This report is supplemented by a comic and informational resources designed to make our research more accessible. Have a look at them over at Net Alert.

Key Findings

  • South Korea is the first jurisdiction in the world that requires minors to have content filtering applications installed on their mobile phones. This report follows up on previous security audits of child monitoring apps and reveals vulnerabilities in Clean Mobile Plus (U+ 자녀폰 지킴이) and KT Olleh Kidsafe (KT 자녀폰안심), published by the major Korean telecoms LGU+ and Korea Telecom.
  • Both apps were developed by PlantyNet, a Korean company specializing in content filtering. The two apps have nearly identical code and both included a critical security vulnerability that could allow unauthorized access to a server containing private user information.

Summary

In April 2015, the South Korean government introduced a mandate (the first of its kind in the world) that requires all South Korean telecommunications operators that enter into service contracts with children under the age of 19 to provide a means to block content deemed “harmful” on their mobile phones and ensure parents receive notifications whenever the blocking means becomes inoperative.[1]

Following the mandate, numerous applications emerged to fulfill the requirements. Currently there are at least 19 child monitoring applications available on Korean app stores.

The introduction of the mandate sparked debate between the government, who claimed the measure was to protect children from harmful content, and advocates, who saw the controls as an affront to privacy and personal freedoms.

One of the most popular child monitoring apps was Smart Sheriff, developed by the Korean Mobile Internet Business Association (MOIBA), a consortium of mobile telecommunications providers and phone manufacturers. Smart Sheriff allows parents to remotely block content and monitor and administer mobile applications used by their children. MOIBA received extensive funding from South Korea’s telecommunications regulatory body, the Korean Communications Commission (KCC), to develop the application.

In 2015, a security audit of Smart Sheriff conducted by Citizen Lab and Cure53 identified 26 security vulnerabilities that could be used to collect sensitive information from users, take control of user accounts, and disrupt service operations. The results showed that Smart Sheriff was not designed with considerations for privacy or security. The results were provided to MOIBA in a responsible disclosure process.

Following the removal of Smart Sheriff from app markets, MOIBA explained that it was no longer providing the app to avoid overlap with Korean telecommunication companies that had begun to provide free child monitoring apps. MOIBA announced that Smart Sheriff would no longer be available for new users beginning on November 1 2015.[2]

The child monitoring apps provided by Korean telecommunication companies include Clean Mobile Plus (U+ 자녀폰 지킴이) published by LGU+ and KT Olleh Kidsafe (KT 자녀폰안심) published by Korea Telecom (KT). Both of these applications were developed by PlantyNet, a Korean company that provides content filtering products. We conducted a security audit of these apps and found that they share a nearly identical code base and both had a critical security vulnerability that could allow unauthorized access to a server containing private user information.

Our analyses were done as independent researchers within a limited time frame and with no access to source code. We did not perform a complete audit of the apps and it is possible that there are other security and privacy issues that our research did not find.

Following our discovery of the critically vulnerable server, we focused on reporting our findings to KT, LGU+, and PlantyNet in an effort to mitigate risks to users. None of these companies have disclosure policies, and we experienced challenges establishing contact and having our report acknowledged and acted on by the companies.

After nearly two months of trying to get in contact with the vendors, PlantyNet acknowledged our disclosure. Following this acknowledgement, KT and LGU+ released new versions of the apps, but issues persisted, particularly with Clean Mobile Plus. Follow-up requests for updates and to report issues to the vendors were not successful. These communication challenges led us to report our findings to the Korea Internet and Security Agency (KISA, a government agency responsible for public Internet security in Korea), which manages a bug bounty program to encourage security researchers in Korea to disclose vulnerability reports for products made by Korean companies.[3] KISA engaged with the vendors, and further attention was paid to the issues we disclosed. In total, our disclosure effort took over a year from initial disclosure attempts to completion of the KISA reporting process. Despite the updates made to the apps, we are not confident that the vendors have significantly changed their software development practices to emphasize security.

Through a series of audits we have found systemic security and privacy issues in five Korean child monitoring applications provided by different vendors. Our results emphasize the need for independent, comprehensive, and public audits of all child monitoring apps available in the Korean market. The mandated use of these apps also underscores broader public policy issues regarding privacy and the rights of children and parents. Overall, we find once again that children in Korea are safer without child monitoring apps.

