Facebook (Android / Google Play) on Jan 26, 2017 (upd. on Feb 3rd)

This application is available for Android. The app is designed to keep up with friends the faster way, using the popular social network. The latest build was released on January 26th, 2017 (update released on February 1st, 2017).

In this release, transferred data items are protected by SSL pinning, which means a weakness exists only if you have a rooted device. The data items that belong to the menu settings are vulnerable to interception (MITM attacks) with a crafted certificate installed on the device as trusted. These data items include:

  • Media Data related to the ‘Account Information’ Group
  • Stream, Contact Profile, Contact GEO, Tracked Data ‘n’ Favorites related to the ‘Address Book ‘n’ Contact Information’ Group
  • Device Data related to the ‘Analytics ‘n’ Ads Information’ Group
  • Credentials (IDs), Credentials (Passwords), Credentials (Tokens) related to the ‘Credentials Information’ Group
  • Device Details, Network Details, Environment related to the ‘Device Information’ Group
  • Calendar Events, Calendar Details related to the ‘Events Information’ Group
  • GEO Data, Location History, Place Details, Address Data related to the ‘Location ‘n’ Maps Information’ Group
  • Contact Profile, Media Data related to the ‘Media Information’ Group
  • Personalization related to the ‘Personal ‘n’ Private Information’ Group
  • Stream, Messages, Preview, Access Permissions, Media Data, Bookmark Data related to the ‘Social Information’ Group

Findings Summary

Our examination revealed 58 items in total, of which 23 were DAR (data-at-rest) items and 35 were DIT (data-in-transit) items. Among the DAR items we found 0 worst, 23 bad, 0 good, and 0 best items. Among the DIT items we found 0 worst, 0 bad, 35 good, and 0 best items.

Below you will find 2 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.


Everything presented below relates to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], and Unsafe sensitive data transmission [CWE-319]. You can read more about them here.

Now let’s go deeper and examine each data item’s protection level.


Facebook 77.0 (iOS / App Store) on Jan 26, 2017 (upd. on Feb 3rd – ver 78.0)

This application is available for iOS. The app is designed to keep up with friends the faster way, using the popular social network. The latest build was released on January 26th, 2017 (update released on February 2nd, 2017).

In this release, transferred data items are protected by SSL pinning, which means a weakness exists only if you have a jailbroken device. The data items that belong to the menu settings are vulnerable to interception (MITM attacks) with a crafted certificate installed on the device as trusted. These data items include:

  • Media Data related to the ‘Account Information’ Group
  • Stream, Contact Profile, Contact GEO, Tracked Data ‘n’ Favorites related to the ‘Address Book ‘n’ Contact Information’ Group
  • Device Data related to the ‘Analytics ‘n’ Ads Information’ Group
  • Credentials (IDs), Credentials (Passwords), Credentials (Tokens) related to the ‘Credentials Information’ Group
  • Device Details, Network Details, Environment related to the ‘Device Information’ Group
  • Calendar Events, Calendar Details related to the ‘Events Information’ Group
  • GEO Data, Location History, Place Details, Address Data related to the ‘Location ‘n’ Maps Information’ Group
  • Contact Profile, Media Data related to the ‘Media Information’ Group
  • Personalization related to the ‘Personal ‘n’ Private Information’ Group
  • Stream, Messages, Preview, Access Permissions, Media Data, Bookmark Data related to the ‘Social Information’ Group

Findings Summary

Our examination revealed 59 items in total, of which 24 were DAR (data-at-rest) items and 35 were DIT (data-in-transit) items. Among the DAR items we found 0 worst, 22 bad, 1 good, and 1 best item. Among the DIT items we found 0 worst, 8 bad, 27 good, and 0 best items.

Below you will find 3 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.


Everything presented below relates to well-known CWEs, such as Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312], and Unsafe sensitive data transmission [CWE-319]. You can read more about them here.

Now let’s go deeper and examine each data item’s protection level.
