I spent an hour last night analyzing the #IowaCaucasDisaster app that VICE reported on. There's nothing outwardly terrible from a privacy and security standpoint at first glance, but it may be worth digging more. Thread. 1/
vice.com/en_us/article/…
The app is seemingly clean from malware and tracker SDKs, although there is some Google and Facebook code when I disassemble the classes.dex file. Exodus Scan output below (I had to use the CLI because the app is not in Google Play). 2/
Here's the output from VirusTotal, which also includes the app permissions from the Android manifest. Did they actually use the camera and fingerprint reader? 3/ virustotal.com/gui/file/70fa1…
There are indicators that the app was rushed or made by non-experts, but I'll defer to hardcore Android app devs for their opinion. There are "example.com" snippets in the code, really simple logic, etc., and the app has a bunch of seemingly non-functional hooks. 4/
Through semi-casual grepping, I can't find evidence of security vulns. No passwords, keys, or default/admin usernames in the code that I can find. Much of that extra code, which seems to be superfluous, is Big Tech cloud-linked, which of course increases the attack surface. 5/
As others have said already, this may be basic, "coding bootcamp" quality stuff. They are using React Native (and Android Studio?) and are likely pulling in transitive dependencies from all over the Web that they have no clue about, right before the APK build process. 6/
When I disassemble the classes.dex file manually (i.e. without Exodus), I do find some Google, Facebook, and Adobe SDKs, as well as a ton of other SDKs. There are a lot of parents for this baby app, which is a minimal client that launches the phone's Web browser (more later). 7/
The error tracking service for the app is @getsentry. That means they likely know WTF happened in Iowa, along with, perhaps, other cloud companies that the app pings.

Is this a hardcoded API key/ID? 8/ https://9794bb51044e4aa298d7ce3332dbcea8@sentry.io/179249
@getsentry Here are the screenshots from the app on an Android phone that doesn't have GCM or FCM on it. It installed fine, though it has a default Android Studio icon. It asks for Precinct ID, but will accept any string, and then launches the phone's default Web browser. 9/
@getsentry If you provide an incorrect Precinct ID, you're redirected to an "Oops!" page (the same one @matthew_d_green saw in the @motherboard article) at idp-caucus-2020.auth0.com. You then have to re-launch the app to try again, even if you have now entered a correct Precinct ID. 10/
@getsentry @matthew_d_green @motherboard With a correct Precinct ID (the first time you launch the app), you get this at idp-caucus-2020.auth0.com (with a one-time token string following the URL). I don't have a username/password so I couldn't get any further (and it violated the CFAA maybe?). 11/
@getsentry @matthew_d_green @motherboard @auth0 is obviously the authentication service, hosted on Amazon AWS.

Not sure what this server does yet, but it's on the Google cloud (IDP is Iowa Democratic Party): idp-api.americanappservices.com

This is a Google server with hooks in the app as well:
clients3.google.com 12/
@getsentry @matthew_d_green @motherboard @auth0 Here are the graphs from the DNS dumpster reports. As a warning, these include many locations not used by the app (and just the top-level DNS records). More network and dynamic analysis is needed, but it's not worth it without a user/pass to play with (and IDP permission?). 13/
@getsentry @matthew_d_green @motherboard @auth0 There may be data leaks outside of the U.S. and other interesting stuff, but it will take more detailed analysis. So far, nothing glaringly non-private or insecure beyond the typical usage of Big Tech services (still a concern!). All outbound connections use SSL/TLS as well. 14/
@getsentry @matthew_d_green @motherboard @auth0 First-glance Conclusions: It could very well be a nepotism / "procurement" problem, as @superwuster alluded. What I've seen in the app is not at all uncommon, but also not great if it truly was audited by security/privacy experts. Huge attack surface, Big Tech cloud services. 15/
@getsentry @matthew_d_green @motherboard @auth0 @superwuster ...as well as other cloud players who are third-parties keeping the app running. An app like this needs trusted infrastructure run internally on a closed network by an expert staff, which the DNC can afford. Simple DDoS could very well have pwned the #IowaCaucas. 16/
@getsentry @matthew_d_green @motherboard @auth0 @superwuster Beyond that, the UI/UX needs work. Why have an app if all it does is launch a Web browser? Especially if it provides no info for the user (read: Precinct ID lookup by location, or at least a city/town dropdown)? 17/
@getsentry @matthew_d_green @motherboard @auth0 @superwuster I can't rule out sabotage, either within the DNC (we have tangible evidence of candidate bias via technology in the 2016 leaks) or from some other network actor. Is the 2020 Iowa Report dev team the same as the Iowa Report/Aurora app of 2016? They seem to have moved on. 18/
@getsentry @matthew_d_green @motherboard @auth0 @superwuster However, new hires happen often, and we do know @ShadowIncHQ also has close ties to the Hillary campaign(s). The rollout in 2016 seems to have been more limited, and also successful (anyone still have a copy of that app for me to analyze?). End thread. 19/ wikileaks.org/podesta-emails…
@getsentry @matthew_d_green @motherboard *violates the CFAA (typo). I would never attempt to access a system unauthorized, of course. Though the "unauthorized access" CFAA bar has been lowered recently in the case against @wikileaks Assange.
@getsentry @matthew_d_green @motherboard @auth0 @superwuster @ShadowIncHQ update: it's pwnable! aahhhhhhhh

...but seriously, most apps are, esp. under this kind of spotlight. not an excuse and doubly-disturbing given the fact that it supposedly had an independent security audit (or two?) #IowaCaucasDisaster
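The thread above describes a manual triage of a decoded APK: reading the declared permissions out of the manifest, and grepping the disassembled code for placeholder hosts and hardcoded keys (the Sentry DSN in tweet 8 is the kind of string that turns up). The script below is an added example of how a reviewer can automate that first pass; it is not the thread author's code and was not run against the real app. It operates on a constructed in-memory file tree standing in for apktool output, the Sentry DSN and other values in the sample are made up, and the regexes are heuristics for common credential shapes, not an exhaustive secret scanner.

```python
"""Triage helper for a decoded APK tree (e.g. apktool output).

Reports the permissions declared in AndroidManifest.xml and flags strings that
deserve a second look: Sentry DSNs, leftover placeholder hosts, and a couple of
well-known credential shapes. The file tree used here is constructed for the
example and is not the real caucus app.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a reviewer would want justified for a thin "launch the browser" client.
SENSITIVE_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.USE_FINGERPRINT",
    "android.permission.USE_BIOMETRIC",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
}

PATTERNS = {
    # Sentry DSN layout: https://<32-hex public key>@<host>/<project id>
    "sentry_dsn": re.compile(r"https://[0-9a-f]{32}@[\w.-]*sentry\.io/\d+"),
    # Template/sample endpoints that never got replaced
    "placeholder_host": re.compile(r"https?://(?:[\w-]+\.)*example\.com[^\s\"']*"),
    # Google API key shape: "AIza" followed by 35 URL-safe characters
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    # AWS access key ID shape: "AKIA" followed by 16 upper-case alphanumerics
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def declared_permissions(manifest_xml):
    """Return the sorted list of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return sorted(
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    )


def scan_strings(path, text):
    """Return (path, pattern label, matched string) for every heuristic hit."""
    hits = []
    for label, regex in PATTERNS.items():
        for match in regex.finditer(text):
            hits.append((path, label, match.group(0)))
    return hits


def triage(tree):
    """Run both checks over a {relative path: file text} mapping."""
    manifest = tree.get("AndroidManifest.xml")
    perms = declared_permissions(manifest) if manifest else []
    findings = []
    for path, text in tree.items():
        if path == "AndroidManifest.xml":
            continue
        findings.extend(scan_strings(path, text))
    return {
        "permissions": perms,
        "sensitive_permissions": sorted(p for p in perms if p in SENSITIVE_PERMISSIONS),
        "findings": findings,
    }


# Constructed sample tree: the package name, DSN key and project id are placeholders.
SAMPLE_TREE = {
    "AndroidManifest.xml": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.caucusclient">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.USE_FINGERPRINT"/>
  <application android:label="Caucus Client"/>
</manifest>""",
    "smali/com/example/caucusclient/MainApplication.smali": (
        'const-string v0, "https://0123456789abcdef0123456789abcdef@sentry.io/100000"\n'
    ),
    "assets/index.android.bundle": (
        'var PRECINCT_API = "https://api.example.com/v1/precinct";\n'
        'var LOGIN = "https://idp-caucus-2020.auth0.com/";\n'
    ),
}


if __name__ == "__main__":
    report = triage(SAMPLE_TREE)
    print("declared permissions:", report["permissions"])
    print("needs justification:", report["sensitive_permissions"])
    for path, label, value in report["findings"]:
        print(f"{label:18} {path}: {value}")
```

Two reading notes for the output: a Sentry DSN carries a public key that is designed to be embedded in clients, so finding one is not a credential leak by itself, but it does tell you which third party receives the app's crash reports and stack traces. And a permission in the manifest only proves it was requested; whether the camera or fingerprint reader is actually used, as the thread asks, still has to be checked by looking for the call sites in the decompiled code.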