This report proceeds in three parts:

  • Part 1: Security Audit Results
    This section describes the security vulnerabilities identified in LGU+ Clean Mobile Plus and KT Olleh Kidsafe.
  • Part 2: Responsible Disclosure
    This section provides an overview of our responsible disclosure process and communication challenges with Plantynet, LGU+, and KT.
  • Part 3: Discussion and Conclusion
    This section discusses the implications of our findings and wider policy issues.

    Part 1: Security Audit

    This section describes the security vulnerabilities identified in Clean Mobile Plus and KT Olleh Kidsafe.

    Overview

    We downloaded the APKs for Clean Mobile Plus versions 2.1.1 and 2.2.0, and KT Olleh Kidsafe version 2.1.8 from the Google Play Store. We converted the APKs into smali code with apktool and decompiled them to Java source code, using dex2jar to convert each APK's dex file to a jar and then JD-GUI to decompile the jar file. We performed static analysis of the smali and decompiled Java source code.

    We identified a total of four vulnerabilities across the apps. On both apps we found communications to an unprotected FTP server hosted by PlantyNet that is used to load settings for the application. The credentials for this server were hardcoded into the APKs, potentially allowing unauthorized access to users’ personally identifiable information. On KT Olleh Kidsafe, we also identified data leakage and a cross-site scripting (XSS) vulnerability. Our audit was primarily undertaken over the course of two days at the 2016 Citizen Lab Summer Institute (a research workshop hosted at the University of Toronto). It is possible there are security vulnerabilities beyond the ones we identify in this report and we encourage further security audits. Table 1 provides an index of the identified vulnerabilities.

    Application       | Issue Number | Severity | Issue Summary                | Issue Status
    ------------------|--------------|----------|------------------------------|-------------
    Clean Mobile Plus | LGU-01-001   | Critical | Unprotected PlantyNet Server | Fixed
    KT Olleh Kidsafe  | KT-01-001    | Critical | Unprotected PlantyNet Server | Fixed
    KT Olleh Kidsafe  | KT-01-002    | Medium   | Data Leakage                 | Vulnerable
    KT Olleh Kidsafe  | KT-01-003    | Medium   | XSS                          | Fixed

    Table 1: Overview of security and privacy issues identified in Clean Mobile Plus and KT Olleh Kidsafe.

    In the following sections we describe each vulnerability in detail and describe changes made in subsequent updates to the apps.

    Unprotected PlantyNet Server

    Issue Numbers: LGU-01-001, KT-01-001
    Severity: Critical
    Status: Fixed (KT Olleh Kidsafe v02.01.11, LGU+ Clean Mobile Plus v

    On both apps (Clean Mobile Plus v2.1.1, KT Olleh Kidsafe 2.2.0) we found an unprotected FTP server hosted by PlantyNet that is used to load settings for the applications. The login credentials for the server were embedded in the APK files and easily extractable. The plaintext credentials included the username and password used to access the server, the server URL, and the port number for the FTP service, as shown below (the credentials have been redacted):

    v7.ip = "smartdist.plantynet.com";
    v7.port = 3000;
    v7.userID = "[REDACTED]";
    v7.userPW = "[REDACTED]";
    ftp://smartdist.plantynet.com:3000

    The exploitation scenario for this vulnerability is that an attacker could decompile the binary of the application, locate the hard-coded FTP credentials, and use these credentials to login to the FTP server. The attacker could then access and download all data stored, including user information, configuration files, backups, etc., resulting in a data breach.

    The following sections provide details on this vulnerability within each app and how subsequent updates addressed it.

    KT Olleh Kidsafe

    KT Olleh Kidsafe Version 02.01.05

    In KT Olleh Kidsafe (v02.01.05), after the APK was disassembled into smali code with apktool, the user credentials can be found in the following files:

    com/kt/ollehkidsafe/function/ChildFN.smali
    com/kt/ollehkidsafe/function/SplashNew.smali

