2019-10-22, 10:30–10:50, Europe
Smartphone applications do not respect your privacy.
If you are at Hack.Lu, you probably more or less already know this.
In the best cases, you found a few solutions to minimize the issue.
Or you surrendered (what can we do about it, huh?).
But are you really aware of the extent of the problem? Is it only your IMEI and your location that leak?
Are there still private apps out there?
Jump in for some Android disassembly, logs and Frida hooks.
I am a malware researcher. So, every day, I disassemble Android apps, and decide whether they are benign or malicious. We can't expect privacy from malware, can we? But actually, nearly all so-called benign applications I look into are far from private.
It is time we discuss this seriously at a conference. I want to show you the extent of garbage-ware we find in our smartphones' apps. Adkits are a big issue, of course. There are hundreds. But they are not the only ones. There are also analytics, crash reporting, IO analyzers, affiliate SDKs, cross-platform gaming frameworks...
Sometimes, privacy issues are blatant. Very often though, they are more insidious: e.g. reports are anonymized, but the level of detail is a concern. We show issues in common genuine apps we use every day. People who use Facebook, Messenger, etc. usually know they face a few privacy issues. How about medical applications? Games? Why do simple applications weigh 30MB for tasks they could do in less than 2? Are there still private apps out there?
Let's look inside our smartphones.