Being that the Android version of Yik Yak does not currently support proxy configurations nor Tor integration through other means, and Orbot, a Tor client for Android, requires root access to enable a transparent proxy, it appears that there is no working Yik Yak over Tor configuration without flashing the phone. This means that, by default, the Internet Protocol Address for the phone is transmitted and logged on Internet Service Provider and Yik Yak servers with each message that is submitted. This can be used to identify the source phone and perhaps even to provide a means of unauthorized access to the phone, should the database ever be compromised. Additional information may be needed from the carrier if Network Address Translation is being utilized.
In addition, phone confirmation type attacks/verification can be used by default, even when the device is wiped clean; this is unless the IMEI/MEID/ESN is updated, the Subscriber identity module (SIM) is switched out, the ro.serialno value is changed (device serial number) or the mac address for the Wifi is modified. This is because the user identification is based upon a manipulated MD5 hash of these values. Given access to the phone, these values can be verified and a user identification produced, which will match the Yik Yak database if the phone is left unmodified, therefore confirming with almost absolute certainty that the phone was used to submit posts on Yik Yak. These values can be spoofed and/or updated with root access and additional applications on the phone, or simply switching the SIM chip will cause the a different user identification to be computed.
No comments:
Post a Comment