CBC Gem Android & iOS Applications - Unencrypted Analytics (CVE-2019-19464)

Overview

"Watch hundreds of shows on demand and stream live news and sports, all for free. With CBC Gem, you can stream current episodes and past seasons of comedies, dramas, documentaries and more."

(https://play.google.com/store/apps/details?id=ca.cbc.android.cbctv)
(https://apps.apple.com/ca/app/cbc-gem/id422191503)

Issue

The CBC Gem Android & iOS applications (Android version 9.24.0 and below, iOS version 9.24.0 and below) sends potentially sensitive information such as device model & resolution, mobile carrier, days since first use, days since last use, total number of app launches, number of app launches since upgrade, and previous app session length, unencrypted to both first and third party sites (Adobe Marketing Cloud, ScorecardResearch).

Impact

An attacker who can monitor network traffic could capture potentially sensitive information about the user's device and viewing habits without their knowledge.

Timeline

October 7, 2019 - Provided additional information about my research on unencrypted analytics to Apple via product-security@apple.com
October 17, 2019 - Attempted to obtain a security contact via a CBC support form
October 17, 2019 - CBC provided a contact for the mobile application
October 17, 2019 - Provided the details to CBC
October 17, 2019 - CBC confirmed receipt of the information
October 29, 2019 - Asked CBC if they were able to confirm the issue
October 31, 2019 - CBC confirmed the issue and stated that they are working on a fix

Solution

Upgrade to Android version 9.24.1 or iOS version 9.26.0

CVE-ID:

CVE-2019-19464

Questions?

Contact Information