Baptiste Robert
🇫🇷 Ethical Hacker. Fight disinformation at @PredictaLabOff. For business inquiries, my email is below👇
Aug 30, 2018 10 tweets 3 min read
Let's see how #WhatsApp is encrypting your attachments. 1/n

In a #WhatsApp conversation, I sent a TTF file. 2/n
Jul 28, 2018 13 tweets 5 min read
The phone number linked to this #Aadhaar number is 9958587977. According to an official @nicmeity circular, this phone number is the number of your secretary: documents.doptcirculars.nic.in/D3/D03ppw/PPWE….
Jul 13, 2018 10 tweets 4 min read
Hi @KamalAditi,

Challenge accepted!

Please find below the first flaw of #Kimbho app 2.0, aka how to get the online status of #Bolo users.

First things first, we are talking about this app, "Bolo Messenger - Secure Chat, Voice & Video Calls", which is the new version of the #Kimbho app: play.google.com/store/apps/det…
May 2, 2018 6 tweets 2 min read
People are stupid... A YouTube account called "DIGISEVA CENTER" showed how to bypass ECMP software in this video. Of course, if you like the video you can donate to the Paytm account 7041704604.
Apr 13, 2018 9 tweets 7 min read
Time for a new thread. The #android #application called @moinsbete is one of the most downloaded applications in France. This app sends your personal data to @mopub without your consent:
- location
- operator
- mcc
- mnc
- country
- screen size

Yes, all these requests to @mopub are HTTP requests... Welcome to 2018...
Apr 8, 2018 13 tweets 6 min read
Apr 6, 2018 8 tweets 1 min read
Yesterday, I spent part of my day learning about Martin Luther King Jr.'s life, John Lewis, the activists around them, 1960s America and the Selma March. Following this, I have thousands of questions about America today, my country France and, more generally, about the world today.

When I think about the current situation, the political landscape of my country, France, I do not see any equivalent to these extraordinary people, to these heroes. These women, these men, of all races and all religions, have marked History by their pacifist fight.
Apr 4, 2018 8 tweets 5 min read
Last time I checked this website, on Jan 7, 291 #android #apps were available. @GoDaddy, is it possible to shut down this website?

Several occurrences of the website jikutate.com can be found in the apps. Jikutate means shaft in Japanese.
Mar 29, 2018 12 tweets 4 min read
Tutorial: How to capture network packets and record them on your #Android phone

1/ Install Packet Capture #android app

play.google.com/store/apps/det…

2/ Follow the setup wizard of Packet Capture
Mar 29, 2018 8 tweets 3 min read
1/ People asked me if this tweet is true or not. Let's talk about this app.

2/ Every time I open the app I get this pop-up: "Internet speed is too slow". As a consequence, I was unable to do a dynamic analysis and thus confirm the tweet above.
Mar 26, 2018 6 tweets 5 min read
1/ In this request, @narendramodi's #Android #application silently sends, without the user's consent, the user's IP address and a unique identifier of the phone.
This personal data is sent to the website api.narendramodi.in, which is located in the US.

2/ As the application is available in Europe, it must comply with the European regulation called #GDPR. Since an IP address is considered personal data, the user must give consent and must be able to opt out of this data collection.
Mar 26, 2018 4 tweets 3 min read
When you apply for membership in the official @INCIndia #android #app, your personal data is sent encoded over an HTTP request to membership.inc.in. Come on! HTTP?! I'm sure you are able to rectify this and use HTTPS instead.
Mar 23, 2018 7 tweets 6 min read
When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, carrier …) and personal data (email, photo, gender, name, …) are sent without your consent to a third-party domain called in.wzrkt.com. This domain is classified as a phishing link by the company G-Data. This website is hosted by @GoDaddy and the whois info is hidden.
Jan 30, 2018 19 tweets 7 min read
<Thread> China spies on fellow citizens with the help of private enterprise. Here is an example. 1/18

In July 2017, @mashable and @fossbytes14 published an article explaining that the Chinese authorities are forcing the Muslim minority population in Xinjiang to install spyware on their smartphones. 2/18
mashable.com/2017/07/21/chi…
Jan 25, 2018 15 tweets 8 min read
The @OnePlus #clipboard app contains a strange file called badword.txt 🤔

Among these words we can find: Chairman, Vice President, Deputy Director, Associate Professor, Deputy Heads, General, Private Message, shipping, Address, email, ...

pastebin.com/kfvJWKJB

This badword.txt is duplicated in a zip file called pattern. This archive contains 7 files:
- badword.txt
- brackets.txt
- end.txt
- follow.txt
- key.txt
- start.txt
Jan 17, 2018 18 tweets 14 min read
1. I'm tweeting a lot these last days, let's make a quick recap.

2. @Gioneeglobal, a Chinese phone maker who sells its phones in the US under the name @BLU_Product, made a phone for #NorthKorea. Afaik, they didn't make a public statement.

Jan 14, 2018 6 tweets 5 min read
Hi @UIDAI 👋! Do I have to explain to you how real #Android developers work?

On its official #Playstore account, @UDAI published today an app called "NewTest" with a blank screenshot and testingtestingtesting[...] as description 🤦‍♂️

#AadhaarFail They also have a 3rd app called "testBeta (Unreleased)" 🤦‍♂️. Yes, they called an app released on the PlayStore "Unreleased" 🤦‍♂️...

@UIDAI, maybe your interns can read this link support.google.com/googleplay/and… to learn how to set up an alpha/beta test...
Jan 12, 2018 10 tweets 8 min read
The @KhoslaLabs and @UIDAI developers don't know how to generate an #android app certificate correctly 🤦‍♂️

They keep the default owner and issuer: Google. This is funny; technically, Google is the owner and issuer of #Aadhaar 😂😬🤦‍♂️

As stated by the official documentation, developer.android.com/studio/publish…
"A public-key certificate, also known as a digital certificate or an identity certificate, contains the public key of a public/private key pair, as well as some other metadata identifying the owner of the key"
Jan 11, 2018 5 tweets 3 min read
Hi @KhoslaLabs, @UIDAI 👋! Let me show you the power of git.

If an Android dev wants to integrate AadhaarBridge in his #android app, he will visit this page: aadhaarbridge.com/products.html

Because he is curious, he will click on the "SDK For Android" and the "Sample Application".

But oops! You removed the sample application (apk file) and the library (jar file) from the repo. I guess you want to discuss before giving him the info.
Jan 10, 2018 12 tweets 10 min read
Hi #Aadhaar 👋! Can we talk about the #BenefitsOfAadhaar for the #India population?

I quickly checked your #android app on the #playstore and you have some security issues... It's super easy to get the password of the local database, for example...🤦‍♂️

play.google.com/store/apps/det…

The #Aadhaar #android app saves your biometric settings in a local database which is protected with a password. To generate the password they used a random number with 123456789 as seed and a hardcoded string db_password_123 🤦‍♂️
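To show why a seed baked into the APK makes the "random" part of such a password recoverable, here is an added example (my code, not the Aadhaar app's and not a reproduction of its exact routine). It assumes the generator is java.util.Random and that the number is simply appended to the string; both are assumptions, since the tweet only names the seed and the constant. The attacker side recomputes the same value from the two constants, and a per-install secret from the OS CSPRNG is shown for contrast.

```python
"""Why a seeded PRNG plus a hard-coded string is not a secret.

Added example, not the app's code. Assumption: java.util.Random seeded with
123456789, its first nextInt() appended to "db_password_123". Whatever the
real recipe, every input lives in the APK, so the output is recomputable.
"""
import secrets

MASK48 = (1 << 48) - 1
MULT = 0x5DEECE66D
ADD = 0xB


class JavaRandom:
    """Re-implementation of java.util.Random's 48-bit LCG (public algorithm)."""

    def __init__(self, seed: int) -> None:
        self.seed = (seed ^ MULT) & MASK48

    def next_bits(self, bits: int) -> int:
        self.seed = (self.seed * MULT + ADD) & MASK48
        value = self.seed >> (48 - bits)
        # Java returns a signed 32-bit int
        if value >= 1 << 31:
            value -= 1 << 32
        return value

    def next_int(self) -> int:
        return self.next_bits(32)


# Constants quoted in the tweet
HARDCODED = "db_password_123"
SEED = 123456789


def weak_db_password() -> str:
    """What an app derives at first launch: constants in, constant out."""
    return f"{HARDCODED}{JavaRandom(SEED).next_int()}"


def attacker_recovers(hardcoded: str, seed: int) -> str:
    """Offline recovery: both inputs are readable in the decompiled APK."""
    return f"{hardcoded}{JavaRandom(seed).next_int()}"


def strong_db_password() -> str:
    """Per-install secret from the OS CSPRNG: nothing in the APK reproduces it.
    On Android it should then be stored in the Keystore, not in the code."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    print("app derives   :", weak_db_password())
    print("attacker gets :", attacker_recovers("db_password_123", 123456789))
    print("per-install   :", strong_db_password())
```

The point to take away is that a seeded PRNG is a function of its seed: the second call yields exactly the first call's output, so "random" in the code buys nothing once the seed ships with the app.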
Jan 9, 2018 7 tweets 7 min read
1. Hi @makemytrip 👋! Why are you retrieving user data without their consent?

Your #android app is making an http🤦‍♂️ request to metric.makemytrip.com with the following unencrypted 🤦‍♂️ data:
- email
- device name
- phone build version
- OS version
- network type
- ...

2. This is the nice tracker package you have here...