Mobile Apps
Vulnerability: linking photos to ID
By Yaniv Balmas, Head of Cyber Research at Check Point Software Technologies
Yaniv Balmas, Head of Cyber Research, Products-R & amp; D at Check Point
The application Voila is able to create a cartoon avatar from a user’s photo. This cartoon may often look funny or cute and the process is fun for many people, but joy can quickly turn into suffering if the app incorrectly handles user data and their protection. There are already discussions about privacy regarding this program.
“We briefly looked at the application and the following concerns are to be expressed: Voila sends the portraits of users to its server for processing; these are not processed locally on the phone, as many people probably think. In the course of this, however, the app notes the special and assignable installation identification (vdid, ID), which is created under Android systems by Google Play and connected to the user’s smartphone.”
Thus, the photos are bound to this ID and the facial images of the users can be identified with it, so they are not transmitted and processed anonymously – but this is honestly stated in the company’s privacy policy. But if a virtual attack happens by some kind of hacker group, the danger is obvious, because ID and associated photos of the face can be stolen and misused for various purposes. It attracts a large database of often high-resolution portraits with clear identification of the respective person. In addition, the company itself, or an affiliated company, could also exploit this information for other purposes, which are unlikely to be right for users. All users or newcomers to the application should be aware of this risk.
Good about the application are these features: It was written by a registered and therefore legally approved LLP company in the UK and requires only the minimum of access rights and permissions on the smartphone, which are necessary for the functions. The app ensures that only one face is visible on the image, otherwise not, and only after this confirmation sends the images to the server. The communication with the server is encrypted by HTTPS and is therefore protected ex-works. Voila also uses well-known open-source libraries for the program lines, as far as this is possible.
Thus, after our little investigation, it can be summarized that the developers of the application have done a lot of right to protect the privacy and data of users.
However, there remains a big downer regarding the linking of photos with the ID, whereby users can be unmasked.
