26 Apr Security and privacy analysis: MDM applications (국방모바일보안) for South Korean Military personnel
Posted at 10:00h in 연구
This report provides a detailed analysis of the security, privacy and functional issues that are implemented in the three versions of the Mobile Defence Security application issued by the Ministry of National Defense in South Korea. The application is currently being required to be installed on every soldier, employee, and external visitors’ (including journalists) mobile devices.
The purpose of such a requirement imposed on every individual in the military is to protect military secrets by restricting the camera and other functionalities in mobile devices. However, there has been an abundance of criticism whether the application can be also used for surveillance, especially on journalists who are also being required to install the application when visiting military bases for investigation.
Based on thorough analysis, Interlab confirms that the application’s vulnerability and weak source codes can potentially breach user and military base locations, thus directly and critically violating its purpose.
- The developer of the application states that the application does not store any user generated personal data, such as contact lists, videos, photos or SMS data. However, based on our analysis, the application did store sensitive personal data including geolocations with precise timestamps. Our analysis deems this to be in breach of safeguarding of sensitive data and is a privacy and security risk to users and the Ministry of National Defense themselves.
- For the Staff and External version of the application, we identified two vulnerabilities that would allow an attacker to export the personal data without requiring any permissions. If an attacker had access to the device, they would be able to export all application log files, which include coarse GPS locations and respective timestamps.
- Our evidence found that the application contained unused code and functionality that would raise further privacy or security concerns.
Interlab responsibly disclosed(On March 10th) these vulnerabilities to The Ministry of National Defence, detailing how an attacker could leverage it and how to fix it. The Ministry of National Defence did not respond to Interlab, and at the time of publication of this report, the latest version of the application remains vulnerable.