<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Till Kottmann</title>
    <description>The latest articles on DEV Community by Till Kottmann (@deletescape).</description>
    <link>https://dev.to/deletescape</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F36071%2Fd2555a2a-3f32-4ca7-9dd8-6a901cc9d5d5.jpg</url>
      <title>DEV Community: Till Kottmann</title>
      <link>https://dev.to/deletescape</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/deletescape"/>
    <language>en</language>
    <item>
      <title>Debugging in prod: Maximizing user attack surface</title>
      <dc:creator>Till Kottmann</dc:creator>
      <pubDate>Sun, 29 Dec 2019 00:00:00 +0000</pubDate>
      <link>https://dev.to/deletescape/debugging-in-prod-maximizing-user-attack-surface-2iab</link>
      <guid>https://dev.to/deletescape/debugging-in-prod-maximizing-user-attack-surface-2iab</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; This is a super quick write-up and probably still full of typos and stylistic errors, which you’re free to point out in the comment section.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;One thing that’s really cool about the Android developer ecosystem is the massive number of tools and libraries that simplify and help during development. There is an entire subgenre of remote debugging tools, with cool tools such as &lt;a href="https://github.com/facebook/stetho"&gt;Stetho&lt;/a&gt; or &lt;a href="https://github.com/palaima/DebugDrawer"&gt;Debug Drawer&lt;/a&gt;. One such tool is &lt;a href="https://github.com/amitshekhariitbhu/Android-Debug-Database"&gt;Android-Debug-Database&lt;/a&gt; from Mindorks. It’s a neat little utility that allows you to view and edit your app’s preferences and databases from a web browser during development.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--gxxiQRgN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/debugdb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--gxxiQRgN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/debugdb.png" alt="Android Debug Database in action."&gt;&lt;/a&gt;&lt;/p&gt;
Android Debug Database in action.



&lt;p&gt;The key phrase here is, of course, &lt;strong&gt;in development&lt;/strong&gt;, which makes sense to everyone (and is also explained in the integration guide of the library), right? Well, no. During today’s &lt;a href="https://shodan.io/"&gt;Shodan&lt;/a&gt; safari I randomly stumbled into a phone running this, openly available for anyone to play around with (Brazilian ISPs having all ports open per default be thanked). On closer inspection it turns out there are thousands of devices indexed on Shodan running debug db.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--KX3YIXSw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/debug-db-shodan.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--KX3YIXSw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/debug-db-shodan.jpg" alt="This is bad."&gt;&lt;/a&gt;&lt;/p&gt;
This is bad.



&lt;p&gt;I took a look at some of these to figure out some notable apps, here are two of them:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://play.google.com/store/apps/details?id=com.cinemark"&gt;Cinemark Brazil&lt;/a&gt; - 1M+ downloads&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://play.google.com/store/apps/details?id=com.mix.wsprivate"&gt;No Last Seen for WhatsApp&lt;/a&gt; - 50K+ downloads (yes, this allows reading all contacts and messages in the db)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--yGFFKshU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/debugdb-sensitive-example.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--yGFFKshU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/debugdb-sensitive-example.png" alt="Some of these apps include logs of sensor and location data."&gt;&lt;/a&gt;&lt;/p&gt;
Some of these apps include logs of sensor and location data.



&lt;p&gt;I downloaded Cinemark to verify this for myself, and I was indeed able to read and edit the app’s db and prefs by opening the app and going to &lt;code&gt;localhost:8080&lt;/code&gt;. This is especially ironic considering the app also uses the &lt;a href="https://risk.lexisnexis.com/products/threatmetrix"&gt;ThreatMetrix SDK&lt;/a&gt;, which is some enterprise risk management (read: corporate spyware) SDK which supposedly also prevents cybersecurity threats.&lt;/p&gt;

&lt;p&gt;The damning thing here is that while most ISPs won’t allow access to their clients on port 8080 (at least not without UPnP), this will always work from inside the same network, which makes public Wi-Fi networks another huge security threat. This also makes me wonder how many other apps are out there, shipping this to all their users and opening them up for attacks by literally anyone. Another terrible thing is that this library allows &lt;strong&gt;editing&lt;/strong&gt; of the data in the db and the prefs, so the possible impact reaches far beyond data exfiltration.&lt;/p&gt;

