Last year I launched a project called RE:PRIVACY.
This is a piece of work intended to utilize reverse engineering (RE) to find and understand privacy issues within publicly available or enforced applications. This also extends to security & vulnerability research. Inspired by Mozilla Foundation's Privacy Not Included, the goal is to make users aware of what products have privacy and security risks, not just by reading what the company says, but by looking under the hood of the technology itself. With transparency, we can bring accountability and action, making the internet a safer place.
The intent here is to identify any privacy and security risks in the apps, a bit like what I did with the Korean Ministry of Defense's app. The project started in the middle of 2023 and has pretty much turned into a minefield. I started by looking at Reproductive Health apps, namely menstrual cycle tracking apps. I felt real unrest in this market as my partner was utilizing these apps and I grew concerned about the capitalistic nature of data collection relating to women's health. What I didn't realize at the time of starting this project was that I would find a f*ck tonne of issues in these apps. So far, I've submitted 20+ bugs to some of these companies. Some have been responsive, I've even been awarded bug bounties, and some have ignored my issues.
There are around 20 popular women's reproductive health apps on the market that Mozilla have documented concerns over. So far, I've completed RE on 4 of these apps. Two, Glow & Ovia Health, I have information ready to publish on. The Glow public disclosure will occur this week. The Ovia Health report is still in situ, waiting on the company to get back to me on legal issues. My aim with this project is to RE all 20+ of these apps to make a big dent in bringing transparency, accountability and enforcing privacy by design with these companies.
Reproductive health applications are often built on data-as-commodity models and have little security and privacy. Many programs, such as Mozilla Foundation's Privacy Not Included, review the privacy policy of these applications to advise on application integrity where the data is highly sensitive, such as reproductive data. The only way to truly tell how secure these applications are is by reverse engineering them, and this project aims to do that.
Reverse engineering as a form of activism is one of the best modes of building a free, fair internet. By exposing injustice within technology through reverse engineering, we can shed light on privacy and security violations and force corporations to be accountable for their products' issues.
So far, my findings include, though are not limited to:
- Two full account takeover vulnerabilities
- PII data leaks
- IDOR vulnerabilities leading to a GDPR breach affecting 25 million users
- Sensitive image data leak - 176 images of user screenshots leaked. Only 30 appear to be sensitive, including children's photos. Within these 30 were also advertising campaigns by the company, including financials.
- Leak of confidential information on companies that have data sharing agreements with employees enrolled with the application (i.e., companies that take data from employees with the menstrual cycle app installed)
- 2 Arbitrary URL load vulns
- 1 Arbitrary Google Play Package load vulnerability
These are just a few examples of how applications handling high-risk data, such as reproductive health applications, are getting away with being insecure and non-private. The only way to truly understand what they are doing is by reverse engineering them.
All vuln findings are responsibly disclosed with a 90 day disclosure period once the organization has agreed to communicate with me. After the 90 days from reporting any issue to these companies, I hope to publish the research on the applications publicly. If they ignore my report, I inform them of publication after a short period of time in order to instill action to protect their users. Working with the likes of Mozilla would be a bonus, where the results can include not only review of privacy policies but also technical reverse engineering of applications.
Support this work
As a researcher who works entirely within the non-profit sector, I rely on grants and donations to fund my work, since I have no affiliation or employment. I wish to do this work for the greater good of a fair internet but have little financial support. If you wish to support this project, you would be supporting the vulnerability research of critical applications that need attention for the privacy and security of their users.
I will publish a number of these pieces of research to paid subscribers of the site, though I will be sure to include the majority of the high-level content in order to prompt action from the organization at fault. I am doing this on research reports where the organization has either denied my claims or ignored me. This allows me to sustain the work by having my time and effort compensated with a small subscription from my readers.
My work centres around exposing corporate injustices, attacks on citizens by hostile governments, and decentralization. I stand by the values of the Cypherpunk's Manifesto in creating anonymous transaction systems and protecting our right to privacy. I am curious and passionate about exploring human rights, privacy, open society, open-source, open-protocol and the commons.
I believe that hacking has the power to change the digital landscape for the people; true hackers, those who are driven by the pursuit of justice, freedom and human rights - have the power to expose the vulnerabilities of oppressive systems and ignite a revolution of change.
If you think that this work is impactful please consider subscribing.
Or, if you simply want to buy me a coffee, please do so here:
If you wish to support this project through a grant, please contact me through my Mastodon channel.