HTTP Cookie Warfare

You won’t visit any web page today without cookies being involved, literally leaving a trail of crumbs for all kinds of third parties to track your whereabouts and activities on the web. Cookies get a lot of attention: you are constantly creating and updating them by accepting or consenting to the privacy and cookie usage terms on many websites, but most internet users don’t really know what cookies are or how they work. They were created back in 1994 by Lou Montulli, working at Netscape, for a legitimate reason: storing a small file in your local browser storage as a reference, so that a server can tell whether the user has visited the site before. It was patented in 1995:
US5774670A Persistent client state in a hypertext transfer protocol based client-server system

Original Drawing U.S. Patent 5,774,670 Page 6

About Cookies

Cookies are set either by the website you visit (first-party cookie) or by a service embedded into the website you visit, e.g. ad companies (third-party cookie). The browser stores a local cookie with some unique ID that the server checks on the next visit, or on a visit to another site that uses the same cookie. The primary purposes are session management, personalization and tracking. Technically a cookie is a set of key-value pairs stored as text; modern browsers keep them in a database, e.g. Firefox uses a SQLite DB. Contrary to common understanding there is no encrypted information and no personal information such as your name. The power lies in creating a digital fingerprint by combining the cookie with other information, e.g. the IP address, the user-agent string sent by the browser and information about other sites visited, in order to profile the user.

Table Structure for cookies in Firefox
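The Firefox cookie store described above is a plain SQLite table, so it can be audited with a few lines of code. The script below is an added example, not code from the original post: it builds a constructed in-memory table using a subset of the moz_cookies column names (an assumption about the Firefox schema), then classifies each cookie as first- or third-party relative to the site visited and flags the persistent third-party ones that fit the tracking pattern.

```python
import sqlite3

# Subset of the moz_cookies table in Firefox's cookies.sqlite (assumption: column names as in current Firefox).
SCHEMA = """CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT, path TEXT,
    expiry INTEGER, isSecure INTEGER, isHttpOnly INTEGER, sameSite INTEGER)"""

NOW = 1_700_000_000   # fixed "now" in seconds so the audit is reproducible
DAY = 86_400

# Constructed rows mimicking a visit to news.example: a first-party session cookie, a first-party
# long-lived id, and two persistent cookies set by embedded ad/analytics domains (expiry 0 = session).
SAMPLE = [
    ("sid", "abc123", "news.example", "/", 0, 1, 1, 2),
    ("uid", "u-9f8e7d", ".news.example", "/", NOW + 730 * DAY, 0, 0, 0),
    ("IDE", "trk-001", ".ads.example", "/", NOW + 390 * DAY, 1, 1, 0),
    ("_ga", "GA1.2.1", ".analytics.example", "/", NOW + 365 * DAY, 0, 0, 0),
]

def build_sample_db():
    """Create an in-memory cookie store holding the constructed rows above."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO moz_cookies (name, value, host, path, expiry, isSecure, "
                   "isHttpOnly, sameSite) VALUES (?, ?, ?, ?, ?, ?, ?, ?)", SAMPLE)
    return db

def registrable_domain(host):
    """Crude eTLD+1 (last two labels); real tooling should use the Public Suffix List."""
    return ".".join(host.lstrip(".").split(".")[-2:])

def audit(db, visited_site, now=NOW, long_lived_days=180):
    """Classify every stored cookie relative to the visited site and flag persistence."""
    site = registrable_domain(visited_site)
    findings = []
    for name, host, expiry, secure, same_site in db.execute(
            "SELECT name, host, expiry, isSecure, sameSite FROM moz_cookies ORDER BY id"):
        days_left = (expiry - now) / DAY if expiry else 0   # session cookies have expiry 0
        findings.append({
            "name": name, "host": host,
            "party": "third" if registrable_domain(host) != site else "first",
            "session": expiry == 0,
            "long_lived": days_left >= long_lived_days,
            "secure": bool(secure), "samesite_none": same_site == 0,
        })
    return findings

def tracking_candidates(findings):
    """Persistent third-party cookies: the classic cross-site tracking pattern."""
    return sorted(f["name"] for f in findings if f["party"] == "third" and f["long_lived"])

if __name__ == "__main__":
    for f in audit(build_sample_db(), "www.news.example"):
        print(f)
```

Pointing `sqlite3.connect` at a copy of a real profile's cookies.sqlite instead of the in-memory sample gives the same report for your own browser.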

Would you like to observe the creation of cookies and their content when opening a website? Start the developer tools of Firefox or Chrome first. I randomly chose cnn.com; you can do this with any commercial website.

Firefox Developer – Cookies View

Take note of cnn.com placing a cookie before you consent.

Earlier, if you wanted to protect yourself from third-party tracking, you had to install additional add-ons for your browser; now Firefox has become smarter and comes with on-board protection. If you would like to see the blocked cookies, disable the feature. I recommend doing this in a private window session (which deletes all cookies after closing).

Firefox protection
Blocked Tracker Cookies

Cookies and Privacy Consent Pop-Ups

Hidden Options

Very common to all websites: they try to keep you from not consenting. The ACCEPT button is very prominent but there is no I DO NOT ACCEPT; the options are always hidden behind a link with a different label. They rely on our laziness to go to an extra page to disable the cookies.

Ebay Consent Pop-Up

eBay makes you accept by pressing the Accept button or by clicking on any item on the website. To disable cookies you have to go to More Information and scroll to the end to confirm by pressing Continue. At least all cookies are disabled in this screen by default.

Some other samples:

ZDnet Pop-Up
cnn.com pop-up

A sample of a proper implementation: one click to reject all or limit cookies.

Overwhelming Number of Players

The marketing landscape behind the scenes can be breathtaking; let’s look at the website wired.co.uk.

Have you ever clicked on the List of Partners (vendors)?
There are no fewer than 500 companies listed, and each one comes with its own privacy policy.

The different Strategies

Today cookies (or rather the pop-ups) have become an annoyance; they disturb any user experience on the web because the cookie consent pop-up is the first representative of a company or service you see when visiting a site. Sometimes it is followed by a pop-up asking if it can alert you to any news, or a bot assistant offering to give (not so) smart answers. Let’s have a look at the different ways of obstructing content with consent pop-ups.

The Obfuscator Entrance Website

The first thing you see is nothing but the pop-up over a blurred background. You literally can’t read a line without consenting to all or going through the options.

Engadget.com by Verizon (the company that bought Yahoo)
The ‘Not-so-obfuscated-but-no-control’ Websites

Same as the previous type: a prominent pop-up, but you can see the landing page content, though you cannot click anything.

The ‘There-are-no-Options’ Websites

You land on the page and can access all links and pages, but you cannot opt out of anything. The pop-up is displayed permanently until you finally Accept.

TechNewsWorld pop-up
theverge.com pop-up

Tools

The different browsers offer various add-ons to manage cookies or look at their content. One is Cookiebro; there are many similar ones.

Conclusion

With the current laws and regulations (GDPR, 2009/136/EC) all of these samples are in line with legislation (to be proved).
Basically, you cannot escape completely from cookies. If you disable them completely you won’t be able to read your (web-)emails, manage your shopping cart or perform other essential functions. We can rely to some extent on Firefox to block the worst tracking cookies, and we can wipe out all cookies after closing the browser, which requires you to enter passwords every time you visit the same site (or use the password manager in Firefox).

Budget Android Phone Security Considerations

The market for Android phones and tablets (plus other devices) is huge: Android is dominating the market at almost 90%, followed by iOS at around 10%, and the rest together less than 1%. Google claimed in May 2017 that there are 2 billion active devices worldwide.
IT security for mobile devices is a huge topic, and we face similar threats as in the desktop OS landscape: viruses, trojan horses, backdoor apps and other malware. Some remarks about this follow at the end of the article.

The mobile phone manufacturer segment is still dominated by Samsung, followed by Huawei, LG and Motorola, to name a few. A mid-range device with decent specs costs around $200 to $400.

Apart from the known brands there is a wide range of China-produced phones at a partially much lower price. Remark: the famous brands might produce in China as well, but in some sense you pay a higher price for the brand.

Wouldn’t it be great to get a phone with good specs for less than $100? Some of the brands are HOMTOM, Cubot, OUKITEL, Jesy, DOOGEE and other never-heard-of names.

The temptation to buy one of these phones is great, but it comes at a price. How do you value privacy and security? Already at the end of 2016 these devices made it into the news for sending user data to servers in China.


Android Phone connections

Let’s get some hands-on experience and investigate a current phone. I bought a phone for the sole purpose of development testing, not for calls or storing sensitive data. I decided on a BLACKVIEW A7 PRO, available at US$ 70 from various online stores.

Blackview A7 Pro Android Phone

The phone casing and screen make a good first impression, and the specs do not need to hide behind other mid-range phones:

  • Android 7.0
  • MTK6737 1.3GHz, Quad Core
  • 2GB RAM
  • 16GB ROM
  • 4G/LTE with 2 sim card slots
  • 5″ HD screen

Out of the box it comes with the default Android apps, access to the Google Playstore and without any visible bloatware.

Before getting too excited, let’s take a look at the communication this device tries to establish after connecting to the internet. I installed a connection and communication inspection tool; such tools are available on the Playstore too. I do not recommend any specific tool here, as some of these tools have questionable permission requests.

It does not take too much time before the device starts communicating with a server based in China.


Both domains are registered with a hosting company, but you will find plenty of news and forum entries if you google for them.

Most interesting is the pre-installed BeautySnap application, which is not only invisible as an app to the user but also permanently running in the background. You can find it with a package inspector. Looking at the permissions, the application is not only hidden but also very generous with system access.


BeautySnap permissions

Needless to say, you can’t restrict the permissions because it is not visible as an app but is part of the firmware. It also seems to request hardware-specific permissions.


Let’s look at the traffic and the data exchanged; it seems the app tries to call home a few times per hour.


Quite obviously they transmit some basic data unencrypted, like the version, the current internet connection (wifi), the phone model (A7Pro), timezone and screen size, and they created a user id to identify the device (aka its user). IMSI and IMEI are not used, though the fields exist. There are some extra fields with encrypted info; I suspect the soc, scc, noc, ... fields might store the cell tower info, which gives a coarse geolocation even if you have GPS disabled.
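The phone-home pattern described above (periodic plaintext reports carrying a device identifier, empty IMEI/IMSI fields and opaque fields that may encode cell-tower data) can be picked out of a traffic capture automatically. The script below is an added example, not the post's tooling or the app's real traffic: the capture lines, host names and parameter names are constructed to mirror what the post describes, and the analysis reports per host whether the transport is plaintext, which identifier fields are sent or left empty, which fields look location-related and how often the beacon fires.

```python
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed capture (not the post's real traffic), one request per line: "date time method url".
# The parameter names are assumptions modelled on the fields the post describes, not the app's own.
CAPTURE = """\
2017-11-06 08:00:02 POST http://stat.vendor.example/report?ver=2.1&net=wifi&model=A7Pro&tz=GMT%2B8&screen=720x1280&uid=8f3c1a&imei=&imsi=&soc=3kQ9z&scc=Lw2&noc=Pq
2017-11-06 08:20:05 POST http://stat.vendor.example/report?ver=2.1&net=wifi&model=A7Pro&tz=GMT%2B8&screen=720x1280&uid=8f3c1a&imei=&imsi=&soc=3kQ9z&scc=Lw2&noc=Pq
2017-11-06 08:40:01 POST http://stat.vendor.example/report?ver=2.1&net=wifi&model=A7Pro&tz=GMT%2B8&screen=720x1280&uid=8f3c1a&imei=&imsi=&soc=3kQ9z&scc=Lw2&noc=Pq
2017-11-06 08:41:10 GET https://www.benign.example/ping
"""

IDENTIFIERS = {"uid", "imei", "imsi", "android_id", "serial", "mac"}
LOCATION_HINTS = {"soc", "scc", "noc", "lac", "cid"}   # opaque fields suspected to carry cell-tower data

def parse_capture(text):
    """Turn capture lines into (datetime, method, url) tuples."""
    rows = []
    for line in text.splitlines():
        date, clock, method, url = line.split(" ", 3)
        rows.append((datetime.fromisoformat(f"{date} {clock}"), method, url))
    return rows

def analyse(rows, min_beacons=3):
    """Per host: plaintext use, identifier fields sent or empty, location-like fields, beacon interval.
    A host is flagged suspicious when it receives periodic plaintext requests carrying an identifier."""
    hosts = {}
    for ts, _method, url in rows:
        u = urlsplit(url)
        h = hosts.setdefault(u.hostname, {"times": [], "plain": False, "sent": set(), "empty": set(), "loc": set()})
        h["times"].append(ts)
        h["plain"] |= u.scheme == "http"
        for key, values in parse_qs(u.query, keep_blank_values=True).items():
            if key in IDENTIFIERS:
                (h["sent"] if values[0] else h["empty"]).add(key)   # empty value = field present but unused
            if key in LOCATION_HINTS:
                h["loc"].add(key)
    report = {}
    for host, h in hosts.items():
        t = sorted(h["times"])
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(t, t[1:])]
        report[host] = {
            "plaintext": h["plain"],
            "identifiers_sent": sorted(h["sent"]),
            "identifiers_empty": sorted(h["empty"]),
            "location_like": sorted(h["loc"]),
            "beacon_interval_min": round(sum(gaps) / len(gaps)) if gaps else None,
            "suspicious": h["plain"] and bool(h["sent"]) and len(t) >= min_beacons,
        }
    return report
```

Feeding it the URL log exported from a connection inspector (one request per line in the same shape) reproduces the picture from the screenshots for any host the phone talks to.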

The least I could do with this phone without rooting it is to disable the BeautySnap application. Do this by going to Settings – Apps, enable the display of system apps, select BeautySnap and disable it.

Besides this app, there are still the AdUps FOTA app and the MTKLogger, which are worth looking at. They can’t be disabled. I have not yet caught them transferring data out.

Lessons learned

  • Cheap comes at a price. If you are concerned about privacy and security, do not buy or use such a phone as your main device to access sensitive personal data or sites like online banking. If you don’t want to be tracked and your data sold or given to other unknown parties, this phone is not for you either. Though there is no guarantee that expensive branded devices are protected or cannot be affected too.
    You can use the phone if you know how to disable the spyware elements (and still be careful), or root the phone and install another OS like LineageOS (which comes with its own risks).
  • As a minimum protection, do not download applications (apk files) from outside the Google Playstore, and be careful even when you download apps from the Playstore by looking at the permissions of the app. You don’t need a malware infection: it is enough to allow a regular app to retrieve your contacts, phone identity and location without knowing what the company behind the app does with the data. GDPR might be irrelevant and impossible to enforce if the app is provided by a company in some non-EU country that has no proper business entity.

Comments on the Android threats landscape

Unlike in the Windows world, where we learned the hard way to deal with viruses and malware, pretty much securing the OS only after threats had materialized (though the first viruses made their public appearance in the 1980s, the first serious antivirus products were only established in 1990/91), Android had some safety concepts built in from the start, and with the newer releases more and more security measures were taken (please refer to the links below). Some key elements:

  • Apps run in a sandbox and can’t access the OS.
  • Apps are deployed through a central repository (Playstore).
  • Users can control system access via permissions.
  • Controlled inter-app communication

Certainly some users still break this by downloading apk files from outside the store, rooting the device, allowing all permissions, etc.

Recommended Reading