Technology

83831 readers

3642 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

L3s@hackingne.ws

199

Your Duolingo Is Talking to ByteDance: Cracking the Pangle SDK's Encryption (www.buchodi.com)

submitted 3 days ago by lemmydividebyzero@reddthat.com to c/technology@lemmy.world

15 comments fedilink hide all child comments

top 15 comments

sorted by: hot top controversial new old

[–] XLE@piefed.social 29 points 3 days ago (1 children)

ByteDance applies real cryptographic protection to the data valuable to their business: ad impressions, click attribution, revenue tracking. But the device fingerprints they harvest from users? Those get the key-taped-to-the-doorframe treatment.

Frankly I want the opportunity to peer into everything, or at least prevent all of it

[–] Lee@retrolemmy.com 3 points 2 days ago

It says it can't be decrypted with passive means due to a proper ECDH key exchange, but if they are not doing any sort of verification that theor server sent or created the key, then it would be possible to do an active attack like MITM that manipulates the key exhcnage. What I mean is, your MITM proxy would substitute the real key with one that you have the keypair to and hand that to the target application. The target application then encrypts using the key you provide, your MITM proxy decrypts and reencrypts with the real key and all seems legit from both sides.

If there are server validation of some sort, signature checks or whatever, then it would require extra work like patching out or otherwise modifying those checks in the application, extracting the key from the application's memory, or something like this.

I guess myvpoint is, if you're motivated enough, you can make it happen.

[–] lemmydividebyzero@reddthat.com 26 points 3 days ago

part 2: https://www.buchodi.com/your-duolingo-is-still-talking-to-bytedance-how-pangle-fingerprints-you-across-apps-after-you-said-no/

[–] LodeMike@lemmy.today 20 points 3 days ago* (last edited 3 days ago) (1 children)

Good thing I use pirated copies that give me paid features and remove these SDKs

[–] sad_detective_man@sopuli.xyz 3 points 3 days ago (1 children)

ayyyyyyy mines getting a little dated, I had to go back versions a bit to get one without the ads hard-coded in. are you using a version newer than 6.31.7?

[–] LodeMike@lemmy.today 4 points 3 days ago (3 children)

Yes. I visit mobilism about once a month and download the latest Baltan release.

[–] Squizzy@lemmy.world 2 points 2 days ago (1 children)

What are both of those things?

[–] LodeMike@lemmy.today 1 points 2 days ago

Forum.mobilism.org

[–] SchwertImStein@lemmy.dbzer0.com 2 points 2 days ago (1 children)

thank you so much

[–] LodeMike@lemmy.today 1 points 2 days ago (1 children)

No "thank you" posts allowed /j

[–] SchwertImStein@lemmy.dbzer0.com 2 points 2 days ago (1 children)

execution squad is heading for my house

[–] P1nkman@lemmy.world 1 points 2 days ago

I never expected the Spanish Inquisition!

[–] sad_detective_man@sopuli.xyz 2 points 3 days ago (1 children)

I'll go check his again. would you say there's any annoyances lately with the cracks?

[–] LodeMike@lemmy.today 2 points 3 days ago (1 children)

There's inconsistent behavior but nothing on the fault of the patches.

[–] sad_detective_man@sopuli.xyz 2 points 3 days ago

fair enough, ty!