One Article Review
| Source |  Errata Security |
|---|---|
| Identifiant | 4061222 |
| Date de publication | 2022-01-31 15:33:58 (vue: 2022-01-31 21:05:12) |
| Titre | No, a researcher didn\'t find Olympics app spying on you |
| Texte | For the Beijing 2022 Winter Olympics, the Chinese government requires everyone to download an app onto their phone. It has many security/privacy concerns, as CitizenLab documents. However, another researcher goes further, claiming his analysis proves the app is recording all audio all the time. His analysis is fraudulent. He shows a lot of technical content that looks plausible, but nowhere does he show anything that substantiates his claims.Average techies may not be able to see this. It all looks technical. Therefore, I thought I'd describe one example of the problems with this data -- something the average techie can recognize.His "evidence" consists screenshots from reverse-engineering tools, with red arrows pointing to the suspicious bits. An example of one of these screenshots is this on: This screenshot is that of a reverse-engineering tool (Hopper, I think) that takes code and "disassembles" it. When you dump something into a reverse-engineering tool, it'll make a few assumptions about what it sees. These assumptions are usually wrong. There's a process where the human user looks at the analyzed output, does a "sniff-test" on whether it looks reasonable, and works with the tool until it gets the assumptions correct.That's the red flag above: the researcher has dumped the results of a reverse-engineering tool without recognizing that something is wrong in the analysis.It fails the sniff test. Different researchers will notice different things first. Famed google researcher Tavis Ormandy points out one flaw. In this post, I describe what jumps out first to me. That would be the 'imul' (multiplication) instruction shown in the blowup below: It's obviously ASCII. In other words, it's a series of bytes. The tool has tried to interpret these bytes as Intel x86 instructions (like 'and', 'insd', 'das', 'imul', etc.). But it's obviously not Intel x86, because those instructions make no sense.That 'imul' instruction is multiplying something by the (hex) number 0x6b657479. That doesn't look like a number -- it looks like four lower-case ASCII letters. ASCII lower-case letters are in the range 0x61 through 0x7A, so it's not the single 4-byte number 0x6b657479 but the 4 individual bytes 6b 65 74 79, which map to the ASCII letters 'k', 'e', 't |
| Envoyé | Oui |
| Condensat | 000 0x1000000 0x61 0x6b657479 0x7a 2022 256 able about above: actually all analysis analyzed and another anything app are aren arrows ascii assume assumptions audio average baring because beijing below:it bits blowup but byte bytes can case chance chinese citizenlab claiming claims clear code commonly concerns conclusionat consist consists constants content correct das data describe didn different disassembles documents does doesn download dump dumped either endian engineering etc even everyone evidence example expected fails famed find first flag flaw formed four fraudulent from further gets glance goes going google government handwaving happens has hex his hopper however human imul individual insd instead instruction instructions intel interpret isn jumps just large lcg letters like little look looks lot lower make many map may more moreover much multiplication multiplications multiplying never none nonsense not notice nowhere number numbers obviously olympics on:this one onto order ormandy points other out out one output phone plausible pointing possible post pretty problems process proves qed: random range rare rarely read hex reasonable recognize recognize what recognizing recording red requires researcher researchers results reverse roughly screenshot screenshots security/privacy see sees sense series show shown shows single small sniff something spying strange substantiates support supports suspicious takes tavis techie techies technical test text that them there therefore these things think those thought through thus time tool tools tried understand until used user usually values very way website well what when where whether which will winter without words works would wrong x86 you ytek |
| Tags | Tool |
| Stories | |
| Notes | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.