</description>
      <category>android</category>
      <category>mobile</category>
      <category>security</category>
    </item>
    <item>
      <title>A quick look at "ad free" mobile monetization platforms</title>
      <dc:creator>Till Kottmann</dc:creator>
      <pubDate>Mon, 09 Sep 2019 00:00:00 +0000</pubDate>
      <link>https://dev.to/deletescape/a-quick-look-at-ad-free-mobile-monetization-platforms-20ao</link>
      <guid>https://dev.to/deletescape/a-quick-look-at-ad-free-mobile-monetization-platforms-20ao</guid>
      <description>&lt;p&gt;If you’re a mobile developer you’ve most probably received your share of E-Mails from monetization platforms, all of them making at least one incredible claim. Some of them are especially interesting as they claim the ability to monetize your app (and earn up to $$$ per month) without having to use any ads. I hope that most of you will just ignore these E-Mails, but I for once decided to dig a little deeper into the world of “ad free” monetization. It goes without saying that the majority of the Services I’ll be looking at today are shady in some way and you should generally avoid them.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--kzOIHipQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/luminati-email.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--kzOIHipQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/luminati-email.jpg" alt="This sounds pretty promising (until you actually do the math)."&gt;&lt;/a&gt;&lt;/p&gt;
This sounds pretty promising (until you actually do the math).



&lt;h2&gt;
  
  
  Luminati
&lt;/h2&gt;

&lt;p&gt;Luminati is the company operating the popular proxy VPN service &lt;a href="https://hola.org/"&gt;Hola VPN&lt;/a&gt;, which surprisingly is free. When you look a bit into how Hola works, you’ll soon find out that their VPN actually uses the internet connections of their users to proxy traffic. If you are a Hola user, other Hola users, as well as paying customers of Luminati, access the Internet through your connection. Their large collection of origin IPs allows easy scraping of websites without having to see any Captchas or being rate limited. The Luminati SDK allows your users to become part of the Luminati network and in return get additional features in your app.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--jgfWUaIg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/luminati-how-it-works.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--jgfWUaIg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/luminati-how-it-works.png" alt="Well I don't see anything wrong with this?"&gt;&lt;/a&gt;&lt;/p&gt;
Well I don't see anything wrong with this?



&lt;p&gt;&lt;strong&gt;Conclusion: With Luminati you are literally selling your users’ internet connection.&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  MobKnow / MobiBurn
&lt;/h2&gt;

&lt;p&gt;MobKnow and MobiBurn are very similar in that they just straight up tell you they are collecting user data. MobKnow isn’t very specific regarding what the data will be used for; MobiBurn, on the other hand, will boast about how they help build audience data for marketing purposes. On top of that, it’s also not very clear how real either of these solutions actually is: none of the partners linked on the MobiBurn site seem to actually use their SDK.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--5Mgdqgup--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/mobiburn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--5Mgdqgup--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/mobiburn.png" alt="MobiBurn shall not be the solution either!"&gt;&lt;/a&gt;&lt;/p&gt;
MobiBurn shall not be the solution either!



&lt;p&gt;&lt;strong&gt;Conclusion: Do you really wanna directly sell the data of your users? Oh, and risk the chance of these SDKs actually being malware?&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Huq
&lt;/h2&gt;

&lt;p&gt;Huq is similar to MobKnow in that it collects user data and sells it off to investors, governments and researchers. Huq focuses on geo and behavior data to find out what consumers are doing in the real world. Like all of the other providers on this list, they talk big about privacy and how much they love it. We all know this is a lie and the only reason it’s there is to comfort themselves and developers thinking about integrating their SDK. Hey, at least they seem to actually exist!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--3M0Z8ZdU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/huq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--3M0Z8ZdU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/huq.png" alt="It's sellout time baby"&gt;&lt;/a&gt;&lt;/p&gt;
It's sellout time baby



&lt;p&gt;&lt;strong&gt;Conclusion: Hell yes, let’s sell out to make some big data company very rich and governments very happy!&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Tutela
&lt;/h2&gt;

&lt;p&gt;Tutela collects network and device data from around the world to gather data about network coverage and speed. This data is then used by telecom companies to improve their network service where demand exists. I didn’t expect myself to say this today, but Tutela actually seems relatively okay. I wouldn’t use it personally, but out of the bunch it seems like the least intrusive solution which might actually be used for good.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--p8WeeLjB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/tutela.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--p8WeeLjB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/tutela.png" alt="Obviously the exact same claims as always"&gt;&lt;/a&gt;&lt;/p&gt;
Obviously the exact same claims as always



