All your family secrets belong to us—Worrisome security issues in tracker apps presented at DefCon26LasVegas 2018

by Stephan Huber, Dr. Siegfried Rasthofer, Dr. Steven Arzt,

Summary : Google Play Store provides thousands of applications for monitoring your children/family members. Since these apps deal with highly sensitive information, they immediately raise questions on privacy and security. Who else can track the users? Is this data properly protected? To answer these questions, we analyzed a selection of the most popular tracking apps from the Google Play Store. Many apps and services suffer from grave security issues. Some apps use self-made algorithms instead of proper cryptography for data storage and transmission. Others do not even attempt to protect their communication at all and make use of the unprotected http protocol, or even give an attacker full access to a vulnerable backend system. Hard coded database credentials in apps allowed access to all stored user locations. We would be able to extract hundreds of thousands of tracking profiles, even in real time. In others, this wasn't even necessary, because the user authentication could be bypassed altogether. Flaws in server API allowed us to extract all user credentials (1.7m plain text passwords), further we saw full communication histories containing messages, pictures and location data. In total, the state of tracker apps is worrisome, effectively leading to users unknowingly installing espionage software on their devices.