@FredericJacobs
Last active November 7, 2021 09:54
Some notes about the Reporta app, since some people expressed worry about its security.

Analytics

Analytics track you, but they also keep local files that are really useful to a forensic examiner gathering evidence against you.

Google Analytics

Because of course, you need to know if people actually use it when it's developed by a PR firm. Google Analytics tracks a lot of your moves; they are stored locally in a cache and then uploaded to Google's servers. Every action is logged.

Crashlytics

Free forensics! An unencrypted file, accessible whenever the phone is booted, records every time the user opened and closed the app.

Client-Side Encryption from iOS

I really don't see the point of not using NSFileProtection classes for protecting the data at rest, and not only when the phone is shut down. The app has no database; it just stores everything in the preferences file using NSUserDefaults. Another useful aspect is that they store the last locations in plaintext there too. See more below.

The SSL Test

An app review can't be done without a screenshot from SSL Labs. No PFS or TLS 1.2 support.

Auditing server side matters most

I've quickly looked at the clients, which contain things you wouldn't really expect from an app supposed to provide security. To be fair here, these details matter far less than having the server-side audited and pentested. I think some architectural changes should be made to give an attacker less incentive to compromise the server-side. Currently all personal information, locations, check-ins are available on the servers, in plaintext. This is a goldmine for multiple nation states if the app takes off. Just imagine the information that would be contained in that data dump. I hope they will open-source the backend too.


Side-note: Weird encoding of data

Bro, do you even JSON/ProtocolBuffer?

/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Application Support - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Application Support/com.crashlytics - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Application Support/com.crashlytics/CLSUserDefaults.plist - protection class:NSFileProtectionNone
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/LaunchImages - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/LaunchImages/com.iwmf.reporta - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/LaunchImages/com.iwmf.reporta/LaunchImage-Portrait{320,568}@2x.png - protection class:NSFileProtectionCompleteUnlessOpen
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/Snapshots - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/Snapshots/com.iwmf.reporta - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/Snapshots/com.iwmf.reporta/com.iwmf.reporta - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/Snapshots/com.iwmf.reporta/com.iwmf.reporta/UIApplicationAutomaticSnapshotDefault-Portrait@2x.png - protection class:NSFileProtectionCompleteUnlessOpen
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/Snapshots/com.iwmf.reporta/com.iwmf.reporta/downscaled - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/Snapshots/com.iwmf.reporta/com.iwmf.reporta/downscaled/UIApplicationAutomaticSnapshotDefault-Portrait@2x.png - protection class:NSFileProtectionCompleteUnlessOpen
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.crashlytics.data - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.crashlytics.data/com.iwmf.reporta - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.crashlytics.data/com.iwmf.reporta/analytics - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.crashlytics.data/com.iwmf.reporta/analytics/v1 - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.crashlytics.data/com.iwmf.reporta/analytics/v1/ACTIVE - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.crashlytics.data/com.iwmf.reporta/analytics/v1/ACTIVE/1443804237755_247dc18618ef413a9a5041041330ce3f - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.crashlytics.data/com.iwmf.reporta/analytics/v1/ACTIVE/1443804237755_247dc18618ef413a9a5041041330ce3f/1443804237755_CDF476CE-E318-4655-A05B-A460C8AB2431 - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.crashlytics.data/com.iwmf.reporta/analytics/v1/ACTIVE/1443804237755_247dc18618ef413a9a5041041330ce3f/1443804237755_CDF476CE-E318-4655-A05B-A460C8AB2431/0.log - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.crashlytics.data/com.iwmf.reporta/analytics/v1/ACTIVE/1443804237755_247dc18618ef413a9a5041041330ce3f/1443804237755_CDF476CE-E318-4655-A05B-A460C8AB2431/1.log - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.crashlytics.data/com.iwmf.reporta/v3 - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.crashlytics.data/com.iwmf.reporta/v3/active - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.crashlytics.data/com.iwmf.reporta/v3/active/247dc18618ef413a9a5041041330ce3f - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.crashlytics.data/com.iwmf.reporta/v3/active/247dc18618ef413a9a5041041330ce3f/binary_images.clsrecord - protection class:NSFileProtectionNone
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.crashlytics.data/com.iwmf.reporta/v3/active/247dc18618ef413a9a5041041330ce3f/internal_incremental_kv.clsrecord - protection class:NSFileProtectionNone
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.crashlytics.data/com.iwmf.reporta/v3/active/247dc18618ef413a9a5041041330ce3f/metadata.clsrecord - protection class:NSFileProtectionNone
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.crashlytics.data/com.iwmf.reporta/v3/active/247dc18618ef413a9a5041041330ce3f/sdk.log - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.crashlytics.data/com.iwmf.reporta/v3/prepared - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.crashlytics.data/com.iwmf.reporta/v3/processing - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.iwmf.reporta - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.iwmf.reporta/Cache.db - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.iwmf.reporta/Cache.db-shm - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.iwmf.reporta/Cache.db-wal - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.iwmf.reporta/com.apple.opengl - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.iwmf.reporta/com.apple.opengl/compileCache.data - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.iwmf.reporta/com.apple.opengl/compileCache.maps - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.iwmf.reporta/com.apple.opengl/linkCache.data - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.iwmf.reporta/com.apple.opengl/linkCache.maps - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.iwmf.reporta/com.apple.opengl/shaders.data - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.iwmf.reporta/com.apple.opengl/shaders.maps - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.iwmf.reporta/fsCachedData - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.iwmf.reporta/fsCachedData/7B2F20F8-F45A-4B49-BACA-A40CE6BF5A89 - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.iwmf.reporta/fsCachedData/9ABD5446-9BF1-421D-84B1-2E7C391E4C01 - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Caches/com.iwmf.reporta/fsCachedData/9E29FF73-5A2F-4AF0-ADB3-EAEE748CFB7B - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Cookies - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Cookies/Cookies.binarycookies - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Preferences - protection class:(null)
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/Preferences/com.iwmf.reporta.plist - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/googleanalytics-aux-v4.sql - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/googleanalytics-v2.sql - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/googleanalytics-v2.sql-shm - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/googleanalytics-v2.sql-wal - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/googleanalytics-v3.sql - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/googleanalytics-v3.sql-shm - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library/googleanalytics-v3.sql-wal - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication
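
As an added example (not part of the original gist), the Python sketch below parses lines in the format of the listing above and flags the files that stay readable while the device is locked. The `SENSITIVE` path markers and the last sample line are assumptions made for illustration; the other sample lines are copied from the listing.

```python
import re

# Exposure rank per iOS Data Protection class: higher = readable in more device states.
EXPOSURE = {
    "NSFileProtectionComplete": (0, "readable only while the device is unlocked"),
    "NSFileProtectionCompleteUnlessOpen": (1, "already-open handles stay readable after lock"),
    "NSFileProtectionCompleteUntilFirstUserAuthentication": (2, "readable while locked, once unlocked since boot"),
    "NSFileProtectionNone": (3, "readable whenever the device is booted"),
}
UNKNOWN = (3, "unknown class, treated as unprotected")
LINE = re.compile(r"^(?P<path>.+) - protection class:(?P<cls>\S+)$")
# Assumption: path fragments an auditor considers sensitive for this app.
SENSITIVE = ("Preferences/", "Cookies/", "googleanalytics", "com.crashlytics")

def parse(listing):
    """Yield (path, protection_class) for each well-formed listing line."""
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m["path"], m["cls"]

def audit(listing, sensitive=SENSITIVE):
    """Return (rank, class, path) for sensitive files readable on a locked device."""
    findings = []
    for path, cls in parse(listing):
        if cls == "(null)":  # directories in the listing; no class reported
            continue
        rank = EXPOSURE.get(cls, UNKNOWN)[0]
        if rank >= 2 and any(marker in path for marker in sensitive):
            findings.append((rank, cls, path))
    return sorted(findings, key=lambda f: (-f[0], f[2]))

# Sample input: first four lines are from the listing, the last one is constructed.
BASE = "/User/Containers/Data/Application/060741BD-DB5E-49A7-9730-ED9F53DDC509/Library"
SAMPLE = "\n".join([
    f"{BASE}/Application Support/com.crashlytics - protection class:(null)",
    f"{BASE}/Application Support/com.crashlytics/CLSUserDefaults.plist - protection class:NSFileProtectionNone",
    f"{BASE}/Preferences/com.iwmf.reporta.plist - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication",
    f"{BASE}/googleanalytics-v3.sql - protection class:NSFileProtectionCompleteUntilFirstUserAuthentication",
    f"{BASE}/Preferences/example.plist - protection class:NSFileProtectionComplete",
])

if __name__ == "__main__":
    for rank, cls, path in audit(SAMPLE):
        print(rank, EXPOSURE.get(cls, UNKNOWN)[1], path.rsplit("/", 1)[-1], sep=" | ")
```
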
@OlivierBoulot

I suspect, after briefly playing with the app, that the backend is Mandrillapp/Mailchimp.
If that is indeed the case, I would not expect the source code of the msg servers to be released any day, considering they are in the business of gathering data on the end users.
Hopefully I am wrong about that...........

That said, I would also like to understand why the app is opening a socket to 179.60.192.3 on my MotoG....

Ain't that Facebook?
Do you see that on iOS?

Best,

O.