    And when decompiled, the credentials can be found in the corresponding Java source files. The code using these constants builds a struct used to store FTP login credentials before using this struct to connect to the FTP server. Sample smali code from ChildFN.smali is shown below:

    new-instance v0, Lcom/kt/ollehkidsafe/data/FTPInfoData;
    invoke-direct {v0}, Lcom/kt/ollehkidsafe/data/FTPInfoData;-><init>()V
    const-string v1, "smartdist.plantynet.com"
    iput-object v1, v0, Lcom/kt/ollehkidsafe/data/FTPInfoData;->ip:Ljava/lang/String;
    const/16 v1, 0xbb8    # 0xbb8 = 3000, the FTP port
    iput v1, v0, Lcom/kt/ollehkidsafe/data/FTPInfoData;->port:I
    const-string v1, "[REDACTED]"
    iput-object v1, v0, Lcom/kt/ollehkidsafe/data/FTPInfoData;->userID:Ljava/lang/String;
    const-string v1, "[REDACTED]"
    iput-object v1, v0, Lcom/kt/ollehkidsafe/data/FTPInfoData;->userPW:Ljava/lang/String;

    KT Olleh Kidsafe Version  02.01.11

    As of version 02.01.11, KT Olleh Kidsafe encrypts the FTP credentials using what appears to be the SEED cipher (an encryption algorithm developed by the Korea Information Security Agency), based on constants found in the APK. We also confirmed that the FTP credentials were changed from the last version. However, it appears that the traffic is still sent via unencrypted FTP, making Man-in-the-Middle attacks or credential sniffing a possibility.

    Clean Mobile Plus

    Clean Mobile Plus Version 2.1.1

    In Clean Mobile Plus v2.1.1 after the APK has been turned into smali code, the user credentials can be found in the following files:

    com/lguplus/cleanmobile/CleanModileService.smali
    com/lguplus/cleanmobile/ChildBlockListFragment.smali

    When decompiled using dex2jar and JD-GUI, the user credentials can be found in packages using the same path and file names as the smali files. These files contain code that fills out structures used to connect to an FTP server. The plaintext user credentials include the username and password used to access the server, the server URL, and the port number for the FTP service.

    Clean Mobile Plus Version 2.2.0

    In Clean Mobile Plus v2.2.0, the APK was obfuscated with encryption and the hardcoded credentials were removed. However, in our initial analysis of the app it was unclear if the developers actually changed the credentials. Continuing to use the same credentials represents a risk, because there are many APK mirroring sites that offer old, insecure versions of the app from where credentials could be acquired. If the credentials have not been changed then the exploitation scenario described for v2.1.1 is still possible.

    Clean Mobile Plus v2.2.0 attempts to obfuscate the APK by encrypting most of the code used. This version stores an encrypted JAR file within the APK as assets/db.dat. When the application starts it decrypts this JAR file, then loads and runs it. The JAR file does not appear to contain the hardcoded FTP credentials previously seen in version 2.1.1. Instead the credentials are downloaded from an API endpoint and encrypted using the SEED cipher. In version 2.2.0, the JAR file is encrypted with the Blowfish cipher using the following algorithm:

    DECRYPT(crypt, cipher)

    1. An encryption key k is extracted from crypt using the AES key unwrapping algorithm (RFC 3394) as follows:
      1. The first 24 bytes of crypt (bytes 0 until 24) are the wrapped key w
      2. The AES key-encryption key kek is derived as follows:
        1. Bytes 24 until 40 of the crypt are XOR masked with hard-coded mask 0x23F5C89D3C8B1A0AA358D2339B1EF5D7, forming p
        2. These 16 bytes of p are then base64-encoded forming pe
        3. The key kek is derived by computing the PBKDF2 HMAC (RFC 2898), parameterized with hash HMAC-SHA1, 18 iterations, 16 bytes of output, password pe, and the hard-coded salt 0xB9890CA25417B63C120D9F7CEBA01C01
      3. An encryption key k is then derived by using the AES key unwrapping algorithm to unwrap wrapped key w using key-encryption key kek, using the hard-coded initial value 0xA6A6A6A6A6A6A6A6 for verification
    2. Bytes 40 until the end of crypt are decrypted using cipher with key k in ECB mode
    3. The resulting null-terminated string is base64-decoded, producing the plaintext

    Analysis of this decrypted JAR file shows that most internal strings are also encrypted using the DECRYPT algorithm as described above, except with AES being used as the cipher parameter instead of Blowfish. In addition, the previously hard-coded FTP credentials are no longer present.

