Auditing the Oral-B App (v5.0.0)

Upon quickly assessing the Oral-B app (com.pg.oralb.oralbapp), the following findings have been made:

Hardcoded AES parameters (CVE-2018-5298) and twitter keys



These parameters are stored in the class OralBApplication and also get used there:



Using the twitter secrets, it's possible to create bearer tokens impersonating the Oral-B twitter application. The secrets stored in the app are application tokens only - in my tests it was not possible to authenticate in user context.

The stored AES parameters are used to encrypt and decrypt the locally stored shared preferences in the class called Preferences:


Because of the static key, an attacker can gain access to user data more easily by leveraging access to the preferences XML file.

Tracking

Upon running the app, the user automatically gets tracked. There is no opt-in required, it's enabled by default.

As you can see, third party advertising providers are allowed to gain access to the user location automatically. Unique advertising IDs are automatically assigned.


It's possible to add your dentist to the Oral-B app. This process uses a server side API to search for a specific dentist in your location. This allows Oral-B to access your location and gain information about your dentist:


Of course, facebook tracking is also enabled by default:


Last but not least, the weather functionality of course also requires and transmits your current location:



Please note no transmission of user specific brushing data has been identified. However, there is a cache that saves your last brushing sessions <:

Popular posts from this blog

Auditing NQ Contacts Backup & Restore 1.1

Auditing WriteDiary.com (CVE-2017-15581 & CVE-2017-15582)