Security BSides London 2019

At a time when user experience can make or break a business, app developers are turning more and more to third-party app analytics tools to help them get insight on how customers are interacting with their app. GlassBox, AppSee, Testfairy, and UXCam are a handful of popular analytics SDKs used by app developers to track in-app user behaviour, crashes, bugs, and other issues. The extent of the data collected by these Analytics and Attribution tools without it being clear in the privacy policy has raised several security and privacy concerns lately. Embedding ‘Session Replay’ technology to record the user’s screen received special attention from security researchers in the early 2019 as it can include privacy-sensitive data, such as login credentials, financial information or medical records. In this presentation we go over an in depth analysis of popular Apps we reversed, and show different methods they use to record user’s screen/session in both iOS and Android platforms. We further explain static and dynamic techniques to identify Session Replay capability in an App. We also discuss advanced techniques Apps implement to fingerprint mobile devices in the hardware, OS or Application level. Correlating this information with user’s identity, App developers or third-party analytics services can profile and attribute the user.