User data is collected by programs installed on both mobile devices and desktop computers, and in some cases, abuses by developers can turn an application into a real cyber spy.
In this article I would like to highlight this issue using one program as an example, showing you in detail what information is collected, how and why, and adding examples of data collection abuse.
I am going to use Panic Button, our own program, as the example. It has no cyber espionage functionality and no tools for continuous monitoring of your system or collecting data about the programs you use. We will return to that later, in the chapter on telemetry, a phenomenon bordering on cyber espionage.
You may have been surprised by the phrase about collecting information about other programs, but some applications do collect this data, as a rule to fight competitors. For example, there was recently a scandal in the Russian taxi aggregator market: Gett, one of the old-school players in that market, suspected Yandex.Taxi of unfair competition.
According to Gett's representatives, the Yandex.Taxi application has hidden functionality that checks whether any competitors' apps are installed on the user's device and, if so, changes its pricing to undercut their offers. Representatives of Yandex.Taxi, as expected, rejected all the charges.
Panic Button does not collect any information secretly, but some programs may well do so. For example, the Uber app was caught spying on passengers, tracking their movements even after the trip was completed.
Unfortunately, we will not be able to teach you how to check which data applications send, because most often it is encrypted, but within this course we will check which applications and programs send data, how often, how much and where to.
What data does Panic Button collect about the user and why?
IP address
The IP address is collected by any program that exchanges data with a server. I cannot say that this is an important parameter for the developer: the country can only be determined with a large margin of error, the address is not static and for most users it changes constantly.
The IP address matters more to other components, such as anti-DDoS and IPS (intrusion prevention system). For example, if you start scanning our servers for vulnerabilities, the intrusion prevention system will detect this and may temporarily block your IP address. As I said earlier, the IP address is not a static identifier: today a malefactor is using this IP address, and tomorrow an honest user, which is why we do not block an IP address for more than 72 hours.
For most people the IP address is synonymous with de-anonymization, so it is not surprising that the IP address is what users most of all want to hide from applications. As a rule, the main hopes rest on using a VPN or on adding a proxy server in the application settings (if there is such an option). I can say for sure that using a VPN alone will not solve the problem of IP address leakage: the application can always connect before the VPN is launched or bypass the VPN, especially if there is a problem with the VPN server.
Besides, you can simply forget to enable the VPN. Even if you connect thirty times via your VPN and the thirty-first time without it, this is no longer anonymity. They say that the location of the hacker Guccifer 2.0, who hacked the server of the Democratic National Committee of the USA, was discovered because of a silly mistake: once he simply forgot to activate the VPN before visiting the site. Everyone makes mistakes, even the great ones.
Adding proxy settings does not guarantee protection either. From the developer's point of view, the main task of adding a proxy is to reach the server when there are restrictions, not to provide anonymity for users. There are many nuances known only to the program's developers; for example, an application may sometimes ignore its proxy settings if there are problems with the proxy the user specified. Therefore, I recommend using restrictions at the system firewall level; we will teach you how to manage your internet connections within the course.
HWID
HWID is a unique device identifier generated from the unique serial numbers of computer components, namely the motherboard serial number and model and the processor's characteristics. The developer determines which components are included and the hashing algorithm, i.e. how the collected data is converted into a value.
HWID makes a device unique but carries no information about the user. When the components from which the HWID was generated are changed, its value changes as well.
We bind the license to the HWID. When the program is installed, the user's HWID is sent to our server, and we check whether the user has a license and whether they have used the trial version of Panic Button. If this user has an active license, we will not ask them to activate the program a second time, and if they have already used the trial version, we will no longer offer it.
HWID is also used for restrictive measures. For example, if a user is caught trying to defraud licensing, we blacklist their HWID, and they will not be able to use Panic Button on their computer anymore, at least until they contact us and we resolve our misunderstandings.
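As an added illustration of the HWID derivation described above (example code, not Panic Button's own; the component fields, the SHA-256 choice and the application-specific salt are assumptions), this shows that the identifier is deterministic, carries only hardware facts, and changes when a component is swapped:

```python
import hashlib

# Constructed sample component data (not real serial numbers).
SAMPLE_COMPONENTS = {
    "motherboard_serial": "MB-SN-00001-EXAMPLE",
    "motherboard_model": "EXAMPLE-BOARD-Z390",
    "cpu_features": "GenuineIntel;family=6;model=158;stepping=10",
}

# Assumed: an application-specific salt, so the same hardware yields a
# different HWID in a different vendor's product (no cross-vendor correlation).
APP_SALT = "panic-button-example-salt"


def make_hwid(components: dict, app_salt: str = APP_SALT) -> str:
    """Derive a device identifier from component data.

    The fields are serialized in a fixed (sorted) order so the result is
    deterministic, then hashed with SHA-256; the first 24 hex digits are kept.
    Only hardware facts go in, so the HWID carries no information about the user.
    """
    canonical = "\n".join(f"{key}={components[key]}" for key in sorted(components))
    digest = hashlib.sha256(f"{app_salt}\n{canonical}".encode("utf-8")).hexdigest()
    return digest[:24].upper()


def hwid_changes_on_swap(components: dict, field: str, new_value: str) -> bool:
    """True if replacing one component yields a different HWID (the property the text describes)."""
    swapped = dict(components)
    swapped[field] = new_value
    return make_hwid(swapped) != make_hwid(components)


def is_same_device(stored_hwid: str, components: dict) -> bool:
    """Server-side check: does the HWID sent at install match the one bound to the license?"""
    return make_hwid(components) == stored_hwid
```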
InstallID
InstallID is a unique identifier of the installation, which is sent to the server each time the program is installed. This indicator is purely technical; it is not tied to a specific device or user, only to a specific installed copy of the program. It changes on reinstallation and is used to track the number of installations and identify suspicious activity.
Email
The email the user specifies when activating a full license. It is necessary for transferring the license to a new device, as well as for reactivation if components that affect HWID generation are changed.
We do not check whether the user-specified email is valid; however, by entering an incorrect email, the user must understand that they may lose their license. When an email is changed, we keep the entire history of changes, namely when and from which IP address; almost all services do this for security reasons. If your license is stolen from you in any way and you complain to us, we must be able to investigate the incident.
License history
We store all this information mainly for statistical and marketing purposes. It is important for us to understand what percentage of users switch from a trial license to a full one, and what percentage of users renew a full license after it expires.
It looks like this:
HWID 875785RFJYFUYFUYD5775
13.03.2018 17:30 trial version is activated
20.03.2018 18:40 full version is activated
Version of the program
The program version is needed solely to check whether the installed program is up to date. The version information is sent to the server, where the check for updates takes place, and if the version is not the latest, the user is offered an update.
From my own experience I can say that users do not like to update in a timely manner, and this is very sad. If we release an update, there is most likely a good reason for it; for example, it could fix a critical vulnerability that could lead to remote compromise of the computer. A user who does not update in time is at great risk.
Fortunately, within the Panic Button project we have not had critical problems yet. But it is important to remember that problems and mistakes happen to everyone: the developer needs to fix them promptly, and users need to update in time.
When a message is sent to the support service from the program, we also request the version the client uses, since a number of errors may be caused by an outdated version of the software.
Email and Jabber addresses that notifications are sent to
I suppose you may not like this. The specified data remain in the logs of the servers responsible for sending. This is necessary to solve certain problems: for example, if notifications do not arrive and you contact us for help, we need to see whether our servers attempted the sending and whether it succeeded. We delete this data after three days, and the logs contain no information about the HWID or email of the user who initiated the request.
Calls to technical support
Calls to the technical support service from the program via the API are redirected to the UserEcho service, which we use for customer support. The storage of the transmitted information is governed by UserEcho's privacy policy. UserEcho allows us to process all your requests efficiently and quickly.
When sending a message to customer support, the user can attach the program's log file. This file contains only technical information on the use of Panic Button, without the user's personal information. Which files you delete (name and path) and to which contacts you send notifications are information that never gets into the log file. We recommend attaching a log file when contacting us with any problem associated with the use of the program.
CrashReports
CrashReports are the data the program collects when a critical error occurs that prevents it from continuing. In programmers' language, this is called a crash of a program or service. The collected data is needed by our technical support to identify the cause of the problem.
Only you can send this data. Although some programs send crash data to their servers without notice, this is considered bad practice. The collected information contains a lot of detail about your system; having obtained it, someone could use it to prepare a targeted attack on the user's device. I understand that this sounds like paranoia, but I must warn you about this possibility.
In the case of Panic Button, the CrashReports sent to us are stored in box.com cloud storage. After the problem is solved, the data is deleted; it can also be deleted earlier at the user's request.
When and how the data is transmitted to the server
The main data is sent when the program is installed and activated; it is then that the HWID, email, program version and other information necessary for the program to interact with the licensing and update server are created and sent.
After that, however, Panic Button periodically contacts the management server to check the validity of the license and the version installed by the user. This happens every time Panic Button is started, whenever notifications are sent, and also every 12 hours.
Most programs periodically contact their management servers. When we get to traffic analysis, you will be able to check for yourself which programs connect to which servers, and whether these connections are encrypted.
And the transmitted data is not always encrypted; this problem applies to both desktop and mobile applications. While a complete lack of encryption is rare, partial sending of unencrypted data unfortunately happens even in quite popular applications.
For example, the application of the popular dating service Tinder on iOS and Android encrypted its connections, but the downloaded photos were transmitted unencrypted. In practice, if someone eavesdropped on the user's Internet traffic, they would receive all the downloaded photos. And one can find out a lot from a photo.
And here I would like to recall Edward Snowden's story, told in an interview with The Guardian, about NSA employees viewing photos of naked girls for entertainment. Here is a translation taken from the popular Russian resource Habr.
«Young men aged 18-22 work in the ranks. Suddenly, they are sent to a position of extraordinary responsibility, where they have access to your private records. During the working day they come across something completely unrelated to their work in any sense, like intimate photos of a girl in a sexy pose. But the photos are extremely attractive. So what should they do? They turn around in their chair and show them to a colleague, who says: “Wow, that's cool. Send them to Bill to have a look.” And then Bill sends them to George, and George sends them to Tom. And sooner or later, all these people get to know the girl's secrets. This will never appear in official reports. Nobody even knows about this, since the auditing of the systems is very poor. The fact is that your private photos, videos, recordings of intimate moments are taken out of the communication flow and transferred to the government without any special authorization and without special need, in violation of your rights. Why do they need them in the country's database?»
Edward Snowden
In the case of Panic Button, all collected data is sent to a server located in Amsterdam. It is worth noting right away that all data transfer from the program to the server is carried out over the encrypted HTTPS protocol.
Connections to the update and licensing server are logged. This is necessary to protect the infrastructure from attacks, since malefactors can imitate the requests of real users in order to overload our servers and take them down.
How does this help security? The anti-attack system running on our servers constantly analyzes logs for suspicious activity. Logs are analyzed both for a particular user and for the system as a whole, which allows us to detect attacks and ensure the stability of the system. For example, we see an unusually large number of resource-intensive requests to download updates, but no external reason is found, as no new version was released that day.
The system knows that a normal user makes no more than three requests to download updates per day; if there are more than 100 such requests in the log, this is undoubtedly an attack aimed at overloading the system. The data goes to the system administrator for manual inspection, or the traffic is blocked if a corresponding rule has been created in the security system.
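The per-user and system-wide log analysis described above, as an added example that is not Panic Button's own detection code. The log line format, the request names and the "review" band between three and 100 daily downloads are assumptions; the sample log is constructed:

```python
import re
from collections import Counter

# Constructed sample log in an assumed format: "DD.MM.YYYY HH:MM <hwid> <request>".
# HWID-AAAA behaves normally; HWID-BBBB hammers the update download endpoint.
SAMPLE_LOG = (
    "14.03.2018 08:02 HWID-AAAA update_check\n"
    "14.03.2018 08:02 HWID-AAAA update_download\n"
    "14.03.2018 12:15 HWID-AAAA license_check\n"
    "14.03.2018 13:40 HWID-AAAA update_download\n"
    + "".join(f"14.03.2018 09:{i % 60:02d} HWID-BBBB update_download\n" for i in range(120))
)

LINE_RE = re.compile(r"^(?P<date>\d{2}\.\d{2}\.\d{4}) \d{2}:\d{2} (?P<hwid>\S+) (?P<req>\S+)$")

NORMAL_DAILY_MAX = 3      # a normal user makes at most three download requests per day
ATTACK_THRESHOLD = 100    # more than this in one day is treated as an overload attack


def update_downloads_per_device(log_text: str) -> dict:
    """Count update_download requests per (date, hwid); malformed lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match and match["req"] == "update_download":
            counts[(match["date"], match["hwid"])] += 1
    return dict(counts)


def classify_devices(log_text: str) -> dict:
    """Per-user view: 'block' above the attack threshold, 'review' above the
    normal daily maximum (assumed: handed to the administrator), 'normal' otherwise."""
    verdicts = {}
    for key, n in update_downloads_per_device(log_text).items():
        if n > ATTACK_THRESHOLD:
            verdicts[key] = "block"
        elif n > NORMAL_DAILY_MAX:
            verdicts[key] = "review"
        else:
            verdicts[key] = "normal"
    return verdicts


def system_wide_downloads(log_text: str) -> dict:
    """System-wide view: total update downloads per day across all devices,
    to compare against the days on which a new version was actually released."""
    totals = Counter()
    for (date, _hwid), n in update_downloads_per_device(log_text).items():
        totals[date] += n
    return dict(totals)
```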
Where and how long data is stored
The data is stored on the main server in the Netherlands, owned by the hosting provider Digital Ocean. Logs are stored for seven days; other data is stored based on needs. In addition, logs from all servers are transmitted to the intrusion prevention system, which processes them and stores them for one month.
Do not forget about backups. Backups are securely encrypted and transmitted over an encrypted channel to European Amazon servers. Backup copies are stored for six months, after that they are deleted. Backups are needed to restore the infrastructure and a possible rollback to the last stable state. Logs are never stored in backups.
Who has access to the data
Some time ago, a scandal broke out over the ability of Uber employees to obtain data on passengers' trips without any control. Some employees made a side job of tracking users' trips on request. Celebrities' trips were of particular interest; for example, it became known from the revelations that they followed the trips of the famous R&B singer Beyonce.
This information was provided under oath by former Uber employee Samuel Spangenberg. Despite Uber's statements about the security of user data, it seems this was not the case, and it is not certain that it is the case today, especially considering the history of the leak of 50 million Uber users' personal data and the company's concealment of this fact from the regulator.
In the case of Panic Button, we have no private information except the email; we cannot follow the user, their personal life or their device. An ordinary technical support worker has a standard set of license data: email, email change history, IP address, key activation history; they can see the HWID and InstallID, read the history of calls to technical support, see the version of the program used and whether the application has crashed (this information is sent when a request is created through the program). A technical support worker can change the email, block and unblock the license, and change the license validity period.
The technical support worker does not have access to the sent CrashReports or server logs; this is the developers' responsibility, and if the technical support specialist cannot help, they forward the task to the developers.