Instagram 10.4 (iOS / App Store) on Jan 18, 2017 (upd. on Jan 19th for v10.4.1)

This application is available for iOS here. This app was designed to share your photos and videos, and keep up with your friends and interests. The latest build was released on Jan 17, 2017 and results are updated on Jan 19th for the last released v10.4.1.

Beware of using previous releases: in them all your media data is transferred ‘as is’, without protection, and the remaining data items are vulnerable to interception (MITM attacks) by a crafted certificate installed on the device as trusted. Have a look.

The current release protects the network data items; however, the items are still vulnerable to interception (MITM attacks) by a crafted certificate installed on the device as trusted.

Why is it still bad? Kazakhstan is going to start intercepting HTTPS traffic via “man-in-the-middle attack” starting Jan 1, 2016

Findings Summary

Our examination revealed 40 items in total: 12 DAR items and 28 DIT items. Among the DAR items we found 0 worst items, 5 bad items, 7 good items and 0 best items. Among the DIT items we found 0 worst items, 28 bad items, 0 good items and 0 best items.

Below you find 2 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.


Everything presented below is related to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], Unsafe sensitive data transmission [CWE-319]. You can read more about it here.

Now let’s go deeper and examine each data item’s protection level.

Application Description

Let’s cite the description of this application below:

Instagram is a simple way to capture and share the world’s moments. Follow your friends and family to see what they’re up to, and discover accounts from all over the world that are sharing things you love. Join the community of over 500 million people and express yourself by sharing all the moments of your day––the highlights and everything in between, too.
Use Instagram to:

  • Post photos and videos you want to keep on your profile grid. Edit them with filters and creative tools and combine multiple clips into one video.
  • Share multiple photos and videos (as many as you want!) to your story. Bring them to life with text and drawing tools. They disappear after 24 hours and won’t appear on your profile grid or in feed.
  • Go live to connect with your friends and followers right now. When you’re done, live stories disappear.
  • Send disappearing photos and videos, text messages and posts from your feed to groups and friends with Instagram Direct.
  • Watch stories and live videos from the people you follow in a bar at the top of your feed.
  • Discover stories, photos and videos you might like and follow new accounts on the Explore tab.
  • Enable Handoff to switch between your Apple Watch and your iPhone.

Protection levels.

Locally stored data (Data-at-Rest, DAR).

Locally stored data groups include Media Information, Address Book ‘n’ Contact Information, Social Information, Credentials Information, Account Information, Log Information.

The average DAR value is 5.25 points (7.00 points of system protection and 3.50 points of own protection). It is higher than the typical value (3.5 points, with 7 points of system protection and 0 points of own protection).

Items in GROUP #1, with an average value of 6.50 points (7 points of system protection, 6 points of own protection), have the following protection-level definitions. Frankly speaking, protection and privacy issues are still possible but would require interaction with the app code: the system protection level means that root/jailbreak is required but is not possible without wiping device data, and the own protection level means that the data is not available in backups.

– Screen Snapshots (‘Media Information’ Group) – Screenshots of your device screen running certain apps; common as an iOS app multitasking feature (app swipes) or browser tab swipes. The ‘Media Information’ group covers any data such as photos, images, video and audio.

– Media Stream (‘Account Information’ Group) – Any info like images, audio, video, media notes, etc. The ‘Account Information’ group covers any info related to profiles: basic credential IDs such as email, username or phone number, plus further info depending on the application.

– Log Data (‘Log Information’ Group) – Any data logged as a single file or multipart files. The ‘Log Information’ group covers any information stored in local or network logs.

– Contact Short Profile (‘Log Information’ Group) – Name, email ID and phone number of contacts. The ‘Log Information’ group covers any information stored in local or network logs.

– Device Data (‘Log Information’ Group) – Device ID, device name, device OS name and version, and jailbroken/root status. The ‘Log Information’ group covers any information stored in local or network logs.

– Environment (‘Log Information’ Group) – Different info about the device’s environment, including app lists, device info, OS name and versions, updates, a list of users, network details, etc. The ‘Log Information’ group covers any information stored in local or network logs.

– Media URLs (‘Log Information’ Group) – URLs related to media info, such as stream media or a profile’s media, etc. The ‘Log Information’ group covers any information stored in local or network logs.

Items in GROUP #2, with an average value of 3.50 points (7 points of system protection, 0 points of own protection), have the following protection-level definitions. Frankly speaking, extra data was found that should not be accessible: the system protection level means that root/jailbreak is required but is not possible without wiping device data, and the own protection level means that the data is stored as is.

– Contact Short Profile (‘Address Book ‘n’ Contact Information’ Group) – Name, email ID and phone number of contacts. The ‘Address Book ‘n’ Contact Information’ group covers info that is locally stored, cached or transferred over the network and belongs to this application, even if it is a social one.

– Media URLs (‘Address Book ‘n’ Contact Information’ Group) – URLs related to media info, such as stream media or a profile’s media, etc. The ‘Address Book ‘n’ Contact Information’ group covers info that is locally stored, cached or transferred over the network and belongs to this application, even if it is a social one.

– Access Permissions (‘Social Information’ Group) – The list of permissions linked to the access token used to get access to some features of the service. The ‘Social Information’ group covers info obtained from 3rd-party social networks.

– Credentials (IDs) (‘Social Information’ Group) – Only account IDs such as app or 3rd-party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). The ‘Social Information’ group covers info obtained from 3rd-party social networks.

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs such as app or 3rd-party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). The ‘Credentials Information’ group covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

Also, keep in mind that on a jailbroken device the system protection level is 0 points, and on out-of-date iOS < 8.3 it is 2 points. If some data is marked as shareable via iTunes, the system protection level is 4 points.

Transferred data (Data-in-Transit, DIT).

Transferred data groups include Credentials Information, Social Information, Application Information, Account Information, Media Information, Message Information, Address Book ‘n’ Contact Information, Device Information, Log Information, Personal ‘n’ Private Information.

The average DIT value is 3.14 points (3.14 points of system protection and 3.14 points of own protection). It is less than the typical value (4 points, with 4 points of system protection and 4 points of own protection).

Items with an average value of 5.00 points (4 points of system protection, 6 points of own protection) have the following protection-level definitions. Frankly speaking, the data is not available all the time or is only partially accessible: the system protection level means that the system informs the user if a fake certificate is imported into the device, and the own protection level means that SSL pinning is used (which can be patched).

– Credentials (IDs) (‘Credentials Information’ Group) – Only account IDs such as app or 3rd-party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). The ‘Credentials Information’ group covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Credentials (Passwords) (‘Credentials Information’ Group) – Well-known passwords or PINs you use to get access to your account (usually worse than tokens, because they give full access to your account). The ‘Credentials Information’ group covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Credentials (Tokens) (‘Credentials Information’ Group) – Different tokens used to get access to your account, excluding passwords but including app or 3rd-party tokens, secret keys, etc. (usually give full access to your account). The ‘Credentials Information’ group covers any type of credentials, including basic ones (IDs only), passwords, tokens, etc.

– Credentials (IDs) (‘Social Information’ Group) – Only account IDs such as app or 3rd-party user IDs, including emails, phone numbers, usernames, etc. (depends on the app). The ‘Social Information’ group covers info obtained from 3rd-party social networks.

– Credentials (Passwords) (‘Social Information’ Group) – Well-known passwords or PINs you use to get access to your account (usually worse than tokens, because they give full access to your account). The ‘Social Information’ group covers info obtained from 3rd-party social networks.

– Credentials (Tokens) (‘Social Information’ Group) – Different tokens used to get access to your account, excluding passwords but including app or 3rd-party tokens, secret keys, etc. (usually give full access to your account). The ‘Social Information’ group covers info obtained from 3rd-party social networks.

– Account Data (‘Social Information’ Group) – Basic info about the account, such as name, a list of sub-accounts (e.g. financial or other) and some linked data such as a phone number. The ‘Social Information’ group covers info obtained from 3rd-party social networks.

– Application Configs (‘Application Information’ Group) – Different configuration files created by the app, possibly including app permissions. The ‘Application Information’ group covers any info related to the app and its settings, including installed apps or installers.

– Stream (‘Account Information’ Group) – Any social or other stream activity, including posts, walls, etc. The ‘Account Information’ group covers any info related to profiles: basic credential IDs such as email, username or phone number, plus further info depending on the application.

– URLs (‘Media Information’ Group) – Different types of URLs referring to your files stored in clouds, profiles, social accounts, media files available online, etc. The ‘Media Information’ group covers any data such as photos, images, video and audio.

– Messages (‘Social Information’ Group) – Different types of messages and conversations, excluding SMS and MMS but including recipient and sender IDs and attachments. The ‘Social Information’ group covers info obtained from 3rd-party social networks.

– Messages (‘Message Information’ Group) – Different types of messages and conversations, excluding SMS and MMS but including recipient and sender IDs and attachments. The ‘Message Information’ group covers all messages, including SMS, MMS, social and IM messages, with or without attachments.

– Contact Short Profile (‘Message Information’ Group) – Name, email ID and phone number of contacts. The ‘Message Information’ group covers all messages, including SMS, MMS, social and IM messages, with or without attachments.

– Media URLs (‘Message Information’ Group) – URLs related to media info, such as stream media or a profile’s media, etc. The ‘Message Information’ group covers all messages, including SMS, MMS, social and IM messages, with or without attachments.

– Media URLs (‘Address Book ‘n’ Contact Information’ Group) – URLs related to media info, such as stream media or a profile’s media, etc. The ‘Address Book ‘n’ Contact Information’ group covers info that is locally stored, cached or transferred over the network and belongs to this application, even if it is a social one.

– Contact Profile (‘Address Book ‘n’ Contact Information’ Group) – Full info about contacts, including name, email ID, phone numbers, gender, linked accounts, geodata, stream and social activity. The ‘Address Book ‘n’ Contact Information’ group covers info that is locally stored, cached or transferred over the network and belongs to this application, even if it is a social one.

– Device Data (‘Device Information’ Group) – Device ID, device name, device OS name and version, and jailbroken/root status. The ‘Device Information’ group covers details about your device.

– Environment (‘Device Information’ Group) – Different info about the device’s environment, including app lists, device info, OS name and versions, updates, a list of users, network details, etc. The ‘Device Information’ group covers details about your device.

– Log Data (‘Log Information’ Group) – Any data logged as a single file or multipart files. The ‘Log Information’ group covers any information stored in local or network logs.

– Account Details (‘Account Information’ Group) – Full info about your account, including account membership, expiration, profile, linked data and accounts, etc. The ‘Account Information’ group covers any info related to profiles: basic credential IDs such as email, username or phone number, plus further info depending on the application.

– Tracked Data ‘n’ Favorites (‘Account Information’ Group) – Any favorites or tracked data marked as desirable by or for users (meaning, for example, that a user is on FB Messenger, Viber or a bank client, or has a favourite hotel, room type, flight route or airline). The ‘Account Information’ group covers any info related to profiles: basic credential IDs such as email, username or phone number, plus further info depending on the application.

– Personalization (‘Personal ‘n’ Private Information’ Group) – Info describing user preferences, favorites, tracked data, search requests, suggestions, etc. The ‘Personal ‘n’ Private Information’ group covers any personal and private info that is not obtained from 3rd-party social networks and is not your IDs.

– Media Data (‘Media Information’ Group) – Any info like images, audio, video, media notes, etc. The ‘Media Information’ group covers any data such as photos, images, video and audio.

– Media Data (‘Account Information’ Group) – Any info like images, audio, video, media notes, etc. The ‘Account Information’ group covers any info related to profiles: basic credential IDs such as email, username or phone number, plus further info depending on the application.

– Media Stream (‘Address Book ‘n’ Contact Information’ Group) – Any info like images, audio, video, media notes, etc. The ‘Address Book ‘n’ Contact Information’ group covers info that is locally stored, cached or transferred over the network and belongs to this application, even if it is a social one.

– Media Stream (‘Account Information’ Group) – Any info like images, audio, video, media notes, etc. The ‘Account Information’ group covers any info related to profiles: basic credential IDs such as email, username or phone number, plus further info depending on the application.

– Media Data (‘Message Information’ Group) – Any info like images, audio, video, media notes, etc. The ‘Message Information’ group covers all messages, including SMS, MMS, social and IM messages, with or without attachments.

– Tracked Data ‘n’ Favorites (‘Media Information’ Group) – Any favorites or tracked data marked as desirable by or for users (meaning, for example, that a user is on FB Messenger, Viber or a bank client, or has a favourite hotel, room type, flight route or airline). The ‘Media Information’ group covers any data such as photos, images, video and audio.

Keep in mind that if you’re using out-of-date iOS < 9.0, the system level equals 2 points instead of 4. This means your data can be stolen without any action on your part.

Privacy Policy

Full application privacy policy is available here.

Follow the link above for the privacy policy details and compare the developer’s vision of data protection with our results.

More than 1 billion users in total use this application.

[Dev Statement #1]>>

In September 2012, we announced that Instagram had been acquired by Facebook. The new Privacy Policy is effective on January 19, 2013. Our Privacy Policy explains how we and some of the companies we work with collect, use, share and protect information in relation to our mobile services, web site, and any software provided on or in connection with Instagram services (collectively, the “Service”), and your choices about the collection and use of your information

[PrivacyMeter comment #1]>>

The last update of the Privacy Policy written by the Instagram Team is dated January 19th, 2013 and covers all services, including mobile applications.

[Dev Statement #2]>>

1. INFORMATION WE COLLECT

We collect the following types of information

Information you provide us directly:

– Your username, password and e-mail address when you register for an Instagram account

– Profile information that you provide for your user profile (e.g., first and last name, picture, phone number). This information allows us to help you or others be “found” on Instagram

– User Content (e.g., photos, comments, and other materials) that you post to the Service

– Communications between you and Instagram. For example, we may send you Service-related emails (e.g., account verification, changes/updates to features of the Service, technical and security notices). Note that you may not opt out of Service-related e-mails

Finding your friends on Instagram:

– If you choose, you can use our “Find friends” feature to locate other people with Instagram accounts either through (i) your contacts list, (ii) third-party social media sites or (iii) through a search of names and usernames on Instagram

– If you choose to find your friends through (i) your device’s contacts list, then Instagram will access your contacts list to determine whether or not someone associated with your contact is using Instagram

– If you choose to find your friends through a (ii) third-party social media site, then you will be prompted to set up a link to the third-party service and you understand that any information that such service may provide to us will be governed by this Privacy Policy

– If you choose to find your friends (iii) through a search of names or usernames on Instagram then simply type a name to search and we will perform a search on our Service

– Note about “Invite Friends” feature: If you choose to invite someone to the Service through our “Invite friends” feature, you may select a person directly from the contacts list on your device and send a text or email from your personal account. You understand and agree that you are responsible for any charges that apply to communications sent from your device, and because this invitation is coming directly from your personal account, Instagram does not have access to or control this communication

Analytics information:

– We use third-party analytics tools to help us measure traffic and usage trends for the Service. These tools collect information sent by your device or our Service, including the web pages you visit, add-ons, and other information that assists us in improving the Service. We collect and use this analytics information with analytics information from other Users so that it cannot reasonably be used to identify any particular individual User

Cookies and similar technologies:

– When you visit the Service, we may use cookies and similar technologies like pixels, web beacons, and local storage to collect information about how you use Instagram and provide features to you

– We may ask advertisers or other partners to serve ads or services to your devices, which may use cookies or similar technologies placed by us or the third party

– More information is available in our About Cookies section

Log file information:

– Log file information is automatically reported by your browser each time you make a request to access (i.e., visit) a web page or app. It can also be provided when the content of the webpage or app is downloaded to your browser or device

– When you use our Service, our servers automatically record certain log file information, including your web request, Internet Protocol (“IP”) address, browser type, referring / exit pages and URLs, number of clicks and how you interact with links on the Service, domain names, landing pages, pages viewed, and other such information. We may also collect similar information from emails sent to our Users which then help us track which emails are opened and which links are clicked by recipients. The information allows for more accurate reporting and improvement of the Service

Device identifiers:

– When you use a mobile device like a tablet or phone to access our Service, we may access, collect, monitor, store on your device, and/or remotely store one or more “device identifiers.” Device identifiers are small data files or similar data structures stored on or associated with your mobile device, which uniquely identifies your mobile device. A device identifier may be data stored in connection with the device hardware, data stored in connection with the device’s operating system or other software, or data sent to the device by Instagram

– A device identifier may deliver information to us or to a third party partner about how you browse and use the Service and may help us or others provide reports or personalized content and ads. Some features of the Service may not function properly if use or availability of device identifiers is impaired or disabled

Metadata:

– Metadata is usually technical data that is associated with User Content. For example, Metadata can describe how, when and by whom a piece of User Content was collected and how that content is formatted

– Users can add or may have Metadata added to their User Content including a hashtag (e.g., to mark keywords when you post a photo), geotag (e.g., to mark your location to a photo), comments or other data. This makes your User Content more searchable by others and more interactive. If you geotag your photo or tag your photo using other’s APIs then, your latitude and longitude will be stored with the photo and searchable (e.g., through a location or map feature) if your photo is made public by you in accordance with your privacy settings

[PrivacyMeter comment #2]>>

The Instagram Team describes the types of information it collects but does not describe how that information is protected. In the description below the ‘Group’ term means the place in the application where an item was found, so the same data item may be duplicated and found in several places at the same time, possibly with a different protection level in each.

All DIT (network) items found are assigned to the Medium Protected Level.

These data items include

  • Media Data, Media Stream related to the ‘Account Information’ Group
  • Media Data, Tracked Data ‘n’ Favorites related to the ‘Media Information’ Group
  • Media Stream related to the ‘Address Book ‘n’ Contact Information’ Group
  • Media Data related to the ‘Message Information’ Group
  • Credentials (IDs), Credentials (Passwords), Credentials (Tokens) related to the ‘Credentials Information’ Group
  • Credentials (IDs), Credentials (Passwords), Credentials (Tokens), Account Data related to the ‘Social Information’ Group
  • Application Configs related to the ‘Application Information’ Group
  • URLs related to the ‘Media Information’ Group; Messages related to the ‘Social Information’ Group
  • Messages, Contact Short Profile related to the ‘Message Information’ Group
  • Media URLs, Contact Profile related to the ‘Address Book ‘n’ Contact Information’ Group
  • Device Data, Environment related to the ‘Device Information’ Group
  • Log Data related to the ‘Log Information’ Group; Stream, Account Details, Tracked Data ‘n’ Favorites related to the ‘Account Information’ Group
  • Personalization related to the ‘Personal ‘n’ Private Information’ Group.

Medium Protected Level means the application has SSL mechanisms implemented, but data items can still be intercepted with a crafted certificate installed on the device as trusted.

Also, the application can validate an SSL connection and detect a crafted certificate; however, that security feature is limited to comparing the server’s SSL certificate against the list of certificates installed on the device, including certificates added by the user and marked as trusted. In that case, MITM interception of data items in traffic is possible. All data items found in this research are affected by MITM with an installed crafted certificate. The crafted certificate can either be installed by the user or already be on the device and expired. The first case splits into the user knowingly installing the certificate, or someone misleading the user into installing it as a condition of getting network access. ‘Making someone install it’ ranges from the simple case of access to a public network to a serious one like Kazakhstan (Kazakhstan is going to start intercepting HTTPS traffic via “man-in-the-middle attack” starting Jan 1, 2016, Government root SSL certificate possible vulnerabilities, Bug 1232689 – Add Root Certification Authority of the Republic of Kazakhstan (root.gov.kz), Mozilla – CA Program (Included Government of Kazakhstan roots)). The second case splits into a certificate that is preinstalled and expired, or was revoked but not removed, or firmware the user obtained with a specially crafted certificate.

If you have up-to-date iOS, you still have no additional protection from MITM attacks aimed at intercepting network traffic if you have installed a trusted certificate yourself. If you have outdated iOS below version 9, you might have issues that decrease your system protection level due to known problems with security mechanisms, leading to MITM attacks without a crafted certificate being installed as trusted.

DAR (local) items fall into two sets: items stored in backups as well as on the device, and items stored out of backups only; neither set is accessible without a jailbreak or outdated iOS.

The ‘in-backup’ items include

  • Contact Short Profile, Media URLs related to the ‘Address Book ‘n’ Contact Information’ Group
  • Access Permissions, Credentials (IDs) related to the ‘Social Information’ Group
  • Credentials (IDs) related to the ‘Credentials Information’ Group

The ‘Out of backup only’ items include

  • Screen Snapshots related to the ‘Media Information’ Group
  • Media Stream related to the ‘Account Information’ Group
  • Log Data, Contact Short Profile, Device Data, Environment, Media URLs related to the ‘Log Information’ Group.

Locally stored data requires either a jailbreak or a backup; however, usually not all data items are included in a backup file. If you use outdated iOS below version 8.3, you might have issues that decrease your system protection level due to known problems with security mechanisms, leading to theft of the application’s data items stored in the application folder (except keychains) without jailbreaking the device, just by having it connected to a PC/Mac.

[Dev Statement #3]>>

This statement is not related directly to the Privacy Policy but to an article published in 2014:

Instagram said it’s moving to encrypted communications for its images by moving to HTTPS, the secure version of the standard used to transfer Web data over the Internet

“We’re doing the technical work that’s necessary to add HTTPS protection across the remaining parts of the Instagram app, while still ensuring stability and performance,” the company said in a statement. “We’ll keep the Instagram community updated on our progress.”

[PrivacyMeter comment #3]>>

The curious fact is that in 2014 Instagram promised to fix it. In 2014 Instagram stored media data items at least on S3 (Amazon Web Services, AWS S3); in 2015 Amazon fixed the issues related to media data items being transferred without protection. However, in 2016 Instagram obviously left the AWS solution and moved to its own or Facebook’s services, but forgot to turn on encryption (SSL) for media data items. On Jan 17th, 2017, Instagram fixed the issues with media data only, so now all data items are protected in the same way. The current release protects the network data items; however, the items are still vulnerable to interception (MITM attacks) by a crafted certificate installed on the device as trusted.

[Statement #1 and comment #1]

[Solutions for Developers #1]>>

In general, the dev team should revise the policy and include information on how the application data is protected, because this part is obviously missing.

[Solutions for users #1]>>

Nothing required

[Statement #2 and comment #2]

[Solutions for Developers #2]>>

The dev team should implement SSL pinning so that only the Instagram SSL certificate is trusted. The certificate itself is the easiest thing to pin. The certificate for the website can be fetched out of band, e.g. with openssl s_client. At runtime, the application retrieves the website’s or server’s certificate in the TLS callback. Within the callback, the application compares the retrieved certificate with the certificate embedded in the program. If the comparison fails, the method or function fails and the connection is not used.
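As an added illustration of the callback described above (example code written for this review, not Instagram’s code): a URLSession delegate that first lets the system perform its normal chain and hostname validation and then compares the DER bytes of the leaf certificate the server actually presented with copies embedded in the app bundle. The resource name “api-leaf” is a placeholder, and the SecTrustEvaluateWithError API (iOS 12 and later) is an assumption; older targets would use SecTrustEvaluate in the same place.

```swift
import Foundation
import Security

/// Accepts a TLS connection only when the leaf certificate presented by the
/// server is byte-for-byte identical to a DER-encoded certificate shipped in
/// the app bundle (fetched out of band, e.g. with `openssl s_client`).
final class CertificatePinningDelegate: NSObject, URLSessionDelegate {

    /// DER bytes of the certificates the app is willing to talk to.
    private let pinnedCertificates: Set<Data>

    init(pinnedCertificates: [Data]) {
        self.pinnedCertificates = Set(pinnedCertificates)
    }

    /// Loads `<name>.der` resources from the main bundle. The names passed in
    /// are placeholders chosen by the app; nothing here is Instagram-specific.
    static func loadFromBundle(names: [String]) -> [Data] {
        names.compactMap { name in
            Bundle.main.url(forResource: name, withExtension: "der")
                .flatMap { try? Data(contentsOf: $0) }
        }
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {

        // Only server-trust challenges are pinned; anything else keeps the
        // system's default behaviour.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let serverTrust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: the regular evaluation (chain, expiry, hostname). A chain
        // ending in a user-installed trusted root passes this step, which is
        // exactly why step 2 is needed.
        var evaluationError: CFError?
        guard SecTrustEvaluateWithError(serverTrust, &evaluationError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: compare the leaf the server sent with the embedded copy.
        guard let leaf = SecTrustGetCertificateAtIndex(serverTrust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let leafData = SecCertificateCopyData(leaf) as Data

        if pinnedCertificates.contains(leafData) {
            completionHandler(.useCredential, URLCredential(trust: serverTrust))
        } else {
            // A certificate minted under a user-installed CA cannot match the
            // pinned bytes, so the connection is refused here.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: "api-leaf" is a placeholder resource name for the pinned DER file.
let pinningDelegate = CertificatePinningDelegate(
    pinnedCertificates: CertificatePinningDelegate.loadFromBundle(names: ["api-leaf"]))
let session = URLSession(configuration: .default,
                         delegate: pinningDelegate,
                         delegateQueue: nil)
```

Pinning the leaf is the simplest variant and the one the text recommends, but it ties the app to one certificate: the embedded copy has to be updated before the server certificate is rotated, or the app stops connecting. Because the check lives in app code it can, as the scoring above notes, be patched on a jailbroken device; it still closes the case this review is about, a crafted certificate trusted by the device.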

Locally stored data should be protected and encrypted. Adding information about which data is included in backups helps users make a clear security decision.

[Solutions for users #2]>>

Avoid installing suspicious SSL certificates on your device if you are not sure where they come from, avoid using this application on non-trusted networks, and check your device for installed user CA SSL certificates marked as trusted. Also, you may use VPN solutions to prevent MITM.

Keep in mind that a backup is an additional insecurity flaw even if you do not have a jailbroken device. Avoid creating non-encrypted (not password-protected) backup files, avoid using a jailbroken device, and avoid outdated iOS below version 8.3.

[Statement #3 and comment #3]

[Solutions for Developers #3]>>

Fixed

[Solutions for users #3]>>

Fixed
