
GetJar is logging more than you think

26 Feb

I was doing some network analysis on my phone related to another matter, and noticed that GetJar was logging some of my activity. This isn’t that surprising for an app store that provides free apps. Nothing comes for free. I would expect that they would log some information related to their apps provided through their store. However, what surprised me was that logging occurred as I was uninstalling apps that I did not purchase or install through GetJar. After seeing this behavior, GetJar got an immediate uninstall. I don’t know what other data GetJar might have been logging, as I didn’t leave it on long enough to find out any more.


Here is what was logged:

GET /backchannel/metadata/
?gjClientInstallationID=<24char string>
&androidID=<44 char string>
&gjClientVerCode=3378
&src=gjca
&gjClientVerName=3.3.78
&packageName=com.qik.android
&status=UNINSTALLED
&versionCode=382
&versionName=0.03.765
&appLabel=Qik
&uninstallTime=1329696276134


I have reformatted this GET request for easier reading. The character count is based on the decoded URL. There is nothing super personal in there, but they are definitely collecting which apps you are using.
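To make the point concrete, here is an added example (my own code, not part of the original post or anything shipped by GetJar) that decodes a request line of the shape shown above into an auditable event and flags reports about packages that were never installed through the store. The request line, the allow-list of store-installed packages, and the two identifier strings (placeholders of the 24 and 44 character lengths the post reports) are all constructed sample data.

```python
"""Decode an app-store telemetry beacon of the shape seen in the post and
flag reports about packages the store did not install. The request line and
the package allow-list are constructed sample data; the two device identifiers
are placeholders of the lengths the post reports (24 and 44 characters)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

SAMPLE_REQUEST = (
    "GET /backchannel/metadata/?gjClientInstallationID=" + "A" * 24
    + "&androidID=" + "B" * 44
    + "&gjClientVerCode=3378&src=gjca&gjClientVerName=3.3.78"
    + "&packageName=com.qik.android&status=UNINSTALLED&versionCode=382"
    + "&versionName=0.03.765&appLabel=Qik&uninstallTime=1329696276134 HTTP/1.1"
)

# Constructed: packages this device actually installed through the store.
STORE_INSTALLED = {"com.example.storeapp"}

# Query keys that are stable device/installation identifiers; their presence
# lets every event be tied back to the same handset over time.
IDENTIFIER_KEYS = ("gjClientInstallationID", "androidID")


def epoch_ms_to_datetime(ms):
    """Convert a millisecond epoch value to an aware UTC datetime, using
    integer arithmetic so no precision is lost in a float conversion."""
    whole = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return whole + timedelta(milliseconds=ms % 1000)


def parse_beacon(request_line):
    """Turn one HTTP request line into a dict describing what was reported."""
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    event = {
        "method": method,
        "path": url.path,
        "package": query.get("packageName"),
        "label": query.get("appLabel"),
        "status": query.get("status"),
        "app_version": query.get("versionName"),
        "client_version": query.get("gjClientVerName"),
        # Record only the identifier lengths, not the values themselves.
        "identifiers": {k: len(query[k]) for k in IDENTIFIER_KEYS if k in query},
    }
    if "uninstallTime" in query:
        event["time"] = epoch_ms_to_datetime(int(query["uninstallTime"]))
    return event


def unexpected_reports(events, store_installed):
    """Events about packages the store never installed on this device."""
    return [e for e in events if e["package"] and e["package"] not in store_installed]


if __name__ == "__main__":
    event = parse_beacon(SAMPLE_REQUEST)
    print(event)
    for e in unexpected_reports([event], STORE_INSTALLED):
        print("reported but not store-installed:", e["package"], e["status"], e["time"])
```

Feeding captured request lines through `parse_beacon` and then `unexpected_reports` gives a quick answer to the question the post raises: which of the reported packages the store had no part in installing. The millisecond `uninstallTime` in the sample decodes to 2012-02-20 00:04:36 UTC, which is consistent with the post's date.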


I took a quick look at GetJar’s privacy policy to see if this was disclosed. As with many privacy policies, the sections on personal information collection are a bit vague and open-ended. Even so, I didn’t get the sense that they would be collecting information on what apps I was uninstalling or using. Here’s the relevant excerpt from their privacy policy:

Personal Information Collected via Technology

As you use the GetJar Site or any GetJar Service, some information may also be collected passively, including your Internet protocol address, browser type, access time, mobile phone model, and telecom carrier. We may also store a small text file called a "Cookie" on your computer or phone to store certain information about your use of the GetJar Site or GetJar Services. We may use both session Cookies (which expire once you close your browser) and persistent Cookies (which stay on your computer or phone until you delete them).

Personal Information from Other Sources

We may receive Personal Information about you from other sources, including other users. We may associate this information with the other Personal Information we have collected about you.


I went on to take a quick look at their logging server eventlogger.getjar.com. It discloses some configuration information, though I am not sure how accurate it is. If the disclosed information is to be trusted, the jetty.config.contextMap seems to give an indication of what else is collected or sent to GetJar.

/*=com.getjar.els.servlet.StatusServlet;
/thrift/*=com.getjar.els.servlet.ThriftServerServlet;
/backchannel/messaging/*=com.getjar.els.servlet.BackchannelMessagingServlet;
/backchannel/usage/*=com.getjar.els.servlet.BackchannelUsageServlet;
/backchannel/metadata/*=com.getjar.els.servlet.BackchannelMetadataServlet;
/backchannel/event/*=com.getjar.els.servlet.BackchannelEventServlet;
/20110506/4933/backchannel/usage/*=com.getjar.els.servlet.BackchannelUsageServlet;
/20111010/5001/backchannel/usage/*=com.getjar.els.servlet.BackchannelUsageServlet;
/20111102/5002/backchannel/usage/*=com.getjar.els.servlet.BackchannelUsageServlet

* Reformatted for easier reading.

It appears that messaging, usage, and event details might be logged as well. What those all entail I’m not sure, as uninstalling an app fell under Metadata.

Disclaimer: By writing this, I’m not claiming that GetJar is engaging in malicious activities. If anything, I want others to be aware of this and make an informed decision. No one is being forced to use this app so choose to do what you will.

Extracting and Parsing the MFT of a logical disk from a Live Windows Machine

17 May

Over the weekend I had a family Windows XP box come to me with fake AV malware. The user indicated they didn’t know how or when it happened. Out of curiosity I began to investigate the cause and decided to see if I could replicate Tim Mugherini’s work as presented on Pauldotcom on this system to determine when the infection took place, and any possible related files.

My first step was to grab the latest release of The Sleuth Kit (TSK). Once the files were obtained and extracted, the next trick was how to extract the MFT. Most of the reference materials I was able to locate on using TSK involved passing an image file to the utility in use. I had no desire to image the whole 160GB drive just for the MFT. Looking at further reference sites, I did see some passing a hard drive directly, but they were Linux systems. I also didn’t have the option of booting from a Live Linux distro at the time. I finally found a post by Rob Lee on the SANS Computer Forensics blog that referenced a logical drive in Windows in a way The Sleuth Kit utilities would recognize. The commands below have been translated from there for Windows:

fsstat \\.\C:

ifind -d number_address(from above) \\.\C:

istat \\.\C: meta_address(from ifind) | more

icat \\.\C: 0-128-1 > MFTextracted

This left me with a raw MFT file which isn’t very useful unless you parse it. I first tried to use Mark Menz’s MFT Ripper, but the free version is limited to 50,000 lines. Next I turned to David Kovar’s analyzeMFT.py. I didn’t have a Python environment on the system I wanted to analyze from, so I needed to quickly set up Python. I decided to use ActivePython, and grabbed the 3.2 version of Python. I made sure Python was in my Path and tried to run the script:

python .\analyzeMFT.py -f MFTextracted -o T:\Temp\MFTextracted.csv

Everything seemed fine, but I kept receiving syntax errors. I couldn’t find anything obvious on this error, but I did see at least one post reference using Python 2.7. To troubleshoot, I grabbed ActivePython 2.7, installed it, and then changed my Path to point to 2.7 instead of 3.2. After reloading my command prompt, I kicked off the same command to successfully begin the parsing.
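For readers who want to see what a parser like analyzeMFT.py actually does with the raw file that icat produces, here is an added example of my own (not the author's workflow and not code from analyzeMFT.py or The Sleuth Kit). It parses a single 1024-byte NTFS FILE record: it undoes the update-sequence fixups that would otherwise corrupt any attribute crossing a sector boundary, walks the resident attributes, and reports the $STANDARD_INFORMATION and $FILE_NAME timestamps that an infection timeline is built from. The record it parses is constructed in the script itself from hypothetical timestamps, so it runs without a disk or an extracted MFT; point `parse_record` at 1024-byte slices of a real `MFTextracted` file to use it on real data.

```python
"""Parse one raw NTFS MFT FILE record (the kind icat writes out) and report
its metadata and timestamps. The record is constructed inside this script
from hypothetical sample values; nothing here comes from a real disk."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 1024
SECTOR_SIZE = 512
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")

# Constructed timestamps for the sample record.
SAMPLE_CREATED = datetime(2012, 5, 12, 14, 30, tzinfo=timezone.utc)
SAMPLE_MODIFIED = datetime(2012, 5, 13, 9, 0, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def apply_fixups(record):
    """Undo the update-sequence protection: NTFS saves the last two bytes of
    every sector in the update sequence array and overwrites them with the
    USN so a torn write can be detected. A mismatch means a damaged record."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    buf = bytearray(record)
    usn = bytes(buf[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if bytes(buf[end - 2:end]) != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        buf[end - 2:end] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_record(record):
    """Return header fields, the file name and both timestamp sets."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    record = apply_fixups(record)
    seq, links, attr_off, flags = struct.unpack_from("<HHHH", record, 0x10)
    info = {"record": struct.unpack_from("<I", record, 0x2C)[0],
            "sequence": seq, "links": links,
            "in_use": bool(flags & 0x01), "is_dir": bool(flags & 0x02)}
    off = attr_off
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen == 0:
            break
        if record[off + 8] == 0:  # resident attribute: content lives in the record
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            body = record[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                times = struct.unpack_from("<QQQQ", body, 0)
                info["si_times"] = dict(zip(TIME_KEYS, map(filetime_to_datetime, times)))
            elif atype == ATTR_FILE_NAME:
                times = struct.unpack_from("<QQQQ", body, 8)
                nlen = body[0x40]
                info["name"] = body[0x42:0x42 + 2 * nlen].decode("utf-16-le")
                info["fn_times"] = dict(zip(TIME_KEYS, map(filetime_to_datetime, times)))
        off += alen
    return info


def _resident_attr(atype, content, attr_id):
    total = 0x18 + len(content)
    total += (-total) % 8  # attribute records are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, attr_id,
                      len(content), 0x18, 0, 0)
    return hdr + content + bytes(total - 0x18 - len(content))


def build_sample_record(name, created, modified, record_number=42):
    """Build an in-use file record with $STANDARD_INFORMATION and $FILE_NAME,
    then stamp it with the update-sequence protection as the file system does."""
    ft = datetime_to_filetime
    si = struct.pack("<QQQQIIII", ft(created), ft(modified), ft(modified), ft(modified), 0x20, 0, 0, 0)
    fn = struct.pack("<QQQQQQQIIBB", 5 | (5 << 48), ft(created), ft(modified), ft(modified),
                     ft(modified), 0, 0, 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    attrs = (_resident_attr(ATTR_STANDARD_INFORMATION, si, 0)
             + _resident_attr(ATTR_FILE_NAME, fn, 1) + struct.pack("<II", ATTR_END, 0))
    attr_off = 0x38
    buf = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHHQHHHHIIQHHI", buf, 0, b"FILE", 0x30, 3, 0, 1, 1, attr_off, 0x01,
                     attr_off + len(attrs), RECORD_SIZE, 0, 2, 0, record_number)
    buf[attr_off:attr_off + len(attrs)] = attrs
    usn = b"\x01\x00"
    buf[0x30:0x32] = usn
    for i in range(1, 3):
        end = i * SECTOR_SIZE
        buf[0x30 + 2 * i:0x32 + 2 * i] = buf[end - 2:end]  # save the sector tails
        buf[end - 2:end] = usn                              # then stamp them with the USN
    return bytes(buf)


def demo():
    return parse_record(build_sample_record("installer.exe", SAMPLE_CREATED, SAMPLE_MODIFIED))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Comparing the two timestamp sets is the reason both are reported: $STANDARD_INFORMATION times are freely settable by user-mode code, while $FILE_NAME times are maintained by the kernel, so a file whose $FN creation time is later than its $SI creation time is a classic sign of timestamp tampering worth a closer look during an infection timeline.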