This year I'm launching a project called RE:PRIVACY.
This is a piece of work intended to utilize reverse engineering (RE) to find and understand privacy issues within publicly available or enforced applications. This also extends to security & vulnerability research. Inspired by Mozilla Foundation's Privacy Not Included, the goal is to make users aware of what products have privacy and security risks, not just by reading what the company says, but by looking under the hood of the technology itself. With transparency, we can bring accountability and action, making the internet a safer place.
The intent here is to identify any privacy and security risks in the apps, a bit like what I did with the Korean Ministry of Defense's app. The project started in the middle of 2023 and has pretty much turned into a minefield. I started by looking at Reproductive Health apps, namely menstrual cycle tracking apps. I felt real unrest in this market as my partner was utilizing these apps and I grew concerned about the capitalistic nature of data collection relating to women's health. What I didn't realize at the time of starting this project was that I would find a f*ck tonne of issues in these apps. So far, I've submitted over 20+ bugs to some of these companies. Some have been responsive, I've even been awarded bug bounties, and some have ignored my issues.
There are around 20 popular women's reproductive health apps on the market that Mozilla have documented concerns over. So far, I've completed RE on 4 of these apps. Two, Glow & Ovia Health, I have information ready to publish on. The Glow public disclosure will occur this week. The Ovia Health report is still in situ, waiting on the company to get back to me on legal issues. My aim with this project is to RE all 20+ of these apps to make a big dent in bringing transparency, accountability and enforcing privacy by design with these companies.
Reverse engineering as a form of activism is one of the best modes of building a free, fair internet. By exposing injustice within technology through reverse engineering, we can shed light on privacy and security violations and force corporations to be accountable for their products' issues.
So far, my findings on two of the applications include:
- Full account takeover vulnerability
- Sensitive image data leak - 176 images leaked of user screenshots. Only 30 appear to be sensitive, including children's photos. These 30 also included advertising campaigns by the company, including financials.
- Leak of confidential information on companies that have data sharing agreements with employees enrolled with the application (i.e. companies that take data from employees with the menstrual cycle app installed)
- 2 Arbitrary URL load vulns
- 1 Arbitrary Google Play Package load vulnerability
- 1 IDOR vulnerability leading to a GDPR breach of 25 million users
These are just a few examples of how applications with high risk data, such as reproductive health applications, are getting away with having insecure and non-private applications. The only way to truly understand what they are doing is by reverse engineering them.
All vuln findings are responsibly disclosed with a 90-day disclosure period. After the 90 days of reporting any issue to these companies, I hope to publish the research publicly on the applications. Working with the likes of Mozilla would be a bonus, where the results can not only include review of privacy policies but also technical reverse engineering of applications.
Brief overview of expected work:
- Reverse engineering of 20+ reproductive applications with privacy concerns determined by Mozilla Foundation
- Expected completion time 3-9 months (depending on my workload)
- A detailed report of the reverse engineering of each application, covering all privacy and security concerns
- Any vulnerabilities found would be disclosed responsibly to the application creator with a 90-day disclosure period before public release
Support this work
As a researcher who works entirely within the non-profit sector, I rely on grants and donations to fund my work, since I have no affiliation or employment with a corporation. I wish to do this work for the greater good of a fair internet but have little financial support. If you wish to support this project, you would be supporting the vulnerability research of critical applications that need attention for the privacy and security of their users.
My work centralizes around exposing corporate injustices, attacks on citizens by hostile governments and decentralization. I stand by the values of the cypherpunk’s manifesto in creating anonymous transaction systems and protecting our right to privacy. I am curious and passionate about exploring human rights, privacy, open society, open-source, open-protocol and commons.
I believe that hacking has the power to change the digital landscape for the people; true hackers, those who are driven by the pursuit of justice, freedom and human rights, have the power to expose the vulnerabilities of oppressive systems and ignite a revolution of change.
If you think that this work is impactful, please consider subscribing.
Or, if you simply want to buy me a coffee, please do so here:
If you wish to support this project through a grant, please contact me through my Mastodon channel.