IdeaDesktop / Lenovo is spying on you

Introduction

Today I had some free time, so I turned on HTTP Server Proxy on my computer and then connected my Lenovo A820 phone to this proxy.

Apart from the Google requests, I found something interesting. When I uninstalled an application, a POST request was sent to fsr.lenovomm.com/reaper/server/report

Request Details

Investigation

So I queried a Whois server; here is the result:

Domain Name: LENOVOMM.COM
Updated Date: 2011-10-25 14:16:03
Creation Date: 2009-09-02 01:57:25
Expiration Date: 2016-09-02 01:57:25
Registrant Name: Zhang Joan
Registrant Organization: 联想(北京)有限公司 Lenovo (Beijing) Ltd.

It proves this domain is owned by Lenovo. That started to get interesting for me.
I looked at exactly what was sent in the POST request; here is the raw data:

ctx=1.9.2!0!RT3N00LZP3B8!null!34f026042e4ea305!417780254
!540×960!1999422605!1408440981081!1411986938695!1411986940362
!1411987204942!73!2!sn!0123456789ABCDEF!bu!!
&evt=LeLauncher!L02!com.lenovo.ideatool!1!

As you can see it sent info like:

  • API version (?): ctx=1.9.2
  • install unique ID: 34f026042e4ea305
  • screen resolution: 540×960
  • timestamp: 1411986940362 = Mon, 29 Sep 2014 13:01:29 GMT
  • phone serial number: 0123456789ABCDEF (for security reasons I replaced it)
  • event info: evt=LeLauncher!L02!com.lenovo.ideatool

I started wondering whether it sends any other info, so I performed some actions like rebooting the phone, installing an app or uninstalling an app.

As you can guess, it of course sends some data. After that I started looking for the source, and when I wanted to change the wallpaper the request was sent again with the event name LeLauncher!L11!!1!.
I’ve got you! The source/app of this data is IdeaDesktop (v1.2.8)

I looked at the settings to see whether I had enabled anything related to sending usage data:
IdeaDesktop Setting Screenshots
But as you can see in the screenshot above, I didn’t enable anything; the option with the red border allows sending usage data, but it’s disabled.

A list of some of the events it sends to Lenovo and what they mean:

  • Starting phone : __INITIAL__!initial!!0! and __INITIAL__!upload!test!0!
  • Installing APP : LeLauncher!L01!APP_BASENAME!1!
  • Uninstalling APP : LeLauncher!L02!APP_BASENAME!1!
  • Searching for APP : LeLauncher!L26!SearchQuery!1!
  • Adding something to the desktop : LeLauncher!L10!!1!
  • Changing wallpaper : LeLauncher!L11!!1!
  • Changing theme : LeLauncher!L12!!1!

You can find the full list of events here: http://pastebin.com/zcKPZw8V/

Usually the response header is:

HTTP/1.1 503 Service Unavailable: Back-end server is at capacity
Content-Length: 0
Connection: Close

The requests to the API server then stack up in the POST data, separated by newlines, until a 200 OK response is received:

HTTP/1.1 200 OK
Date: Mon, 29 Sep 2014 11:12:07 GMT
Server: nginx/1.2.7
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Length: 0
Connection: Close
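
To review a proxy capture for these reports, the body can be split into the fields identified above. This is an added example, not code from the original post or from Lenovo: the field positions are inferred from the single sample shown here, and it assumes each stacked line is a complete ctx/evt record.

```python
# Added example: field positions are inferred from the one sample in this post.
EVENT_MEANING = {  # (source, code) pairs listed in the post
    ("LeLauncher", "L01"): "app installed",
    ("LeLauncher", "L02"): "app uninstalled",
    ("LeLauncher", "L26"): "app search",
    ("LeLauncher", "L10"): "item added to desktop",
    ("LeLauncher", "L11"): "wallpaper changed",
    ("LeLauncher", "L12"): "theme changed",
    ("__INITIAL__", "initial"): "phone started",
    ("__INITIAL__", "upload"): "phone started",
}

def parse_report(line):
    """Parse one 'ctx=...&evt=...' record; raise ValueError if it is malformed."""
    ctx_part, sep, evt_part = line.strip().partition("&evt=")
    if not sep or not ctx_part.startswith("ctx="):
        raise ValueError("not a ctx/evt record")
    ctx = ctx_part[len("ctx="):].split("!")
    evt = evt_part.split("!")
    if len(ctx) < 11 or len(evt) < 3:
        raise ValueError("too few fields")
    # In the sample, the serial number follows the literal tag "sn".
    serial = ctx[ctx.index("sn") + 1] if "sn" in ctx[:-1] else None
    return {
        "version": ctx[0],
        "install_id": ctx[4],
        "resolution": ctx[6],
        "timestamp_ms": int(ctx[10]),  # epoch milliseconds
        "serial": serial,
        "source": evt[0],
        "code": evt[1],
        "argument": evt[2],  # package name or search query, may be empty
        "meaning": EVENT_MEANING.get((evt[0], evt[1]), "unknown"),
    }

def parse_body(body):
    """A POST body may hold several stacked records, one per line."""
    return [parse_report(l) for l in body.splitlines() if l.strip()]

# Constructed sample: the post's ctx values reused for two stacked events.
CTX = ("ctx=1.9.2!0!RT3N00LZP3B8!null!34f026042e4ea305!417780254!540×960!1999422605"
       "!1408440981081!1411986938695!1411986940362!1411987204942!73!2!sn!0123456789ABCDEF!bu!!")
SAMPLE_BODY = (CTX + "&evt=LeLauncher!L02!com.lenovo.ideatool!1!\n"
               + CTX + "&evt=LeLauncher!L11!!1!\n")

if __name__ == "__main__":
    for rec in parse_body(SAMPLE_BODY):
        print(rec["meaning"], rec["argument"] or "-", "serial:", rec["serial"])
```

Records whose event code is not in the table are reported as "unknown", so codes from the full pastebin list still parse.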

Summary

First of all, Lenovo is gathering information about you without your permission, even if you have disabled data sharing, and it sends the data over HTTP (not HTTPS), so the transmission can be easily intercepted.

What Lenovo knows about you:

  • when you turned on the phone,
  • when and which apps you have installed, uninstalled or searched for,
  • and some non-confidential information, like changes to desktop settings.

I’m using this app, what can I do?

If you have a rooted phone, you can add these records to the hosts file simply by using the Host Editor application:

127.0.0.1       fsr.lenovomm.com
127.0.0.1       lds.lenovomm.com
127.0.0.1       susapi.lenovomm.com

Or just install the DroidWall application, which is a kind of firewall app for Android, so you can choose which apps are allowed to use the internet connection.

Tested on: Lenovo A820 S150 with Lambda ROM v2.4.1, IdeaDesktop v1.2.8


2 thoughts on “IdeaDesktop / Lenovo is spying on you”

  1. Pingback: Telefony Lenovo dzwonią do centrali czy tego chcesz, czy nie | Zaufana Trzecia Strona

  2. Found this on my Lenovo P780 as well.. 😦
