Name of the Application: India Chat !
Version of the Application: 1.1
Developed By: pDevs
Android Version No: 2.3 and up

India Chat !:
Make new friends from India.
See friends with their location.
Chatrooms.

India Chat Permissions:
Read phone status.
Location (GPS and network based).
Modify or delete the contents of your SD card.
Read Google service configuration.
Full network access.
Google Play billing service.
Receive data from Internet.
View network connections.
View Wi-Fi connections.
Control vibration.
Prevent phone from sleeping.

Privacy Implications:
Heavy usage of adware websites, to which it transmits sensitive user information. The sensitive information includes the IMEI, location information, phone model etc., and this behaviour is mentioned nowhere on its download page in the Google Play store.
Leaks Facebook and Twitter usernames, profile links and other personal information such as names, email ids and local addresses.
Viewing any user's profile leaks their email address.
A malicious user can assume any authenticated user's identity and perform actions on that user's behalf, such as following profiles, sending messages and checking the inbox.
An attacker can bypass the block feature and access the profile of the user that blocked him.
Tracks users using tracking cookies.
Accesses Wi-Fi information such as the MAC address and information about clients connected to the phone's Wi-Fi network.

Permissions Chart:

Servers it connects to:
http://www.startappexchange.com/1.1/getads?publisherId=101067107&productId=201314448&type=SCRINGO_TOOLBAR&os=ANDROID&subPublisherId=
http://a.applovin.com/ad?sdk_key=VT1fX88MroaVX8f4owyTBI4lQMbtuLzNv-1R79oyyNSTV6TI1UrDnwyCGT38v1Wo0XE7h04dOX6uefBg80uwxr&package_name=
https://42matters.com/api/1/apps/lookup.json?access_token=14500d80ce12bf7f2fe58baf2016fb9e6b1b1236&p=
http://media.admob.com/mraid/v1/mraid_app_interstitial.js
http://googleads.g.doubleclick.net
https://www.googleapis.com/auth/games
https://graph.facebook.com

Observations:
Asks for permissions it does not require, such as Google Play billing and viewing Wi-Fi connections, considering it is a chat client of limited scope.
It accesses private information such as Facebook usernames and other data of logged-in users.
Unauthenticated users can access information of users logged in through Facebook/Twitter, such as their email addresses, usernames, local addresses and Facebook profile links.
An attacker can follow any user from any user's account.
An attacker can access the private chat exchange between any two users.
An attacker can access the inbox of any user authenticated to the application.
An attacker can assume another user's identity and send messages to any user, including himself.
Opening the profile of any user leaks confidential PII such as the email address of the victim.
An attacker can see the people the victim follows even if he is blocked by the victim.
An attacker can post assuming any victim's identity.
Connects to an adware library called Airpush (the app does not mention that it is ad-supported) and transmits sensitive information about the user to it, such as the IMEI number of the phone, its location and browser information.
Connects to multiple other adware services.
Sets a tracking cookie, calls a URL and sends information to it.

Detailed Analysis:

1. Leaks personal information of other users connected to or registered on the website.
Personal information is revealed. The highlighted field below is the userId, which it leaks along with other information in JSON format. This userId can also be used to spoof identity and masquerade as any other user: the stolen userId is inserted into a message request and sent to the website owners, and no check is in place to prevent this malicious action.

2. Leaks Facebook IDs and profile links of authenticated users.
It makes requests which leak the Facebook ID of those users of the website who connect with their Facebook login credentials. The highlighted parameter below is the Facebook ID of one such user leaked by the application. When this ID is used in a Graph search, the following is returned:

3. Reveals sensitive information about authenticated users to unauthenticated users.
Request:
Response:

4. Transmits sensitive user information, such as the mobile phone IMEI, to an 'ads' library called Airpush.

5. Sets a tracking cookie, calls a tracking URL and sends user information to it.

6. An attacker can follow any user from any user's account.
Original legitimate request:
Modified malicious request:
After replacing the userId with another user's ID, which can be easily acquired because the userIds of all users in a chatroom are leaked, an attacker can make follow requests to any other account while masquerading as someone else.

7. An attacker can access the private chat exchange between any two users, as well as any user's inbox, by replacing the userId parameter with the victim's ID, as follows:
As demonstrated above, the userId parameter is changed to another user's userId, which can be obtained from the feeds page or any chatroom because the userIds of authenticated users are leaked to every user. This allows the attacker to access the contents of any user's inbox.

8. An attacker can assume another user's identity and send messages to any user, including himself.

9. Opening the profile of any user leaks confidential PII such as the email address of the victim.

10. An attacker can see the people the victim follows even if he is blocked by the victim.
This is accomplished by editing the parameter otherUserId.

11. An attacker can post by assuming any victim's identity.
This is also accomplished by modifying the userId parameter and replacing it with the victim's.
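The flaws in items 1 and 6 to 11 share one root cause: the server trusts a client-supplied userId or otherUserId instead of the authenticated session. The following minimal Python service is an added example (not code from India Chat or its website) of the server-side checks that prevent them: the acting user is derived from the session token, inbox requests for any other userId are rejected, the block list is enforced before follow data is returned, and profile responses omit the email field. All user names, tokens and data are constructed for the example.

```python
# Added example: session-derived identity and object-level authorization
# for the chat/follow/inbox/profile endpoints described in the report.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the session user may not perform the requested action."""


@dataclass
class ChatService:
    sessions: dict                                  # session token -> user id
    profiles: dict = field(default_factory=dict)    # user id -> full profile (includes email)
    follows: dict = field(default_factory=dict)     # user id -> set of followed user ids
    blocks: dict = field(default_factory=dict)      # user id -> set of user ids they blocked
    inbox: dict = field(default_factory=dict)       # user id -> list of received messages

    def actor(self, token):
        """Resolve the acting user from the session, never from a request parameter."""
        if token not in self.sessions:
            raise Forbidden("not authenticated")
        return self.sessions[token]

    def read_inbox(self, token, requested_user_id):
        me = self.actor(token)
        if requested_user_id != me:      # a substituted userId is rejected, not honoured
            raise Forbidden("inbox belongs to another user")
        return list(self.inbox.get(me, []))

    def follow(self, token, target_id):
        me = self.actor(token)           # the client cannot choose whose account follows
        self.follows.setdefault(me, set()).add(target_id)
        return sorted(self.follows[me])

    def following_of(self, token, other_user_id):
        me = self.actor(token)
        if me in self.blocks.get(other_user_id, set()):   # block list enforced server-side
            raise Forbidden("you are blocked by this user")
        return sorted(self.follows.get(other_user_id, set()))

    def send_message(self, token, to_id, text):
        sender = self.actor(token)       # sender identity comes from the session only
        self.inbox.setdefault(to_id, []).append({"from": sender, "text": text})
        return len(self.inbox[to_id])

    def public_profile(self, token, user_id):
        self.actor(token)                # requires a valid session; email is never returned
        return {k: self.profiles[user_id][k] for k in ("name", "location")}


def build_demo():
    """Constructed sample state: alice has blocked bob and follows carol; bob messaged alice."""
    svc = ChatService(sessions={"tok-alice": "alice", "tok-bob": "bob"})
    svc.profiles["alice"] = {"name": "Alice", "location": "Delhi", "email": "alice@example.com"}
    svc.blocks["alice"] = {"bob"}
    svc.follow("tok-alice", "carol")
    svc.send_message("tok-bob", "alice", "hi")
    return svc
```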