A well-run bug bounty program allows us to crowdsource cyber security knowledge from some of the best in the field and is just one of the many ways we put Clean Master security measures to the test. We believe incentivizing top researchers benefits the product, and, ultimately, our customers.   

Here are a few recent product improvements that are now live, as a result of the bug bounty program in the second half of 2018.   

The Security Reports  

1 Requiring explicit user approval before filling unknown apps 

The report: As a result of working with researchers from the University of Genoa, Italy, and EURECOM, we were able to find a malicious iOS application that was able to trick Clean Master into auto-filling the username and password for other legitimate iOS apps. It was also discovered that malicious apps with package name beginning with the reverse of the target domain name, such as com.facebook, would autofill credentials as well. This makes phishing attacks on mobile easier and also harder to detect. see more: magic cleaner

The fix: While continued efforts from the web and iOS communities will also be required, we have already implemented changes to our Clean Master iOS app to mitigate and minimize the risk of the potential attack detailed in this report. Our app now requires explicit user approval before filling any unknown apps, and we’ve increased the integrity of our app associations database in order to minimize the risk of any “fake apps” being filled/accepted.  

#2 Using a reliable source to determine the URL for websites on iOS 

The report: A malicious web site opened in iOS Safari could send a URL different from its actual URL when a user tries fills the login form using the Clean Master mobile app. This could trick users to enter credentials of a different web site.  

The fix:  The Clean Master app now determines the URL using a data source that cannot be manipulated by the website. 

#3 Authentication bypass on iOS 

The report:  In certain instances, users of the Clean Master iOS mobile app were able to bypass the fingerprint authentication and gain access to their account. This scenario was only applicable if the user locked the Clean Master app; if the user was logged out properly, the bypass would not occur. The bypass presented risk if a malicious third party were to gain physical control over a user’s mobile device.

The fix: The Clean Master engineering teams changed how the fingerprint authentication prompted itself to ensure that the authentication window appears immediately when the app is opened. This prevents the user from accessing the account before re-verifying through fingerprint. 

Making Clean Master Stronger 

We strive to make Clean Master as secure as possible with the help of this bug bounty program —this level of scrutiny makes Clean Master a better, stronger product. This batch of reports has resulted in several key improvements to the Clean Master security architecture, and performance improvements, too. We want to express our gratitude to the researchers for their responsible disclosure, and for their time and effort working with us on seeing these improvements through.  

As we said last time, we are committed to regularly sharing the most important bug bounty reports that our team investigated and fixed with our users. So, if you haven’t already, please subscribe to the blog to keep up with these reports. And if you are a security researcher, we welcome you to report any findings through our BugCrowd profile.