Share this page!

Marcus Mengs Profile picture
Twitter logo
19 Oct, 7 tweets, 3 min read
#AppPrivacy #Android

If you are interested in what data Android Apps push out to AppsFlyer, it might be a good idea to utilize @fridadotre to hook the 'af*' methods of class 'com.appsflyer.AFLogger'.

The screenshot shows an example of the app 'Bild'

1/n
The screenshot contains to events, related to outbound http requests.

1) The one starting with "url:", which contains a request URI
2) The next event starting with "data:", which contains the **unecrypted** content, which is sent out ("appsflyerkey" redacted)

2/n
If you inspect the corresponding HTTPS request, the actual data is encrypted (at least it should be).

So if you have to proof the the data from "AFLogger" is contained in the request, you have to decrypt the body content

3/n
I recently tweeted on an approach doing this by hooking 'com.appsflyer.AFEvent' and other dynamically loaded classes. but the approach does not always apply (AFEvent class does not always exist).

I don't want to get into great detail on reversing the encryption ...

4/n
... but what I believe is safe to reveal is safe to reveal that

1) The redacted "appsflayerKey" from the 1st screenshot could be obtained from several hook points
2) This keys is a password and the actual key is obtained using PBKDF2
...

5/n
3) Once the key is derived (exists per app) it is used to encrypt the data with AES128-CBC.

I don't want to give more details on key derivation/encryption, to avoid legal issues. But I consider it to be a valid demand, to inspect what gets pushed out from your device.

6/n
7/7
So if you are interested in this, the information from above should give you a good starting point to get the necessary details on encryption/key derivation parameters.

Also pay attention to the following tweet (crypto classes exist in-memory only):

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Marcus Mengs

Marcus Mengs Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @mame82

Marcus Mengs Profile picture
1 Jul
Some months I reported "HTTP request smuggling" vulnerabilities to various VDPs.

All of them fixed the issue in the meantime. There was one interesting exception which taught me how careful you have to act, even with VDPs: A German company which is described like this
When I found the first issue with this company, I publicly asked on where and how to report.

It didn't take long till I got a direct contact and was directed to a private VDP on the major bounty platform. I agreed to use it (which meant NDA) because my contact was trustworthy
The report was pending for about two weeks (no managed program). During this time I started to work out related issues in other public web pages from the same company, when the initial report was closed as "not being applicable" without any explanation.
Read 11 tweets
Marcus Mengs Profile picture
17 Jun
@K_Plattform_f_R @th0rst3n @heutejournal @ClausKleber @Falafelkid Nochmal falsch. Die Genauigkeit der Entfernungsschätzung bei BLE 4.0 liegt nicht bei 10m. Die Gesammte Betriebsreichweite liegt etwa bei 10-15m. Ich denke du verwechselst Entfernungschätzung mit Positionsbestimmung.

Ich versuch dir mal zu helfen:
@K_Plattform_f_R @th0rst3n @heutejournal @ClausKleber @Falafelkid 1) Proximity (BLE 4.0)

Du möchtest nur Wissen ob ein BLE Beacon (oder anderer Advertiser, wie Smartphone) sich in der Nähe befindet. Dazu genügt es festzustellen, ob du Advertisements empfängst. Die Genauigkeit liegt dann bei 10-15m (keine Verwendung von RSSI)
@K_Plattform_f_R @th0rst3n @heutejournal @ClausKleber @Falafelkid 2) Entfernungsschätzung (BLE 4.0)

Du betrachtest nicht nur *OB* du Advetisements empfängst, sondern auch die RSSI und errechnest daraus eine Entfernungsschätzung zum Empfänger. Ungenauigkeit 1-2m (je mehr Messungen, umso besser können fehler herausgerechnet werden.
Read 11 tweets
Marcus Mengs Profile picture
11 Mar
@_MG_ @ektoplant @Korsakoff1 @campuscodi @LucaBongiorni Agreed on both. Depends on attack style.

If a user should do injection by accident and the attack should succeed before intervention (f.e. device looking like flashdrive), typing has to be fast (and will still be noticed).

1/n
@_MG_ @ektoplant @Korsakoff1 @campuscodi @LucaBongiorni If you have interactive control on injection (point in time when it should happen; speed; actual payload to type), typing speed is less a concern. Injection could be carried out when the user doesn't notice it (f.e. injection implants in legit devices).

2/n
@_MG_ @ektoplant @Korsakoff1 @campuscodi @LucaBongiorni In both variants, first infection stage (the one typed out) should require only a few characters. This is esp. true for Internet connected targets (f.e. short download cradles in stage 1).

3/n
Read 5 tweets
Marcus Mengs Profile picture
13 Dec 19
Personal challenge today:

1) Work on something I'm not good at
2) Do something calming

Solution: Do some soldering and reduce footprint of cheap USB-A plug inside by 50% to get some headroom for other things
No idea if this gets me somewhere. Maybe I should have tested the components upfront.

Doesn't matter ... it is somehow satisfying

P.S. seem I'm getting old, feel the need for a magnifying glass
Okay, I'm definitely not the right person to solder this up ... anyways, fits the housing basically.

@LucaBongiorni me pressing F1 !!
Read 15 tweets
Marcus Mengs Profile picture
11 Dec 19
As you might have noticed, I'm working on a low-cost single device Bluetooth Low Energy proxy based on @NordicTweets nRF52840.

I'll take my time for this, but wanna share some (meaningless) curiosities/spec violations I saw on some test devices (kept addresses visible) ...
@NordicTweets 1) The Logitech "R500" clicker rejects reading protected characteristic values with "Insufficient Authentication" Error (not "Insufficient Encryption")
@NordicTweets ... but reading the value after UNAUTHENTICATED pairing is fine (mode: 1, level: 2 == encryption, unauthenticated)

I assume this is true for most devices with IO capabilities "NoInputNoOutput", as it seems to be the only way to make iOS initiate pairing automatically.
Read 9 tweets
Marcus Mengs Profile picture
2 Sep 19
Back to the roots:

LOGITacker v0.1.5-beta now supports USB keystroke injection (on 10$ hardware)
Quick how to (hopefully readable)
The update was quickly hacked together, because I need it for an engagement, myself.

Of course I share with you, but please hold back with feature requests. ToDo list is full ... triggering USB injection with Logitech devices (f.e. presentation clickers) is planned (low prio)
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get email notifications when new thread is out from this Author!

Check out other threads from this Author!

Read all threads by @mame82