I reinstalled the 360 security app on my phone to check the network connections it used & found via the Network Connections app that it did indeed use an insecure HTTP connection to exchange data with IP address 52.85.77.42 which is assigned to Amazon network (https://www.whois.com/whois/52.85.77.42). Attached is a screenshot from the network connections app showing this connection.

From the 360 security app privacy policy page (http://www.360securityapps.com/m/en-us/about/privacy) it can be seen that it uploads sensitive information about installed programs to a cloud security center. So, I am guessing that the above IP address corresponds to an Amazon cloud storage server. So, there is still a security hole in this App, where it may be transmitting sensitive system information via an unencrypted HTTP connection.

Thanks.

----- Reply message -----
From: "Daniel Wood" <daniel.wood@xxxxxxxxx>
To: <seclists@xxxxxxxx>
Cc: <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] 360 security android app snoops data to China Unicom network via insecure HTTP
Date: Sun, Apr 30, 2017 6:26 AM

Can't you just run the app in an Android emulator and shark it?

Sent from my iPhone

> On Apr 30, 2017, at 06:02, seclists@xxxxxxxx wrote:
>
> I have a further update on the issue. After uninstalling the 360 security
> android app, I found after repeated checks of Network Info on my phone via
> the Ping & DNS app that even then the HTTP connection to IP address
> 123.125.114.8 still frequently showed up. So, I monitored the network
> connections on my phone via the Network Connections app
> (https://play.google.com/store/apps/details?id=com.antispycell.connmonitor)
> and found that this time the HTTP connection to IP address 123.125.114.8 was
> being established by the ES File Explorer app
> (https://play.google.com/store/apps/details?id=com.estrongs.android.pop).
> So, it is possible that the insecure HTTP connection to the above IP address
> that I observed when both the 360 security and ES File Explorer app were
> installed on my phone was in fact because of the ES File Explorer app or the
> other possibility is that both the apps have the same problem. I haven't had
> a chance to re-install the 360 security app without the ES File Explorer to
> check that and I don't intend to re-install the 360 security app on my phone,
> since it anyways used to raise the temperature on my phone suspiciously. So,
> I will report this as an issue for the ES File Explorer app in a separate
> email.
>
> Thanks.
> Hi,
>
> I found the following review posted about the 360 security android app:
>
> https://play.google.com/store/apps/details?id=com.qihoo.security&reviewId=Z3A6QU9xcFRPSG1HSTRaSVdNelVWY3FhZk5zcFlFMnZKeXRKRHhhQUE4VU9pLWV4UFBxeHJ3Xy1ZZWU2bEpOLTg0eGxzczFCV0lkaWxxTHRzZTQ4RWxzU2c
>
> "Snoops data to China Unicom via insecure HTTP link! Found while checking
> Network info on my device with this app installed that it had established an
> insecure HTTP connection to an IP address (123.125.114.8) on Chinese state
> owned China Unicom network (China Unicom owns a stake in app developer via
> Qihoo 360). Also, when installed, found my phone temperature rising
> frequently indicating covert data transfer from my phone. I've now
> uninstalled this Chinese spying app & advise the same to anyone using the
> app. Resp to comment: updated above info with IP addr.
> 360 Mobile Security Limited April 26, 2017 Hi, sorry for the inconvenience.
> It will be helpful for us to solve the problem, if you can give us more
> information and details. Attaching some screenshots would be helpful. Please
> contact us by email: jenny@xxxxxxxxxxxxx. Many
> thanks."
>
> I observed the same behavior when I had this app installed on my smartphone.
> I checked the Network Info on my phone when this app was installed, using the
> Ping & DNS app
> (https://play.google.com/store/apps/details?id=com.ulfdittmer.android.ping)
> and found the insecure HTTP connection to the above IP address. After I
> uninstalled the app, the HTTP connection to the above IP address was gone, as
> well. On checking the WHOIS info (https://www.whois.com/whois/123.125.114.8)
> for this IP address it can be seen that it is indeed on the Chinese
> state-owned China Unicom network. I had App usage tracking permission on
> Android enabled for this app, to facilitate phone temperature reduction, when
> I observed the above.
>
> Can other security researchers please check and comment on this security hole?
>
> Thanks.
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

Attachment:
Screenshot_20170430-122646.png
Description: PNG image