    Our analysis of LGU+ v2.2.0 identified open questions for the developers to address, specifically:

    • Hard coded FTP credentials have been removed, but did the credentials change from what was found in previous versions? Continuing to use the same credentials still represents a risk because there exist many APK mirroring sites that offer old, insecure versions of the app where credentials could be acquired.
    • The use of encryption in version 2.2.0 is an improvement compared to previous versions, but the use of symmetric ciphers (Blowfish, SEED) allows for the possibility of a man-in-the-middle attack against network traffic. We recommend the use of asymmetric cryptography to mitigate the potential for Man-in-the-Middle attacks against symmetrically encrypted data.
    • Is all network traffic encrypted or is traffic to the FTP server sent in plaintext? Lacking a user account to LGU+ services we were unable to analyze network traffic sent by the app to verify if it is encrypted. If network traffic is not secured, an attacker could capture FTP credentials via a Man-in-the-Middle attack. In general we recommend using a protocol that is more secure than FTP to transfer the data.

    We made attempts to communicate our analysis of v2.2.0 and these questions to LGU+ and PlantyNet, but encountered ongoing difficulties in obtaining a response from the vendors, leading to a disclosure to KISA (we detail the full disclosure process in Part 2).

    Additional KT Olleh Kid Safe Vulnerabilities

    Data Leakage

    Issue Number: KT-01-002
    Severity: Medium
    Status: Vulnerable (v02.01.11)

    An endpoint for KT was discovered that can be used to check if a phone number is registered on KT and if the number belongs to a minor. This issue is still vulnerable in v02.01.11.

    http://kidsafe.olleh.com/api/common/checkChildService.jsp;jsessionid=null?phoneNo=01026081008&authNo=

    <isKTUser>true</isKTUser>
    <isOver19>false</isOver19>

    http://kidsafe.olleh.com/api/common/checkChildService.jsp;jsessionid=null?phoneNo=01026081234&authNo=

    <isKTUser>true</isKTUser>
    <isOver19>true</isOver19>

    XSS vulnerabilities

    Issue Number: KT-01-003
    Severity: Medium
    Status: Fixed (v02.01.11)

    We identified an XSS vulnerability on a feedback form for KT. This issue allows an attacker to craft a special URL that can steal a victim’s password or trick a victim into providing private data, if the victim visits this URL. The example URLs below would display an alert box as a proof of concept:

    In v02.01.11, the URL identified in this issue was removed preventing the XSS attack.

    Part 2: Responsible Disclosure

    This section provides an overview of our responsible disclosure process and communication challenges with Plantynet, LGU+, and KT.

    Overview

    Following our initial discovery of the vulnerabilities we made efforts to disclose our findings to the responsible vendors and developers (KT, LGU+, and PlantyNet). We encountered significant challenges making contact with the companies and having our report acknowledged and acted on. Following the lack of response from the companies, we provided a disclosure report to KISA, which operates a bug bounty program to promote independent security reports to Korean companies. Issues were eventually resolved through the KISA disclosure process. In total this process took over 12 months and demonstrates serious gaps in the abilities of KT, LGU+, and PlantyNet to respond to security disclosures and be accountable and responsible for user security.

    As PlantyNet was the developer for both apps, which both communicated with the vulnerable server that was maintained by PlantyNet, we made two separate disclosures to KT and PlantyNet, and LGU+ and PlantyNet. The following sections provide details on our interactions for each disclosure (a full timeline of the disclosure process is provided in Appendix A: Disclosure Timeline).

    KT and PlantyNet Disclosure

    We disclosed the unprotected PlantyNet server, data leakage, and XSS vulnerabilities in KT Olleh Kid Safe v2.2.0 to KT and PlantyNet on September 2, 2016. After repeated attempts to follow up with the vendors through email and phone calls, PlantyNet acknowledged our disclosure on October 26, 2016, but provided no details on how the issues would be addressed or a timeline for fixes.

    On November 13 2016, KT released v2.01.11. Despite repeated attempts to follow up with PlantyNet regarding the update, no further information was provided by KT or PlantyNet.

    LGU+ and PlantyNet Disclosure

    We made our initial vulnerability disclosure to LGU+ and PlantyNet on September 2, 2016. On October 26, 2016, PlantyNet acknowledged our disclosure, but only noted the report on KT Olleh Kidsafe and did not reference Clean Mobile Plus. Despite multiple follow-ups to PlantyNet and LGU+ to remind them of the vulnerabilities affecting Clean Mobile Plus, we received no further communications regarding the app.

