1/ So previously I shown that the old version of the iWatch Dallas was sending the location of the users every minute without their consent.
I deleted my tweets to avoid confusion because it was not the latest version BUT the story it's not finished. Time for a bit of #OSINT
I deleted my tweets to avoid confusion because it was not the latest version BUT the story it's not finished. Time for a bit of #OSINT
2/ The package name of the old version I analysed is "com.ithinqware.iWatchDallas". The APK has been signed by "Daniel Elliott" at iThinQware. 
3/ If you look at the APK on apkpure you can see that the developer name is "Closewatch Technologies"
5/ If you look at their website on archive.org, you can see that closewatch.tips was redirecting to zeteky.com.
Zeteky is the developer of the latest version of the iWatch Dallas app
Zeteky is the developer of the latest version of the iWatch Dallas app
6/ On Crunchbase, the website of Zeteky is... closewatch.tips
Are Closewatch Technologies and Zeteky two different companies?
Are Closewatch Technologies and Zeteky two different companies?
7/ The 2 companies are located at the same address
8/ The 4 employees of CloseWatch Technologies listed on Linkedin are working at... Zeteky
9/ Bill is nice, be like Bill.
Zeteky Inc. was formerly CloseWatch Technologies Inc
Zeteky Inc. was formerly CloseWatch Technologies Inc
10/ In my opinion, it seems they tried to cover up the old version of the app. The old version was invasive, took the location of the user every minute without user consent.
They changed the company name, took down the app and reuploaded it with a new package name.
They changed the company name, took down the app and reuploaded it with a new package name.
11/ The endpoint of the new version of iWatch Dallas is dallas.closewatch.tips. They keep using a subdomain of their old company
12/ This is why you should always delete your comments in production
13/ Remove test data from production too
14/ As the old version, this app is also getting the user location.
Funny (or not) side not: this is the exact same endpoint schema
Funny (or not) side not: this is the exact same endpoint schema
15/ Because the push token is in the comments, a bad guy should be able to easily pollute their data with fake user location...
16/ If you receive a notification with the additionalData type equals to ping, the app is sending the user location
17/ I will do the dynamic analysis later but I can bet I will not be happy with the results
18/ To sum up:
Old version of iWatch Dallas app:
- Made by Closewatch Technologies
- Bypass Android permission model
- Take user location every minute without their consent
New version:
- Made by Zeteki formely Closewatch Technologies
- Same endpoints, infrastucture
Old version of iWatch Dallas app:
- Made by Closewatch Technologies
- Bypass Android permission model
- Take user location every minute without their consent
New version:
- Made by Zeteki formely Closewatch Technologies
- Same endpoints, infrastucture
- Take user location during the login, the logout, the device registration, when you receive an alert, when user post tip, when you receive a ping notification
19/ The iWatch Dallas app (and the company behind) is shady af
