Jawaker, a mobile application that witnessed an increase in popularity during the COVID-19 crisis period, has many privacy and security issues.

Based out of the United Arab Emirates, Jawaker provides popular card games, like 400, Leekha, and Tarneeb. It also provides many in-game chat features between users, and gives them the ability to join clubs and add other users as friends. Jawaker gained around 1 million new users on Android and iOS in April alone, and has more than 7 million total downloads in general.

Serious security vulnerabilities 

We analyzed Jawaker and found that it includes critical information security issues. The application’s dependence on WebView, an in-app implement web browser for delivering web content, and the excessive permissions requests, threaten user privacy and security.

The application’s use of the WebView feature gives attackers the ability to execute code remotely and conduct Man-in-the-Middle Attacks (MitM), which allows the attacker to intercept and augment communications between the user and the app. For example, an attacker launching a Man-in-the-Middle Attack could pretend to be the application and ask the user for their passwords for other apps, like Facebook or their personal email account. Like many free apps, Jawaker uses WebView to load HTML content from remote advertiser networks. These advertisements are also susceptible to MitM attacks.

Jawaker also requires many unnecessary permissions on the Android device, like access to microphone, Google Photos, Wake, and Lock Screen among others. The application can automatically start a phone, which means that it can continue accessing your phone capabilities, including voice recordings, even if the app is not open and you aren’t playing.

In addition, Jawaker has a privacy policy but it’s difficult to find, scant, and does not clearly state that it protects users’ data. You can only read Jawaker’s privacy policy if you go to ‘Terms of Use’ and scroll down to the end of the page.

Recommendations for Jawaker

The Jawaker app should minimize the number of permissions requested to run the application, even if the new versions of Android do not enable permissions automatically. Android started prohibiting apps from automatically running their permissions with Android 9, but only 10% of Android users use Android 9 worldwide.

Additionally, to protect their users’ personal data, Jawaker must address the existing security issues by updating their software and adding javascript verifications.

Jawaker should also publish a privacy policy that respects users’ rights and clearly mentions the data that is collected, how the data is stored, the reason it is collected and stored, who has access to the data, and measures taken to protect and secure users’ data.

Finally, as a user, you should not allow suspicious permissions that don’t appear necessary to run the app. For example, if you do not use the voice chat feature, you should revoke recording access.

Abed Kataya, Digital Content Manager at SMEX for Digital Rights. He is also a digital safety trainer and freelance journalist with a focus on technology, economy, and entrepreneurship. Follow him on Twitter @kataya_abd.

Ragheb GHANDOUR is a Cybersecurity consultant for an Aviation industry company with a research background in risk and crisis management. He mainly focuses on cybersecurity risks and the rights to online free expression and privacy.

This page is available in a different language العربية (Arabic) هذه الصفحة متوفرة بلغة مختلفة