&lt;p&gt;&lt;strong&gt;Conclusion: Best out of the bunch, I still wouldn’t use it though&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;Using (moderate) ads and IAP is still the best way to monetize your mobile apps while still considering your users’ privacy and trust. You’re also not going to get rich using any of these platforms; they all pay relatively low rates and probably earn much more with the data collected. All in all, software monetization is often shady as a whole. Stay safe and keep your users safe!&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Thanks for the great cover image to &lt;a href="https://github.com/HrX03"&gt;HrX&lt;/a&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>monetization</category>
      <category>mobile</category>
      <category>android</category>
    </item>
    <item>
      <title>PSA: Avoid shady Android launcher apps</title>
      <dc:creator>Till Kottmann</dc:creator>
      <pubDate>Mon, 27 May 2019 00:00:00 +0000</pubDate>
      <link>https://dev.to/deletescape/psa-avoid-shady-android-launcher-apps-1l00</link>
      <guid>https://dev.to/deletescape/psa-avoid-shady-android-launcher-apps-1l00</guid>
      <description>&lt;p&gt;There are a lot of really weird and shady apps on the Play Store, yet they keep getting tons of downloads. That’s actually the only reason they still exist, it’s still incredibly easy to just throw a bunch of keywords in your app descriptions and make a whole lot of revenue. Today we’re going to dig into one of the main categories of these apps, Launchers. It’s usually not hard to tell if one of them isn’t really trustworthy, common red flags are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Keyword-filled app names like ‘S Launcher - S10/S9/S8 Launcher, S10 theme, cool’ (yes, this app exists)&lt;/li&gt;
&lt;li&gt;Built-in theme/wallpaper store as a major selling point&lt;/li&gt;
&lt;li&gt;Live/video/3D wallpapers as a major selling point&lt;/li&gt;
&lt;li&gt;Battery/RAM boosters (these are a red flag regardless of what they come with)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Also look at the reviews, especially those with lower ratings, as these kinds of publishers tend to have paid positive reviews.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--7nI-wYL8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/cool_q_launcher.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--7nI-wYL8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/cool_q_launcher.png" alt="Yes, this app is just as shady as it looks, but somehow it has over 100.000 downloads."&gt;&lt;/a&gt;&lt;/p&gt;

Yes, this app is just as shady as it looks, but somehow it has over 100.000 downloads.

&lt;h2&gt;
  
  
  How do they all look the same?
&lt;/h2&gt;

&lt;p&gt;A lot of these apps all come from exactly the same developer group. They have multiple developer accounts to create tons of listings for the same app with minor look changes. This allows them to cover a massive amount of keywords and get millions of installs while staying mostly under the radar. Every now and then Google’s algorithm will bless one of them by featuring them on the Play Store homescreen for some users.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--XKwss2VI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/model_x_launcher.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--XKwss2VI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/model_x_launcher.png" alt="It's almost as if this was the same app (it is)."&gt;&lt;/a&gt;&lt;/p&gt;

It's almost as if this was the same app (it is).

&lt;h2&gt;
  
  
  Why do these apps exist?
&lt;/h2&gt;

&lt;p&gt;The first and foremost reason these work at all is because there are people that download them. Not everyone understands technology or apps well enough to realize which apps are safe to use and which are not. It’s definitely not a bad idea to check the installed apps on the phones of your less tech-savvy relatives and friends (only with their consent of course), to make sure they haven’t fallen for any of these.&lt;/p&gt;

&lt;p&gt;Almost all of these apps contain ads, usually from multiple SDKs, which generate not insignificant revenue through all the installs they get across all listings. A lot of them additionally upload analytics and other user data to their own servers, which makes it quite likely they’re additionally selling this or using it for research.&lt;/p&gt;

&lt;p&gt;Recently some of them have even gone as far as to start selling their prime offering not as an overpriced one-time payment, but as a monthly subscription.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--FDnfeud4--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/yikes_thats_expensive.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--FDnfeud4--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://deletescape.ch/assets/images/yikes_thats_expensive.jpg" alt="The 'Model X Launcher' premium offering is a bargain at only $36/year."&gt;&lt;/a&gt;&lt;/p&gt;

The 'Model X Launcher' premium offering is a bargain at only $36/year.

