Description
The HT app has a service that runs on startup and connects to rpc.benshikj.com:800.
From the decompiled app, it looks like this is used for some of the team / channel sharing features, and also for getting info on firmware updates. It uses Google Protocol Buffers for its messages. So why does it need to continuously run on startup? What is it tracking?
Another concern I have is that if you copy text into your clipboard and then navigate into the HT app, you'll get a toast notification that "HT pasted from your clipboard". That's spooky. Is it grabbing your clipboard and sending it upstream?
Unfortunately, I have not been able to MITM this traffic to see what other sorts of things it sends. I think the app may use cert pinning, or it's making the TCP / SSL connection in a way that the usual tutorials don't work with.
Perhaps someone with more security experience can jump in on this front?