MyPhoneRegistration - MyPhone MyA2
MyPhoneRegistration is an app that allows you to register your MyPhone device with MyPhone in order to ease things like accessing warranties, getting software updates and sending advertisement and promotional material. The app gets permissions to make and manage phone calls, to send and view SMS messages, and to access storage.
The following is the output from MyPhone Registration of Exodus Standalone, by Exodus Privacy
{
"trackers": [],
"apk": {
"path": "/media/transfer/AndroidAnaylsis/Library/OriginalAPKs/MyPhoneRegistration.apk",
"checksum": "584fb7efe352024b52e2584de6afd6944d5bdf038c6459200c5e4a021d3f096a"
},
"application": {
"libraries": [],
"version_code": "1",
"permissions": [
"android.permission.DISABLE_KEYGUARD",
"android.permission.RECEIVE_BOOT_COMPLETED",
"android.permission.READ_PHONE_STATE",
"android.permission.SEND_SMS",
"android.permission.INTERNET",
"android.permission.REORDER_TASKS",
"android.permission.SYSTEM_ALERT_WINDOW",
"android.permission.STATUS_BAR",
"android.permission.DISABLE_STATUS_BAR",
"android.permission.ACCESS_NETWORK_STATE",
"android.permission.READ_LOGS",
"android.permission.WRITE_EXTERNAL_STORAGE",
"android.permission.READ_EXTERNAL_STORAGE"
],
"name": "MyPhoneRegistration",
"uaid": "B06D57C12A09AB0C1B0F79DE5F51D0CEAD67162F",
"handle": "registration.pinoy.zed.com.myphoneregistration",
"version_name": "2.1"
}
}
The following information is exchanged unencrypted with Zed servers once the MyPhone Registration process has been "successfully" completed. (Redactions for the protection of personal data)
store_type:
profession:
store_name:
age: 19XX-XX-XX
city:
retail_partner:
msisdn2: 0799XXXXXXX
name: Eva Blum Dumontet
gender: 1
province:
imei1: 35824005010XXXX
The POST request is such
POST http://180.87.143.45/ph.zapp.api/user_info_reg.aspx HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1; MyPhone MyA2 My802)
Host: 180.87.143.45
Connection: Keep-Alive
Accept-Encoding: identity
Content-Length: 156
The request times out with the following error
Server connection to ('180.87.143.45', 80) failed: Error connecting to "180.87.143.45": [Errno 110] Connection timed out
Due to the timeout, the app continues to try and send the data indefinitely
We also identified vulnerabilities that could allow a malicious individual with physical access to the phone to run their own code in the MyPhoneRegistration app context, allowing them to execute code with the same privileges as the MyPhoneRegistration app. When combined with other known vulnerabilities within Android 6.x, this could compromise the device remotely. As this app cannot be updated or deleted by the user, this vulnerability threatens the user permanently.
We will not be disclosing the nature of these vulnerabilities at this time
MyPhone made the following statement via email:
"For the models we have launched before, we have lost access and support to update the apps we have pre-installed, but we remain committed to provide a secure platform to our new and upcoming devices by complying to the latest Google requirements to keep the devices secure."
Further statements are available in the full report