&lt;h2&gt;
  
  
  Who makes these?
&lt;/h2&gt;

&lt;p&gt;I have no idea who has this little moral integrity to do something like this, but one of the developers I could trace most of the apps in this recent wave of launchers back to is &lt;a href="http://www.900m.net/"&gt;KK Mobile&lt;/a&gt;. Their website is also part of the APIs these apps are using, which are obviously all based on completely unencrypted HTTP. Other API calls (also HTTP) mostly happen directly to these two IPs: &lt;a href="https://www.shodan.io/host/121.40.46.187"&gt;121.40.46.187&lt;/a&gt;, &lt;a href="https://www.shodan.io/host/47.74.185.216"&gt;47.74.185.216&lt;/a&gt;. A quick look on Shodan is enough to know that these haven’t been patched in ages and are vulnerable to a whole list of CVEs. So to repeat this again, avoid these kinds of launchers (or any other app category obviously) at all costs; there are always better alternatives available.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;This post is based on this &lt;a href="https://twitter.com/deletescape/status/1133008200205250560"&gt;twitter thread&lt;/a&gt;.&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>android</category>
      <category>reverseengineering</category>
    </item>
    <item>
      <title>Why do people still trust Cheetah Mobile in 2018?</title>
      <dc:creator>Till Kottmann</dc:creator>
      <pubDate>Mon, 26 Nov 2018 00:00:00 +0000</pubDate>
      <link>https://dev.to/deletescape/why-do-people-still-trust-cheetah-mobile-in-2018-337j</link>
      <guid>https://dev.to/deletescape/why-do-people-still-trust-cheetah-mobile-in-2018-337j</guid>
      <description>&lt;p&gt;It’s pretty safe to assume that almost everyone has used a Cheetah Mobile app before, prime examples include Clean Master or CM Launcher 3D. Even if you have never heard of them, dozens of other apps and games like TikTok (formerly &lt;a href="http://musical.ly/" rel="noopener noreferrer"&gt;Musical.ly&lt;/a&gt;) are at least indirectly connected to, funded or owned by Cheetah Mobile. After all, they’re the 4th largest publisher on Google Play Store and the Apple App Store after Google, Facebook and Apple. We’ll get to that later. If you are still using any of their apps, it’s time to stop doing so right now. Let me tell you why.&lt;/p&gt;

&lt;h3&gt;
  
  
  A huge web of trash
&lt;/h3&gt;

&lt;p&gt;First of all, let’s clear something up. Cheetah Mobile isn’t an Android app company, they are an AI/big data company and on their LinkedIn company page they even dream about robots and changing the future.&lt;/p&gt;

&lt;p&gt;“So why do they make utility apps in the first place?”, you might ask. The answer to that is quite simple. They want your data and they happen to have found a weak spot. For some reason a lot of Android users download boosters, launchers, and battery savers without thinking twice, assuming that it is normal for these kinds of apps to request every permission Android offers. Speed booster apps really weren’t even a thing before Clean Master came around, and nowadays the Play Store is literally plagued by them. If you take a closer look at them and the names behind them you will soon find yourself entangled in a web of tiny companies which all received mysterious funding from Cheetah Mobile (or other shady companies like DU Apps). If you go a step further and actually take the apps apart you’ll find libraries provided by Cheetah Mobile pretty much every time.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdeletescape.ch%2Fassets%2Fimages%2Fboost_master.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdeletescape.ch%2Fassets%2Fimages%2Fboost_master.png" alt="Let’s take a look at Boost Master for an example, at the right you can see the privacy policy linked in the listing and inside the app"&gt;&lt;/a&gt;&lt;/p&gt;
Let’s take a look at Boost Master for an example, at the right you can see the privacy policy linked in the listing and inside the app



&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F3114%2F1%2ACn2RCc3U-uI_rC6zX8koBQ.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F3114%2F1%2ACn2RCc3U-uI_rC6zX8koBQ.png" alt="A quick look on whois.com and crunchbase reveals that the domain is owned by Kika Tech, an “AI” company funded directly by Cheetah Mobile"&gt;&lt;/a&gt;&lt;/p&gt;
A quick look on whois.com and crunchbase reveals that the domain is owned by Kika Tech, an “AI” company funded directly by Cheetah Mobile



