WeChat – A good example of bad API security!

In last few days Muhammad Haris was looking into network traffic data of mobile applications for related research on mobile privacy and security. However, in the process, we figure out shocking vulnerability in very famous WeChat messenger application. First, for those of you who never heard of Wechat: it is a primary messenger app in the Asian region specifically China, used by half a billion of individuals. 

This app has one important feature named moments. By this feature users can share photos and status with their friends only.  For the sake of privacy, photos and status shared by your friends are only visible to you in your moment (not the default friends-of-friends like in Facebook wall). Similarly there is another feature of album; which lets you see all pictures and status shared by a particular friend. You can visit your friends’ album through their profile. Important point to note here is that official explanation by WeChat mentioned that things shared on moments (and album) are visible to your friends only.  However it seems like backend communicationa between the WeChat application and its server suffer from serious security flaws. Let me take you there step by step.

To capture mobile application data Haris used fiddler which is very nice proxy; should you wish to use fiddler to capture your mobile data you can follow this nice tutorial by Troy Hunt. 

If you visit WeChat moments in phone, all the pictures visible in your moments are being loaded over HTTP. Hence by just looking at the mobile traffic data from fiddler you can get all the moments' pictures.  Picture:1 shows Haris's WeChat moments, his friend has shared some photos of his hiking trip. 

Now in the picture:2 as we browse over moments, the highlighted packets are sent by WeChat server to the application in the phone. Notice that protocol used for these packets is HTTP, which means photo data is not sent over secured HTTPS channel. 

In picture:3 and picture:4 we see selected individual packets, you can see the same pictures of his friend which are in the moments here.

This simply means that if a WiFi provider collect the raw packets on the channel from mobile devices, they can easily get all the photos of your friends as soon as you visits moments on your WeChat. As a result on one hand personal photos (of you and your friends) can be leaked and on the other hand a malicious WiFi provider can also infer your social links by looking at the pictures. This just illustrates the point of how harmful a poorly implemented API (application programming interface) security can be!

In comparison with other OSNs, Instagram seems to be still suffering form similar security issues, but in case of WeChat there is no need to hijack any sessions, it's all open by default! Google offered full encryption as an option for Gmail in 2008, but two years later made it the default. Facebook switched it on by default in January 2011. 

Privacy-preserving Adsense Systems Using Delay Tolerant Networking

an undergrad student of mine did this work based on our research on MobiAd, which I found pretty impressive!



With the ever-increasing number of smart phones, a growing num- bers of people view advertisements on their phones and hence the smart phone advertising market has become rich and noticeable. To raise click-through rate and maximize profit, ad brokers ensure their ads are more personalized and targeted. Therefore, they col- lect personal information to build an accurate user profile. The use of sensitive and personal information may raise privacy concerns. In this paper we focus using Delay Tolerant Networking (DTN) to anonymize click reports, aiming to stop attackers tracking and identifying users based on behaviour and location. The results of our simulations prove that a few-hop DTN-based system can protect users’ identity and privacy while not heavily increasing their energy costs.

http://www.eecs.qmul.ac.uk/~hamed/papers/advdtn.pdf

Do-Not-Record-Me: Quantified Self and the Privacy Challenge

We are increasingly surrounded by recording and quantifying devices. Devices such as Google Glass can record images and sound from an individual, even of the owner of the device has no such intensions. Can we use a Privacy-Beacon to avoid this? something like, a local area broadcast, that forces, or at least politely asks the intruding device, to either not record an individual, or remove their data after recording has been done? In a short note, myself and Ian Brown think this is possible! here's a short note on this topic:

The increasing availability of personal activity monitors, tracking devices, wearable recording devices, and associated smartphone apps has given rise to a wave of Quantified Self individuals and applications. The data from these apps and sensors are usually collected by associated apps and uploaded to the software developers for feedback to individual and their selected partners. In this paper we highlight the privacy risks associated with this practice, demonstrating the ease with which an app provider can infer individuals co-location and joint activities without having access to specific location data. We highlight a number of potential solution to this challenge in order to minimise the privacy leakage from these applications.

http://www.eecs.qmul.ac.uk/~hamed/papers/qselfprivacy2014.pdf

The Rise of Panopticons: Examining Region-Specific Third-Party Web Tracking

Today’s web has a huge, diverse ecosystem of third party websites collecting information about users and providing them with content such as targeted advertisements. In this paper we study this ecosystem of third-party websites. We sample every continent, targeting the 500 most popular websites in the US, UK, Australia, China, Egypt, Iran and Syria. This allows us to contrast the commonplace, western-dominated views of the web with less studied countries. We find 2,097 third-party websites, reflecting the diversity of services and types of application/content they involve, e.g., advertisement, ad trackers, CDNs, news, sport, and pornography. We find those third-party websites offering ad tracking services to be the most prevalent. In addition to the usual suspects (e.g., DoubleClick and Google), we find a rich ecosystem of local third-party websites that are country and language dependent.

Marjan Falahrastegar, Hamed Haddadi, Steve Uhlig, and Richard Mortier, “The Rise of Panopticons: Examining Region-Specific Third-Party Web Tracking”, In Sixth Workshop on Traffic Monitoring and Analysis (TMA), London, UK, April 2014.