Why are Facebook engineers confused about App Review?

So Facebook recently changed the policy about their API. Yes, Cambridge Analytica ruined it for everybody. Facebook has limited API access and also added an app review for most of the permissions an app requires. There are still some loopholes, but recently they closed almost everything, saying your app has to pass through review.


So they basically want to see how you use their API. But this is with the assumption that you are dealing with user data. For example, having a Facebook login for OAuth on your website: when a user uses the plugin to log in to your website, you request permissions from the user (e.g., permission to post on the user’s behalf). The permissions could be for the user profile or the privilege to manage the user’s pages.

The problem comes here. What if you want to access your own data? Do you have to pass through the review? As long as you’re only accessing your own data, it should NOT be a problem. So, basically, I create my access_token via Graph Explorer and use the API to access my data.

When Facebook required app review, I submitted the app along with a screencast (as they requested). I got a response saying they don’t see the login plugin in the video. But I don’t use the fucking login plugin because I am not asking people to login using Facebook. Basically, I don’t use the app to interact with Facebook users.

I explained in detail what I want to do and the fact that my app is not related to users. Their response was “we can’t find the login plugin on our website.” For fuck’s sake, Facebook.

During all this time, the API was working on and off without review for a reason that I do not know. And the people I have been in contact with were developers, not just tech support (at least, so Facebook said). Why they were not able to understand the use-case is beyond me. This is the point where I said fuck their API. I will find a way, though it will be painful, because the Facebook API has become useless.

The fix should be very easy though for Facebook. If an app is not reviewed, just limit the access to the app developer’s data/page/group… just like when the app is in development mode except being able to publish on your profile/page/group.

 

ASOS Price Tracker and Price Checker

I have used ASOS.com for several online shopping orders. They are one of the best online fashion shops. They have several stores in different parts of Europe. Each store might have a different price for the same product. Sometimes, you might find up to 50% price difference between stores. If you, for example, always buy from ASOS UK, then you have to compare the price with, for example, ASOS Germany, as you might save a lot.

You can do this by opening the different store websites for the same product and comparing the prices… sometimes converting the currency to your preferred one. To facilitate this process, I have created an ASOS Price Tracker (ASOS Price Checker) Telegram bot that can help you do this automatically. It is easy to use and has the following features:

  • Price comparison: compares the prices of a product in the different ASOS stores and tells you which store has which size and how much it costs
  • Price tracker: you also have the possibility to track the price of a product and get a notification as soon as its price changes (drops/increases or the product goes out of stock)

It is very easy to use. You just send a link to an ASOS product to this bot and the bot responds with content similar to the image here. If you are on mobile and have the ASOS app, you can just click on the “Share” button and share the link to the bot.

This is a personal project that was intended to help me manage my shopping on ASOS. As some friends found it interesting and are using it, I thought it might be also interesting for others.

Its accompanying website and mobile apps are in beta testing and will be made public soon. In the meantime, enjoy the service on the Telegram bot.

Feedback is welcome!

 

How the latest Facebook hack could have cost money to its users

Facebook has recently reported that external actors have exploited a bug in its system to gain access to more than 50 million users. Apparently, three different bugs were used together to get the access-token of the affected users, which lets the attackers log in to Facebook without needing the user’s password. Though Facebook is still investigating what data the attackers could have gotten, considering the fact that the access-token is powerful (it has the permissions of the Facebook mobile app), we can assume they’ve got everything. However, apart from getting user data, the attackers could have also performed several (automated/manual) actions using the affected users’ accounts, including ones that cost money! The following are off the top of my head, assuming 50 million user accounts:

Bypass Facebook News Feed algorithm

We know the Facebook News Feed algorithm favors posts that have initial momentum (reactions, comments and shares). Thus, the attackers could have used the affected users’ accounts to generate fake reactions, comments and shares in order to fool the algorithm.

Sell Facebook Page Likes

In order to increase a Facebook Page’s Likes, one has to pay Facebook and advertise the Page to a given audience that will most likely like the Page. However, using the 50 million accounts, the attackers could bypass Facebook advertising and sell Likes directly to their customers. Well, this could also apply to the first case, where the attackers sell traction.

Take over users’ Facebook Pages and Facebook Groups

Imagine having a Page with millions of Likes that you spent money on and, because of a bug in Facebook’s system, the attackers take control of it and remove you from the admins list? Though Facebook might restore ownership, it is reported that it is not that simple to get it back.

Use configured Facebook ad account

This actually will cost money to the user. If a user has a configured ad account, the attackers could use it to promote something that costs money. Moreover, the attackers could advertise something that violates Facebook’s policy and get the user’s ad account disabled.


According to the notification I received on Facebook, I am one of the 50 million affected users. Though Facebook is still working on it, I tried to go through the possible places where I could see if my account was used to perform some actions. For now, it seems fine. But I can’t say anything about the data they have.

 

Stay safe on this unsafe platform.

Facebook now lets your friends see that you are watching the same live stream


It looks like Facebook rolled out this update letting you know that your friends are also watching/listening to the same live stream. This means your friends can also see that you are watching the same stream. I believe this is privacy-sensitive information and it shouldn’t be turned on by default.

Though this is supposed to be private unless you interact with the stream (for example, react or share), just opening the stream link informs your friends that you’re on the same thing.

The other problem is that I don’t seem to find the setting to turn off this ‘feature’. And I don’t understand why Facebook turns this kind of privacy-sensitive option on by default.

Let me know if you find the location to turn off this stupid feature.

😤😤

java.lang.VerifyError error after instrumenting/transforming Android apps

You might have encountered the java.lang.VerifyError DEX verification error when developing an Android app. There are several reasons for this. Most commonly, the IDE messes up the build process, and cleaning and rebuilding might solve the problem. In some cases it could also be the tools that we use (for example, security tools for obfuscation). There are several resources for this case on the net and it is relatively easy to fix.

However, what I wanted to write about in this post is not from the developer’s point of view, but rather from the automated software testing point of view (involving instrumentation or code transformation), where you have hundreds or even thousands of Android apps to test and you don’t have their source code. Here is my experience.

For a given security testing experiment on Android apps, I had to mutate apps that satisfy some mutation criteria. After the mutation is applied, I had to automatically verify that the mutation didn’t break the app. To achieve this, I had to apply the mutation (and all the steps necessary to make the app ready for install), then install the app on the emulator and test whether the mutated component crashes. In order to understand if a crash is caused by the applied mutation, I wrap the introduced statements within a try-catch block and log the exception.

However, running the mutated apps on the emulator failed with java.lang.VerifyError. The strict Runtime refused to load the “inconsistent” bytecode into the VM because it found a “Bad method” or some other reason. This might depend on the level of instrumentation that you are applying; hence, if you’re only introducing, say, a log statement, maybe you will not encounter this problem and the instrumented app might run without a problem.

Since the mutation is applied automatically to different real-world apps, addressing the problem for each app is a bit difficult. For example, it is known that the Runtime will report an error if we try to wrap a synchronized block in a try-catch block. Therefore, while doing the mutation, it will be a bit difficult (but not impossible) to first know if a call that I wrapped in a try-catch block will eventually have a synchronized block in it. Even if I know this in advance (say, for example, during static analysis to check mutation criteria), it does not help, as I cannot skip the try-catch block, since I need it to see if a failure is caused by the mutation, and I cannot remove the synchronized block either, since I would interfere with the design of the app.

Cause

This is just one case, as the Android Runtime checks for several inconsistencies that were ignored in the Dalvik VM days. To mention some of the inconsistencies that are caught by the new Runtime:

  • extending a class that was declared final
  • overriding a package-private method
  • invalid control-flow
  • unbalanced monitorenter/monitorexit (this might be the reason for the synchronized block case, but I haven’t checked the final bytecode for the said inconsistency)
  • passing wrong argument to a method

Solution

A more general solution would have been understanding what modifications are making the verification fail and improving the instrumentation. However, that is out of my scope for the moment.

So, the solution that I found is specific to my problem. Considering that ART was introduced in Android 5 (API 21), the easiest workaround I found was using an emulator running, say, API 20. Since I know what kind of mutations I am applying and I also monitor executions, resorting to a less restrictive Runtime wouldn’t affect the general behavior of the app under test.

Therefore, if your instrumented Android app isn’t running on an ART emulator because of a java.lang.VerifyError, just use emulators running an API level below 21 and it should be an easy workaround.
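When hundreds of mutated apps are run in a batch, the two failure modes above need to be told apart automatically: a verification failure (the app never loads, so the mutation was never exercised) versus an exception caught by the try-catch that the mutation introduced. The triage below is an added example, not the author’s tooling; the logcat excerpts are constructed, and the “MUTATION” log tag and the exact “Verifier rejected class” wording are assumptions about how the instrumentation logs and how ART reports the rejection.

```python
import re

# Constructed logcat excerpts (not real device output). The "MUTATION" tag is the
# assumed tag written by the try-catch wrapper around the mutated statements.
VERIFY_FAIL = """\
I/ActivityManager( 1204): Start proc com.example.shop for activity com.example.shop/.MainActivity
E/AndroidRuntime( 3012): java.lang.VerifyError: Verifier rejected class com.example.shop.CartActivity
E/AndroidRuntime( 3012):   at com.example.shop.MainActivity.onCreate(MainActivity.java:42)
"""
MUTATION_CRASH = """\
I/ActivityManager( 1204): Start proc com.example.shop for activity com.example.shop/.MainActivity
E/MUTATION( 3044): mutant#17 threw java.lang.NullPointerException in com.example.shop.CartActivity.checkout
"""
CLEAN_RUN = """\
I/ActivityManager( 1204): Start proc com.example.shop for activity com.example.shop/.MainActivity
I/ActivityManager( 1204): Displayed com.example.shop/.MainActivity: +412ms
"""

# Assumed message shapes; adjust the patterns to the real verifier and wrapper output.
VERIFY_RE = re.compile(r"java\.lang\.VerifyError: Verifier rejected class ([\w.$]+)")
MUTATION_RE = re.compile(r"E/MUTATION\(\s*\d+\): (mutant#\d+) threw ([\w.$]+) in ([\w.$]+)")


def classify_run(logcat):
    """Triage one emulator run of one mutated app.

    A VerifyError wins over everything else: the class never loaded, so nothing the
    mutation did was executed and the run says nothing about the mutation itself.
    """
    m = VERIFY_RE.search(logcat)
    if m:
        return {"verdict": "verify_error", "rejected_class": m.group(1)}
    m = MUTATION_RE.search(logcat)
    if m:
        return {"verdict": "mutation_exception", "mutant": m.group(1),
                "exception": m.group(2), "location": m.group(3)}
    return {"verdict": "ok"}


def needs_pre_art_rerun(results):
    """APKs whose run failed verification; these are the candidates for the
    API < 21 (Dalvik) emulator workaround, since only there is the mutation exercised."""
    return sorted(name for name, r in results.items() if r["verdict"] == "verify_error")
```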

Cheers!

Chrome Extension “Video Downloader GetThemAll 30.0.2” might contain malware


So I have been using this extension for a while and all of a sudden it was disabled. When going to the extension to see what happened, Chrome reports that the extension contains malware and for this reason it is disabled.

What could have happened?

As has happened to other popular extensions, it could have been modified to include malicious behavior, its ownership could have been transferred to potentially malicious owners, it could have been hacked, or an update could have included a policy-violating feature (e.g., downloading from YouTube); but we don’t know. There is also a rumor that the extension was mining cryptocurrency. It is time to analyze version 30.0.2 in detail in order to understand what information could have leaked, if any.

Though GetThemAll 30.0.3 is already available on the Chrome Web Store, it is probably better to stay away until there are further results on what happened in the previous version.

A quick look at the diff between versions 30.0.2 and 30.0.3 shows that the earlier one has a suspicious obfuscated “background.js” file that accesses the images/video_help.png file, which also exists only in version 30.0.2.
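The kind of version-to-version comparison described above can be scripted so that every file present in only one version, every changed file, and every script that looks machine-obfuscated is surfaced in one pass. This is an added example, not the author’s analysis or the extension’s code; the two directory trees are constructed stand-ins (the background.js content is a made-up obfuscated snippet), and the obfuscation score is a simple token heuristic, not a classifier.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed stand-ins for the unpacked 30.0.2 / 30.0.3 directories, not the real files.
OLD_FILES = {
    "manifest.json": '{"name": "GetThemAll", "version": "30.0.2"}',
    "background.js": "var _0x3a1f=['\\x76\\x69\\x64\\x65\\x6f','\\x68\\x65\\x6c\\x70'];"
                     "fetch(chrome.runtime.getURL('images/video_help.png'))"
                     ".then(function(_0x5b2c){return _0x5b2c['arrayBuffer']()});",
    "images/video_help.png": "PNG placeholder (constructed)",
    "popup.js": "document.getElementById('dl').onclick = startDownload;",
}
NEW_FILES = {"manifest.json": '{"name": "GetThemAll", "version": "30.0.3"}',
             "popup.js": OLD_FILES["popup.js"]}

def write_tree(files):
    root = Path(tempfile.mkdtemp())
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body, encoding="utf-8")
    return root

def _snapshot(root):
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_extension_dirs(old_root, new_root):
    # Returns (only_in_old, only_in_new, changed) as sorted relative paths.
    old, new = _snapshot(old_root), _snapshot(new_root)
    changed = sorted(k for k in old.keys() & new.keys() if old[k] != new[k])
    return sorted(old.keys() - new.keys()), sorted(new.keys() - old.keys()), changed

TOKEN = re.compile(r"[A-Za-z_$][\w$]*|\\x[0-9a-fA-F]{2}")   # identifiers and \xNN escapes
HEXISH = re.compile(r"_0x[0-9a-fA-F]{3,}|\\x[0-9a-fA-F]{2}")  # typical obfuscator output
ASSET = re.compile(r"images/[\w.-]+")                        # packaged files a script names

def obfuscation_score(js_source):
    # Heuristic in [0, 1]: share of tokens that look machine-generated.
    tokens = TOKEN.findall(js_source)
    return sum(1 for t in tokens if HEXISH.fullmatch(t)) / len(tokens) if tokens else 0.0

def suspicious_scripts(root, threshold=0.3):
    # Scripts at or above the threshold, with the packaged assets they reference.
    flagged = {}
    for p in root.rglob("*.js"):
        src = p.read_text(encoding="utf-8")
        score = obfuscation_score(src)
        if score >= threshold:
            flagged[str(p.relative_to(root))] = (round(score, 2), sorted(set(ASSET.findall(src))))
    return flagged
```

Cross-referencing the assets named by a flagged script against the "only in old version" list is what ties background.js to video_help.png here; for a real extension, point `write_tree` at nothing and pass the two unpacked CRX directories straight to `diff_extension_dirs`.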

Cheers

Problems with the Moto X Style/Moto X Pure Edition (Mostly the Battery)

from: neurogadget

The Moto X Style is one of Motorola’s flagship phones, released in September 2015. It comes with Android 5.1.1 and is upgradeable to Android 7 (Nougat). But the upgrade is so slow that in September 2017 they still haven’t covered many countries. Some of the specifications of the phone are as follows:

Network: GSM / CDMA / HSPA / LTE

Memory:

  • microSD, expandable up to 256GB
  • Internal 16/32/64 GB, 3GB RAM

Camera: 21MP back camera, 5MP front camera with flash

Processing:

  • Hexa-core (4×1.4 GHz Cortex-A53 & 2×1.8 GHz Cortex-A57)
  • Qualcomm MSM8992 Snapdragon 808
  • GPU Adreno 418

As can be seen, the phone has very good specifications. One of the features that I like about this phone is the fact that it has two stereo FRONT speakers! Yes! I pretty much enjoy watching episodes on Netflix right from my phone.

The other feature that I like is the fact that when the phone is on a desk, the screen illuminates when I just pass my hand over it, so I can see if there are any notifications. Other phones have a dedicated LED light showing notifications (which also exists on the Moto X Style, but it needs rooting and programming the phone to use the LED for notifications; the only time I have seen this LED turn on is when the battery is completely dead and the phone is attached to the charger).

Another interesting feature of this phone is the way to turn on the camera. Yes, you just shake the phone and you have the camera open. I have almost never seen the sensors fail; the camera opens whenever I shake the phone.

All these and other interesting features are useless if the phone has a bad battery. Yes, the phone comes with a very bad battery. It’s less than 2 years since I got this phone and it is already messed up. For an expensive phone like this one (500 euros in October 2015), it’s unacceptable to have such a poor quality battery. Some of the weird characteristics of the phone in relation to the battery are as follows:

  • Phone shuts down even if the battery is above 25% and won’t start unless it’s attached to the charger
  • The moment the charger is attached, the battery shows 25% (or above)
  • The phone shuts down even if the battery is above 60% when the camera (or an app using the camera) is opened
  • If you let the phone off for a while, it finally will open (as if it wants to cool down)

Since these were weird characteristics, I didn’t think it was a battery problem. I assumed it was a software issue (either some apps or the platform itself). I reset the phone and didn’t see any improvement. That’s when I decided to change the battery. I bought a kit with several screwdrivers and a non-OEM battery. I removed the back cover, unscrewed 19 of the 20 screws and had a stripped screw on the last one. I tried for a couple of hours to unscrew this damn screw to no avail. So I finally screwed back the 19 screws and attached the back cover again. I will probably try again soon when I have time.

In conclusion, the phone is very good. It has good specs and good, usable features. The camera is good, the screen is big and has good resolution. But the battery sucks. It’s also impossible to get an OEM replacement battery. Therefore, unless you’re fine with carrying a power bank all the time, I would not recommend buying this phone.

Cheers!