&lt;p&gt;I could now spend hours explaining why cleaner/booster apps are bad and you shouldn’t use them, but that’s a topic for another post and has also been covered before.&lt;/p&gt;

&lt;h3&gt;
  
  
  Cheetah Mobile sells your data and it’s not even a secret
&lt;/h3&gt;

&lt;p&gt;“But guys, you still haven’t shown any proof that they are selling our data!” Cheetah Mobile’s official website should be good enough proof, right? Well, that’s exactly what I can provide.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F0%2AddkL8gdyCcbq5O79" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F0%2AddkL8gdyCcbq5O79" alt="This official Cheetah Mobile website (https://data.cmcm.com) should probably be proof enough, right?"&gt;&lt;/a&gt;&lt;/p&gt;
This official Cheetah Mobile website (https://data.cmcm.com) should probably be proof enough, right?



&lt;p&gt;I first discovered &lt;a href="http://data.cmcm.com/" rel="noopener noreferrer"&gt;Cheetah Data&lt;/a&gt; a few months ago, and while I wasn’t really surprised by its existence, it still was amazing to see how big of a deal this really is. I obviously had to go ahead and register for a limited, free account to check out what kind of data they actually collect. And boy, do they collect a lot! If you are a developer yourself you probably know Google Analytics and the kind of statistics it provides you with. Imagine this, but for all applications, including your competition. Updated every two days.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2104%2F0%2Ai_qKtDf3YpkiaTqz" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2104%2F0%2Ai_qKtDf3YpkiaTqz" alt="Cheetah Data essentially allows paying users to get full analytics and profiles of the users of any app"&gt;&lt;/a&gt;&lt;/p&gt;
Cheetah Data essentially allows paying users to get full analytics and profiles of the users of any app



&lt;p&gt;Yes. Cheetah Mobile apps not only collect statistics while you’re using them, they also analyse which apps you use, at what time, and for how long. The fact that all of this data is being sold openly makes me suspect that this is just the tip of the iceberg.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2A-ZkTs5waePagqI4X-wGy6g.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2A-ZkTs5waePagqI4X-wGy6g.png" alt="They aren’t even ashamed to tell us how they get their data"&gt;&lt;/a&gt;&lt;/p&gt;
They aren’t even ashamed to tell us how they get their data



&lt;h3&gt;
  
  
  When I say Samsung and Microsoft are sellouts, I mean it
&lt;/h3&gt;

&lt;p&gt;You might be wondering what this has to do with this post right here and you are right to ask so. Samsung’s Android software happens to have a storage cleaning tool, which you might consider a nice to have feature at first… until you look at it a little closer.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2A_UAl_RkrCk0yQmDvc58h2g.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2A_UAl_RkrCk0yQmDvc58h2g.png" alt="That’s interesting, to say the least"&gt;&lt;/a&gt;&lt;/p&gt;
That’s interesting, to say the least (source: &lt;a href="https://www.reddit.com/r/Android/comments/68rtn1/clean_master_is_what_samsung_uses_for_their/" rel="noopener noreferrer"&gt;Reddit&lt;/a&gt;)



&lt;p&gt;Clean Master, just like many apps, happens to be developed by Cheetah Mobile. The app on the Google Play Store has over 1,000,000,000 downloads and this number keeps rising. With every person that downloads it, Cheetah Mobile gets more and more data from users. It may be a risky bet, but I’m pretty convinced that almost everyone who uses an Android phone has at some point used an app that is at least indirectly connected to them.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2880%2F1%2ASGEedHfuL8X87_ltOoljUg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2880%2F1%2ASGEedHfuL8X87_ltOoljUg.png" alt="Why would more than a billion people downloads this…"&gt;&lt;/a&gt;&lt;/p&gt;
Why would more than a billion people download this…



&lt;p&gt;Oh, and if you ever want to install &lt;a href="https://play.google.com/store/apps/details?id=com.cleanmaster.mguard&amp;amp;hl=en_US" rel="noopener noreferrer"&gt;Clean Master&lt;/a&gt; on your Samsung Galaxy but don’t know how to do so, there is no need for you to worry. Samsung has you covered with an official guide on how to install said app.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2560%2F1%2A0vF6skPfxhwYjrt_qcPhOw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2560%2F1%2A0vF6skPfxhwYjrt_qcPhOw.png" alt="I am not really sure if this guide is really helping anyone at all"&gt;&lt;/a&gt;&lt;/p&gt;
I am not really sure if this guide is really helping anyone at all



