In a new study, Citizen Lab sheds light on the massive security threats facing Latin Americans. Citizen Lab and Open Technology Fund (OTF) fellow Beau Kujath, in collaboration with SocialTIC, finds that mobile applications in Latin America put millions of users at security and privacy risk. Beau’s research focuses on three types of mobile applications: telecommunication apps, government-developed apps, and marketplace apps. Millions of people in Latin America rely on these categories of applications for essential daily functions including cellular service, emergency response, healthcare, money transfers, and more. Thus, people are incentivized to keep these apps on their devices, leaving them vulnerable.

 

Key Findings

  • A cellular management app from Mexican telecommunications giant MiTelcel consistently fetches images and JSON files for the splash configuration over cleartext HTTP. This vulnerability allows attackers to eavesdrop on the cleartext traffic and potentially inject their own malicious images that will be displayed on the app’s “Home” page.
  • The MiTelcel app sends POST requests to five different third-party servers with personal info of the user including their email and phone number, although the app store’s description stated no personal info was shared with any third parties at the time of analysis.
  • Another cellular management app from Mexican telecom SAT Movil uses cleartext HTTP for the “Chat” page that is responsible for communicating highly sensitive personal info including citizen ID numbers and passwords, allowing eavesdroppers to read these as they are transmitted over the network.
  • A Salvadoran cryptocurrency app ChivoWallet checks with Microsoft CodePush servers each time it is opened to see if there is a new update available to fetch, granting the developers the ability to update its functionality on demand outside the trusted app store update mechanisms.
  • Three of the four telecommunication apps analyzed send SMS messages that include external links that are vulnerable to SSL strip attacks. These attacks allow an attacker to downgrade connections from HTTPS to cleartext HTTP in order to eavesdrop on the info exchanged and potentially inject their own malicious responses.
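
An added example, not part of the report or its repository: a defender-side audit that flags the two transport issues listed above, cleartext HTTP requests in a traffic capture and SMS links whose first request can be downgraded. The hosts, field names, sample data and HSTS host list are constructed assumptions, and scheme-less links are assumed to open over HTTP first.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data, not taken from the report: requests as an
# intercepting proxy might log them, and the text of a carrier SMS.
FLOWS = [
    {"url": "http://cdn.example.test/splash/config.json", "body": ""},
    {"url": "https://api.example.test/v1/balance", "body": ""},
    {"url": "http://chat.example.test/send",
     "body": "citizen_id=X0000000&password=placeholder"},
]
SMS = ("Pay at pay.example.test/bill or see http://help.example.test/faq. "
       "Account: https://acct.example.test/login and http://secure.example.test/x")
# Assumption: hosts known to be HSTS-preloaded, so browsers never try HTTP.
HSTS_HOSTS = {"secure.example.test"}

SENSITIVE = re.compile(r"\b(email|phone|password|citizen_id)=", re.I)
LINK = re.compile(r"\b((?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?)", re.I)

def audit_flows(flows):
    """Return (url, reason) for every request sent without TLS."""
    findings = []
    for flow in flows:
        if urlsplit(flow["url"]).scheme.lower() != "http":
            continue
        reason = "cleartext fetch: readable and modifiable in transit"
        if SENSITIVE.search(flow["body"]):
            reason = "cleartext request carrying personal data"
        findings.append((flow["url"], reason))
    return findings

def audit_sms_links(text, hsts_hosts):
    """Return links whose first request can go out over plain HTTP."""
    exposed = []
    for match in LINK.finditer(text):
        link = match.group(1).rstrip(".,)")
        parts = urlsplit(link if "://" in link else "//" + link)
        if parts.scheme.lower() == "https":
            continue  # TLS from the first request; nothing to downgrade
        if parts.hostname not in hsts_hosts:
            exposed.append(link)  # http:// or scheme-less, no HSTS pin
    return exposed

if __name__ == "__main__":
    for url, reason in audit_flows(FLOWS):
        print(f"{reason}: {url}")
    for link in audit_sms_links(SMS, HSTS_HOSTS):
        print(f"SSL-strip exposed SMS link: {link}")
```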

The full detailed technical report includes more information on which live security and privacy issues were found in the set of apps, how they were found, and the motivation for this project.

 

Github repo: https://github.com/beaukuj15/relab

Read the full report here. Read the Spanish translation of this report on SocialTIC and Datavoros.

Post by the OTF 

 

About the OTF Fellowship

The Information Controls Fellowship Program (ICFP) from the Open Technology Fund (OTF) supports research into how governments in countries, regions, or areas of OTF’s core focus are restricting the free flow of information, cutting access to the open Internet, and implementing censorship mechanisms, thereby threatening the ability of global citizens to exercise basic human rights and democracy; work focused on mitigation of such threats is also supported.

 

About the Researcher, Beau Kujath

Beau Kujath is a cybersecurity researcher who earned his B.S. in Computer Science from the University of New Mexico in 2019 and is now pursuing a PhD at Arizona State University. His research focuses on internet freedom and how the network stack, or system in general, can reveal sensitive information about the end user. He is particularly interested in the components required for bad people to create exploits and take advantage of the present privacy tools in use by web users. Recently, his research focused on potential VPN client risks and how information could be leaked from the network stack to expose the client.