Timeline

June 7, 2019

  • We had identified 2,700+ android apps which were potentially vulnerable.
  • We began in-depth analysis of these 2700+ apps, and classified 236 apps as “actually risky”.

June 8, 2019, 09:00

  • We sent a notification to each developer of the vulnerable apps, and also notified that we would release the list of vulnerable apps through this site after 2 weeks.

June 18, 2019

  • Through the in-depth analysis, 247 apps were classified as actually risky. (11 apps added to the list of previously classified actually risky apps.)

June 19, 2019, 10:00

  • We reported the vulnerability details and the list of vulnerable Korean apps to KISA(Korea Internet & Security Agency), NSR(National Security Research Institute) and FSI(Financial Security Institute).

June 21, 2019, 03:37

  • Among the developers we contacted, only 3 developers contacted us again, so we had to take another measures.
  • We contacted to security team of cloud service provider(CSP) such as AWS, and asked them to help each app developer take an action.

June 21, 2019, 16:23

  • We had the first response from the security team of CSP.

June 22, 2019, 10:56

  • We sent to CSP a PoC document on the most popular app, and decided to delay publishing the list for 7 more days.

June 23 - 24, 2019 03:28

  • We had the second response from the security team of CSP.
  • They asked us the full list of vulnerable apps.

June 24 - 25, 2019 01:22

  • As CSP’s request, we sent them the entire list of vulnerable apps, which were classfied as actually risky by soFrida.

June 25, 2019

  • Through the in-depth analysis, 253 apps were classified as actually risky. (6 apps added to the list of previously classified actually risky apps.)

June 27, 2019 18:42

  • CSP asked us to hold publishing the list of vulernable apps.
  • As their request, we finally decided to delay publishing the list until they took enough action.

June 28, 2019

  • Our automated mobile cloud app analysis tool, “soFrida”, was accepted to DEFCON Demo Labs 2019!