“My Ooredoo Myanmar” – Insecure communications


Users of Ooredoo, the Qatar-owned telecommunications provider in Myanmar, are encouraged to install the app “My Ooredoo Myanmar” to manage their phone accounts with the operator. The application allows them to “top up” their account and to participate in draws.

Thanks to an initial analysis of the app by the Civilsphere Project of the Czech Technical University, using its Emergency VPN service, Qurium learned that the Android application was exchanging user data without encryption. Further analysis shows that the app:

  • exchanges user-identifiable information in plain text
  • requests permissions for a wide range of phone features and services
  • serves its payment portal insecurely
  • collects excessive device data

This report focuses on the shortcomings and security vulnerabilities found in the My Ooredoo App.


Identifiable information in plain text

The app exchanges identifiable information in plain text with the Ooredoo server ecareapp.ooredoo.com{.}mm at 103.242.99{.}23.

The application sends data (POST) to the server at the path:

/SelfcareAPI7.1/api/Authentication/chkHeader 

The data, sent in plain text, includes a set of headers (X-IMI-xxx) carrying the mobile phone model, OS version and other details that help an eavesdropper identify the presence of specific devices on the network:

 X-OS: Android
 X-IMI-App-Res: 1080x2030
 X-IMI-FORWARDIP: x.x.x.x
 X-IMI-App-OSVersion: 9
 X-IMI-DEVICESTATUS: 0
 X-IMI-App-OEM: Xiaomi
 X-IMI-DT: 2020-08-x xx:xx:xx
 X-IMI-LANG: 1
 X-IMI-USER: 0
 Content-Type: application/json
 X-IMI-HASH: x
 X-IMI-OAUTH: x
 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Redmi Note 5 Build/OPM1.171019.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/68.0.3440.91 Mobile Safari/537.36
 X-IMI-AUTHKEY: APPYMXXXXX
 X-IMI-VERSION: 7.4.1
 X-IMI-APP-USER-AGENT: IMImobile/Ooredoov2/7.4.1/46/Ooredoo
 X-IMI-ADID: x
 X-IMI-App-Model: Redmi Note 5
 X-IMI-App-OS: Android
 X-IMI-UID: x
 X-IMI-NETWORK: MOBILE
 Host: ecareapp.ooredoo.com.mm

App analysis

To better understand what the application is doing, Qurium downloaded a sample from Google Play and analyzed it using a Dex to Java decompiler.

f056cf5dda1aee6749a59d121102e59f  com.ooredoo.selfcare.apk

The first finding was that the application contained a certificate with the name IMICONTA.RSA issued by:

issuer=L = hyderabad, O = imicontainerapp, OU = imicontainerapp, CN = imicontainerapp

The certificate and multiple references in the code to “IMI” suggest that the app was developed by IMImobile, a software company with offices in Hyderabad, India.

IMImobile, presumed developer of My Ooredoo Myanmar.

Insecure permissions

When looking into the permissions of the app, Qurium found several that do not seem warranted by the type of service the application offers:

  • CAMERA
  • ACCESS_FINE_LOCATION
  • READ_CONTACTS
  • READ_EXTERNAL_STORAGE
  • RECORD_AUDIO
  • MICROPHONE

Unencrypted communications with Ooredoo’s customer servers

The application does not enforce encryption: the captured traffic shows the personal data going over plain HTTP, and the manifest itself registers the deep-link handler for the http scheme rather than https:

AndroidManifest.xml:
<data android:scheme="http" android:host="ecareapp.ooredoo.com.mm" android:pathPrefix="/deeplinking"/>

Integrity based on flawed security

The application not only fails to protect device-identifiable information, it also serves a payment page that can easily be tampered with.

Payment portal of My Ooredoo Myanmar.

After an initial connection with the Ooredoo server, the App downloads the Payment Page from the URL

 "topuphtmldwn": "http://ecareapp.ooredoo.com.mm/selfcareapi7.1/topup/topup.zip"

The web page is then rendered on the phone so the user can “Top Up” their account. Because the ZIP is fetched over plain HTTP, anyone on the path can replace it, and the app lacks a secure mechanism to protect the integrity of the communications. The requests are authenticated using the X-IMI-HASH header, a SHA-512 hash computed over the payload with a salt derived from the X-IMI-OAUTH key. Since X-IMI-OAUTH travels in the clear in the same request, and the derivation is necessarily present in the app's own code, an eavesdropper has everything needed to recompute a valid hash for a modified payload.
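To make the weakness concrete, the following Python model (an added example, not code from the report or from the app) replays the two points above: an attacker on the plain-HTTP path reads X-IMI-OAUTH, changes the top-up amount and recomputes X-IMI-HASH, and the server accepts the forgery. The exact X-IMI-HASH construction is an assumption: the report only says SHA-512 over the payload with a salt based on X-IMI-OAUTH, so it is modelled here as SHA-512(oauth_key || payload). The request body, the key value and the contrasting per-session secret are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed sample values; the real ones are masked in the captured request.
OAUTH_KEY = "demo-oauth-key"          # sent in the clear as X-IMI-OAUTH
SESSION_SECRET = b"never-on-the-wire"  # hypothetical secret for the contrast case only


def encode(body: dict) -> bytes:
    """Canonical JSON so client, attacker and server hash identical bytes."""
    return json.dumps(body, separators=(",", ":"), sort_keys=True).encode()


def imi_hash(oauth_key: str, payload: bytes) -> str:
    """Assumed X-IMI-HASH construction: SHA-512 over (oauth_key || payload)."""
    return hashlib.sha512(oauth_key.encode() + payload).hexdigest()


def client_request(body: dict) -> tuple[dict, bytes]:
    """What the app puts on the wire: the key and the hash over the key travel together."""
    payload = encode(body)
    headers = {
        "X-IMI-OAUTH": OAUTH_KEY,
        "X-IMI-HASH": imi_hash(OAUTH_KEY, payload),
        "Content-Type": "application/json",
    }
    return headers, payload


def server_accepts(headers: dict, payload: bytes) -> bool:
    """Server side: recompute using the key the client itself supplied in the header."""
    expected = imi_hash(headers["X-IMI-OAUTH"], payload)
    return hmac.compare_digest(expected, headers["X-IMI-HASH"])


def on_path_tamper(headers: dict, payload: bytes, new_amount: int) -> tuple[dict, bytes]:
    """Attacker on the HTTP path: read X-IMI-OAUTH, edit the body, recompute X-IMI-HASH."""
    body = json.loads(payload)
    body["amount"] = new_amount
    new_payload = encode(body)
    new_headers = dict(headers)
    new_headers["X-IMI-HASH"] = imi_hash(headers["X-IMI-OAUTH"], new_payload)
    return new_headers, new_payload


# Contrast: a MAC keyed with a secret the attacker never sees on the wire.
def hmac_tag(secret: bytes, payload: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha512).hexdigest()


def server_accepts_hmac(tag: str, payload: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(SESSION_SECRET, payload), tag)


def demo() -> dict:
    """Run the forgery against both schemes and report what the server decides."""
    headers, payload = client_request({"msisdn": "09xxxxxxxxx", "amount": 1000})
    tampered_headers, tampered_payload = on_path_tamper(headers, payload, 100000)

    # Without SESSION_SECRET the attacker's only option is to replay the original tag.
    original_tag = hmac_tag(SESSION_SECRET, payload)
    return {
        "original_accepted": server_accepts(headers, payload),
        "tampered_accepted": server_accepts(tampered_headers, tampered_payload),
        "tampered_amount": json.loads(tampered_payload)["amount"],
        "tampered_hmac_accepted": server_accepts_hmac(original_tag, tampered_payload),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model shows that a hash salted with a value carried in the same cleartext request is a checksum, not an authenticator: it detects accidental corruption and nothing else. The HMAC variant resists the forgery only because its key never appears on the wire; a key baked into the APK would be recoverable by the same decompilation described above, and neither variant hides the MSISDN or the device headers. The fix the report calls for is transport encryption (HTTPS for the API and for topup.zip), with any application-level MAC as a supplement rather than a substitute.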

Excessive data collection: are all those device identifiable fields needed?

The Ooredoo application sends 20 different X-IMI headers insecurely to its “Selfcare” server, including sensitive data about the device. 16 of these headers do not affect the functionality of the application.

The excessive data collection by the Ooredoo SelfCare app and the lack of integrity and confidentiality in its data transfers require immediate action.