Mobile (in)Security Series: Application "MyFitnessPal" Data Leaking

February 19th, 2021: The security issues were communicated to MyFitnessPal via email.

February 24th, 2021: Answer received from MyFitnessPal security team: “Thank you for contacting us about these issues. The webview.myfitnesspal.com domain is currently redirecting HTTP->HTTPS to ensure those communications are done securely. While we are sending lat/lon data we only do so with 2 decimals of precision (~1km). Additionally, many of our advertisers do not provide an HTTPS option and so it is not something we can control.”

February 25th, 2021: We communicated to MyFitnessPal that i) a redirection is not good enough, as the data gets leaked in the first request, ii) other applications using the same advertisers do not leak data, and iii) there is no good reason to send such precise GPS location to advertisement servers.

Summary

During a security assessment with the Emergency VPN, our researchers found two issues: i) the MyFitnessPal application for iOS was leaking the user's email address in plain text over the network, and ii) advertisements are loaded through insecure connections, leaking more data collected from the mobile device.

About the Application

MyFitnessPal is a health application designed to track exercise and food, providing nutritional values. According to its App Store information, the service is used by more than 200 million users world-wide to lose weight, create better habits, and stay healthy. It is unclear how many installations the application has; however, at the time of writing, there are 1.2 million ratings in the App Store.

INFORMATION LEAKED

The majority of the communication generated by the application is encrypted. However, our researchers identified two sources of data leakage, which are described in more detail below.

Email Address Leak

The email address is leaked as part of an HTTP request to webview.myfitnesspal.com. This specific request uses plain HTTP without encryption, so the data is sent in clear text, including the user ID, mobile locale, feature flags, and email address. The HTTP request is shown in Figure 1.

Figure 1. HTTP request performed by 'MyFitnessPal' iOS application.

DATA LEAKED VIA ADVERTISEMENT

The free (non-premium) version of the application is supported by advertisements. Ads are shown in several places in the application. In our analysis, we saw advertisements being loaded from two different servers: ads.nexage.com and ads.aerserv.com. Each advertisement server gathers different data from the mobile device.

Advertisement Server: ads.nexage.com

These requests, shown in Figure 2, are unencrypted and go to several different IP addresses. They are quite frequent: we observed roughly 10 requests per minute to this server. The fields sent in the URL are:

  • dcn=, pos=, grp=, req(loc)=, loctype=, d(id24)=, dnt=1, sdk=mopub, of=

Figure 2. Unencrypted advertisement requests sent to ads.nexage.com.

Advertisement Server: ads.aerserv.com

The requests to aerserv.com are more intrusive and collect much more data from the device. These requests, shown in Figure 3, are unencrypted, and in this case only one IP address was observed.

We observed roughly 4 requests per minute to this server. The fields sent in the URL are:

  • plc=, key=, cb=, lat=, long=, adid=, make=, model=, os=, osv=, type=, carrier=, network=, ua=

Note the fields associated with latitude, longitude, make and model of the phone, operating system and version, mobile carrier, and network type. While one could argue that these values are valuable for advertisement servers, they travel through the network unencrypted, violating users' privacy: anyone on the network path can read the device's location and identifiers.

Figure 3. Unencrypted advertisement requests sent to ads.aerserv.com.
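As an added example (not code from the report or from MyFitnessPal), the following Python script triages exported HTTP request lines for the cleartext hosts and query fields described above, covering both the email leak and the two advertisement servers; the sample requests and every value in them are constructed, and only the host names and field names come from the report.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hosts and parameter names are those listed in the report above.
WATCHED_HOSTS = {"webview.myfitnesspal.com", "ads.nexage.com", "ads.aerserv.com"}
SENSITIVE_PARAMS = {"email", "lat", "long", "adid", "make", "model",
                    "os", "osv", "carrier", "network", "ua", "user_id"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")

# Constructed sample capture: one "METHOD URL" line per flow, as a proxy or
# pcap export might give. All values are invented for this example.
SAMPLE_REQUESTS = [
    "GET http://webview.myfitnesspal.com/page?user_id=12345&locale=en_US"
    "&features=a,b&email=alice%40example.org",
    "GET http://ads.nexage.com/adServe?dcn=abc&pos=banner&loctype=1&dnt=1&sdk=mopub",
    "GET http://ads.aerserv.com/as/json?plc=1000&lat=50.08&long=14.42&adid=ZZZZ"
    "&make=Apple&model=iPhone&os=iOS&osv=14.4&carrier=Example&network=wifi",
    "GET https://api.myfitnesspal.com/v2/diary",   # TLS: not cleartext, not flagged
]

def analyse_request(line):
    """Return a finding for a cleartext HTTP request to a watched host, else None."""
    method, url = line.split()[:2]
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in WATCHED_HOSTS:
        return None
    params = parse_qsl(parts.query, keep_blank_values=True)  # percent-decodes values
    names = {k for k, _ in params}
    finding = {
        "host": parts.hostname,
        "sensitive": sorted(names & SENSITIVE_PARAMS),
        # Email addresses in any query value, whatever the parameter is called.
        "emails": [v for _, v in params if EMAIL_RE.match(v)],
    }
    # Flag coordinate pairs explicitly: lat and long together give a usable location.
    finding["has_location"] = {"lat", "long"} <= names
    return finding

def scan(lines):
    """Analyse every request line and keep the cleartext ones to watched hosts."""
    return [f for f in map(analyse_request, lines) if f is not None]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f['host']}: sensitive={f['sensitive']} emails={f['emails']} "
              f"location={f['has_location']}")
```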

CONCLUSION

We firmly believe that this type of data leakage puts at-risk users, in particular users who are under digital surveillance, in even greater danger, jeopardizing their safety. We hope this information will help users stay safe, and we are collaborating with MyFitnessPal to make the application more secure.