THREAD: I'm looking at a Huawei P20 from China, let's see what I can find
The 1st app I reversed is an app called Decision
Look at the names of the files contained in the assets folder:
- airport_china.txt
- city_china.txt
- cityinfo.db
- parkinglot_china.txt
- railwayinfo.db
- trainInfo.db
- trainstation.db

Interesting, no?
For example, the trainstation database contains:
- address
- name
- latitude
- longitude
- city
In the manifest of this application, there is a GeoReceiver
This receiver is receiving a UUID and will look up a known fence id
I'm a stupid security researcher. For the moment, the keywords are: train, airport, city, geo fence... Do you see where we are going?
In the data folder, there is a file called CalcMain. Here are some of the methods of this class:
- callGetBusTime
- callGetTaxiTime
- isTrafficBusy
- callGetHomeCity
- callHasHotelTicket
- callGetAirportMultiPoi
- callHasGroupBuyingTicket
- ...
Nice data types haha
To be clear, this app is composed of 3 background services and 2 services. There is NO UI in this app.
Please be nice "DO NOT KILL ME >_<"
This is the kind of function that I love to find
This app doesn't seem to send the data BUT it communicates with another service called HiActionService, which comes from a Huawei app called HiAction
The previous screenshot is from the class called ActionCommonUtil. We can easily see that Decision is sending all its events to this service through the methods in this class.
I will study the app HiAction another time but what you have to know is that this app is sending the data to hicloud[.]com, "the Huawei Cloud"
In order to be more discreet, the OEM dispatches the responsibilities to multiple apps. In this case:
1. An app or the modified Android is getting your location regularly. It will trigger a GEO_ALARM_TRIGGERED to the Decision app
2. Decision app is getting this location and checks it with its internal databases. If there is a match, it will generate an event
3. Decision will send this event to HiAction
4. HiAction will upload the data to the Huawei cloud
Ugly, no?
Ofc, this is the big picture, I need more time to get all the details.
I started this thread 2 hours ago. Decision app was the first app I checked. I still have a lot of Huawei apps to check
Ofc, I will continue this thread later 😏
If it was not clear enough: DO NOT buy @Huawei phones. NEVER.
*say
Wow my English is really broken when I’m tired
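
A defender-side triage of the first observation in the thread, as an added example that is not part of the original thread: it opens an APK as a zip archive, finds SQLite files under assets/, and reports the tables that carry coordinate columns. The sample APK, the table names `station` and `meta`, and the helper names are constructed for illustration; the column names are the ones the thread lists for the trainstation database.

```python
import io, os, sqlite3, tempfile, zipfile

GEO_HINTS = {"latitude", "longitude", "lat", "lng", "lon"}
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite file

def geo_tables(db_bytes):
    """Return {table: [columns]} for tables that have a coordinate column."""
    with tempfile.NamedTemporaryFile(suffix=".db", delete=False) as tmp:
        tmp.write(db_bytes)
    con = sqlite3.connect(tmp.name)
    try:
        found = {}
        tables = con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall()
        for (table,) in tables:
            cols = [row[1] for row in con.execute(f'PRAGMA table_info("{table}")')]
            if GEO_HINTS & {c.lower() for c in cols}:
                found[table] = cols
        return found
    finally:
        con.close()
        os.unlink(tmp.name)

def triage_apk(apk):
    """apk: path or file-like object. Map each assets/*.db to its geo tables."""
    report = {}
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith("assets/") and name.endswith(".db"):
                data = z.read(name)
                if data.startswith(SQLITE_MAGIC):  # skip files that only look like DBs
                    report[name] = geo_tables(data)
    return report

def build_sample_apk():
    """Constructed sample: a tiny zip shaped like an APK with one bundled database."""
    path = os.path.join(tempfile.mkdtemp(), "trainstation.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE station (name TEXT, address TEXT, latitude REAL, longitude REAL, city TEXT)")
    con.execute("CREATE TABLE meta (version INTEGER)")  # no coordinates: must not be reported
    con.commit()
    con.close()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.write(path, "assets/trainstation.db")
        z.writestr("assets/city_china.txt", "constructed placeholder\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```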

Thread by Baptiste Robert
