2024-kujath-analyzing
findings extracted from this paper
-
Chivo Wallet posts logs of every in-app event to NewRelic ('log-api.newrelic.com'), including keystrokes — DUI national ID numbers, phone numbers, and passwords — without privacy-policy disclosure. Separately, MiTelcel (76% Mexican mobile market share, 10M+ downloads) leaks users' phone numbers and emails to five distinct third-party servers via the HTTP 'referer' field on every 'Experiencias' tab click.
-
The Chivo Wallet app — the official El Salvador government Bitcoin wallet with 1M+ downloads — uses Microsoft CodePush to check 'codepush.appcenter.ms' for JavaScript/HTML/CSS updates each time it opens, bypassing Google Play Store review entirely. This allows the government of El Salvador to push arbitrary behavioral changes to all users' devices without any app store vetting or user notification.
-
In Latin America, censorship predominantly takes the form of targeted surveillance coupled with physical threats rather than network-level blocking. Mexico had documented Pegasus infections on journalists and activists between 2019–2022, at least 25 private spyware vendors sold surveillance tools to Mexican federal and state police, and at least 119 journalists have been killed in Mexico since 2000. Dynamic analysis of 8 widely-used LATAM apps (combined 100M+ downloads) found security failures across all three assessed categories: cleartext traffic, undisclosed PII exfiltration to third parties, and unvetted external code update mechanisms.
-
MiClaro Colombia sends device latitude and longitude to multiple third-party servers without user disclosure, in violation of its own privacy policy. Among the four Movistar country variants, the Argentina app requests access to all phone-call-related permissions while the Uruguay app requests none — demonstrating that third-party SDK inclusion, background receivers, and dangerous permissions vary substantially by country version of the same ostensibly unified telco app.
-
The SAT Móvil app (Mexico's official tax service, 1M+ downloads) consistently fetches its 'Chat' page over cleartext HTTP, exposing citizen ID numbers (CURP, RFC), passwords, and tax documents to any in-path attacker. None of the four major Latin American telco apps (MiTelcel, MiTigo, MiClaro, MiMovistar) implement HSTS on SMS-delivered external links, making all of them uniformly vulnerable to SSL strip downgrade attacks.
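The three failure classes above (PII carried in the HTTP 'referer' to third parties, sensitive fields sent over cleartext HTTP, and HTTPS endpoints that never send a Strict-Transport-Security header) can be checked mechanically against a captured traffic log. The following is an added example, not code or data from the paper: it runs three detection passes over a small, constructed capture (hypothetical hosts such as `tracker.example`; fake identifiers) in the shape a proxy export would produce, and returns what a reviewer would want to see before writing findings like the ones listed here.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample capture: hypothetical hosts and fake identifiers, chosen
# to exercise each check once. Not taken from the paper or any real app.
SAMPLE_CAPTURE = [
    {   # third-party pixel fetched with a PII-bearing Referer
        "method": "GET",
        "url": "https://tracker.example/pixel?cid=42",
        "request_headers": {
            "Referer": "https://portal.example/experiencias"
                       "?phone=5215512345678&email=user@example.com"},
        "response_headers": {"Content-Type": "image/gif"},
    },
    {   # HTTPS link target that never sets HSTS (strip-downgrade candidate)
        "method": "GET",
        "url": "https://links.example/promo",
        "request_headers": {},
        "response_headers": {"Content-Type": "text/html"},
    },
    {   # correctly configured host, should not be flagged
        "method": "GET",
        "url": "https://secure.example/",
        "request_headers": {},
        "response_headers": {
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    },
    {   # cleartext POST carrying a national ID field and a password
        "method": "POST",
        "url": "http://app.example/chat",
        "request_headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": "curp=ABCD000000HDFXXX00&password=hunter2",
        "response_headers": {},
    },
]

# Loose PII detectors: good enough to triage a capture, not to prove absence.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"(?<!\d)\d{10,13}(?!\d)"),
}
# Field names that must never travel in cleartext (CURP/RFC/DUI are the
# national ID identifiers named in the findings).
SENSITIVE_FIELDS = {"password", "curp", "rfc", "dui"}


def _header(headers, name):
    """Case-insensitive header lookup (proxy exports are inconsistent)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def find_referer_leaks(capture):
    """Requests whose Referer carries PII; returns (destination host, kinds)."""
    findings = []
    for rec in capture:
        referer = _header(rec.get("request_headers", {}), "Referer")
        if not referer:
            continue
        kinds = sorted(k for k, pat in PII_PATTERNS.items() if pat.search(referer))
        if kinds:
            findings.append((urlsplit(rec["url"]).hostname, kinds))
    return findings


def find_missing_hsts(capture):
    """HTTPS hosts that responded without Strict-Transport-Security."""
    missing = set()
    for rec in capture:
        parts = urlsplit(rec["url"])
        if parts.scheme != "https":
            continue
        if _header(rec.get("response_headers", {}), "Strict-Transport-Security") is None:
            missing.add(parts.hostname)
    return sorted(missing)


def find_cleartext_sensitive(capture):
    """Plain-HTTP requests whose query or body names a sensitive field."""
    findings = []
    for rec in capture:
        parts = urlsplit(rec["url"])
        if parts.scheme != "http":
            continue
        fields = set(parse_qs(parts.query)) | set(parse_qs(rec.get("body", "")))
        hit = sorted(f for f in fields if f.lower() in SENSITIVE_FIELDS)
        if hit:
            findings.append((parts.hostname, hit))
    return findings


def audit(capture):
    """Run all three passes; one dict per capture keeps reports uniform."""
    return {
        "referer_pii": find_referer_leaks(capture),
        "missing_hsts": find_missing_hsts(capture),
        "cleartext_sensitive": find_cleartext_sensitive(capture),
    }


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_CAPTURE).items():
        print(f"{name}: {hits}")
```

The HSTS pass only looks at responses actually present in the capture, so an SMS link that was never followed during the session will not appear; drive the app through the flows that open external links before drawing a conclusion, and treat the PII regexes as triage heuristics that need manual confirmation rather than as proof.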