    On October 21 2016, LGU+ published Clean Mobile Plus 2.1.1 on the Google Play Store. Our analysis of version 2.1.1 showed that the application introduced the SEED algorithm to encrypt previously hard-coded strings, with a key downloaded after the user has authenticated. However, artifacts from previous versions of the application were still present and contained the FTP hostname, port, username, and password in plaintext.

    We disclosed the issues in v2.1.1 to LGU+ and PlantyNet on February 17 2017, but despite repeated follow-up attempts did not receive a response.

    On May 15, 2017 LGU+ published Clean Mobile Plus 2.2.0 for Android. No notification of this new version or any other communication was provided to us by either LGU+ or PlantyNet.

    On July 7, we sent a vulnerability report on LGU+ 2.1.1 and 2.2.0 to the Korea Internet and Security Agency (KISA). On September 4, KISA reported to us that developers for the app had received our report and changed the FTP server information as we had requested. However, FTP was still used, which we had identified in our disclosure as an insecure protocol for transmitting user information.

    Part 3: Discussion and Conclusion

    This section discusses the implications of our findings and wider policy issues.

    Systemic Security Issues in Child Monitoring Apps

    In total we have released security audits of five Korean child monitoring apps (Smart Sheriff, Cyber Security Zone, Smart Dream, KT Olleh Kid Safe, Clean Mobile Plus). Across the audits we found that these apps were not designed with security or privacy in mind. The apps do not follow best security practices for data transmission, data storage, or user authentication. The results of our audits point to systemic security issues in child monitoring apps in Korea that are not isolated to a single developer or vendor.

    Applications designed to protect children must be held to the highest privacy and security standards. Privacy and security should be high priorities for developers, with features that give users control over their data enabled by default. If apps are made mandatory for public use by a government, it has a responsibility to ensure the apps undergo independent security audits to determine if they are safe. The results of independent audits should be made public, and any apps that fail to meet security and privacy standards should not be available on the market.

    Broken Disclosure Process

    Independent security researchers can help developers and vendors by reporting vulnerabilities in their apps to them. Companies can reduce barriers for reporting vulnerabilities by having clear policies and communication channels for researchers to follow and incentivize reports by paying researchers to disclose them.

    None of the child monitoring app developers or vendors had policies for vulnerability disclosure, nor bug bounty programs, reflecting a general gap in Korea’s IT sector. According to KISA, Samsung is the only Korean company to provide a bug bounty and it only offers it for one of its product lines (Smart TVs). The role of the KISA bug bounty program in part is to fill this gap, but Korean information security professionals and academics have called on the IT industry to take on more of a leadership role and encourage a greater culture of information security.

    Our frustrating experience in disclosing vulnerabilities to PlantyNet, LGU+, and KT underscores the need for companies to be more proactive and responsible with vulnerability disclosures and the security of their users.

    Still Safer Without

    Parents around the world have growing concerns about their children’s use of social media and mobile devices. These concerns motivate the development of parental controls such as those offered in Android and iOS that allow parents to restrict applications, limit content, and enforce privacy settings. While the intent of child monitoring apps in Korea may reflect general worries that parents everywhere have, the invasive controls enabled by the apps go beyond standard parental control features (such as those in mobile operating systems) and have been implemented insecurely. These issues and the mandated use of child monitoring apps in Korea underscore broader public policy issues.

    When governments mandate the use of a specific type of application by the general public there must be an exceptionally rigorous process of due diligence around security and privacy that is transparent and accountable to the users. Our research shows that child monitoring apps from multiple vendors and developers have systemic security and privacy issues that are putting children at risk. Vendors and developers must develop products that are secure by design, welcome and encourage vulnerability reports from third parties, and be transparent to users about security and privacy issues so they can make informed choices. Together, our series of security audits have found that Korean children are safer without child monitoring apps.

    Footnotes

    [1] For a detailed overview of the legal and regulatory frameworks surrounding this mandate see https://citizenlab.org/wp-content/uploads/2015/09/legal-appendix.pdf

    [2] MOIBA subsequently released Cyber Security Zone, which we audited and found was merely a rebranded version of Smart Sheriff that included the same security issues that we revealed in version 1.7.7 of Smart Sheriff.

    [3] We did not pursue a monetary reward from KISA for our disclosure. The purpose of reporting to KISA was to help facilitate resolution of the issues with LGU+ and PlantyNet. Due to the challenges we experienced in reporting to these companies directly, the KISA program was used as a means to ensure the issue was acknowledged and addressed by the companies.

