Another Popular Android Application, Another Leak

Many popular Android apps are leaking sensitive data. We have found that another popular Google Play app, “Camera360 Ultimate,” not only enhances users’ photos but also inadvertently leaks sensitive data, which gives malicious parties unauthorized access to users’ Camera360 Cloud accounts and photos.

UPDATE 9/15/15: We worked closely with the Camera360 team to address the personal information leaks that are described in this blog. The Camera360 team responded quickly and worked diligently to address the issues. In particular, their latest release of the Camera360 app, version 7.0, no longer leaks the password hash and email address to logcat. Camera360 has informed us that they will perform a comprehensive check on all HTTP portals and apply dynamic token refresh in October 2015. For the leaks affecting users of Camera360 v6.2.3 and earlier, the code in those versions cannot be modified now, so Camera360 is encouraging its users to update to avoid any possible hidden threats.

Prior to this discovery, FireEye researchers discovered SSL vulnerabilities in the widely used Camera360 app and many other popular applications. These vulnerabilities were exploitable by Man-in-the-Middle (MITM) attacks and posed a serious threat to user privacy.

Android app developers should take increased security measures to provide their customers with a more secure mobile experience.

Summary and introduction

Camera360 is a popular photo shooting and editing application. It has millions of users worldwide. It provides a free cloud service for storage of pictures. To use the cloud feature, users create a cloud account that can also be accessed via the website www.cloud.camera360.com.

Cloud access is protected by username and password. But when the app accesses the cloud, it leaks sensitive data, in unencrypted form, to the Android system log (logcat) and to network traffic. Apps that can read logcat or capture network traffic can steal this data. A malicious party present in your WiFi network can also steal this data by using WiFi sniffing.

Leaked data can be used to download all of the user’s images, except those in the user’s "secret album." The "Secret album" option uses an additional password to secure important images. This particular Android app does not access these secret images and all images uploaded from the device to the cloud are by default non-secret.

Technical details

We analyzed the latest version of Camera360, 6.2, and previous versions: 6.1.2, 6.1.1 and 6.1. We discovered data leakage on all of these versions.

Leaked data can be used in the following ways for unauthorized access to user images:

  • Creating new login session using leaked credentials. Then, fetching keys of images from the server and using them to download images
  • Hijacking the login session, using a leaked token, to download images
  • Using the leaked image keys to download images without authentication

Also, images within captured network traffic can be easily extracted and viewed.

Further details are provided below.

Creating a login session

The Camera 360 app logs in to the server using HTTPS, which means sensitive login data cannot be easily read from network traffic. During the login process, however, the app logs sensitive data to logcat, which can be read by other apps running simultaneously on the same device.

Camera 360 logs user email addresses, password hashes and other related data. When that data is leaked, it can be used to create a separate login session. In response to a login request, the server returns a token, user id and other account information. This token and the user id can be used to fetch keys of all non-secret images from the server. Using these keys, all respective images can be downloaded.

Figure 1 shows the log message generated during our test:

Figure 1

By reverse engineering the app, we discovered its HTTPS login URL. Data from the above-mentioned log message can be used in this HTTPS request to create a login session. The URL, without test parameters, is shown in Figure 2:

Figure 2

Any app that can read logcat can steal this logged data and create its own login session. Reading logcat requires the READ_LOGS permission. That permission is accessible to all apps running on Android 4.0 and below, but since Android 4.1 (Jelly Bean) it is no longer granted to third-party apps. On rooted devices, however, apps can escalate their privilege level to acquire this permission.

By reverse engineering the app, we also found that the password hash is an unsalted double MD5 of the original password. Attackers can obtain the original password by using a dictionary attack, rainbow table or brute force to generate a string that matches the hash value. Password cracking is not necessary, however, since the hash can be used directly to create a login session. The password hash and the stolen email address can be used to log in to the Camera 360 app or the cloud.

Hijacking sessions using leaked tokens

In response to the app's login request, the server sends back a token, user ID and some other account information. The Camera 360 App uses this token and user ID in its next requests to authenticate itself.

The server response for our test account is shown in Figure 3:

Figure 3

This token is both non-expiring and permanent. It stays valid even after the user logs out, because session variables are only deleted from the client side, not the server side. Therefore, successful requests can be sent using this token from anywhere at any time.

The Camera 360 app leaks these tokens, along with the user's ID and other app- and device-related data, to logcat and to network traffic. Any Android app that can read logcat, and any network sniffer running on the device or within the device’s WiFi network, can steal this data. This leaked data can be used to send unauthorized requests to the server and download all non-secret images from the cloud.

Data leaked to logcat

The Camera 360 App leaks data to logcat during the login process and whenever users open their cloud account-related activities.

Two examples of these log messages are given in Figure 4:

Figure 4

In the above messages, "uid" and "userId" are set to same user id. Values of "token," "userToken" and "localkey" are set to the same token.
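A check that a test or release pipeline can run over captured logcat output to catch this class of leak, as an added example that is not part of the original post or the Camera360 code. The key names come from the messages described above; the "email" and "password" names and the sample lines are constructed assumptions.

```python
import re

# Key names taken from the log messages described above; "email" and
# "password" are assumed names for the login fields (not shown on the page).
SENSITIVE_KEYS = ("token", "userToken", "localkey", "uid", "userId",
                  "email", "password")

# Matches key=value, key:value and "key":"value" forms (JSON or query string).
_PATTERN = re.compile(
    r'(?P<prefix>["\']?\b(?P<key>' + "|".join(SENSITIVE_KEYS) +
    r')\b["\']?\s*[=:]\s*["\']?)(?P<value>[^"\'&,\s}]+)'
)

def audit_log(lines):
    """Return (line_number, key) for every sensitive key that carries a value."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for match in _PATTERN.finditer(line):
            findings.append((number, match.group("key")))
    return findings

def redact(line):
    """Replace the value of each sensitive key, keeping the key for debugging."""
    return _PATTERN.sub(lambda m: m.group("prefix") + "<redacted>", line)

# Constructed sample lines (not the app's real output).
SAMPLE_LOGCAT = [
    'D/CloudLogin( 1234): {"uid":"u-0001","token":"tok-AAAA","device":"test"}',
    'D/CloudAlbum( 1234): GET /v2/page/timeline?userId=u-0001&userToken=tok-AAAA&count=20',
    'I/Camera( 1234): preview started 1280x720',
]

if __name__ == "__main__":
    for n, key in audit_log(SAMPLE_LOGCAT):
        print(f"line {n}: sensitive key {key!r} logged with a value")
    for line in SAMPLE_LOGCAT:
        print(redact(line))
```

Failing the build when `audit_log` returns any finding for a release-build log capture keeps such statements from shipping.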

Data leaked to network traffic

The app sends login requests over HTTPS, but subsequent requests are sent over HTTP with an unencrypted authentication token and user id. This unencrypted data can be easily read from network traffic.

One such HTTP request is given in Figure 5:

Figure 5

Using token and user id to download images

The leaked token, user id and other app-related data can be used in any one of the following requests to get access to the user's images:

Figure 6

These HTTP requests can be used in two different ways to download images, which are given below:

Fetching image keys

Any one of the above-mentioned HTTP requests can be used to fetch image keys from the server. Server responses to our test requests are given below:

Response for "http://cloud.camera360.com/v2/page/timeline?...."

Figure 7

Response for "http://cloud.camera360.com/v2/page/getNew?..."

Figure 8

Keys can be extracted from the server response and used in the following HTTP request to download respective images:

Figure 9

Bypassing login page of web cloud

The HTTP GET requests that are used to fetch image keys can also be used to bypass the login screen of the Camera360 web cloud, "https://cloud.camera360.com/login". Because these requests contain the authentication token, executing any one of them in a web browser logs the user in to the web service. Entering one of these URLs in a browser tab and then going to the cloud home page results in the user being logged in.

Image downloading using leaked image keys

The Camera 360 app's "Cloud Album" activity fetches the latest (non-secret) image keys from the server to display stored cloud images to the user. It logs the received server response to logcat. One such message is given in Figure 10:

Figure 10

These logged keys can be stolen by apps that are capable of reading logcat. Each key consists of the userID followed by the unique image id. As mentioned before, these keys can be used in the following HTTP request to download images.

Figure 11

This is a permanent link to the image, without an expiration. This link can be used to download the image without providing credentials or an authentication token.
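The Prevention section recommends making this link expirable. One way to do that is an HMAC-signed URL carrying an expiry time, shown here as an added example that is not part of the original post or the service's code; the host, the signing key and the "expires" and "sig" parameter names are hypothetical, and image keys are assumed to be URL-safe.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical values: the signing key and host are placeholders, and the
# "expires"/"sig" parameter names are assumptions, not the service's API.
SIGNING_KEY = b"constructed-demo-key-rotate-in-production"
IMAGE_HOST = "https://images.example.com"

def _signature(key_path, expires):
    # Sign the path and the expiry together so neither can be changed alone.
    message = f"{key_path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).hexdigest()

def sign_image_url(image_key, ttl_seconds=300, now=None):
    """Build a link for one image key that stops working after ttl_seconds."""
    expires = int((time.time() if now is None else now) + ttl_seconds)
    query = urlencode({"expires": expires,
                       "sig": _signature("/" + image_key, expires)})
    return f"{IMAGE_HOST}/{image_key}?{query}"

def verify_image_url(url, now=None):
    """Return the image key if the link is authentic and unexpired, else None."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        supplied = params["sig"][0]
    except (KeyError, ValueError):
        return None                      # bare permanent-style link: reject
    expected = _signature(parts.path, expires)
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None                      # key or expiry was tampered with
    if (time.time() if now is None else now) >= expires:
        return None                      # link has expired
    return parts.path.lstrip("/")
```

The server issues such a link only inside an authenticated session, so a key copied from a log or from captured traffic is not enough to fetch the image later.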

Image extraction from captured traffic

Images collected from the server can be extracted from captured network traffic. These are unencrypted and easily viewed.

Prevention

Cloud and Android app security needs to be increased to prevent further data leakage and unauthorized data access. The following methods can be used for this purpose:

  • Do not log sensitive data into Android system log (logcat) in any production applications.
  • Take measures to prevent session hijacking by using the following methods:
      • Encrypt not only the login process but also other transactions that involve sensitive data such as token, userid, image keys, and image files.
      • Set expiration timestamp on tokens.
      • When sending a logout request, properly delete all session variables from the server side. Do not accept previously issued tokens anymore.
      • Server can keep changing the token with each request. This will limit the window in which a hacker can attack.
      • The token can be bound to IP address, but it can be inconvenient for users who use a dynamic IP address.
  • Permanent link to images, i.e., "http://dn-c360.qbox.me/[KEY]", should require authentication. Or make the image link expirable instead of permanent.
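One way the session recommendations above (an expiration timestamp, a logout that invalidates the token on the server, and a token that changes with each request) fit together, as an added example that is not Camera360's code; the class name, method names and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time

class SessionStore:
    """Server-side sessions: tokens expire, rotate per request, die on logout."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock              # injectable so expiry can be tested
        self._sessions = {}             # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash, so a leaked session table does not leak live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user_id):
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = (user_id, self.clock() + self.ttl)
        return token

    def login(self, user_id):
        # Called only after the credentials have been verified elsewhere.
        return self._issue(user_id)

    def authenticate(self, token):
        """Return (user_id, next_token), or None if the token is not valid.

        The presented token is consumed whether or not it is still fresh, so a
        captured token cannot be replayed after the legitimate client used it.
        """
        entry = self._sessions.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() >= expires_at:
            return None
        return user_id, self._issue(user_id)

    def logout(self, token):
        # Delete the session on the server, not only on the client.
        self._sessions.pop(self._digest(token), None)
```

Per-request rotation as written assumes the client sends one request at a time; clients that issue parallel requests need a short grace window for the previous token. None of this helps unless every request carrying the token also travels over HTTPS.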

Conclusion

Camera360 leaks sensitive unencrypted data to both network traffic and Android system log, which compromises a user's privacy. A summary of data leakage follows:

  • Non-expiring and permanent auth token is leaked along with user id, which can be used for unauthorized access to user’s account and photos from anywhere at any time. Leaked data can be used in the following ways:
  1. Bypassing web cloud login page, "https://cloud.camera360.com/login," to access user’s account and photos
  2. Fetching permanent image keys from server and using them to download images
  • Permanent and non-expiring image keys are leaked, which can be used to download images without providing credentials or token
  • Unencrypted pictures are sent to network traffic, which attackers can steal using a network sniffer
  • Leaked email addresses and password hashes can be used to send an unauthorized login request to the server
  • User passwords can be obtained by cracking the leaked password hash. Password hashes and leaked email addresses can be used to log in to the cloud service

It is crucial that Android app developers improve security to provide users with a better and more protected Android experience.

The FireEye Mobile Threat Prevention Platform detects critical data leakage and vulnerabilities found in Android applications, and helps users make informed decisions about sharing private data with apps.
