In a new study, Citizen Lab sheds light on the security threats facing mobile users in Latin America. Citizen Lab and Open Technology Fund (OTF) fellow Beau Kujath, in collaboration with SocialTIC, finds that widely used mobile applications in Latin America put millions of users at security and privacy risk. The research focuses on three types of mobile applications: telecommunication apps, government-developed apps, and marketplace apps. Millions of people in Latin America rely on these categories of applications for essential daily functions including cellular service, emergency response, healthcare, and money transfers. Because these apps are hard to do without, people keep them installed even when they have security flaws, leaving users exposed.

Key Findings

  • A cellular management app from Mexican telecommunications giant MiTelcel consistently fetches the images and JSON files for its splash-screen configuration over cleartext HTTP. An attacker on the network path can read this traffic and potentially replace the images with their own, which the app will then display on its “Home” page.
  • The MiTelcel app sends POST requests containing the user’s personal information, including their email address and phone number, to five different third-party servers, even though the app store description at the time of analysis stated that no personal information was shared with third parties.
  • Another cellular management app, from Mexican telecom SAT Movil, uses cleartext HTTP for its “Chat” page, which transmits highly sensitive personal information including citizen ID numbers and passwords; anyone able to observe the traffic can read these values as they cross the network.
  • The Salvadoran cryptocurrency app ChivoWallet contacts Microsoft CodePush servers each time it is opened to check for a new update to fetch, giving the developers the ability to change the app’s functionality on demand, outside the trusted app store update mechanisms.
  • Three of the four telecommunication apps analyzed send SMS messages containing external links that are vulnerable to SSL stripping. An attacker on the network path can prevent the connection from being upgraded to HTTPS, keeping it on cleartext HTTP so they can read the information exchanged and potentially inject malicious responses.
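
As an added illustration of the checks behind these findings (this is not code from the report or from the relab repository), the script below triages a set of captured app requests for the three issue classes above: cleartext HTTP, sensitive fields posted to hosts outside the app operator’s own domains, and http:// links in SMS text that an SSL-strip attacker can exploit. The sample requests, the .test host names, the sensitive field names and the SMS text are constructed assumptions, not data from the study.

```python
"""Triage captured mobile-app traffic for the issue classes listed above.

Added example, not code from the Citizen Lab report or the relab repo.
The records below are constructed to look like a proxy capture; the
.test hostnames and field names are assumptions, not data from the study.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Request fields that must never travel in cleartext or go to hosts the
# user has no relationship with. Names are assumed typical form/JSON keys.
SENSITIVE_KEYS = {"email", "phone", "msisdn", "password", "citizen_id", "curp"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Request:
    method: str
    url: str
    body: dict = field(default_factory=dict)


@dataclass
class Finding:
    kind: str      # "cleartext" or "third_party_pii"
    url: str
    detail: str


def is_first_party(host, first_party_domains):
    """True if host is one of the app operator's own domains or a subdomain."""
    return any(host == d or host.endswith("." + d) for d in first_party_domains)


def triage(requests, first_party_domains):
    """Return findings for every request that shows one of the two issues.

    - cleartext: scheme is http, so an on-path attacker can read the request
      and rewrite the response (e.g. swap a splash image or read a password).
    - third_party_pii: sensitive fields are sent to a host outside the
      operator's domains, regardless of transport encryption.
    """
    findings = []
    for r in requests:
        parts = urlsplit(r.url)
        leaked = sorted(k for k in r.body if k.lower() in SENSITIVE_KEYS)
        if parts.scheme == "http":
            detail = ("sensitive fields in cleartext: " + ", ".join(leaked)
                      if leaked else "response can be read or modified on path")
            findings.append(Finding("cleartext", r.url, detail))
        if leaked and not is_first_party(parts.hostname, first_party_domains):
            findings.append(Finding("third_party_pii", r.url,
                                    "personal data sent to third party: " + ", ".join(leaked)))
    return findings


def sms_strippable_links(sms_text):
    """Return links in an SMS whose first request is cleartext HTTP.

    An SSL-strip attacker needs exactly this: the victim's first request is
    unencrypted, so the attacker can answer it (or rewrite the real reply)
    and keep the session on HTTP instead of letting it move to HTTPS.
    """
    return [u for u in URL_RE.findall(sms_text) if urlsplit(u).scheme == "http"]


def summarize(findings):
    """Count findings by kind, for a quick per-app report."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample capture (hypothetical .test hosts, made-up values).
SAMPLE_REQUESTS = [
    Request("GET", "http://cdn.example-telco.test/splash/config.json"),
    Request("GET", "http://cdn.example-telco.test/splash/home.png"),
    Request("POST", "https://api.example-telco.test/login",
            {"phone": "5215512345678", "password": "hunter2"}),
    Request("POST", "https://collect.example-tracker.test/event",
            {"email": "user@example.test", "phone": "5215512345678", "event": "open"}),
    Request("POST", "http://chat.example-telco.test/send",
            {"citizen_id": "ABCD123456", "password": "hunter2", "msg": "hi"}),
]
FIRST_PARTY = {"example-telco.test"}
SAMPLE_SMS = ("Your code is 1234. Manage your plan at "
              "http://m.example-telco.test/pay or https://secure.example-telco.test")

if __name__ == "__main__":
    for f in triage(SAMPLE_REQUESTS, FIRST_PARTY):
        print(f"[{f.kind}] {f.url}: {f.detail}")
    print("summary:", summarize(triage(SAMPLE_REQUESTS, FIRST_PARTY)))
    print("strippable SMS links:", sms_strippable_links(SAMPLE_SMS))
```

Run against a real capture, the first-party domain set is the one judgment call: subdomains of the operator are accepted, but a look-alike such as example-telco.test.evil.test is not. On Android the cleartext class of finding can also be prevented at the platform level by setting cleartextTrafficPermitted="false" in the app’s network security configuration, which makes the OS refuse the http:// requests outright.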

The full technical report includes more information on the live security and privacy issues found in the set of apps, how they were found, and the motivation for this project.

Github repo: https://github.com/beaukuj15/relab

Read the full report here (PDF).

Post by the OTF