    Acknowledgements

    Special thanks to participants at the 2016 Citizen Lab Summer Institute who contributed to our initial security audit session of the apps.

    We are grateful to K.S. Park, Mino Choi, Esther Lim, Adam Lynn, Jakub Dalek, and Adam Senft for assistance and comments, and to Professor Ron Deibert for supervision.

    This report is part of the Net Alert project funded by the Open Technology Fund.

    Appendix A: Disclosure Timeline

    Date              | Event                                            | Description
    ------------------|--------------------------------------------------|------------
    September 2 2016  | Initial disclosure attempt (KT)                  | Email sent to Plantynet and KT representatives to disclose vulnerability report.
    September 2 2016  | Initial disclosure attempt (LGU+)                | Email sent to Plantynet and LGU+ representatives to disclose vulnerability report.
    September 9 2016  | Follow-up email attempt (KT & Plantynet)         | Email follow-up to KT and PlantyNet representatives. No response.
    September 9 2016  | Follow-up email attempt (LGU+ & Plantynet)       | Email follow-up to LGU+ and Plantynet representatives. No response.
    October 21 2016   | Follow-up email attempt                          | Email follow-up sent to different LGU+ and Plantynet representative emails. No response.
    October 21 2016   | LGU+ update 2.1.1                                | LGU+ releases 2.1.1 on Google Play Store.
    October 26 2016   | Call made to LGU+ customer service operator      | Call made to LGU+ customer service requesting contact info for disclosure. Representative said they would forward the disclosure report to the person in charge.
    October 26 2016   | Call made to KT customer service operator        | Call made to KT customer service representative who connected us to a Plantynet representative. The representative asked questions about the disclosure process and said they would follow up on the issue in a week.
    October 26 2016   | Follow-up email attempt (LGU+ and Plantynet)     | Email sent to different LGU+ representative emails. No response.
    October 26 2016   | Email response from Plantynet representative     | Plantynet representative provides acknowledgement of our security disclosure, but only for the LGU+ app, not for the KT app. No details of the planned fixes or timeline were provided.

    The email stated: “We will make sure checking your result of your research and inquiry, ASAP, and then we will send reply on your ask by e-mail or via Opennet. Co,. Ltd…Thank you for your research of our mobile application, “올레 자녀폰안심 프리” (version 2.1.8)”.

    October 26 2016   | Citizen Lab Email Response (Plantynet)           | Email sent to Plantynet representative to remind them that LGU+ has the same vulnerability.
    November 7 2016   | Citizen Lab Email Follow-up (Plantynet)          | Follow-up email sent to Plantynet representative requesting status update. No response.
    November 13 2016  | KT Olleh Kidsafe update 2.01.11                  | KT releases KT Olleh Kidsafe v2.01.11 on the Google Play Store.
    November 18 2016  | Citizen Lab Email Follow-up (Plantynet)          | Follow-up email sent to Plantynet representative requesting status update. No response.
    November 30 2016  | Citizen Lab Email Follow-up (Plantynet)          | Follow-up email sent to Plantynet representative requesting status update. No response.
    January 20 2017   | Citizen Lab Email Follow-up                      | Email sent to Plantynet and LGU+ representatives requesting status update. No response.
    February 1 2017   | Call made to PlantyNet                           | Phone call made to Plantynet representative. The representative stated that the previous emails on the persistent LGU+ issues had been received, but that they did not have the responsibility to respond to these emails and resolution would be dealt with between Plantynet and LGU+. The representative noted that LGU+ had received our emails and made a request to Plantynet to implement fixes. Plantynet noted updates were made to the app in October 2016. They noted LGU+ is responsible for correspondence on the issue.
    February 17 2017  | New disclosure sent for Clean Mobile Plus        | Disclosure for Clean Mobile Plus version 2.1.1 sent to LGU+ and Plantynet. No response.
    February 23 2017  | Follow-up on new disclosure sent                 | Email sent to Plantynet and LGU+ requesting acknowledgement of second disclosure. No response.
    July 7 2017       | Disclosure sent to KISA                          | Vulnerability report on Clean Mobile Plus sent to KISA as part of their bug bounty program.
    September 4 2017  | KISA sends update on fixes for Clean Mobile Plus | Updates received from KISA on status of Clean Mobile Plus.