Key Findings from Researchers
- MiTelcel, the cellular management app of Mexican telecommunications giant Telcel, consistently fetches the images and JSON files for its splash configuration over cleartext HTTP. This allows an attacker on the network path to eavesdrop on the traffic and potentially inject malicious images that will be displayed on the app's "Home" page.
- The MiTelcel app also sends POST requests carrying the user's personal info, including email and phone number, to five different third-party servers, although the app store's description stated that no personal info was shared with third parties at the time of analysis.
- SAT Móvil, an app developed by the government of Mexico, uses cleartext HTTP for its "Chat" page, which transmits highly sensitive personal info including citizen ID numbers and passwords, allowing anyone on the network path to read them in transit.
- Chivo Wallet, the cryptocurrency app developed by the government of El Salvador, checks Microsoft CodePush servers each time it is opened for a new update to fetch, giving the developers the ability to change its functionality on demand outside the trusted app store update mechanism.
- Three of the four telecommunication apps that researchers analyzed send SMS messages that include external links vulnerable to SSL-strip attacks. These attacks let an attacker on the network path downgrade the connection from HTTPS to cleartext HTTP in order to eavesdrop on the exchanged data and potentially inject malicious responses.
Collaborating with SocialTIC, a nonprofit organization focused on digital rights in Mexico City, researchers selected a set of widely used regional mobile apps and investigated their security and privacy to determine whether millions of people in Latin America are routinely exposed to attacks by malicious actors.
The apps they chose to evaluate fall into three categories: telco apps, government apps, and marketplace apps. They selected four of the biggest cellular management apps used throughout Latin America, four apps developed by governments in the region, and the largest e-commerce app. These apps were picked because they are relied on for vital services including managing personal cell plans, contacting emergency services, transferring funds, and more. Users in the region are therefore in many ways obligated and incentivized to have these applications installed on their devices, which could leave them open to security threats or privacy leaks.
- Telco apps: MiTelcel, MiClaro, MiMovistar, MiTigo
- Government-developed apps: IMSS Digital, SAT Móvil, MiPolicia, Chivo Wallet
- Marketplace apps: Mercado Libre
Researchers assessed each app against three main threat classes, explained below, and notified app developers of serious security flaws through vulnerability disclosures where identified. They also created a public reverse-engineering repo built as a starting point for any digital rights defender or curious mobile user to inspect any APK of interest.
Two popular apps, each downloaded over one million times from the Google Play Store, MiTelcel and SAT Móvil, consistently use cleartext HTTP traffic. This leaves users vulnerable to attackers on the network path who can eavesdrop on the user's connection and inject their own replies back to the app. Researchers submitted vulnerability disclosures to the official developers of both applications detailing the problem. As of December 2023, the latest versions of both MiTelcel and SAT Móvil still have the same cleartext security issue.
Additionally, researchers found that MiTelcel leaked users' private information (phone number and email) to five different third-party background services, even though at the time of their analysis the app's Google Play Store data-safety section stated "No data shared with third parties." The app's disclosure has since been updated to reflect that personal info is transmitted by the app to third parties.
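As an added illustration (not code from the report or the researchers' repo), the following Python script applies the two checks behind these findings to a constructed capture: it flags requests made over cleartext HTTP, and requests that carry the test account's identity either in cleartext or to hosts outside the app vendor's own domains. The hostnames, the `FIRST_PARTY` list and the canary identity values are placeholders; in a real run the records would be fed from mitmproxy (`flow.request.pretty_url` and `flow.request.get_text()`) after registering a test account with unique canary values, so that any match in traffic is unambiguous.

```python
"""Triage captured app traffic for cleartext requests and PII sent to third parties.

Added example, not the researchers' code. Each record mirrors the fields a
mitmproxy request flow exposes (method, url, body); the capture below is
constructed inline so the script runs offline.
"""
from urllib.parse import quote, urlsplit

# Constructed sample capture for one hypothetical telco app (placeholder hosts).
SAMPLE_FLOWS = [
    {"method": "GET", "url": "http://cdn.telco.example/splash/config.json", "body": ""},
    {"method": "GET", "url": "https://img.telco.example/home/banner.png", "body": ""},
    {"method": "POST", "url": "https://api.telco.example/v1/login",
     "body": "msisdn=5215512345678&pin=1234"},
    {"method": "POST", "url": "https://collect.analytics.example/events",
     "body": '{"user_email":"canary.user@example.test","phone":"5215512345678"}'},
    {"method": "POST", "url": "http://chat.telco.example/send",
     "body": "msisdn=5215512345678&password=hunter2&msg=hola"},
]

# Canary identity used to register the test account (assumed values). Any
# appearance of one of these values in traffic is a leak of that field.
CANARIES = {
    "email": "canary.user@example.test",
    "phone": "5215512345678",
    "password": "hunter2",
}

# Domains the app vendor controls; everything else is third party (assumption).
FIRST_PARTY = ("telco.example",)


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_cleartext(url):
    return urlsplit(url).scheme.lower() == "http"


def is_third_party(url, first_party=FIRST_PARTY):
    # Exact match or true subdomain only; "telco.example.evil.test" must not pass.
    h = host_of(url)
    return not any(h == d or h.endswith("." + d) for d in first_party)


def find_pii(text, canaries=CANARIES):
    """Return the canary field names whose values appear in text (raw or URL-encoded)."""
    found = set()
    for name, value in canaries.items():
        if value in text or quote(value, safe="") in text:
            found.add(name)
    return found


def triage(flows, first_party=FIRST_PARTY, canaries=CANARIES):
    """Return one finding per request that is cleartext or leaks canaries off-vendor."""
    findings = []
    for f in flows:
        issues = []
        pii = find_pii(f["url"] + "\n" + f.get("body", ""), canaries)
        if is_cleartext(f["url"]):
            issues.append("cleartext-http")
            if pii:
                issues.append("pii-over-cleartext:" + ",".join(sorted(pii)))
        if pii and is_third_party(f["url"], first_party):
            issues.append("pii-to-third-party:" + ",".join(sorted(pii)))
        if issues:
            findings.append({"method": f["method"], "host": host_of(f["url"]), "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(finding["method"], finding["host"], " ".join(finding["issues"]))
```

On the sample capture this reports the splash config fetch as cleartext, the analytics POST as sending email and phone to a third party, and the chat POST as sending the phone number and password over cleartext; the first-party HTTPS login carries the phone number but raises nothing. Matching on canary values rather than regexes for "anything that looks like a phone number" keeps the check free of false positives from unrelated numeric fields.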
Three of the four telco services analyzed send SMS messages directly to the user after the SIM is activated, and the external links in those messages are vulnerable to SSL-strip attacks, where a malicious actor on the network path could downgrade the connection created when the link is clicked from HTTPS to HTTP. Researchers also found a government-developed application that includes external update functionality: each time it is opened it checks Microsoft CodePush servers for a new app version to download.
The full report linked below discusses each of the security and privacy issues found during the analysis in detail along with the methodology.
Threat Classes + Tools Used
Using both static and dynamic analysis, which includes inspecting the decompiled source code and hooking functions called by the app in real time, researchers assessed each app in their list against three main threat classes:
- Weak network security: using cleartext traffic or weak encryption schemes or implementations;
- External update: the ability to update the app's functionality outside the trusted app store update mechanisms.
Researchers used a variety of open source tools for their analysis. They relied on standard static analysis tools including apktool, jadx, and Ghidra to decompile the APKs and analyze the decompiled code, and on mitmproxy and Frida for dynamic analysis. Mitmproxy allowed researchers to decrypt the TLS-protected application traffic leaving the device and inspect its contents, after its CA certificate was installed as a trusted system certificate on the test device. Frida injects JavaScript into the running app process to hook functions, revealing which files the app accesses and which functions it calls in real time.
Researchers encourage any digital rights defenders or curious Android users interested in analyzing a specific APK to use their GitHub repo, whose instructions detail the tools and steps used to set up their dynamic analysis environment. Using these tools and steps allows the analyst to view the decrypted network traffic sent by the app in real time, the files being accessed by the app, and more, using open source tools. The repo also includes scripts that facilitate static analysis by parsing apps' manifest files to collect information on the permissions, background services, and network configuration used by the apps. One hurdle to setting up the dynamic analysis environment is the need for a rooted Android device to test with and to install system certificates on. The repo includes instructions on how to root a physical Pixel 5 device, but alternatively the analyst can use an emulator tool such as Genymotion to spin up a virtual rooted device to test with.
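The kind of manifest triage the repo's scripts perform can be reproduced in a few dozen lines. The following Python script is an added example (not the repository's own code): it parses an apktool-decoded `AndroidManifest.xml` and the app's `network_security_config.xml`, both constructed inline with placeholder package and domain names, and reports declared permissions, components that belong to third-party packages or are explicitly exported, and where cleartext traffic is permitted. The `package_prefix` heuristic for "third party" (any component whose class is not under the app's own package) is an assumption that works for most apps but will misclassify vendors that use a separate namespace for their own code.

```python
"""Summarize an apktool-decoded APK's permissions, components and network config.

Added example, not the repository's scripts. The manifest and network security
config below are constructed samples with placeholder names.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample of an apktool-decoded AndroidManifest.xml (placeholder package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.telco">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:usesCleartextTraffic="true"
               android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".MainActivity" android:exported="true"/>
    <service android:name="com.thirdparty.analytics.CollectorService"/>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name="com.thirdparty.push.Receiver" android:exported="true"/>
  </application>
</manifest>
"""

# Constructed sample of res/xml/network_security_config.xml for the same app.
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">cdn.telco.example</domain>
    <domain>splash.telco.example</domain>
  </domain-config>
</network-security-config>
"""


def attr(el, name, default=None):
    """Read an android:-namespaced attribute."""
    return el.get(f"{{{ANDROID_NS}}}{name}", default)


def summarize_manifest(xml_text):
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    app = root.find("application")
    summary = {
        "package": pkg,
        "permissions": [attr(p, "name") for p in root.iter("uses-permission")],
        # Note: usesCleartextTraffic is ignored on API 24+ when a
        # networkSecurityConfig is present; the config is authoritative then.
        "uses_cleartext_traffic": attr(app, "usesCleartextTraffic"),
        "network_security_config": attr(app, "networkSecurityConfig"),
        "components": [],
    }
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.iter(tag):
            name = attr(comp, "name", "")
            if name.startswith("."):          # apktool leaves relative names as-is
                name = pkg + name
            summary["components"].append({
                "kind": tag,
                "name": name,
                # Only the explicit attribute is reported; the implicit default
                # for components with intent filters depends on the API level.
                "exported": attr(comp, "exported") == "true",
                "third_party": not name.startswith(pkg + "."),
            })
    return summary


def cleartext_domains(nsc_xml):
    """Return (base config permits cleartext, list of explicitly permitted domains)."""
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    base_ok = base is not None and base.get("cleartextTrafficPermitted") == "true"
    allowed = []
    for dc in root.iter("domain-config"):
        if dc.get("cleartextTrafficPermitted") == "true":
            for d in dc.iter("domain"):
                allowed.append((d.text or "").strip())
    return base_ok, allowed


if __name__ == "__main__":
    s = summarize_manifest(SAMPLE_MANIFEST)
    print(s["package"], "permissions:", ", ".join(s["permissions"]))
    for c in s["components"]:
        flags = [k for k in ("exported", "third_party") if c[k]]
        print(f"  {c['kind']:8} {c['name']} {' '.join(flags)}")
    base_ok, allowed = cleartext_domains(SAMPLE_NSC)
    print("cleartext by default:", base_ok, "| cleartext allowed for:", allowed)
```

In the sample, the manifest flag alone would suggest the whole app talks cleartext, while the network security config shows the real policy: cleartext is off by default but explicitly allowed for the CDN and splash hosts, which is exactly the pattern behind the MiTelcel splash finding. The same parsing approach extends to `res/values/strings.xml`, where a react-native-code-push deployment key is typically stored under the string name `CodePushDeploymentKey`, giving a quick static indicator of the external update capability described above.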
This project showed that even widely used applications in Latin America, including commercial cell-management apps and government-developed apps with millions of downloads each, still have demonstrable security and privacy issues that put their users at risk.
Furthermore, since the tested apps are installed on millions of devices, the vulnerabilities create a huge threat surface for a resourced cyber attacker or domestic security agency undertaking network surveillance. It is in the best interest of all app users to have more individuals conducting dynamic and static analysis on these commercial apps to ensure they are secure to use.
The full detailed technical report includes more information on what live security and privacy issues were found in the set of apps, how they were found, and researchers’ motivation for this project.
Open Technology Fund (OTF)’s Information Controls Fellowship Program (ICFP) supports examination into how governments in countries, regions, or areas of OTF’s core focus are restricting the free flow of information, impeding access to the open Internet, and implementing censorship mechanisms, thereby threatening the ability of global citizens to exercise basic human rights and democracy. The program supports fellows to work within host organizations that are established centers of expertise by offering competitively paid fellowships for three, six, nine, or twelve months in duration.