May 4, 2021
For the past few months, the mobile application OKPAR App has been advertised as the official social application in Myanmar. Qurium decided to look into the application as we were curious about its inner workings.
The application seems to be created by Nyein Minn from TANZ IT Solutions and Digital Marketing. A presentation of the application is available on Facebook on the channel GG Ent MM. The application is advertised in the Google Play Store as:
“An easy-to-use official social application in Myanmar. Okpar is a official Myanmar social’s application and one of the simple social application and easy to use.” (Source: https://play.google.com/store/apps/details?id=org.okpar)
OKPar is an all-in-one App, combining a news hub (Feeds), an IM chat (Chats), a health tracker (Fit), collecting and exchanging gifts (Red Packets) and a credit/reputation system (Points).
Forensic analysis of OKPar
OKPar has been advertised as designed with security and privacy in mind, with encryption supposedly implemented end-to-end.
Qurium downloaded the App (file hash afa637d068f189c9c2427077518c87441fbe4087, OKPar_v1.3.1.apk) to analyze it.
In order to analyze the application we used a Dex-to-Java decompiler and installed the App in a controlled environment where we could make dozens of packet captures.
Qurium’s initial findings are presented below.
1. A mix of development frameworks
- The application uses the Chinese WeChat development framework. The code includes several references to http://open.weixin.qq.com, where Weixin is the mainland China infrastructure of WeChat.
- The application uses the Xianliao SDK, which calls out to updrips.com.
- The application uses the classes org.sugram. Sugram's own tagline reads: “Encrypted, secure, concise – Sugram = Su + Gram, providing every user with super-secure network messaging capability” (Chinese original: 加密安全簡潔 – Sugram=Su+Gram 為每個用戶提供超級安全的網絡消息報文能力).
2. Proprietary encryption and data leaks
- The application leaks the username (NickName) in plain text over HTTP when connecting to http://feedback.okpar.com:85/cnc/getSupportParam
- The application uses a distinctive User-Agent string: OKParMessenger/1.3.1 NetType/WIFI
- The application also leaks sensitive information over plain HTTP when connecting to the server http://applog.okpar.com/applog/uploadAppload
- The application tries to obtain its external public IP address by connecting to http://2018.ip138.com/ic.asp
- Chat messages are exchanged on ports 11000-11001 using a proprietary protocol. The first 16 control bytes between the client and server have a distinctive pattern: 0x53 – 0x99 / 0x43 – 0x99
- The account confirmation code is sent from the address email@example.com (“Yong Hu Zhuce”, 用户注册, meaning “User Registration” in Chinese).
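For a network defender who wants to know whether this App is in use on a network they protect, the leak channels listed above translate directly into detection rules. The following is an added example, not Qurium's tooling or anything from the OKPar code base: a small classifier over flow summaries (the kind an analyst would export from a packet capture) that reports which of the cleartext endpoints, the User-Agent string, or the chat-port byte pattern each flow matches. The `Flow` record layout and the sample flows are constructed for this example, and the reading of the "0x53 – 0x99 / 0x43 – 0x99" pattern as "first byte 0x53 or 0x43, with 0x99 somewhere in the first 16 bytes" is an assumption, since the report does not state the exact offsets.

```python
"""Flag OKPar traffic that exposes identity data in cleartext.

Added example (not Qurium's tooling): classify flow summaries against the
leak channels described in the report. Record layout and sample flows are
constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Cleartext HTTP endpoints named in the findings: (host, port, path) -> finding.
LEAK_ENDPOINTS = {
    ("feedback.okpar.com", 85, "/cnc/getSupportParam"): "nickname sent in cleartext",
    ("applog.okpar.com", 80, "/applog/uploadAppload"): "app log upload in cleartext",
    ("2018.ip138.com", 80, "/ic.asp"): "public IP lookup via third party",
}

# User-Agent reported for the client; the version group lets us log which build.
USER_AGENT_RE = re.compile(r"^OKParMessenger/(\d+\.\d+\.\d+) NetType/(\w+)$")

# Ports the report associates with the proprietary chat protocol.
CHAT_PORTS = {11000, 11001}


@dataclass
class Flow:
    """One summarised flow (constructed layout for this example)."""
    dst_host: str
    dst_port: int
    payload: bytes = b""      # leading bytes of application-layer data
    http_path: str = ""       # request path, if the flow is HTTP
    user_agent: str = ""      # User-Agent header, if the flow is HTTP


def matches_chat_header(payload: bytes) -> bool:
    """Heuristic for the proprietary chat protocol's 16 control bytes.

    Assumption of this example: the reported pattern means the header starts
    with 0x53 or 0x43 and contains 0x99 within the first 16 bytes.
    """
    header = payload[:16]
    return len(header) == 16 and header[0] in (0x53, 0x43) and 0x99 in header


def classify(flow: Flow) -> List[str]:
    """Return the list of leak channels this flow matches (empty if none)."""
    findings = []
    key = (flow.dst_host, flow.dst_port, flow.http_path)
    if key in LEAK_ENDPOINTS:
        findings.append(LEAK_ENDPOINTS[key])
    m = USER_AGENT_RE.match(flow.user_agent)
    if m:
        findings.append(f"OKPar client {m.group(1)} identified by User-Agent")
    if flow.dst_port in CHAT_PORTS and matches_chat_header(flow.payload):
        findings.append(f"proprietary chat protocol on port {flow.dst_port}")
    return findings


def scan(flows: List[Flow]) -> Dict[int, List[str]]:
    """Map flow index -> findings, keeping only flows that matched something."""
    results = {}
    for i, flow in enumerate(flows):
        findings = classify(flow)
        if findings:
            results[i] = findings
    return results


# Constructed sample flows (not from a real capture).
SAMPLE_FLOWS = [
    Flow("feedback.okpar.com", 85, http_path="/cnc/getSupportParam",
         user_agent="OKParMessenger/1.3.1 NetType/WIFI"),
    Flow("2018.ip138.com", 80, http_path="/ic.asp"),
    # 16-byte header: starts with 0x53, 0x99 at offset 7 (constructed).
    Flow("203.0.113.10", 11000, payload=bytes([0x53, 0, 0, 0, 0, 0, 0, 0x99] + [0] * 8)),
    # Ordinary TLS client hello on 443: should not match anything.
    Flow("example.org", 443, payload=b"\x16\x03\x01" + b"\x00" * 13),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_FLOWS).items():
        print(idx, SAMPLE_FLOWS[idx].dst_host, findings)
```

The endpoint and User-Agent rules are exact matches and can be ported straight into an IDS signature; the chat-header check is the weakest of the three because the report only gives the byte pattern, not the framing, so treat a port 11000/11001 hit on its own as a lead to confirm against a capture rather than a firm identification.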
What is XianLiao (updrips.com)?
– The App used by online gamblers
When searching for the company behind the xianliao updrips.com domain, we found that the App's webpage is no longer online and that the company behind the App, 深圳市小水滴网络科技有限公司 (Shenzhen Xiaodihui Network Technology Co., Ltd., Guangdong ICP No. 17040639), was suspended in December 2019. The case, which got a lot of media attention in China, started when users of the App had their money frozen. According to the various media reports, Xian Liao was accused of supporting online gambling, and the Chinese police suspended its services.
How are OKPar, Xian Liao and Sugram App related?
Our first review of the code and internals of the three applications shows that OKPar is closely related to the XianLiao and Sugram Apps from China. All three Apps claim on their websites “end-to-end encryption and maximum privacy and security”. Sugram, for example, claims “five-layers end-to-end”.
OKPar was released as a beta version in October 2018 on a completely different infrastructure and development framework; by late 2019 (OKPar 1.2.6) it had been rebased on XianLiao/Sugram.
While the OKPar application is advertised as privacy friendly and with support for end-to-end encryption (E2EE), our findings illustrate serious data leaks that will allow anyone with access to the network infrastructure to track the location of any identity (Nickname).
The application seems to be based on an App from the Chinese firm (XianLiao) that in December 2019 was accused of supporting online gambling. While the company's domain name (updrips.com) is no longer reachable, parts of the infrastructure remain online.
Qurium reached out to OKPar by email (29 April 2021) to share our findings and ask for clarifications. OKPar has not responded to our concerns. The contact address firstname.lastname@example.org is unreachable, and no response has been obtained from email@example.com or firstname.lastname@example.org.
Until a thorough audit of the application is conducted, the data leaks are fixed and the security protocols have been studied by third parties, the OKPar App should be considered insecure and its privacy and security claims should be considered unsubstantiated.