
My name is Ella Himani. I consider myself a malware analyst slash reverse engineer, and I'm based in Montreal, Canada. I was formerly part of the Chrome Protection team at Google Montreal, and recently I joined the Symantec Modern OS Security team. We continuously research new mobile threats, and we focus mostly on enterprise apps, but on both markets, Android and iOS. We scan apps and provide detection for unwanted malware or any misusing apps.

Today I am going to talk about analytic SDKs and session recording technology. For those of you who might not be familiar with it, session replay is a technology provided by analytic SDKs, mostly to monitor user interaction with the app. It can contain any information, like touch, mouse movement, scrolling, typing on the keyboard, literally anything, any interaction. This helps developers find when and where their application crashes, or it's for marketing purposes, to see which part of their application is most popular, and this sort of stuff. But some analytic SDKs take one step further: they want to watch you as you interact with the app, and they basically take in-app screenshots or an actual recording while you are using the application.

I am going to show you one. This is the Appsee SDK, one of the popular SDKs with session recording capability. You see you can browse all the sessions that are recorded, and the sessions are all stored on the application's or third-party servers, and you can replay the session to see where and when the crash happens. This is a legit use case for an analytic SDK. But looking at another SDK, like Breakout Room (this one is a calendar or presentation scheduling app), this is a sample recording where you can see all the content, and even the user profile picture and everything, and on the right side you see a lot of user-specific information.

OK, so in other words, we can say they are looking over your shoulder and watching you as you interact with the app, and the extent of data that is being recorded far exceeds user expectations. When you type in a form, even before submitting that form, or when you are editing a photo, a private photo, in your application, I mean everything can be recorded and monitored. And everything is done without any user indication, because these SDKs don't need any specific permission, so users most of the time have no idea that they are being recorded.

Security concerns and incidents associated with these SDKs are not something new. We had a couple of incidents: Mixpanel in 2017, the Appsee and TestFairy SDKs in 2018, and the most recent one, the Glassbox SDK in 2019, where a lot of PII information like postal codes and credit card numbers was leaked. And with the Glassbox SDK, a lot of big and popular apps were using Glassbox: Air Canada, Hotels.com, Singapore Airlines and Expedia.

So with the Air Canada incident, the problem was this: these SDKs provide basic APIs to hide or mask certain fields, sensitive fields. Air Canada was using Glassbox, and the developers were aware of such APIs to mask certain fields, and you see on the left side they were masking credit card numbers or address information. But in another view they failed to mask those fields, and they were recorded as plain text, in the second screenshot, in another view. And it's the same case for the password field: in the left screenshot they mask the password, and that's the login page, but on the right side, the screenshots that are for the initial login attempt, or when you create an account, they fail to mask the password field, and it is included in the screenshots. And Air Canada is one of the applications that collects a lot of PII information, passport number, date of birth, I mean, and credit card numbers. And it's not easy to test an app for this sort of stuff, because you have to test all views and all fields to make sure you capture all the interactions and nothing is missed, so it's not an easy job.

Another problem with these SDKs is that they let you identify sessions by collecting and associating some user-specific information, like the actual name that the user used inside the app, or address, postal code, or UUID, or any device information, for user attribution. These pictures are again from the Breakout Room SDK, and shockingly they put the user profile picture inside the session, and we saw other information like email address, name, real address, etc. As I said, they can also use an unreadable unique ID or device IDs as well, like IMEI, IMSI, and despite all the recommendations that tell us to use randomly generated IDs per installation, we see a lot of apps still using IMEI and IMSI or phone number, and the numbers are high.

OK, there are different methods to take in-app screenshots or make a video recording. In iOS 9 and later we have ReplayKit, which you can use to just stream video from the screen, but it requires user consent, so this is not something that SDKs use. The other option is using the UIGraphicsBeginImageContext API to capture the content of the topmost UIWindow, the top one, and store that as a UIImage. In this case all the popovers and alerts will also be included in the screenshot. The second one is basically similar, but capturing all the UIView content inside a UIImage. Another technique is leveraging a JavaScript bridge to manipulate or capture everything inside the DOM, the UIWebView DOM, and then make an actual recording. The only caveat here is that you need to have all the static information that you stored in the third-party SDK, then mix it with what you capture from the DOM and make it a pixel-perfect recording. This doesn't need any user permission or consent, and it's platform independent, and that's the popular technique used by analytic SDKs.

So, OK, all right, we talked about SDKs, but how do we detect them, and how do we identify SDKs inside the app, or more importantly, how can we identify misusing apps? It's not easy to decompose an application into SDKs. You can look for static information, like the Android manifest or Info.plist or class dump, and check them against predefined signatures for popular SDKs. Or you can look into dynamic analysis: if you have dynamic analysis, you can look at the trace dump file to see all the calls to the analytic SDK APIs. And a better way, or maybe a more automated way, is to use classification and classify apps based on their method calls and their frequency. We expect API calls with higher frequency to be part of an SDK, and then you can try to extract the SDK name from the package.

We looked into five analytic SDKs, and Appsee is one of them. With Appsee you have server-side settings, and you can exclude user input or certain fields or certain views from the session recording, or nothing basically, and capture everything. On the developer side you have the mark-as-sensitive API, or you can use resume and pause right before and after entering a sensitive view. We checked our database to see if the applications are using these APIs or not, and with the static detection we found around 24,000 apps that are using Appsee, and our trace dump shows that around 3,500 apps actually started recording during the dynamic analysis, and less than half of them used the mark-as-sensitive API, and only 200 used pause and resume. So what about the remaining apps? Here's the list of applications that started recording and never called the hide sensitive view API. We see big applications like CheapOair, an Adobe photo editing app, or go shopping, babies Corinth, and etc.

TestFairy is another SDK. Something interesting about TestFairy is that it provides a separate API to set the user ID. It lets the developer identify sessions; basically you can pass or set attributes like age, phone number, and again you see an example here. But if you check the documentation, it says this API should only be used on a private cloud or an on-premise solution, but we found 25 applications that were using this API, and it wasn't a private cloud. And again it has the hide view API. In the static detection, 25,000 apps are using TestFairy; 3,000 apps started recording during dynamic analysis, and only eight of them used the hide view API. And the set user ID, as I said, 25 apps are setting the user ID, and I will give you an example of that application very soon.

So these are applications that started recording and didn't hide sensitive views. We see this, I'm not sure if I'm pronouncing this application correctly, uh, a dating app with more than 100 million downloads, and another dating app. For whatever reason TestFairy was very popular in dating apps, I don't know. And we have our popular enterprise app Slack here, and a money transfer app, and also a betting app, if you are a fan; it's just one of them.

And here's an example of an app that uses set user ID, and we looked deeper to see what it passes as user ID, if it's a random ID or something identifiable. Looking at the manifest file, you see it has the GET_ACCOUNTS permission, and it also calls AccountManager, which means it can grab the actual Google ID from the device, and it also collects other information like SIM card information and network information, and basically passes everything.

Glassbox, I talked about it in the Air Canada case. The number of apps using Glassbox was lower: we had 583 apps in our static detection, and the dynamic detection count was 73 apps, and only six of them used the set screen as sensitive or set views as sensitive APIs. Example apps, I already mentioned them.

UXCam is another example. UXCam is doing slightly better in terms of documentation; they have different APIs for hiding sensitive views or fields or screens, they have separate APIs. And again, 3,000 or 4,000 applications, and among 2,000 applications in dynamic analysis only 217 were using one of these APIs. And here's an example of bad apps that started recording, and you see the Leafly application; it's a marijuana application to find nearby cannabis, and this might have some medical or, I don't know, preferences, user preferences in it.

All right, so here's the overview of applications in each category, per SDK, and you see TestFairy and Appsee have the highest numbers, followed by UXCam, and on the right side we have the platform distribution, and as you can see iOS is dominant.

So yeah, I just want to wrap up my presentation. Analytic SDKs, or session replay technology, are not something that is likely to go away very soon. Developers and companies rely on this data for marketing purposes, and it's important for them to know what happens inside their application, etc. But the fact that they don't publicize such behavior just shows that they know how creepy it is. And so after the Air Canada incident, Apple forced all the developers to either remove this session replay or session recording behavior, or update their privacy page and let the user know. But on Android they don't have to, and also users again don't have a clear idea of the extent of data that can be captured with these SDKs. Yeah, I can stop here, and if there are any questions or comments, feel free to ask.

Yeah, also for Android it's pretty similar to iOS. There's a thing, again, kit, I don't remember the name, but for that you need the user consent. But for the other technique that I mentioned, UIWebView and using JavaScript, you don't need basically any permission. It's very similar to iOS.

Like I said, after the Air Canada incident it was big news, and the only thing that happened after that was Apple asking developers to exclude such behavior or just publicize it, I mean just to mention that they are recording. But I'm not aware of any legal or any law change regarding these recordings, and it's again the developers' responsibility, because SDKs just provide you some APIs and ask developers to hide fields. But even with those APIs, like the demo that I showed a few minutes ago, it can capture other content, like the actual text that's inside or the photo that you are editing. They can't mask the photo, because that's still the whole point of recording. Yes?

Oh, some of these things, like I think UXCam was one of them, they are hiding just password fields by default, but that's all they do. They basically don't care; they just want their customers, the developers, and they want to make them happy, and app developers want to see everything, right? Well, that's kind of the reason. Yes, sir?

So I'm not supposed to kind of advertise for my company, but that's what we do at Symantec. We have SEP Mobile, that's the icon here, that's the SEP Mobile app. So most of these techniques that I mentioned here, we basically follow them all through our static and dynamic detection, for SDK identification and also for misusing apps. We have a combination of static and dynamic detection to find misusing apps. But I mean, it's not easy; again, you have to look at both the static and dynamic analysis, and again, even with dynamic analysis, if you see an application that is using hide view, it doesn't mean that they are hiding everything. It's just, you know, they are using these APIs, but it's not enough to say this is a 100% perfect app.

Yes, everything from app stores, both Android and iOS. Yeah. Yes, I'm not sure if you're talking about the detection companies, like...

Well, again, they give you some APIs and the documentation, but that's the thing: most of the time developers don't follow the documentation; they find the easiest way and they just use Stack Overflow mostly. And so I mean, I believe SDKs can do better in terms of providing any parts or forcing them. One thing I forgot to mention: a lot of the Crashlytics data and analysis data we checked, they send them to analytic SDKs over HTTP, and that wasn't in the focus of this talk, but Crashlytics logs can contain a lot of PII information or enterprise information, can leak a lot of stuff. But again nobody is forcing them to use HTTP, for example; that's something that you can actually enforce, but I don't know why. Maybe that's why we are in business and making money.

Yes, oh, good question. I would say SDKs, because you can't rely on developers. I mean, you can't rely on that, on their purpose, but for security purposes, I mean, because that's their business, when something like that happens, developers were not affected; it's the company that crashes. So I would say maybe both, but mostly SDKs. Any other question?

Yes, yeah, good question. Again, for snapshots they can store them inside the app, so you can just go browse the recorded snapshots, but the end goal is to send them somewhere, for another purpose and mining. So they send it either to the SDK company, like the Glassbox server, or their custom servers for mining, but at the end they will send everything to third parties. Yeah.

There's, oh, the idea is basically similar in web and in-app, but basically I would say they're just identical. They're sending the same amount of data, but the only difference is for a web application you might have more user-specific information, but apps are different because inside the app you are dealing with private data, like I said, you can edit your photo. Well, I mean, you can do the same thing in a web browser, but the browser, I mean, might collect less private information or be less risky, but basically yes.

So static analysis: if you are using an SDK, you have to define it in the Android manifest file as a service, or you will see the package because you include that package inside your app, so you see it in the class dump. Just by looking into the class dump you see the package name, and then you can look into the APIs, and again based on some signatures that you have you can use it. But again you just have to have predefined signatures of common or popular SDKs, but if you want to detect any SDK, that's, I mean, hard and tricky; that's where you can use classification on method calls, and that's against, that if you can just grab the class dump information, or you can use the trace dump if you want to have dynamic information, just to make sure, because static information will tell you that the app has the possibility or capability, but it doesn't necessarily tell you that it is actually recording. That's why we look at both the static and dynamic, to see if they start recording, and our dynamic analysis by default is two minutes, so inside two minutes we see that they started recording.

Yes, yeah, it's either the company's web server, the company's server, you say send it to me, because I mean they're sending, you can specify where you want to send data, or it's the SDK company's server; you can send everything to Glassbox or Appsee, as you saw in the demo I showed you, you have both options. Yeah, yeah, you can also look at the network traffic to see if you see any connections to any of these, if you have a list of known domains of these SDKs. Yeah, Appsee, right. The only thing is you have to make sure that they send data in that two minutes, or during your dynamic analysis. That's why. All right, yes, that's it. Thank you.
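The detection approach the speaker describes in the talk and in the Q&A (match the class dump or package list against predefined SDK signatures, read the trace dump of API calls from dynamic analysis to see whether recording actually started and whether any mask/hide API was ever called, and check network traffic against a list of known SDK domains) as an added example. This is not code from the talk or from Symantec; it is a toy Python triage routine written for this page. The SDK names, class prefixes, API names, domains and log lines are all constructed for illustration and are not the real SDKs' identifiers.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Constructed signature table (hypothetical identifiers, not real SDK APIs).
# prefixes: class/package prefixes expected in a class dump.
# start_apis: calls that mean a session recording began.
# mask_apis: calls that hide sensitive views or pause the recording.
# identity_apis: calls that attach a developer-chosen user identifier.
# domains: known collector hosts for this SDK.
SDK_SIGNATURES: Dict[str, dict] = {
    "ReplaySdkA": {
        "prefixes": ("com.example.replaya.",),
        "start_apis": {"com.example.replaya.Session.start"},
        "mask_apis": {"com.example.replaya.Session.markViewAsSensitive",
                      "com.example.replaya.Session.pause"},
        "identity_apis": {"com.example.replaya.Session.setUserId"},
        "domains": {"collect.replaya.example"},
    },
    "ReplaySdkB": {
        "prefixes": ("com.example.replayb.",),
        "start_apis": {"com.example.replayb.Recorder.begin"},
        "mask_apis": {"com.example.replayb.Recorder.hideView"},
        "identity_apis": set(),
        "domains": {"ingest.replayb.example"},
    },
}

# Constructed line formats for the trace dump and the network log.
CALL_RE = re.compile(r"^CALL\s+(?P<method>[\w.$]+)\(")
NET_RE = re.compile(r"^NET\s+(?P<scheme>https?)://(?P<host>[^/:\s]+)")


@dataclass
class Finding:
    sdk: str
    static_hit: bool = False
    recording_started: bool = False
    masking_used: bool = False
    identity_calls: List[str] = field(default_factory=list)
    contacted_hosts: List[str] = field(default_factory=list)
    plaintext_hosts: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if not self.static_hit:
            return "absent"
        if not self.recording_started:
            # Static hit only: the app has the capability, but within the
            # dynamic-analysis window it never started a recording.
            return "present-but-idle"
        if self.identity_calls or self.plaintext_hosts:
            return "recording-with-identity-or-plaintext"
        if not self.masking_used:
            return "recording-without-masking"
        return "recording-with-masking"


def identify_sdks_static(class_names: Iterable[str]) -> Set[str]:
    """Static step: which SDK prefixes appear in the class dump."""
    hits: Set[str] = set()
    for cls in class_names:
        for sdk, sig in SDK_SIGNATURES.items():
            if cls.startswith(sig["prefixes"]):
                hits.add(sdk)
    return hits


def triage(class_names: Iterable[str], trace_lines: Iterable[str],
           net_lines: Iterable[str]) -> Dict[str, Finding]:
    """Combine static signatures, trace-dump calls and network hosts."""
    findings = {sdk: Finding(sdk) for sdk in SDK_SIGNATURES}
    for sdk in identify_sdks_static(class_names):
        findings[sdk].static_hit = True
    for line in trace_lines:
        m = CALL_RE.match(line.strip())
        if not m:
            continue
        method = m.group("method")
        for sdk, sig in SDK_SIGNATURES.items():
            f = findings[sdk]
            if method in sig["start_apis"]:
                f.recording_started = True
            elif method in sig["mask_apis"]:
                f.masking_used = True
            elif method in sig["identity_apis"]:
                f.identity_calls.append(method)
    for line in net_lines:
        m = NET_RE.match(line.strip())
        if not m:
            continue
        host, scheme = m.group("host"), m.group("scheme")
        for sdk, sig in SDK_SIGNATURES.items():
            if host in sig["domains"]:
                findings[sdk].contacted_hosts.append(host)
                if scheme == "http":
                    findings[sdk].plaintext_hosts.append(host)
    return findings


# Constructed sample input: one app bundling both hypothetical SDKs.
CLASS_DUMP = ["com.example.app.MainActivity", "com.example.replaya.Session",
              "com.example.replaya.Uploader", "com.example.replayb.Recorder"]
TRACE = ["CALL com.example.app.MainActivity.onCreate()",
         "CALL com.example.replaya.Session.start()",
         'CALL com.example.replaya.Session.setUserId("user@example.com")',
         "CALL com.example.app.LoginActivity.onResume()"]
NET = ["NET http://collect.replaya.example/v1/session",
       "NET https://api.example.app/login"]


def demo() -> Dict[str, str]:
    return {sdk: f.verdict for sdk, f in triage(CLASS_DUMP, TRACE, NET).items()}


if __name__ == "__main__":
    for sdk, verdict in demo().items():
        print(f"{sdk}: {verdict}")
```

The split between `present-but-idle` and the `recording-*` verdicts is the caveat from the Q&A: a static hit proves only capability, and a two-minute dynamic run can miss a recording that starts later, so the absence of a start call or collector traffic is not evidence of a clean app. Likewise `recording-with-masking` only means some masking API was called, not that every sensitive view was covered.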