&lt;p&gt;Now, what does Microsoft have to do with all this? To show you this we’ll need to take a closer look at the Play Store description of CM Launcher 3D to uncover this:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2AEtD9o5u5tdherfAyFqzbzA.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2AEtD9o5u5tdherfAyFqzbzA.png" alt="Wait… They actually did that?"&gt;&lt;/a&gt;&lt;/p&gt;
Wait… They actually did that?



&lt;h2&gt;
  
  
  Oh, by the way
&lt;/h2&gt;

&lt;p&gt;Even if you have never used any shady utility apps before, you’ve most probably downloaded at least one of the viral games of the past years like Piano Tiles. Chances are that game has been created by Cheetah Games or another company magically funded by CM. Other apps and companies Cheetah Mobile owns that you might not have realized include TikTok (formerly Musical.ly) and &lt;a href="http://live.me/" rel="noopener noreferrer"&gt;Live.me&lt;/a&gt;, a live-streaming service.&lt;/p&gt;

&lt;p&gt;&lt;a href="http://musical.ly/" rel="noopener noreferrer"&gt;Musical.ly&lt;/a&gt; and Cheetah Mobile merged last year. Social networks are known for pulling every little piece of data from their users. After this merger, Cheetah Mobile developed their own app, TikTok. &lt;a href="http://musical.ly/" rel="noopener noreferrer"&gt;Musical.ly&lt;/a&gt; happened to be shut down and switched over to TikTok. &lt;a href="http://musical.ly/" rel="noopener noreferrer"&gt;Musical.ly&lt;/a&gt; even shut down their live streaming service &lt;a href="http://live.ly/" rel="noopener noreferrer"&gt;live.ly&lt;/a&gt; and encouraged users to switch over to Cheetah Mobile’s LiveMe.&lt;/p&gt;

&lt;p&gt;At this point it should be clear that they do everything in their power to collect data in every field out there, so it would only make sense to also have a browser on the app palette, wouldn’t it? Presenting you “CM Browser”, made to send your juicy browser history and usage data over to your new favorite multimillion-dollar company, ready to be shared with God and the world.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2AwqYt1RPaNQw_OTkQj0X92Q.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn-images-1.medium.com%2Fmax%2F2000%2F1%2AwqYt1RPaNQw_OTkQj0X92Q.png" alt="And of course they label it as a secure browser, with your privacy in mind (duh)"&gt;&lt;/a&gt;&lt;/p&gt;
And of course they label it as a secure browser, with your privacy in mind (duh)



&lt;h2&gt;
  
  
  TL;DR:
&lt;/h2&gt;

&lt;p&gt;CM solely makes apps to mine data. They sell that data. There is basically nothing they are not collecting. If you have one of their apps installed, anyone can go ahead and analyze how you are using your device and what you’re doing with it. You become part of a big data pool.&lt;/p&gt;

&lt;p&gt;If any of your friends are using Cheetah Mobile software make sure to tell them about this and link them here. You’re also free to quote this post if you are reporting about this issue as well. If you have found other scummy apps/developers or just want to know if an app you are using is tracking you, &lt;a href="https://twitter.com/deletescape" rel="noopener noreferrer"&gt;contact me on Twitter&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;I’d also like to thank &lt;a href="https://twitter.com/chris_kardas/" rel="noopener noreferrer"&gt;Christopher Kardas&lt;/a&gt;, co-founder of &lt;a href="https://melonpancakes.xyz/" rel="noopener noreferrer"&gt;Melon Pancakes&lt;/a&gt; (the publication this article got published in) who wrote this story together with me, as well as &lt;a href="https://twitter.com/mweinbachxda" rel="noopener noreferrer"&gt;Max Weinbach&lt;/a&gt; for their feedback and input during the writing of this post. They were a big help when it came to publishing, unveiling and spreading this story!&lt;/p&gt;

</description>
      <category>android</category>
      <category>research</category>
      <category>cheetahmobile</category>
    </item>
  </channel>
</rss>
