DefCamp_2019_Conference_Chemerkin_Yury.pdf

YuryChemerkin 23 views 130 slides Jul 21, 2024

About This Presentation

This presentation focuses on security vulnerabilities in health and fitness apps, wearable devices, and smart home products. It demonstrates techniques for extracting sensitive data from these devices and applications, highlighting privacy risks.


Slide Content

BREAKING SMART. HACKING HEALTH, WEARABLE AND SMART APPS TO PREVENT LEAKING
YURY CHEMERKIN
MULTI-SKILLED SECURITY EXPERT
CJSC ADVANCED MONITORING

YURY CHEMERKIN
I have 10+ years of experience in information security. I'm a multi-skilled security expert on security & compliance and mainly focused on privacy and leakage showdown. Key activity fields are EMM and Mobile & Cloud Computing, IAM, Forensics & Compliance. I published many papers on mobile and cloud security, regularly appear at conferences such as CyberCrimeForum, HackerHalted, DefCamp, NullCon, OWASP, CONFidence, Hacktivity, Hackfest, DeepSec Intelligence, HackMiami, NotaCon, BalcCon, Intelligence-Sec, InfoSec NetSysAdmins, etc.
LINKEDIN: HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
TWITTER: @YURYCHEMERKIN
EMAIL: [email protected]

SMART ISSUES
FORENSICS CAPABILITIES
SPORT & HEALTH
SECURITY & TIPS

SECURITY NOWADAYS. FORENSICS DIRECTION
[Diagram labels: APP SERVERS; HEALTH VENDOR CLOUD; CDN; 3RD PARTY CLOUD; BACKUP OF DEVICE; MOBILE DEVICE; 2FA; LEAKED DATABASE]

FORENSICS TOOLS. ADVERTISEMENT IS NOT SCARIEST THING IN THE WORLD

FORENSICS. UNSTOPPABLE ACCESS

STRAVA
•GOOGLE, CRASHLYTICS, FACEBOOK, ZENDESK, IO.BRANCH
•NETWORK DATA IS PROTECTED FROM MITM
•CREDENTIALS, PROFILE AND MEASURES
•SPORT GEAR MEASURES IF IT EXISTS
•MAINLY KEEP ON STRAVA SERVERS
•GEO DATA IN BACKUPS
•ZENDESK USERID & TOKEN + BASIC PROFILE
•PHOTOS TAKEN BY USERS ON CLOUDFRONT

STRAVA – DETAILS
•Analytics, 3rd party SDK – Google, Crashlytics, Facebook, Zendesk, io.branch
•Network:
•Traffic is generally protected by certificate pinning; however, the developer API doesn't have it as a built-in feature
•Protected credentials, profile and measures related to runs; walking stats sync but aren't correctly incorporated into overall stats (not supported over years)
•Gear measures if it exists
•Mainly kept on Strava servers

STRAVA – DETAILS
•Geo route details: Documents\*.stravactivity
•wp: lat:55.899412; long:37.575460; hacc:64.000000; vacc:63.175690; alt:187.060074; speed:4.348559; course:124.105452; t:1554864639.673529; dt:1554864639.612675
•Zendesk UserID & token
•\Library\Preferences\com.zendesk.core.identity.plist

STRAVA–DETAILS
•Photos taken by users
•\Library\Preferences\com.strava.stravaride.plist
•+ basic bio
•Full Name + email

FORENSICS. DEVELOPED IN A MAC STYLE

CLOUDY DATA. EXTRACTION

RUNGAP APP. AN EXCHANGE INTERFACE FOR DATA
•DROPBOX SUPPORTS
•SPORT ACTIVITIES
•HEALTH DATA
•BODY MEASURES
•ZIPPED FILES
•ROUTES MAPS

RUNGAP – DETAILS
•Analytics, 3rd party SDK – Google, Facebook
•Network
•Dropbox support to exchange & store data – highly detailed files with source info
•Some general activity data is available but is mainly transferred as zipped files
•Examples are on next slides

RUNGAP – DETAILS
•Analytics, 3rd party SDK – Google, Facebook
•No useful backup data
•Activity – raw data with geo and activity type
•LAP – data items similar to the above
•Thumbimage – route with a map background
•Also the Mapfingerprint, path and raw data tables contain raw data

ALTERNATIVE SOURCES ARE NOT SUPPORTED

ALTERNATIVE SOURCES ARE NOT SUPPORTED. ~50 APPS W/O 2FA
•General Sport: Strava, RunGap, Pacer, Nike RUN Club & Training, MyFitnesspal
•Gym: Smartgym, Gymaholic, GYM & Freelitcs, Flexi, Hussle, Strong
•Health & Sleep: Pillow, HeartWatch, SleepWatch, Welltory
•Summer Sports: RunKeeper, Road & Mountain Bike, iSkate, Bike Tracks, SpeedTracker, CycleMeter, FitMeterBike, Crono, Altimeter
•Winter Sports: Ullr & Ullr Maps, Squaw alpine, Snow forecast, SnocRu, Slopes, Skitude, SkiTracks, Ski AR, Jolly Turns, Riders, Fatmap, Avalanche
•Workouts: Workouts++, Running, Gymatic, Gymnotize, Muscle Booster, Fitness buddy, Centr, Body weight, AsanRebel, Training (Adidas, Runtastic)

DOWNLOADS W/O RESTRICTIONS. PUBLIC DATA, BACKUP ACROSS CLOUDS
•SLEEPWATCH: SLEEP & HEART DATA
•ROAD BIKE, MOUNTAIN BIKE: IMAGES ON CDN
•PACER: WORKOUTS, HEALTH & GPS
•SKITUDE: RIDER LIST AND THEIR TRACKS

SLEEPWATCH – DETAILS
•Analytics, 3rd party SDK – Google, Facebook
•Network
•Surveys, PDF report with strong auth, without publicly available data unless developer credentials from AWS S3 leak
•https://sleepwatch-backend.bodymatter.io/report/pdf?report_id=xxxx
•Daily tracked sleep data

SLEEPWATCH – DETAILS
•Analytics, 3rd party SDK – Google, Facebook
•No useful backup data
•Documents\data\*.json – Apple Watch model, last ~5 sleep records (timeframe only)
•Body profile – \Library\Preferences\io.bodymatter.SleepWatch.plist

ROAD BIKE, MOUNTAIN BIKE – DETAILS
•Analytics, 3rd party SDK – Google, Facebook, Flurry
•Network
•Basic info, CloudFront'ed images
•General and details of tracks
•Video not analyzed
•Examples are on next slides

ROAD BIKE, MOUNTAIN BIKE – DETAILS
GPS Data: longitude, latitude, altitude, accuracy, distanceInMeter, upward/downward (meters), timestamp local, timestamp gps
Session Data: timestamp (start, end), distance, duration, avg & max speed, upward/downward, heartZone values (need special device)
Speed Data: timestamp, speed, duration, distance
User Data: email, password, weight, height, gender, name, birthday

DOCUMENTS\DATABASE.SQLITE3
Where to search data (tables):
GPS & location
HeartRate (requires special devices)
Session Data, Speed, User Data
Location and geo snapshots – Documents\MapOpenCycleMap.sqlite
User info – Documents\database.sqlite3

PACER – DETAILS
•Analytics, 3rd party SDK – Google, Facebook, Flurry, Mopub, Appsflyer, Crashlytics, Amplitude, AWS ads
•Network
•Profile data, device data, geo data
•Data mainly stored on AWS S3 as backup files
•Workout plan & progression
•MinutelyActivityLog, DailyActivity, HeartLog
•GPS route logs and indoor routes
•Examples are on next slides

PACER

PACER – DETAILS
•Analytics, 3rd party SDK – Google, Facebook, Flurry, Mopub, Appsflyer, Crashlytics, Amplitude, AWS ads
•No useful backup data
•\Shared\AppDomainGroup-group.cc.pacer.shareddata\Library\Preferences\group.cc.pacer.shareddata.plist

SKITUDE – DETAILS
•Analytics, 3rd party SDK – Google, Facebook, Crashlytics
•Network
•Credentials + token, basic info
•Rider list with name, photo and their tracks stored on AWS per resort you've searched for
•User DB – not analyzed
•Examples are on next slides

SKITUDE – DETAILS
•Analytics, 3rd party SDK – Google, Facebook, Crashlytics
•No useful backup data
•Tracks & images – Documents\skitude_tracking.db & skitude_images.db
•Friends – FFData.db
•Avatar – avatar.jpg
•May also contain separate photos, videos, audio and temp data from Apple Watch
•Examples are on next slides

SKITUDE–DETAILS

SHARING YOUR DATA. LEAKING OUT OF HEALTH APP
•INTER-ACCESS: GYMAHOLIC, WELLTORY, FATMAP, CYCLEMETER
•DISCOVERING IDS: MUSCLE BOOSTER
•TRANSFERRING: WELLTORY
•NOT CLEANING: GYMNOTIZE

SECURE APPS. NO DATA, NO ISSUES
•No backup data, no network data
•Speed tracker, Altimeter
•Workouts++, Gymatic, Flexi, Hussle, & Smart gym, BodyWeight
•Squaw alpine, JollyTurns, Avalanche
•No network data
•Pillow, SleepWatch
•Cyclemeter, FitmeterBike, Crono
•Muscle Booster
•No backup data
•Pacer, GYM & Freelitcs, Gymnotize, Centr
•Ullr & Maps, Snow Forecast, Slopes

OVERLOADED APPS
•ROAD BIKE, MOUNTAIN BIKE, ISKATE, BIKE TRACKS, CYCLEMETER, FITMETERBIKE, FATMAP, RUNNING, WELLTORY, RUNKEEPER
•ULLR & MAPS, SNOW FORECAST, SLOPES, SKITUDE, SKITRACKS, RIDERS, FATMAP, FITNESS BUDDY, CENTR, WELLTORY
•ISKATE, SKITRACKS, FITNESS BUDDY, CENTR, RUNKEEPER

ANALYTICS & SDK – 16
•Google, Facebook, Crashlytics, io.branch
•Flurry, Mopub, Appsflyer, Amplitude, AWS ads
•NewRelic, Localytics, Zendesk, MixPanel
•AppAnex, Twitter, OneSignal
AMOUNT OF DATA WASTED ON ANALYTICS MODULES
•Reduced from 0.5 TB per year down to 0.063 TB
•1 hour: 0.59 → 0.06
•1 day: 1.76 → 0.18
•1 week: 12.30 → 1.23
•1 month: 52.73 → 5.27
•1 year: 632.81 → 63.28
APPS – 50
•Strava, RunGap, Pacer, Nike RUN Club & Training, MyFitnesspal
•Smartgym, Gymaholic, GYM & Freelitcs, Flexi
•Hussle, Strong
•Pillow, HeartWatch, SleepWatch, Welltory
•RunKeeper, Road & Mountain Bike, iSkate, Bike Tracks, SpeedTracker, CycleMeter, FitMeterBike, Crono, Altimeter
•Ullr & Ullr Maps, Squaw alpine, Snow forecast, SnocRu, Slopes, Skitude, SkiTracks, Ski AR, Jolly Turns, Riders, Fatmap, Avalanche
•Workouts++, Running, Gymatic, Gymnotize, Muscle Booster, Fitness buddy, Centr, Body weight, AsanRebel, Training (Adidas, Runtastic)

Total, GB
            1 hour  1 day  1 week  1 month  1 year
Low, GB       0.06   0.18    1.23     5.27   63.28
Medium, GB    0.29   0.88    6.15    26.37  316.41
High, GB      0.59   1.76   12.30    52.73  632.81

[Bar chart, axis 0 to 9, one bar per app: MyFitnesspal, Fatmap, SnocRu, Training (Adidas, Runtastic), Pillow, RunKeeper, Muscle Booster, Nike RUN Club, GYM & Freelitcs, Strong, Squaw alpine, Centr, Hussle, Mountain Bike, CycleMeter, Altimeter, Slopes, Jolly Turns, SleepWatch, FitMeter Bike, Ullr Maps, Ski AR, Smartgym, HeartWatch, Workouts++]

EXTENDED SLIDES. APPS’ DETAILS
•Here you will find details and examples of the 50 analyzed apps, divided into several groups, with reference to the amount of data that can be downloaded from developers' websites, sometimes without credentials

GENERAL SPORT CATEGORY
•Strava,
•RunGap,
•Pacer,
•Nike RUN Club & Training,
•MyFitnesspal

RUNGAP – DETAILS
•Analytics, 3rd party SDK – Google, Facebook
•Backup data:
•Activity – raw data with geo and activity type
•LAP – data items similar to the above
•Thumbimage – route with a map background
•Also the Mapfingerprint, path and raw data tables contain raw data

PACER – DETAILS
•Analytics, 3rd party SDK – Google, Facebook, Flurry, Mopub, Appsflyer, Crashlytics, Amplitude, AWS ads
•Backup data
•\Shared\AppDomainGroup-group.cc.pacer.shareddata\Library\Preferences\group.cc.pacer.shareddata.plist

NIKE RUN CLUB & TRAINING
•Analytics, 3rd party SDK – Google, Facebook, NewRelic, own
•No useful local data; much data is bound to Nike shoes
•Network – basic profile, achievement, shoes activity, tracks & geo
•Data mainly stored on Nike servers
•Credentials weren't caught

MYFITNESSPAL
•Analytics, 3rd party SDK – Google, Facebook, Amplitude, Zendesk, Mopub, AWS, Crashlytics, io.branch
•Network
•No credentials (encrypted one is used)
•Profile info + avatar from CloudFront
•Body measures, timeline activity, messages
•Examples on next slides

MYFITNESSPAL

MYFITNESSPAL
User profile pics: com.myfitnesspal.android/cache/Picasso-cache
User profile pics: /sdcard/
/data/data/com.myfitnesspal.android/databases/myfitnesspal.db
Documents\maindb.sqlite
User details including time zone, gender, date of birth and email – in tables <user_properties, users> – see a pic
User profile pictures – in table <images>
User personal notes – in table <diary_notes>
User records of exercises, food habits and personal measurements – in tables <exercise_entries; exercises; food_entries; foods; measurement_types; measurements>
User last synched items with the server – in table <last_sync_pointers>
User food search history – in table <search_history>
Examples on next slides

GYM SPORT CATEGORY
•Smartgym,
•Gymaholic,
•GYM & Freelitcs,
•Flexi,
•Hussle,
•Strong

SMARTGYM
•Analytics, 3rd party SDK – Flurry
•No useful backup data
•No useful network data

GYMAHOLIC
•Analytics and 3rd party SDKs – Google, Twitter, Localytics
•Backup data:
•Strava & RunKeeper tokens in \Library\Preferences\mportal.Gymaholic.plist
•Details per training plan + calories in \Documents\gymaholic.sqlite
•Network
•Credentials; even Strava credentials were caught in plaintext, which usually never happens
•General workout data after payment is done

GYM & FREELITCS
•Analytics, 3rd party SDK – Google, Facebook, Crashlytics, Appsflyer
•Backup data
•Basic info: full name, email, gender, body measures in plist files of the \Documents\ folder
•Network
•Credentials, workout plan, paid option, messages, selected coach, progress

FLEXI
•Analytics, 3rd party SDK – Google, Facebook, Crashlytics, io.branch
•No useful backup data
•No useful network data

HUSSLE
•Analytics, 3rd party SDK – Google, Facebook, Crashlytics
•No useful backup data
•No useful network data

STRONG
•Analytics, 3rd party SDK – Google, Facebook, Crashlytics, io.branch
•Network
•Credentials, general profile data + public URL of avatar stored on AWS S3
•https://strong-prod.s3.amazonaws.com/7d4dc7d03a7d5a9b964c1ef8f0951a99_3028C9B3-412A-4501-AEA2-8FA26D1B2B58.jpg
•Analytics, 3rd party SDK – Google, Facebook, Crashlytics, io.branch
•Backup data
•Training details & measures, including basic user info, in \Documents\Strong4.sqlite
•Examples on next slides

STRONG

HEALTH SPORT CATEGORY
•Pillow,
•HeartWatch,
•SleepWatch,
•Welltory

PILLOW
•Analytics, 3rd party SDK – Google, Crashlytics, Mixpanel, Flurry, Appsflyer
•Backup data
•Sleep details & raw data – \Library\Application Support\PillowSleepData.sqlite
•Diagram of the last month – \Shared\AppDomainGroup-group.com.neybox.Pillow\Library\Preferences\group.com.neybox.Pillow.plist
•No useful network data

HEARTWATCH
•No analytics, 3rd party SDK
•No network data checked
•Backup data
•\Library\Preferences\com.tantsissa.Heartbeat.plist
•\HeartWatch\Documents\YYYYMMDDSleep.txt, YYYYMMDDDetails.txt, YYYYMMDDWorkout.txt, YYYYMMDDSummary.txt
•Examples on next slides

HEARTWATCH
•No analytics, 3rd party SDK
•No network data checked
•No useful backup data
•\Library\Preferences\com.tantsissa.Heartbeat.plist
•\HeartWatch\Documents\YYYYMMDDSleep.txt, YYYYMMDDDetails.txt, YYYYMMDDWorkout.txt, YYYYMMDDSummary.txt

SLEEPWATCH
•Analytics, 3rd party SDK – Google, Facebook
•Backup data
•Documents\data\*.json – Apple Watch model, last ~5 sleep records (timeframe only)
•Body profile – \Library\Preferences\io.bodymatter.SleepWatch.plist

WELLTORY
•Analytics, 3rd party SDK – Google, Facebook, Crashlytics, Appsflyer, io.branch
•Network
•Credentials, avatar, daily tracks & surveys
•Health data from Apple Health is transferred out of the sandbox
•List of connected sources (health providers)
•Source credentials if allowed
•Examples on next slides

WELLTORY
•Backup Data
•Logs –AWS keys, useful to download routes from AWS S3
•GEO data
•Route Tracker
•Place = Documents\journeyLogs\YYYYMMDD.log [backup]
•/var/mobile/Containers/Data/Application/6DDA7D12-451B-432D-9865-0777D6A7B4BA/Documents/journeyLogs/YYYYMMDD.log [out of backup]
•),run_in_foreground:0,meta_user_enabled:0,allow_inaccurate_stationaries:0,trip_timeout:0,crash_detection_spee
d_check:0,required_location_providers:(null),crash_detection_config:(null),sdk_logs_aws_credentials:TSENTAWSCr
edentials(access_key:"AKIATQGKZ2 IE4PE5YR5C",secret_key:"1/szK855FgeqBP8 W2f9oB3SBbHcr8 Bh2zd07Gcor
",shard_key:"80",endpoint:"amazonaws.com",region:"eu-west-1",bucket_name:"sentiance- u1-sdk-
logs"),fake_location:(null),payload_submission_category:{
•SLC: 55.898896, 37.586948 (65.000000m) at 21/10/2019 5:56:05 AM Accuracy:65.000000
•Location will trigger unconfirmed moving state. Location: <+55.89889586,+37.58694751> +/-65.00m (speed
-1.00 mps/ course -1.00) @ 21.10.2019, 8:56:05 AM Moscow Standard Time. Region: CLCircularRegion
(identifier:'SENTGeofenceRegionStationary', center:<+ 55.90087891,+ 37.57366085>, radius:50.00m)
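
A release-time check for two leak shapes quoted on these slides, AWS credentials written to an SDK log under Documents\journeyLogs and full-precision waypoints like the Strava `wp:` records, added here as an example that is not code from the presentation. The field names follow the lines quoted on the slides; the sample paths and values are constructed placeholders, and the 5-decimal threshold is an assumption.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# AWS access key IDs: 4-letter prefix (AKIA long-term, ASIA temporary)
# followed by 16 uppercase letters or digits.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Field name as it appears in the SDK log line quoted on the slide.
SECRET_FIELD_RE = re.compile(r'secret_key\s*[:=]\s*"([^"]+)"')
# Waypoint shape quoted on the Strava slide: "lat:<float>; long:<float>;".
WAYPOINT_RE = re.compile(r"lat:\s*-?\d+\.(\d+);\s*long:\s*-?\d+\.(\d+)")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    detail: str  # always redacted or descriptive, never the raw value


def redact(value: str, keep: int = 4) -> str:
    """Keep only the first `keep` characters so the report does not re-leak."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_line(path: str, line_no: int, line: str) -> List[Finding]:
    found = []
    for m in ACCESS_KEY_RE.finditer(line):
        found.append(Finding(path, line_no, "aws_access_key_id", redact(m.group(0))))
    for m in SECRET_FIELD_RE.finditer(line):
        found.append(Finding(path, line_no, "aws_secret_key", redact(m.group(1), keep=0)))
    for m in WAYPOINT_RE.finditer(line):
        decimals = min(len(m.group(1)), len(m.group(2)))
        # 1e-5 of a degree of latitude is about 1.1 m, so 5+ decimals
        # locates a person to within a doorstep (threshold is an assumption).
        if decimals >= 5:
            found.append(Finding(path, line_no, "precise_location",
                                 f"{decimals} decimal places"))
    return found


def audit(files: Dict[str, List[str]]) -> List[Finding]:
    """`files` maps a sandbox-relative path to that file's text lines."""
    findings = []
    for path, lines in files.items():
        for line_no, line in enumerate(lines, start=1):
            findings.extend(scan_line(path, line_no, line))
    return findings


def audit_tree(root: str) -> List[Finding]:
    """Walk an extracted app sandbox or backup directory on disk."""
    base = Path(root)
    files = {
        str(p.relative_to(base)): p.read_text(errors="ignore").splitlines()
        for p in sorted(base.rglob("*")) if p.is_file()
    }
    return audit(files)


# Constructed sample input: paths and values are placeholders for this example.
SAMPLE_FILES = {
    "Documents/journeyLogs/20190101.log": [
        'trip_timeout:0,sdk_logs_aws_credentials:(access_key:"AKIAEXAMPLEEXAMPLE00",'
        'secret_key:"ExampleSecretExampleSecretExample0000000",region:"eu-west-1")',
        "Location will trigger unconfirmed moving state.",
    ],
    "Documents/sample.stravactivity": [
        "wp: lat:10.123456; long:20.654321; hacc:64.000000; alt:187.060074;",
        "wp: lat:10.12; long:20.65; hacc:500.000000;",
    ],
}

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} ({f.detail})")
```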

WELLTORY
•Analytics & 3rd party SDK – Crashlytics, Google, intercom-chat
•Backup data
•Library\UserProfile\avatar.jpeg
•AWS keys
•Place = Documents\SentFiles\configurationDir\config.bin
•Documents\SentFiles\deviceInfoDir\deviceinfo.bin

WELLTORY
•Backup Data
•\Documents\com.SENTModel.sqlite
•Raw logs, raw sensor data – not analyzed yet
•Library\Application Support\com.welltory.client\*.json
•Third-party sport & health apps config to import into Welltory
•Library\PrivateDocuments\io.intercom.ios\Identity.icm

SUMMER SPORT CATEGORY
•RunKeeper,
•Road & Mountain Bike,
•iSkate, Bike Tracks,
•SpeedTracker,
•CycleMeter,
•FitMeterBike,
•Crono,
•Altimeter

RUNKEEPER
•Analytics, 3rd party SDK – Google, Facebook, Amplitude, Crashlytics, Appsflyer
•Network
•Shoes data, public profile image URL, general data + birthday, geo, weight tracking
•No creds found?
•Examples on next slides

RUNKEEPER

RUNKEEPER
•Analytics, 3rd party SDK – Google, Facebook, Amplitude, Crashlytics
•Backup data
•cachedMapImages – tracking with rare mapping background
•\Library\Preferences\RunKeeperPro.plist
•Public profile https://profile-pic.runkeeper.com/57cQPVW3UyFNn1KrKIsQLzUn_norm.jpg
•\Library\Preferences\group.com.runkeeper.tracking.plist
•Birthday, name, email, country
•\Documents\RunKeeper.sqlite = raw data of
•Feed: name, profile image URL, distance, duration
•History: activity type, time, date, calories
•Points: lat., long., alt., distance
•Trips list
•Trip_settings: list of userWeight, activity, userID
•Weight history: list of weight & date

~30 m HEALTH APPS
RUNKEEPER
User profile pics: /fitnesskeeper.runkeeper.pro/cache/Picasso-cache
/fitnesskeeper.runkeeper.pro/databases/RunKeeper.sqlite
User details including activities, trips
Trips deleted by user – in table <deleted_trips>
Activities posted by user – in table <feed>
List of user's friends – in table <friends>
Images uploaded during trips by user – in table <status_updates>
User settings for each trip – in table <trip_settings>
Places visited during all the trips – in table <points>
Information about each trip – in table <trips>
More tables
The points table is used to locate the map coordinates of a user's route

ISKATE
•Analytics or 3rd party SDKs – Facebook, Flurry, Appsflyer, Crashlytics
•Network
•Maps, received email, basic profile, routes, credentials

ISKATE
•No analytics or 3rd party SDKs
•Backup data
•Map & routes + 2D map
•\Documents
•Credentials in [\Library\Preferences\iSkate.plist]
•Trip measures in [\Shared\AppDomainGroup-group.com.valleydevteam.sportsgroup.iSkate\Library\Preferences\group.com.valleydevteam.sportsgroup.iSkate.plist]

ISKATE
•No analytics or 3rd party SDKs
•No useful backup data
•Map & routes + 2D map
•\Documents
•Credentials in [\Library\Preferences\iSkate.plist]
•Trip measures in [\Shared\AppDomainGroup-group.com.valleydevteam.sportsgroup.iSkate\Library\Preferences\group.com.valleydevteam.sportsgroup.iSkate.plist]

BIKE TRACKS
•Analytics, 3rd party SDK – Google, Facebook
•Network
•Credentials, activities & track detail in zipped JSON files

BIKE TRACKS
•Analytics, 3rd party SDK – Google, Facebook
•Backup data
•Track list in [\Library\Preference\com.corecoders.BikeTracks.plist]
•Track details & photos in \Documents\Routes or Trash

SPEED TRACKER
•Analytics, 3rd party SDK – Google, Facebook, AppAnex (GPS/Car Tracker, DVR cameras)
•No useful backup data
•No useful network data

CYCLEMETER
•Analytics, 3rd party SDK – Google, Facebook, Crashlytics
•Backup data
•\Documents\Meter.db – highly detailed runs + MyFitnessPal token
•Network
•No credentials are required
•General profile, geo + nearest valuable place, like airport
•Examples on next slides

FITMETERBIKE
•Analytics, 3rd party SDK – Google, Facebook
•No useful network data
•Backup data
•\Documents\CycleComputer.sqlite

CRONO
•Analytics, 3rd party SDK – Google, Facebook, io.branch
•No useful network data
•Backup data
•\Shared\AppDomainGroup-group.de.j-gessner.Crono – basic track details, geo, elevation, altitude

ALTIMETER
•Analytics, 3rd party SDK – Google, Twitter, Facebook
•No useful network data
•No useful backup data

WINTER SPORT CATEGORY
•Ullr & Ullr Maps,
•Squaw alpine,
•Snow forecast,
•SnocRu,
•Slopes,
•Skitude,
•SkiTracks,
•Ski AR,
•Jolly Turns,
•Riders,
•Fatmap,
•Avalanche

ULLR
•Analytics, 3rd party SDK – Google, Facebook
•No useful data in backup data
•Network:
•Credentials + token
•Near located parks + park searches

SQUAW ALPINE
•Analytics, 3rd party SDK – Google, Facebook, OneSignal (push delivery system), Twitter
•No useful backup data
•Network
•Name, email, no password is required, resortInfo, nearest geo

SNOW FORECAST
•Analytics, 3rd party SDK – Google, Facebook, OneSignal
•No useful backup data
•Network:
•Credentials + token
•Name & geo Place alerts by a token

SNOCRU
•Analytics, 3rd party SDK – Google, Facebook, Twitter, Crashlytics, Appsflyer, io.branch
•No useful backup data
•Network
•Basic profile, credentials, CRU info, activities, resorts & nearest places

SLOPES
•Analytics, 3rd party SDK – Google, Facebook, Crashlytics
•No useful backup data
•Network – credentials + avatar

SKITUDE–DETAILS
•Analytics, 3rd party SDK – Google, Facebook, Crashlytics
•Backup data
•Tracks & images – Documents\skitude_tracking.db & skitude_images.db
•Friends – FFData.db
•Avatar – avatar.jpg
•May also contain separate photos, videos, audio and temp data from Apple Watch
•Examples are on next slides

SKITUDE–DETAILS

SKI TRACKS
•Analytics, 3rd party SDK – Google, Facebook
•Network
•Credentials only

SKI TRACKS
•Analytics, 3rd party SDK – Google, Facebook
•Backup data
•Track list, activity type, email = \Library\Preferences\com.corecoders.SkiTracks.plist
•Track details = \Library\SkiTracks\Tracks\Track00000.ski\
•Event.xml
•Segment.csv
•Track.xml
•Examples on next slides

SKI AR
•Analytics, 3rd party SDK – Google, Facebook
•No useful backup data
•Except photo, graph, model data of mountains
•Network
•Credentials + a hash as a token

RIDERS
•Analytics, 3rd party SDK – Google, Amplitude, Flurry, io.branch, MixPanel, Newrelic
•No useful backup data
•Network
•Credentials, level & skills, photo, profile info, rider's photos
•Examples on next slides
"photo": "http://ucarecdn.com/b7e14a7e-641f-4a64-9b35-16295b4c9bd9/-/quality/lighter/-/sharp/3/",

JOLLYTURNS
•Analytics, 3rd party SDK – Google, Facebook, Crashlytics
•No useful backup data
•Network:
•No credentials are required to use it. Signing in via Google, Facebook, or Microsoft account (rarely)
•General resort info + non-resizable map
•Examples on next slides

FATMAP
•Analytics, 3rd party SDK – Google, Facebook, io.branch, Appsflyer, Mixpanel, Flurry, Crashlytics
•Backup data
•\Documents\user_geo_json_341083.json – user geo data
•\Documents\RCTAsyncLocalStorage_V1\manifest.json – resort details
•Network
•Credentials & account info
•Also uses a Strava account; however, the account token is stored out of backup

AVALANCHE
•No analytics, 3rd party SDK
•No useful backup data
•Full name & email
•Network – no useful network data

WORKOUTS SPORT CATEGORY
•Workouts++,
•Running,
•Gymatic,
•Gymnotize,
•Muscle Booster,
•Fitness buddy,
•Centr,
•Body weight,
•AsanRebel, Training (Adidas, Runtastic)

WORKOUT++
•No analytics & 3rd party SDK
•No local data in backups
•No network data

RUNNING
•Analytics, 3rd party SDK – Google, Facebook, Crashlytics, Twitter, Mopub
•Backup data
•\Shared\AppDomainGroup-group.com.grinasys.runningforweightlosspro\state.archive – basic workout progress & general measures
•\Documents\*.sqlite – detailed training & measures
•No useful network data until paid?

GYMATIC
•Analytics, 3rd party SDK – Google, Facebook, Flurry, Crashlytics
•No useful backup data
•No useful network data

GYMNOTIZE
•Analytics, 3rd party SDK – Facebook
•No useful network data
•Backup data
•iCloud stored data
•\Documents\CoreDataUbiquitySupport\mobile~A0A01221-82A6-4647-8965-3072588EEB84\persistentStore_ICLOUD\B71A3BF1-A6F3-4405-B3AF-EDD12321A4E8\store\persistentStore_ICLOUD
•Also Documents\persistentStore_LOCAL & persistentStore_SEED contain training data incl. username

MUSCLE BOOSTER
•Analytics, 3rd party SDK – Google, Facebook, Amplitude, Crashlytics, Appsflyer
•Backup data
•Video & audio tracks of watched training plan – \Documents\Downloads\*
•Plus, URLs in file [\Library\Preferences\com.musclebooster.plist]
•User info
•{"name":"YuryChemerkin","goal":"muscle_gain","weight":88.23,"is_paid":false,"user_id":"87564","units":"metric","workouts_completion":{"total_completed":0,"target":28},"height":184,"fitness_level":"advanced","date_of_birth":"1988-06-05 00:00:00","is_trial":false,"gender":"male","email":"Yur[email protected]"}
•Network
•No credentials if no premium account, goals, body measures, workout plan + audio & video content

FITNESS BUDDY
•Analytics, 3rd party SDK – Google, Facebook, Crashlytics, io.branch, Appsflyer, Mopub, Flurry
•No useful backup data
•Basic info: full name, email, gender, birthday, body measures in JSON & plist files of the \Library\ folder
•Network
•Profile info, avatar, 'stolen' facebookID
•Goal, body measures, credentials

CENTR
•Analytics, 3rd party SDK – Google, Facebook, Crashlytics, Appsflyer
•No useful backup data
•Network
•Credentials + token, workout plan after premium with details of exercises done

BODY WEIGHT
•Analytics, 3rd party SDK – Google, Facebook
•No useful backup data
•No useful network data

ASAN REBEL
•Analytics, 3rd party SDK – Google, Crashlytics, Amplitude, Facebook, Flurry
•Network
•Profile info, device & environment details, credentials, music preferences, workout general data
•Avatar on AWS publicly available: https://rebelyoga-production-frankfurt.s3.eu-central-1.amazonaws.com/0dd3dcf8-dfc3-4508-8931-23da6c5982a3/440B20D6-E9A0-4194-A6DD-7CCAE58709C1.jpg

ASAN REBEL
•Analytics, 3rd party SDK – Google, Crashlytics, Amplitude, Facebook, Flurry
•Backup data
•Device details, basic bio & body measures – \Library\Preferences\com.asanayoga.asanarebel.plist
•Downloaded content (text, video, etc.) in \Documents\Downloads\*

ADIDAS TRAINING (RUNTASTIC)
•Analytics, 3rd party SDK – Google, Twitter, Facebook, Flurry, Mopub, io.branch
•Backup data
•Avatar in \Shared\AppDomainGroup-group.com.runtastic.results.lite\Library\Preferences\group.com.runtastic.results.lite.plist
•Network
•Credentials, avatar, basic info, body measures
•Examples on next slides

ADIDAS TRAINING (RUNTASTIC)

BREAKING SMART. HACKING HEALTH, WEARABLE AND SMART APPS TO PREVENT LEAKING
HOW TO CONTACT ME?
ADD ME IN LINKEDIN: HTTPS://WWW.LINKEDIN.COM/IN/YURYCHEMERKIN
YURY CHEMERKIN
SEND A MAIL TO: [email protected]