Vulnerability: linking photos to ID
By Yaniv Balmas, Head of Cyber Research at Check Point Software Technologies
Yaniv Balmas, Head of Cyber Research, Products-R&D at Check Point
The Voila application creates a cartoon avatar from a user’s photo. The cartoon often looks funny or cute and many people enjoy the process, but the fun can quickly turn sour if the app mishandles user data and its protection. The app's privacy practices are already under discussion.
“We briefly looked at the application and the following concerns are to be expressed: Voila sends the portraits of users to its server for processing; these are not processed locally on the phone, as many people probably think. In the course of this, however, the app notes the special and assignable installation identification (vdid, ID), which is created under Android systems by Google Play and connected to the user’s smartphone.”
The application has these points in its favor: it was written by a registered, and therefore legally approved, LLP company in the UK, and it requires only the minimum access rights and permissions on the smartphone that its functions need. The app checks that only one face is visible in the image and sends the image to the server only after this check passes. Communication with the server is encrypted with HTTPS and is therefore protected by default. Voila also uses well-known open-source libraries for its code, as far as this is possible.
Thus, after our brief investigation, it can be summarized that the developers of the application have done a lot right to protect the privacy and data of users.
However, one major drawback remains: photos are linked to the ID, which allows users to be unmasked.