Recently I found a bug on a mobile app which claims to protect their users' privacy, however after connecting my phone with burp and installing a certificate I noticed that this app was sending a users' full first and last name + some other personally identifying information (other users' profiles, not just my own), however this isn't shown to the user directly.

I wanted to contact the vendor of the app, however after viewing their legal page I have my doubts as they state the following:

"reverse engineering of 'the software' is strictly prohibited and may result in legal action"

I've excluded the name of the app/company in question for obvious reasons.

Currently I'm conflicted between responsibly disclosing this bug to them so they can fix this issue or simply not doing it at all since I'm not entirely sure if sniffing my own traffic between the app and server could be considered 'reverse engineering' and I simply don't want to get sued.

Does anyone know the legality of doing this? Is it considered 'reverse engineering'?

Paradoxis
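The flaw the question describes, an API returning other users' names and personal data that the client never displays, is something the team that owns the API can catch in its own tests. The following is an added example, not code from the question or either answer: a small allow-list check that flags response fields outside what the client actually renders and reports which of those are personal data. The endpoint name, the allow-list, the PII field list and the sample response are all constructed for this example.

```python
"""Allow-list check for API response fields (added example, constructed data).

A defender-side contract test: for each endpoint, list the fields the client
really renders, then flag anything else in the response, and in particular
any extra field that is personal data. Running this against recorded test
responses catches over-exposure before a third party sees it on the wire.
"""
import json

# Assumed: fields the client actually renders for each endpoint (constructed).
ALLOWED_FIELDS = {
    "/api/profiles/{id}": {"id", "display_name", "avatar_url"},
}

# Assumed: leaf field names treated as personal data wherever they appear.
PII_FIELDS = {"first_name", "last_name", "email", "phone", "date_of_birth", "street"}

# Constructed sample: what an intercepting proxy might show for another
# user's profile, with more data than the app ever puts on screen.
SAMPLE_RESPONSE = json.dumps({
    "id": 4711,
    "display_name": "sunny_hiker",
    "avatar_url": "https://cdn.example.invalid/avatars/4711.png",
    "first_name": "Alex",
    "last_name": "Example",
    "email": "alex@example.invalid",
    "address": {"street": "1 Sample Road", "city": "Sampleton"},
})


def _flatten(obj, prefix=""):
    """Yield (dotted_path, leaf_name) for every leaf key in a JSON value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}{key}"
            if isinstance(value, (dict, list)):
                yield from _flatten(value, path + ".")
            else:
                yield path, key
    elif isinstance(obj, list):
        for item in obj:
            yield from _flatten(item, prefix)


def find_excess_fields(endpoint, response_body):
    """Return (excess, pii): dotted paths whose top-level key is not on the
    endpoint's allow-list, and the subset whose leaf name is known PII."""
    allowed = ALLOWED_FIELDS.get(endpoint, set())
    payload = json.loads(response_body)
    excess = {path for path, _ in _flatten(payload)
              if path.split(".")[0] not in allowed}
    pii = {path for path in excess if path.split(".")[-1] in PII_FIELDS}
    return excess, pii


def response_is_minimal(endpoint, response_body):
    """True when the response carries only allow-listed fields."""
    excess, _ = find_excess_fields(endpoint, response_body)
    return not excess


if __name__ == "__main__":
    excess, pii = find_excess_fields("/api/profiles/{id}", SAMPLE_RESPONSE)
    print("fields outside allow-list:", sorted(excess))
    print("personal data among them:", sorted(pii))
```

Wired into a test suite, `response_is_minimal` fails the build as soon as a serializer starts returning a field the client has no use for; the PII subset is what to prioritise when that happens.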

2 Answers


First, a definition.

"Reverse engineering, also called back engineering, is the process of extracting knowledge or design information from anything man-made and reproducing it or reproducing anything based on the extracted information. The process often involves disassembling something (a mechanical device, electronic component, computer program, or biological, chemical, or organic matter) and analyzing its components and workings in detail." (Source: Wikipedia, Reverse Engineering)

So, is extracting data from a connection extracting knowledge or design information? The answer: yes, it is.
However, to be reverse engineering we need more: we also need to "reproduce it or reproduce anything based on the extracted information".
And are we doing that? The answer is no. We are only checking data we receive over the line, for verification purposes (we verify that the application is doing what it is supposed to do, not (re-)building an alternative implementation).

So, unless the legal definition in your area is different from the Wikipedia definition, there should be no grounds to claim reverse engineering.

Also, you are not reverse engineering the software. You are analyzing the connection it uses. (Even if you consider just that act reverse engineering, there is no intellectual property that you can breach by analyzing the data on the wire, since it is outside anyone's control.)

Since you're just noting what you can see and not manipulating the connection in any other way, you are not doing anything with the software they use. (In fact you are doing nothing more than any corporate firewall can do.)

To be sure consult a lawyer, but on the face of it you should be fine.

LvB

Comment: Sounds reasonable to me, I think I'll try consulting a lawyer first since this seems like the type of company that will sue the shit out of me for just pointing this out; combine this with a judge that happens to have very limited technical knowledge and it's game over – Paradoxis Jul 07 '17 at 10:09


While I completely agree with LvB, I certainly would second the suggestion on the lawyer but also add that if someone really wanted to be a pain, having little ground legally doesn't exactly prevent someone from filing a lawsuit anyway to make a point.

However, you're not reverse engineering anything IMO, but the possibility of a lawsuit, no matter how frivolous, would be present. That said, it may be best to contact the provider in a more anonymous manner if you are really paranoid about it.

zgwolfe