How data leaks from spyware applications

    The huge amount of software that collects everything its developers can get their hands on creates a real problem (among other ethical and legal problems): the safety of the collected data. Very often the data simply lies in the clear, because the developers of spyware applications are so absorbed in collecting it that they have no time to think about storing it safely.

    For example, the TeenSafe application, designed to track children’s iPhones, stored Apple ID email addresses and plaintext passwords in a publicly accessible Amazon cloud. TeenSafe used two AWS cloud servers (Amazon S3) to store a database of parent and child email addresses (addresses associated with the Apple ID of the device on which the application is installed), device names and identifiers, and plaintext passwords for the child's Apple ID account. There were 10,200 entries in the database. The most delicate part is that TeenSafe requires two-factor authentication to be disabled for the Apple ID of the device on which the application will be used.

    And Spyfone, which sells apps for spying on iOS and Android phones, left terabytes of data, including SMS, audio recordings of calls, contacts, and Facebook text messages, openly accessible on a misconfigured Amazon S3 (AWS) server. At the time of discovery, the database held 3,666 monitored phones and 2,208 customers. In addition, Spyfone left one of its API functions unprotected, allowing anyone to view a list of customers.

    A separate problem is the security of the servers where data from such applications is stored. For example, an unknown hacker broke into a server of the company TheTruthSpy, which also makes iOS and Android applications for spying on smartphone owners. He was able to gain access to logins, passwords, photos, audio calls, SMS, geolocation data, chats and other data intercepted on phones with TheTruthSpy software installed. In total, more than 10 thousand customer accounts were affected. The author of the hack claims that he was able to break into TheTruthSpy after examining the code of the Android application, which revealed some vulnerabilities. In particular, the TheTruthSpy server returned the account's login and password in cleartext in response to a request containing the client ID.

    Another hacker was able to access the Family Orbit server hosted at Rackspace and download 281 gigabytes of photos and video collected by the spyware. Family Orbit is another application designed to monitor children's smartphones. As with TheTruthSpy, a flaw was discovered in the Family Orbit application that made it possible to gain access to the server without much difficulty: the access key to the cloud server was hard-coded in the application itself, albeit in encrypted form.

    Well, the crowning story is the case of a former employee of the Israeli company NSO Group, which produces tools for extracting data from smartphones, who tried to sell stolen company code on the black market for $50 million. Here I, as an employee of a company that makes DLP systems, ought to shout “Use DLP systems”, but no. Nothing will help here at all. Just remember, when you trust some application with sensitive information, especially about children, that it may store it practically “on the balcony”.
