Ministry of Information Application Threatens Citizens’ Privacy

Minister of Information Melham Riachy launching the Eye Police Application, National News Agency, June 2018.

The Eye Police Registration Form, July 2018.

Eye Police, the Ministry of Information’s new mobile application which serves as a platform for users to report issues in Lebanon, poses a serious threat to users’ privacy and does not take adequate measures to protect their personal data.

Melham Riachy, the Minister of Information, announced the launch of Eye Police on June 12. The application, which has at least 500 downloads, allows citizens to report any issues or incidents directly to the Ministry of Information. According to Laure Sleiman, the director of the state-owned National News Agency (NNA), the role of the Ministry is that of “a mediator between officials and citizens, conveying the latter’s problems and working on having them resolved by putting them ‘in the hands of officials’ as soon as possible.” Once users file complaints, the NNA allegedly publishes them on its website to give them greater visibility. It remains unclear if the NNA intends to publish all complaints. Additionally, the application creates an incentive system whereby citizens who report so-called serious violations will get a prize, but neither Sleiman nor Riachy provided clarity on what type of report constitutes a serious violation or what type of prize would be awarded.

The application requires a large amount of user data and stores it on unprotected, centralized servers controlled by CyberWaves, a private company with little publicly available information. At the base level, users must provide their phone number, first name, last name, and create a password in order to use the application.

ACCESS_NETWORK_STATE

Allows applications to access information about networks

ACCESS_WIFI_STATE

Allows applications to access information about Wi-Fi networks

CAMERA

Required to be able to access the camera device.

GET_ACCOUNTS

Allows access to the list of accounts in the Accounts Service

INTERNET

Allows applications to open network sockets

READ_EXTERNAL_STORAGE

Allows an application to read from external storage.

READ_PHONE_STATE

Allows read only access to phone state.

RECORD_AUDIO

Allows an application to record audio

SYSTEM_ALERT_WINDOW

Allows an application to open windows using the type TYPE_SYSTEM_ALERT, shown on top of all other applications.

BIND_GET_INSTALL_REFERRER_SERVICE

Unknown permission

C2D_MESSAGE

Unknown permission

MAPS_RECEIVE Unknown permission

Unknown permission

MAPS_RECEIVE

Unknown permission

READ_GSERVICES

Unknown permission

RECEIVE

Unknown permission

REQUEST_INSTALL_PACKAGES

Unknown permission

VIBRATE

Allows access to the vibrator

WAKE_LOCK

Allows using PowerManager WakeLocks to keep processor from sleeping or screen from dimming

WRITE_EXTERNAL_STORAGE

Allows an application to write to external storage

Eye Police also requests a series of permissions from Android devices that could violate users privacy, including the RECORD_AUDIO permission, which gives the application the ability to record audio. Beyond just audio, Cyberwaves and the Ministry of Information can obtain information about the users themselves though the GET_ACCOUNT permission, which provides the administrators of the application with information about all of the accounts registered on the phone (i.e Google, email), and READ_PHONE_STATE, which allows the administrators to obtain the phone’s International Mobile Equipment Identity (IMEI), a unique identification number. This information potentially enables both Cyberwaves and the Ministry of information to track these devices.

A few more requested permissions raise red flags as well. For example, WAKE_LOCK permits the application to stay active even when the phone is locked. Usually, developers request this permissions for bulky uploads and downloads, which means that the developers of this app could intend to install additional information on user’s phones. Likewise, the ACCESS_WIFI_STATE permission could be used to perform WiFi triangulation to geolocate the WiFi routers the phone is connected to.

Additionally, all the permissions listed as “unknown” permissions correspond to functions from outdated Android software or are actually imported specific permissions imported from external sources. The inclusion of these permissions demonstrates that CyberWaves did not take serious care of the development of the application. Such services can sometimes be exploited because they do not receive any updates anonymously.

The IP of the server, 2018.

The developers behind the application also neglected to account for the privacy of the data transmitted to their server. Doing some reverse-engineering of the Eye Police Android application, SMEX was able to extract the IP of the server and the protocol it’s using, which is 45.40.138.24.

Interestingly enough, the communication between the Android application and the server does not take any security measures to protect the data. There is no Secure Sockets Layer (SSL) encryption for data exchange with the Application Programming Interface (API), which makes it easy for attackers to perform man-in-the-middle attacks and access users’ traffic. Without SSL, the data is transmitted in plain text, enabling malicious users, or other governmental entities eager to obtain such information, to collect network packets.

The IP of the API’s server, 2018.

After identifying the IP of the API’s web server, SMEX also noticed that the developers exposed the server to the public domain.

Who, or what, is CyberWaves?

The developer, CyberWaves, barely appears on search engines. Using Kali Linux, SMEX reverse-engineered the Eye Police app to discover a little bit more about this company and assess its ability to protect user data by this application. We scanned the code to find the API and the IP. Once we discovered the IP, we did a reverse IP lookup, which produced the following list:

  1. arabpacific.org
  2. beyondassociation.org
  3. bmpcenter.com
  4. building-decoration.com
  5. cbra-lb.org
  6. chehablawfirm.com
  7. eyepolice.net
  8. ip-45-40-138-24.ip.secureserver.net
  9. j-jrealestate.com
  10. johnnyrentacar.com
  11. khabaronline.com
  12. lumidentclinic.com
  13. lumident-lb.com
  14. mca-realestate.com
  15. mnarconstruction.com
  16. naimco.com
  17. saadehcf.org
  18. superior-tt.com
  19. tahawolat.net
  20. t-marbouta.com
  21. transportarabia.com
  22. webperspective.net
  23. www.building-decoration.com
  24. www.cbra-lb.org
  25. www.lumident-lb.com
  26. www.tahawolat.net
  27. www.transportarabia.com
  28. www.webperspective.net

SMEX suspects that the Beirut-based web design agency webperspective.net is behind, or at least affiliated with CyberWaves because WebPerspective, Eye Police, and the Eye Police API are all available on the same server.

With the weak legal framework regarding data protection in Lebanon, the Eye Police application and the Ministry of Information’s partnership with Cyberwaves raises serious concerns. Moreover, the Ministry’s outright disregard to take even moderate privacy measures stresses the need for stronger privacy laws in Lebanon. SMEX advises citizens to stay away from this application, and similar applications that government agencies may release in the future, until it can fully commit to protecting the personal data of citizens.

Ragheb Ghandour is a PhD Student at Mines ParisTech France. He is a computer scientist with a Masters degree in Information Systems for Risk Management and a cybersecurity enthusiast. He mainly focuses on human-error in cybersecurity and the rights to online free expression and privacy.

, , ,

2 Responses to Ministry of Information Application Threatens Citizens’ Privacy

  1. Elijah Burwell August 11, 2018 at 5:01 pm #

    Dear Sir

    Is going to you be an online marketer, do you own a company or businesses? If perhaps you do then you will know the value of having lots of targeted traffic to your sites.

    What if I notified you can get free Facebook traffic with a few simple steps?

    In the members area you will find the Facebook Traffic Sniper App. (nothing to download) –

    you just place in your website URL in the and click “Begin Traffic” – Visitors will start going to your website within a short while from now and tourists your site will never stop.

    You will get traffic and surfers to your website within a short while and will continue to run everyday with no more work on your end!

    Best Regards!

    IG-romingsongoh
    Twitter-romingming

    http://www.adkreator.com/splashpagehit.php?bid=175553

Trackbacks/Pingbacks

  1. تطبيق من وزارة الإعلام اللبنانية يهدد خصوصية المواطنين | - August 2, 2018

    […] Read in English. […]

I footnotes