Share this page!

Marcus Mengs Profile picture
Twitter logo
8 Dec, 8 tweets, 3 min read
Put another day into bypassing anti debug/instrumentation measures of the "DJI Go 4" app. Reached my goal, but in contrast to published reports on the app results are very disappointing. Not much is sent outside by the app
To put it into perspective, here are the same visualizations for the Burger King app. Compared to DJI it has to be called a privacy nightmare
The BK app not only sends out your location (before the confirmation dialog in "King Finder" tab), it also combines re-settable and persistent identifiers (Android ID and Advertising ID). This allows bridging user initiated resets of the Advertising ID.
There could be several reasons, on why my results differ from earlier reports:
- the app was reworked meanwhile
- former reports used dated Android versions (newer SDK levels prevent reading privacy related device data in many cases)
Also the app requests and processes more data on the device and potentially could send it outbound (this is the case for most apps).

Here is another graph showing data accessed by the DJI app at runtime (not complete, as I have no category for Camera/Sensor/Microphone access):
Please note, that the DJI app does not even try to read the ANDROID_ID ... only the ADVERTISING_ID is requested.
In case you noticed:

One of the first screenshots for the DJI app includes web requests to a local IP. The IP corresponds to the proxy-host, which is requested by the app.

The plain HTTP request for a "getFileList" endpoint on port 8081 is a bit fishy (code source in trace)
... the actual proxy HTTP port is 8080 (known by the app, as it is requested at runtime, too)

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Marcus Mengs

Marcus Mengs Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @mame82

Marcus Mengs Profile picture
9 Dec
Sohn bekommt @kinderus Überraschungs Ei ... ihr wisst schon, das Ding wo früher mal coole Sachen drin waren ... Getriebe, Metallzahnräder richtige Schwungräder

"Spannung, Spaß, Spiel"
Wir kaufen die nur noch selten, weil Heute nur noch Plastikmüll drin ist.

Mein Sohn rennt also wie angestochen durch die Bude und sucht verzweifelt den Beipackzettel zu dem Plastikmüll.

Ich wundere mich, ist ja alles schon zusammengebaut.

Er findet ihn ...
Ich verstehe, ist ein QR Code drauf, das sagt ihm was.

Er: Papa kann ich den mit deinem Handy scannen und die App spielen (App hat er also auch gleich abgeleitet)

Ich: Vergiss es, kostenlose Apps sind alle 😈... ich beschäftige mich gerade damit.

Sohn sauer, ich gehe Rauchen
Read 13 tweets
Marcus Mengs Profile picture
7 Dec
Okay, I managed to instrument the "DJI Go 4" Android application (packed with SecNeo, ptrace-based debugger avoidance).

Here's a quick example with @fridadotre frida-trace utiliy (tracing lib.c->open calls).

Steps to reproduce in a few minutes in this thread ... stay tuned
First things first:

1) I am running the app on a arm32 device (armeabi-v7a)
2) I want to avoid repackaging the APK, thus modifications are done directly on the device, once "DJI Go 4" is installed (requires root)
3) @fridadotre is used in gadget-mode
Step 1)

The SecNeo packed APK ships with various native libs.
The most interesting one is "libDexHelper.so".

Unfortunately this ELF lib has no dynamic section, thus we need an easier target to inject the Frida agent.

Here's an excerpt of the apps '/proc/self/map' Image
Read 14 tweets
Marcus Mengs Profile picture
4 Nov
Throughout last days, I struggled instrumenting Google SafetyNet protected apps with @fridadotre (meanwhile 14.0.6), because SafetyNet's "basic integrity" check failed.

The test device runs LineageOS + Magisk.

Let me share how I approached this issue
The root issue was an outdated version of "Google Play Services", which was fixed by installing the most recent version of "Open GApps". This bumped GMS to version 20.39.15
In order to pass the SafetyNet basicIntegrity check, "MagiskHide" comes to help. It has to be applied to the Google Play Services (formerly known as Google Mobiles Services aka GMS)
Read 13 tweets
Marcus Mengs Profile picture
3 Nov
Request for help.

Recently SafetyNet checks started failing on one of my test devices.

The cause is that the request for the "attestation ID" is failing, with error status -129.
The status code -129 corresponds to a failed Binder transaction. The service backing the called Binder interface is 'KeyAttestationApplicationIdProviderService'.

The specific method is `getKeyAttestationApplicationId`.

Is anybody used such an issue where the Binder ...
... interface IPC call fails? Any guidance on how to fix or further investigate this is welcome!
Read 5 tweets
Marcus Mengs Profile picture
3 Nov
About one and a half years ago, I disclosed several security issues affecting @Logitech wireless peripherals (mainly "Unifying" brand, but others - e.g. "G-Series Lightspeed" - are affected too).

Because of recent requests, I want to briefly review the flaws

1/n
1) CVE-2019-13053 covers a an issue, which allows an attacker to inject encrypted keystrokes over the air, without knowing the actual encryption keys. The root cause is unproper protection against counter reuse for underlying AES CTR.

In order to exploit this ...

2/n
... is required to get knowledge of about 8 keypresses while sniffing encrypted wireless traffic. This step is only required once. If the victim uses a clicker - for example - an attacker could get knowledge on a pressed key sequence, by observing how the slides ...

3/n
Read 30 tweets
Marcus Mengs Profile picture
19 Oct
#AppPrivacy #Android

If you are interested in what data Android Apps push out to AppsFlyer, it might be a good idea to utilize @fridadotre to hook the 'af*' methods of class 'com.appsflyer.AFLogger'.

The screenshot shows an example of the app 'Bild'

1/n
The screenshot contains to events, related to outbound http requests.

1) The one starting with "url:", which contains a request URI
2) The next event starting with "data:", which contains the **unecrypted** content, which is sent out ("appsflyerkey" redacted)

2/n
If you inspect the corresponding HTTPS request, the actual data is encrypted (at least it should be).

So if you have to proof the the data from "AFLogger" is contained in the request, you have to decrypt the body content

3/n
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @mame82 has new unrolls!

Check out other threads from @mame82!

Read all threads by @mame82