Last weekteam, everyone who deals with technology has heard the news that wants Lenovo to have installed the Superfish adware along with a security certificate on its devices.
Meanwhile, Microsoft, Lenovo and other companies have released software to remove Superfish and the security certificate, but the problem seems to be on mobile devices as well.
The mobile equivalent of Superfish is called LikeThat and is available for iOS and Android devices in dedicated apps bedspread of each platform.
The app is designed to make it easier for users to take pictures by taking pictures. The photo then goes up to Superfish's servers and compares it to discover visually similar results provided by thousands of other retailers.
Ο Jonathan Zdziarski, ένας ειδικός ερευνητής του iOS, ελέγχοντας τον κώδικα της εφαρμογής ανακάλυψε ότι συμπεριλάμβανε ορισμένα characteristics that give each device a unique identity, and preserve all the EXIF data available in the photos.
The device ID is also sent to an analytics company assigned to the device without any notice to the user while sending the mobile MAC address.
As for the EXIF data in the images, each user's private life is trapped if the GPS is enabled. So, among other things, companies have their exact location and the time that photography was taken. Imagine many photos from different locations can very well show the movements of a user in a specific time period.
The researcher found that the LikeThat Superfish for iOS is quite invasive and includes code that can leak device-related information such as free disk space, MAC address, memory used, CPU frequency, or type screen.
In a Friday's publication, the investigator points out that if some of the tracking capabilities are disabled (closed GPS) in versions of the application for iOS ή Android, the ability to collect and transmit the user's location is possible through the SFLocationAPI they use.
"It appears that Superfish, if it doesn't have a way to collect information from an image you select from your photo album (UIImagePicker), uses a technique that could allow access to underlying image metadata that most users don't know is being stored," the researcher says.
You can see it all analysis of the researcher from here.
