anyways used to raise the temperature on my phone suspiciously. So, I will report this as an
> issue for the ES File Explorer app in a separate email.
> Thanks.
>
> Hi,
> 
> I found the following review posted about the 360 security android app:
> 
> https://play.google.com/store/apps/details?id=com.qihoo.security&reviewId=Z3A6QU9xcFRPSG1HSTRaSVdNelVWY3FhZk5zcFlFMnZKeXRKRHhhQUE4VU9pLWV4UFBxeHJ3Xy1ZZWU2bEpOLTg0eGxzczFCV0lkaWxxTHRzZTQ4RWxzU2c
>
> "Snoops data to China Unicom via insecure HTTP link! Found while checking Network info on my
> device with this app installed that it had established an insecure HTTP connection to an IP
> address (123.125.114.8) on Chinese state owned China Unicom network (China Unicom owns a stake
> in app developer via Qihoo 360). Also, when installed, found my phone temperature rising
> frequently indicating covert data transfer from my phone. I've now uninstalled this Chinese
> spying app & advice the same to anyone using the app. Resp to comment: updated above info
> with IP addr.   360 Mobile Security Limited April 26, 2017  Hi, sorry for the inconvenience.
> It will be helpful for us to solve the problem, if you can give us more information and
> details. Attaching some screenshots would be helpful. Please contact us by email:
> jenny@mobimagic.com. Many thanks."
>
> I observed the same behavior when I had this app installed on my smartphone. I checked the
> Network Info on my phone when this app was installed, using the Ping & DNS
> app (https://play.google.com/store/apps/details?id=com.ulfdittmer.android.ping) and found the
> insecure HTTP connection to the above IP address. After I uninstalled the app, the HTTP
> connection to the above IP address was gone, as well. On checking the WHOIS
> info (https://www.whois.com/whois/123.125.114.8)
> for this IP address it can be seen that it is indeed on the Chinese state-owned China Unicom
> network. I had App usage tracking permission on Android enabled for this app, to facilitate
> phone temperature reduction, when I observed the above.
> Can other security researchers please check and comment on this security hole?
> 
> Thanks.
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/


["Screenshot_20170430-122646.png" (image/png)]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
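
Added example, not part of the original messages: the thread turns on which app owns a port-80 connection, so this sketch shows the per-UID attribution that connection-monitor apps perform by reading the kernel's `/proc/net/tcp` table. The table rows, the UIDs and the UID-to-package mapping are constructed sample data; only the two IP addresses and the package names come from the messages above.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format. IPv4 addresses are stored as
# little-endian hex, ports as plain hex, state 01 = ESTABLISHED, 0A = LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0F02000A:9C40 08727D7B:0050 01 00000000:00000000 00:00000000 00000000 10123        0 40001
   1: 0F02000A:9C42 2A4D5534:0050 01 00000000:00000000 00:00000000 00000000 10145        0 40002
   2: 0F02000A:9C44 2A4D5534:01BB 01 00000000:00000000 00:00000000 00000000 10145        0 40003
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 40004
"""

# Constructed mapping; on a real device it would come from the package manager.
UID_TO_PACKAGE = {10123: "com.estrongs.android.pop", 10145: "com.qihoo.security"}


def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' from /proc/net/tcp into (dotted_ip, port)."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def plaintext_http_by_app(proc_text, uid_map, ports=(80,)):
    """Group established connections to cleartext HTTP ports by owning app."""
    findings = {}
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != "01":
            continue  # malformed row, or socket not ESTABLISHED
        ip, port = decode_endpoint(fields[2])
        if port in ports:
            owner = uid_map.get(int(fields[7]), "uid:" + fields[7])
            findings.setdefault(owner, []).append((ip, port))
    return findings


if __name__ == "__main__":
    for app, conns in plaintext_http_by_app(SAMPLE_PROC_NET_TCP, UID_TO_PACKAGE).items():
        print(app, conns)
```

A remote port of 80 shows where cleartext HTTP is likely, not what was sent; confirming the payload still needs a packet capture. Android 10 and later restrict app access to `/proc/net`, so on current devices this attribution has to be done from an emulator, a rooted device or a capture on the network path.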
