App can collect plenty of information about the device

Feb 21, 2015 11:26 GMT  ·  By

Microsoft and Lenovo have issued solutions to mitigate the risk posed by the Superfish root certificate, but trouble for the company may extend to the mobile versions of its product as they’ve been found to contain code that can track users.

The mobile equivalent of Superfish is called LikeThat, and it is available for both iOS and Android from each platform's app store.

The app is designed to help users shop for furniture by taking pictures of the desired items; the picture is then uploaded to Superfish’s servers, and visually similar results from thousands of retailers are returned.

Device ID is sent to analytics company

Jonathan Zdziarski, an iOS forensics expert, cast a glance at the code of the app and discovered that it included features to identify a device by a unique ID, and to preserve whatever EXIF data is available in the photos taken by the user and sent to its servers.

The ID code, which is also sent to an analytics company, is assigned to the device without notifying the user, and it may be derived from the MAC address of the mobile device.

As for the EXIF data attached to images, the privacy risk is that it may contain the GPS position and the time the picture was taken. Multiple images from different locations can therefore trace a user’s movements over a period of time.
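As an added illustration (not code from the article or from Superfish's app), the following Python check shows the EXIF exposure described above from the defender's side: it reports whether a JPEG carries an Exif GPS sub-IFD and strips the Exif segment before an image is uploaded. It assumes the standard Exif tag numbers (0x8825 for the GPS IFD pointer, 0x0132 for DateTime) and only scans IFD0 rather than parsing the sub-IFD itself; the sample JPEG is constructed inline and contains no image data.

```python
import struct
GPS_IFD_TAG = 0x8825  # IFD0 entry pointing to the GPS sub-IFD (latitude, longitude, timestamp)

def exif_ifd0_tags(payload):
    """Return the set of tag numbers in IFD0 of an Exif APP1 payload (empty if malformed)."""
    tiff = payload[6:]
    if not payload.startswith(b"Exif\x00\x00") or tiff[:2] not in (b"II", b"MM"):
        return set()
    e = "<" if tiff[:2] == b"II" else ">"  # byte order from the TIFF header
    magic, ifd0 = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return set()
    count, = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])
    entries = tiff[ifd0 + 2:ifd0 + 2 + 12 * count]  # 12-byte IFD entries, tag is the first word
    return {struct.unpack(e + "H", entries[i:i + 2])[0] for i in range(0, len(entries) - 11, 12)}
def jpeg_segments(data):
    """Yield (marker, payload) per JPEG segment; SOS/EOI yield the rest of the file."""
    pos = 2  # skip SOI (FF D8)
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: entropy-coded image data follows
            yield marker, data[pos:]
            return
        length, = struct.unpack(">H", data[pos + 2:pos + 4])  # struct.error on a truncated file
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
def has_gps_exif(data):
    """True if any Exif APP1 segment carries a GPS sub-IFD pointer."""
    return any(m == 0xE1 and GPS_IFD_TAG in exif_ifd0_tags(p) for m, p in jpeg_segments(data))
def strip_exif(data):
    """Return a copy of the JPEG with every Exif APP1 segment removed; image data is untouched."""
    out = bytearray(data[:2])
    for marker, payload in jpeg_segments(data):
        if marker in (0xD9, 0xDA):
            out += payload
        elif not (marker == 0xE1 and payload.startswith(b"Exif\x00\x00")):
            out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out)
def build_sample_jpeg(with_gps):
    """Constructed minimal JPEG (SOI, Exif APP1, EOI; no image data) used only for this demo."""
    ifd0 = [(0x0132, 2, 20, 0)]  # DateTime (ASCII); its value pointer is not read by the checker
    if with_gps:
        ifd0.append((GPS_IFD_TAG, 4, 1, 38))  # LONG pointer to the GPS IFD placed at offset 38
    tiff = b"MM\x00\x2a" + struct.pack(">IH", 8, len(ifd0))  # big-endian, IFD0 at offset 8
    tiff += b"".join(struct.pack(">HHII", *entry) for entry in ifd0) + b"\x00" * 4  # no next IFD
    if with_gps:  # GPS IFD at offset 38: one entry, GPSLatitude (tag 2, RATIONAL x3), terminator
        tiff += struct.pack(">HHHII", 1, 0x0002, 5, 3, 0) + b"\x00" * 4
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Running `has_gps_exif` on a photo before upload is the check; `strip_exif` is the mitigation a client should apply when location metadata is not needed by the service.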

The researcher found that Superfish’s LikeThat on iOS is quite invasive and includes code that can pull information about the device, such as free disk space, MAC address, memory in use, CPU frequency and type of display.

GPS position sending capability is present in the code

If location services have been enabled on the device, Superfish no longer has to rely on the metadata from the photos, as the GPS position is delivered by that service. Zdziarski notes that user permission is required on iOS.

In a blog post on Friday, he also points out that, although these tracking features may not be active in the iOS or Android versions of the application, the capability to collect and transmit the user’s position is present within their SFLocationAPI class.

“It seems Superfish went out of their way to avoid using the correct method to select an image from your photo album (UIImagePicker), and instead decided to use a technique that could allow access to underlying image metadata most users aren’t aware gets stored,” the researcher says.