Research REarchive

Security and privacy analysis: MDM applications (국방모바일보안) for South Korean Military personnel (2023)

Ovi
This is a repost of some critical research I performed back in 2023 that was originally hosted on Interlab's website. Since Interlab has been abandoned by its owner and thus shut down the website, I'm posting it here to ensure the research I performed is preserved. As stated in the title, this is research from 2023 and is for archiving & indexing purposes so people can still review it. Unfortunately, I do not have a Korean version of the research right now, and I will publish a translation soon. I wrote a response to this research later on in 2023, which can be found here.

This report provides a detailed analysis of the security, privacy and functional issues present in the three versions of the Mobile Defence Security application issued by the Ministry of National Defense in South Korea. The application is currently required to be installed on the mobile devices of every soldier, employee, and external visitor (including journalists).

The purpose of such a requirement imposed on every individual in the military is to protect military secrets by restricting the camera and other functionalities in mobile devices. However, there has been an abundance of criticism over whether the application can also be used for surveillance, especially on journalists who are also being required to install the application when visiting military bases for investigation.

Based on thorough analysis, I confirm that the application’s vulnerability and weak source code can potentially breach user and military base locations, thus directly and critically violating its purpose.


Key Findings:

  • The developer of the application states that the application does not store any user-generated personal data, such as contact lists, videos, photos or SMS data. However, based on our analysis, the application did store sensitive personal data including geolocations with precise timestamps. My analysis deems this to be in breach of safeguarding of sensitive data and is a privacy and security risk to users and the Ministry of National Defense themselves.
  • For the Staff and External version of the application, I identified two vulnerabilities that would allow an attacker to export the personal data without requiring any permissions. If an attacker had access to the device, they would be able to export all application log files, which include coarse GPS locations and respective timestamps.
  • My evidence found that the application contained unused code and functionality that would raise further privacy or security concerns.

I responsibly disclosed these vulnerabilities (on March 10th) to the Ministry of National Defense, detailing how an attacker could leverage them and how to fix them. The Ministry of National Defense did not respond to me, and on July 18th 2023, the Ministry of National Defense (MND) released an update for the application which patched the vulnerabilities I found. Further writings on this finding can be found here.

Full report in English: