“My Ooredoo Myanmar” mobile application fails to ensure integrity and confidentiality

September 22, 2020

The Qatar owned telecommunications company Ooredoo Myanmar Limited fails to provide a secure mechanism to protect the integrity and confidentiality of data collected from its users in Myanmar. Users of Ooredoo Myanmar are recommended to install the mobile App “My Ooredoo Myanmar” to manage their phone accounts with the operator. An analysis of the application shows that excessive data is collected and that integrity and confidentiality of data sent between users and the Ooredoo servers are not ensured.

Thanks to an initial analysis of the Ooredoo App by the Civilsphere Project from the Czech Technical University, using the Emergency VPN, Qurium was informed that “My Ooredoo Myanmar” was exchanging data with the Ooredoo server without encryption. Within the plain text data sent between the users and Ooredoo servers, were mobile phone model, OS version and other sensitive information of the devices.

Additionally, the application requested many permissions that were not needed for the type of service it offered. According to Qurium “the App lacks a secure mechanism to protect the integrity and confidentiality of the communications”.

Qurium forensics report: “My Ooredoo Myanmar” – Insecure communications

Digital forensics: Tord Lundström, Qurium Media Foundation t@virtualroad.org
Media: Clara Zid, Qurium Media Foundation info@virtualroad.org