Facebook Messenger (Android / Google Play) on Jan 26, 2017 (upd. on Feb 3rd)

This application is available for Android. It is designed to let people reach each other instantly by messaging. The latest build was released on January 24th, 2017 (an update was released on February 1st, 2017).

In this release, transferred data items are protected by SSL pinning, so they can only be intercepted on a rooted device. However, the application has an issue with protecting media data items related to friends' profile pictures (avatars). From the first time the app runs until all of these media items have eventually been downloaded, they are transferred in plaintext (without protection/encryption).

Findings Summary

Our examination revealed 27 items in total: 10 DAR (data at rest) items and 17 DIT (data in transit) items. Among the DAR items we found 0 worst, 10 bad, 0 good and 0 best items. Among the DIT items we found 0 worst, 0 bad, 15 good and 1 best item.

In this case, the ‘1 best item’ is not really a best item but two duplicated items: one is assigned 6 points (Good Protection Level) and the other 3 points (Obesity Protected Level). Across many tests, the second item was found to correspond to the caching activity that happens once (usually when the app starts for the first time) and ends when all profile pictures of the Facebook contacts have been downloaded. Normally these pictures (media data) are transferred securely and cannot be intercepted (MITM) if the device is not rooted.

Below you will find 3 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.


Everything presented below relates to well-known CWEs: Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312] and Unsafe sensitive data transmission [CWE-319]. You can read more about them here.

Now let’s go deeper and examine each data item’s protection level.


Facebook Messenger 102.0 (iOS / App Store) on Jan 26, 2017 (upd. on Feb 3rd – ver 103.0)

This application is available for iOS. It is designed to let people reach each other instantly by messaging. The latest build was released on January 24th, 2017 (an update was released on February 1st, 2017).

In this release, transferred data items are protected by SSL pinning, so they can only be intercepted on a jailbroken device. However, the application has an issue with protecting media data items related to friends' profile pictures (avatars). From the first time the app runs until all of these media items have eventually been downloaded, they are transferred in plaintext (without protection/encryption).
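The avatar finding in both the Android and iOS write-ups above is the same pattern: most traffic is pinned TLS, but a burst of image fetches during the first-run cache fill goes out over plain HTTP (CWE-319). The following is an added example, not code from the original posts, showing how a tester would confirm such a finding from a proxy or capture log rather than by eye. The log format ("METHOD URL STATUS CONTENT-TYPE"), the hostnames and the paths are all constructed placeholders, not Facebook endpoints.

```python
# Added example (not part of the original posts): audit a traffic log for
# media objects fetched over plain HTTP, the transfer pattern CWE-319 covers.
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample log, one request per line: METHOD URL STATUS CONTENT-TYPE.
# Hosts use the reserved .invalid TLD so nothing here resolves to a real server.
SAMPLE_LOG = """\
GET https://api.example-messenger.invalid/v1/threads 200 application/json
GET http://cdn.example-messenger.invalid/avatars/u1001.jpg 200 image/jpeg
GET http://cdn.example-messenger.invalid/avatars/u1002.jpg 200 image/jpeg
GET https://cdn.example-messenger.invalid/avatars/u1003.jpg 200 image/jpeg
GET http://cdn.example-messenger.invalid/avatars/u1004.png 200 image/png
GET https://api.example-messenger.invalid/v1/messages 200 application/json
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<ctype>\S+)$"
)


@dataclass(frozen=True)
class Request:
    method: str
    url: str
    status: int
    content_type: str


def parse_log(text: str) -> list[Request]:
    """Parse the constructed log format, silently skipping malformed lines."""
    requests: list[Request] = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        requests.append(
            Request(
                method=match["method"],
                url=match["url"],
                status=int(match["status"]),
                content_type=match["ctype"].split(";")[0].lower(),
            )
        )
    return requests


def is_media(req: Request) -> bool:
    """Media here means any image/* response, which covers avatars."""
    return req.content_type.startswith("image/")


def is_plaintext(req: Request) -> bool:
    """A request is plaintext when its URL scheme is http rather than https."""
    return urlsplit(req.url).scheme.lower() == "http"


def audit(text: str) -> dict:
    """Summarise how much media left the device unencrypted.

    Returns counts plus the offending URLs so the finding can be reported
    with evidence, mirroring the DIT (data in transit) items in the posts.
    """
    requests = parse_log(text)
    media = [r for r in requests if is_media(r)]
    plaintext_media = [r for r in media if is_plaintext(r)]
    return {
        "total_requests": len(requests),
        "media_requests": len(media),
        "plaintext_media": len(plaintext_media),
        "plaintext_media_urls": [r.url for r in plaintext_media],
        # Fraction of media fetched without TLS; 0.0 when no media was seen.
        "plaintext_media_ratio": (len(plaintext_media) / len(media)) if media else 0.0,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(f"{report['plaintext_media']} of {report['media_requests']} media fetches were plaintext")
    for url in report["plaintext_media_urls"]:
        print("  CWE-319:", url)
```

The check keys on the URL scheme rather than on the host, because the pattern described in the posts is a CDN that serves the same avatar paths over both schemes during the first-run cache fill; a host allowlist would miss it. In a real engagement the sample text would be replaced by an export from the intercepting proxy.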

Findings Summary

Our examination revealed 28 items in total: 11 DAR (data at rest) items and 17 DIT (data in transit) items. Among the DAR items we found 0 worst, 9 bad, 2 good and 0 best items. Among the DIT items we found 0 worst, 0 bad, 16 good and 0 best items.

Below you will find 2 infographics summarizing what we described above. Each image provides information about both DAR and DIT items.


Everything presented below relates to well-known CWEs: Sensitive data leakage [CWE-200], Unsafe sensitive data storage [CWE-312] and Unsafe sensitive data transmission [CWE-319]. You can read more about them here.

Now let’s go deeper and examine each data item’s protection level.
