Feature image via National News Agency, June 2018: Minister of Information Melham Riachy launching the Eye Police application.
Eye Police, the Ministry of Information’s new mobile application which serves as a platform for users to report issues in Lebanon, poses a serious threat to users’ privacy and does not take adequate measures to protect their personal data.
Melham Riachy, the Minister of Information, announced the launch of Eye Police on June 12. The application, which has at least 500 downloads, allows citizens to report any issues or incidents directly to the Ministry of Information. According to Laure Sleiman, the director of the state-owned National News Agency (NNA), the role of the Ministry is that of “a mediator between officials and citizens, conveying the latter’s problems and working on having them resolved by putting them ‘in the hands of officials’ as soon as possible.”
Once users file complaints, the NNA allegedly publishes them on its website to give them greater visibility. It remains unclear if the NNA intends to publish all complaints. Additionally, the application creates an incentive system whereby citizens who report so-called serious violations will get a prize, but neither Sleiman nor Riachy provided clarity on what type of report constitutes a serious violation or what type of prize would be awarded.
The application requires a large amount of user data and stores it on unprotected, centralized servers controlled by CyberWaves, a private company about which little information is publicly available. At the base level, users must provide their phone number, first name, and last name, and create a password in order to use the application.
| Permission | Description |
| --- | --- |
| ACCESS_NETWORK_STATE | Allows applications to access information about networks |
| ACCESS_WIFI_STATE | Allows applications to access information about Wi-Fi networks |
| CAMERA | Required to be able to access the camera device |
| GET_ACCOUNTS | Allows access to the list of accounts in the Accounts Service |
| INTERNET | Allows applications to open network sockets |
| READ_EXTERNAL_STORAGE | Allows an application to read from external storage |
| READ_PHONE_STATE | Allows read-only access to phone state |
| RECORD_AUDIO | Allows an application to record audio |
| SYSTEM_ALERT_WINDOW | Allows an application to open windows using the type TYPE_SYSTEM_ALERT, shown on top of all other applications |
| BIND_GET_INSTALL_REFERRER_SERVICE | Unknown permission |
| C2D_MESSAGE | Unknown permission |
| MAPS_RECEIVE | Unknown permission |
| MAPS_RECEIVE | Unknown permission |
| READ_GSERVICES | Unknown permission |
| RECEIVE | Unknown permission |
| REQUEST_INSTALL_PACKAGES | Unknown permission |
| VIBRATE | Allows access to the vibrator |
| WAKE_LOCK | Allows using PowerManager WakeLocks to keep processor from sleeping or screen from dimming |
| WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage |
Eye Police also requests a series of permissions from Android devices that could violate users’ privacy, including the RECORD_AUDIO permission, which gives the application the ability to record audio. Beyond just audio, CyberWaves and the Ministry of Information can obtain information about the users themselves through the GET_ACCOUNTS permission, which provides the administrators of the application with information about all of the accounts registered on the phone (i.e., Google, email), and READ_PHONE_STATE, which allows the administrators to obtain the phone’s International Mobile Equipment Identity (IMEI), a unique identification number. This information potentially enables both CyberWaves and the Ministry of Information to track these devices.
A few more requested permissions raise red flags as well. For example, WAKE_LOCK permits the application to stay active even when the phone is locked. Usually, developers request this permission for bulky uploads and downloads, which means that the developers of this app could intend to install additional information on users’ phones. Likewise, the ACCESS_WIFI_STATE permission could be used to perform WiFi triangulation to geolocate the WiFi routers the phone is connected to.
Additionally, all the permissions listed as “unknown” correspond to functions from outdated Android software or are specific permissions imported from external sources.
The inclusion of these permissions demonstrates that CyberWaves did not take serious care in developing the application. Such services can sometimes be exploited because they do not receive any updates anymore.
The developers behind the application also neglected to account for the privacy of the data transmitted to their server. By reverse-engineering the Eye Police Android application, SMEX was able to extract the protocol the server uses and its IP address, which is 45.40.138.24.
Interestingly enough, the communication between the Android application and the server does not take any security measures to protect the data. There is no Secure Sockets Layer (SSL) encryption for data exchange with the Application Programming Interface (API), which makes it easy for attackers to perform man-in-the-middle attacks and access users’ traffic. Without SSL, the data is transmitted in plain text, enabling malicious users, or other governmental entities eager to obtain such information, to collect network packets.
After identifying the IP of the API’s web server, SMEX also noticed that the developers had left the server publicly exposed.
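The two checks this analysis rests on, which permissions an app requests and whether it talks to its API over plain HTTP, can be run against any decompiled app. The sketch below is an added example, not SMEX's tooling and not code from Eye Police; it assumes the manifest has already been decoded to text XML and the strings extracted from the decompiled code, and the package name, URLs and 192.0.2.10 address are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NAME = "{http://schemas.android.com/apk/res/android}name"
# Permissions the article singles out as privacy-relevant.
FLAGGED = {"RECORD_AUDIO", "GET_ACCOUNTS", "READ_PHONE_STATE",
           "WAKE_LOCK", "ACCESS_WIFI_STATE"}

# Constructed sample input: hypothetical package, RFC 5737 test address.
SAMPLE_MANIFEST = """<manifest package="com.example.reporter"
    xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="com.example.reporter.permission.C2D_MESSAGE"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
</manifest>"""
SAMPLE_STRINGS = [
    "http://192.0.2.10/api/report",
    "https://maps.example.org/tiles",
    "http://schemas.android.com/apk/res/android",  # XML namespace, not an endpoint
]

def audit_permissions(manifest_xml):
    """Split requested permissions into article-flagged and non-platform ones."""
    root = ET.fromstring(manifest_xml)
    names = [e.get(NAME, "") for e in root.iter("uses-permission")]
    platform = [n.rsplit(".", 1)[-1] for n in names
                if n.startswith("android.permission.")]
    # Names outside android.permission.* are what generic scanners call "unknown".
    custom = sorted(n for n in names if not n.startswith("android.permission."))
    return {"flagged": sorted(set(platform) & FLAGGED), "custom": custom}

def find_cleartext_endpoints(strings):
    """Return (url, host_is_raw_ipv4) for each plain-HTTP URL in extracted strings."""
    hits = []
    for s in strings:
        for url in re.findall(r"http://[^\s\"'<>]+", s):
            host = urlsplit(url).hostname or ""
            if host == "schemas.android.com":  # namespace URI, never contacted
                continue
            raw_ip = bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host))
            hits.append((url, raw_ip))
    return hits

if __name__ == "__main__":
    print(audit_permissions(SAMPLE_MANIFEST))
    print(find_cleartext_endpoints(SAMPLE_STRINGS))
```

A plain-HTTP endpoint addressed by raw IP is the pattern described above: no certificate can be validated for it, so everything the app sends is readable on the network path.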
Who, or what, is CyberWaves?
The developer, CyberWaves, barely appears on search engines. Using Kali Linux, SMEX reverse-engineered the Eye Police app to discover a little bit more about this company and assess its ability to protect the user data this application collects. We scanned the code to find the API and the IP. Once we discovered the IP, we did a reverse IP lookup, which produced a list of the domains hosted at that address.
SMEX suspects that the Beirut-based web design agency webperspective.net is behind, or at least affiliated with, CyberWaves because WebPerspective, Eye Police, and the Eye Police API are all available on the same server.
With the weak legal framework regarding data protection in Lebanon, the Eye Police application and the Ministry of Information’s partnership with CyberWaves raise serious concerns. Moreover, the Ministry’s outright disregard for even moderate privacy measures stresses the need for stronger privacy laws in Lebanon. SMEX advises citizens to stay away from this application, and similar applications that government agencies may release in the future, until it can fully commit to protecting the personal data of citizens.
Ragheb Ghandour is a PhD student. He is a computer scientist with a master’s degree in Information Systems for Risk Management and a cybersecurity enthusiast. He mainly focuses on human error in cybersecurity and the rights to online free expression and privacy.