College Kids; Be Wary Of New Apps — They’re Probably Leaking Your Data
Anyone can make an app — what a time to be alive. But should you blindly download and use an app just because you saw a flyer on campus? If it’s a new Flappy Bird clone or a simple utility, sure — there’s most likely no risk to you. But if it’s an app trying to be the next Facebook, you should be hesitant and assess the possible risks. It’s simple: apps that deal with your online identities have the potential to leak your identity to malicious people or groups.
TechCrunch recently brought awareness to the increasing number of university-targeted security attacks with their article:
Right now, there’s an influx of apps being developed for the college student demographic. Some of these apps are even made by college students themselves — possibly someone who just started their first CS class and has aspirations to become an app millionaire. With apps like Tinder and Yik Yak on the rise, everyone is trying to cash in on the millennial generation. The problem is that this generation is quite impulsive when it comes to downloading new apps. Just because anyone can make an app doesn’t mean they know how to implement proper security measures to protect users’ privacy from the start. Everyone wants to get their app out ASAP and be first to market, but what sets apart the successes from the failures are the apps that take the time to correctly architect and secure everything, instead of rushing out a highly vulnerable product and patching it after exploits have been publicly reported.
I’ve downloaded a few of the trending apps among college students, and I’ve found at least one privacy issue in each of them. Keep in mind, all someone needs to view the sensitive data exposed by these apps is a web debugging proxy: the data is sent to the client in the API response whether or not the app’s screens display it. Also, I know obtaining this data is probably against these apps’ Terms of Service, but I don’t care if I get banned from an app that disregards its users’ privacy. Below you will find my discoveries using Charles for the following apps: Bash, Roundhere, Sobrr, Huckle, GetReal, and Ripple.
First up is Bash, which is an example of an app made for college students, by college students. Bash “makes it simple and fast to arrange activities with friends”. The app launched with a listing of a few public events at UC Berkeley during its first week of classes. There was one flaw in their API response that exposed the phone number and email address of a user who commented on a public event. Since the app mainly focuses on events with your friends, this doesn’t seem like a problem at first, since you probably already know your friend’s phone number; however, these events were public, and people you don’t even know could see your information without being your friend. In the image above, you can see a comment from a person named Nikita. I don’t know Nikita, but I can get his phone number, email address, and use his Facebook Access Token to retrieve all the FB-related data he granted the Bash app from the permissions it requested. For a malicious user, this could be a data gold mine. But that’s not my intent, so I’m just bringing awareness to the issue.
Roundhere “bundles nearby people and their posts into convenient ‘streams’ which are tied to a location”. Essentially, users can post text and photos, and people nearby will see them, similar to Yik Yak. You can post anonymously on Roundhere, except you technically aren’t actually anonymous. If you post anonymously, users can send you a request to reveal your identity, but the thing is, you don’t actually have to send that request to know the author of the “anonymous” post. After analyzing the network response of the feed, you can see that the author of the anonymous post is included. “Chris” posted under the assumption that no one would know it was him who posted it, but anyone monitoring the API responses can see it was him, and even get his Facebook ID if he signed up on Roundhere using Facebook, thus getting his full identity.
Sobrr allows you to “friend, message, and post spontaneously by having all contents expire in 24 hours”. Basically, it’s a Tinder-like card feed of posts from users. I live in Berkeley, and I once saw a frat party requiring you to have the Sobrr app installed in order to gain entrance. They must have added a lot of users that night, but the problem with Sobrr is that it exposes what appears to be the user’s exact location. Somewhat ironically, Tinder used to do the same thing. After analyzing the network response of the “People Nearby” feature, you can see that the latitude and longitude of the users are included.
Huckle “creates group chats for you based on things like your school, location, mood, and more”. Huckle also sends the client a lot of unnecessary data, including sensitive things like phone number and email. I actually met with one of their founders in person about a month ago and told them about their security issues, and it seems like they fixed the issues for the most part, but there are still cases where the unhashed phone number is visible on certain people’s profiles.
GetReal lets you “see who’s around and meet in-person”. The app shows you nearby people and lets you invite them to a suggested meeting place. In the app, you only see how long it would take to get to the person; however, if you look at the network response, you can see their exact position, because the latitude and longitude are included.
Ripple lets you ask questions and create polls for people around you. I saw a friend of a friend promoting it at UC Berkeley, so I thought I would cover it. Ripple also exposes user information such as email address and phone number. There’s a privacy setting in the app to show or hide your email from people viewing your profile; however, this is only an in-app graphical form of privacy and doesn’t stop people looking at the network response from seeing your email.
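Every one of the six findings is the same pattern: the server returns fields the screen never renders. As an added example (not code from any of these apps), here is a small Python audit helper that walks a decoded JSON response and flags keys that should not reach the client, beside allowlist serializers that fix each case server-side. All responses and coordinates below are constructed sample data; `SENSITIVE_KEYS` is an assumed starting list, not a complete one.

```python
import math

# Constructed sample responses modelled on the leaks above (not real app data).
EVENT_COMMENT = {"comment": "see you there!",
                 "author": {"name": "Example User", "phone": "+15555550100",
                            "email": "user@example.edu",
                            "fb_access_token": "PLACEHOLDER_TOKEN"}}
ANON_POST = {"text": "anonymous post", "anonymous": True,
             "author": {"user_id": 4242, "facebook_id": "1000012345"}}
NEARBY_USER = {"name": "Example User", "latitude": 37.8716, "longitude": -122.2727}

# Assumed list of keys that must not leave the server unless the UI shows them.
SENSITIVE_KEYS = {"phone", "email", "fb_access_token", "access_token",
                  "facebook_id", "latitude", "longitude", "lat", "lng"}

def audit_response(obj, path=""):
    """Walk a decoded JSON response and return dotted paths of sensitive keys.
    Point this at your own API responses before shipping, not at someone else's."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS:
                found.append(child)
            found.extend(audit_response(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(audit_response(value, f"{path}[{i}]"))
    return found

def public_comment_view(comment):
    """Allowlist serializer: emit only what the comment UI renders (Bash case)."""
    return {"comment": comment["comment"], "author": {"name": comment["author"]["name"]}}

def public_post_view(post):
    """Drop the author block entirely for anonymous posts (Roundhere case)."""
    view = {"text": post["text"], "anonymous": post["anonymous"]}
    if not post["anonymous"]:
        view["author"] = {"user_id": post["author"]["user_id"]}
    return view

def nearby_view(user, my_lat, my_lon):
    """Compute the haversine distance server-side and send only a coarse distance,
    never raw coordinates (Sobrr and GetReal cases)."""
    phi1, phi2 = math.radians(my_lat), math.radians(user["latitude"])
    dphi = math.radians(user["latitude"] - my_lat)
    dlam = math.radians(user["longitude"] - my_lon)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    distance_km = 2 * 6371.0 * math.asin(math.sqrt(a))
    return {"name": user["name"], "distance_km": round(distance_km, 1)}
```

Running `audit_response` over the sanitized views returns an empty list, which is the property a CI check on your API fixtures should enforce.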