Hacking Mandated Apps – Part 1: Intro

NOTE: This was all coordinated work with human rights activists, vulnerabilities were reported, findings public, and talk (below) given! 🙂

Is monitoring your children something your country’s government asks you to do? 
Do you feel you need the government’s help to parent your child, technologically? 
What if I told you there is a country that forced its population to constantly trail their own children? 

Unbelievable, right? Let me tell you more.

In 2015, the South Korean government introduced a mobile monitoring app called Smart Sheriff. It put the privacy of millions of Koreans at risk.

So, what is Smart Sheriff?

Smart Sheriff was a parental mobile monitoring app, introduced in South Korea. It was developed by MOIBA, a Korean-based app maker. The app was funded by the Korean government and distributed for free. The application consisted of two components, namely: “parent-app” and “child-app”. The parent-app is instantly notified of the whereabouts of the phone in which the child-app is installed. After both the applications have been installed, the parent-app can conduct thorough surveillance. This will help it to manipulate the contents of the phone in which the child-app is installed. The parent-app can also control various sources of Internet available on the phone with the child-app.

As reported by the Japan Times, the Korean Government passed a law in April of 2015. The law mandated the installation of Smart Sheriff for all smartphone users under the age of 19. If they failed to do so their phones would be inoperable. The government was determined to protect minors by monitoring their online activity. They also wanted to block access to harmful sites and reduce the use of inappropriate language.

Above all, through this mobile monitoring app, parents would have direct access to their children’s location, data and usage. The Smart Sheriff app was approved by the State as it had the presumed potential to keep children away from bullying, threat and pornography. However, its abysmal security presented an opportunity for attackers from all over the world. This put the personal information of millions of people at risk.

Who tested this? – 2 teams

  1. Cure53: Both rounds were done by two testers Fabian Fäßler (@samuirai) and 7ASecurity [ @7asecurity @7a_ ] 🙂
  2. Citizen Lab: Our work was coordinated with Citizen Lab, who also had another team looking for vulnerabilities. Fabian went to Citizen Lab that summer and reviewed additional apps there, that later work is mentioned in the Brucon and DeepSec talks, which I will link to, and talk about, in the next few blog posts.

Why was this tested?

Honestly, we were just a technical team that was hired. But this was all coordinated work with human rights activists. With such a powerful app mandated in an entire country, human right activists had concerns about the security of the app and whether it could introduce more problems than it would solve.

With this in mind, the first test was initiated by Citizen Lab, a human rights organization, and sponsored by the Open Technology Fund. The goal was to evaluate the security of this app being mandated to ensure the security and privacy of children were not put at risk.

At the beginning, the owner and maintainer of the Smart Sheriff app, MOIBA, was not informed of the test. The team did not get access to the sources of the app. We had to first retrieve the APK from a Korean APK download service, decompile the APK and then analyze the resulting sources.

Please note that after the first and second test, all findings were disclosed to MOIBA (the app vendor) by human right activists, so full props to them for doing the most difficult part of the process!

Hack Smart Sheriff to pieces with us!

NOTE: Attendants will get lifetime access to our training portal with:
– Unlimited course updates & Step-by-step lab video recordings
Lots of real-world apps to practice with, such as:
  + Government-mandated and police apps in various countries
  + Many other excitingly vulnerable real-world apps!
  + IoT apps controlling Toys, Drones, etc.

Cannot make it? ping sales@7asecurity.com for training portal access.

Recorded Talk 1: ConFidEncE

I believe the first time Fabian and myself presented this was at ConFidEncE:

Next blog post:

Hacking Mandated Apps – Part 2: Translating APKs