CBC Gem Android & iOS Applications - Unencrypted Analytics
--
https://www.info-sec.ca/advisories/CBC-Gem.html

Overview

"Watch hundreds of shows on demand and stream live news and sports, all 
for free. With CBC Gem, you can stream current episodes and past seasons 
of comedies, dramas, documentaries and more."

(https://play.google.com/store/apps/details?id=ca.cbc.android.cbctv)
(https://apps.apple.com/ca/app/cbc-gem/id422191503)

Issue

The CBC Gem Android & iOS applications (Android version 9.24.0 and 
below, iOS version 9.24.0 and below) sends potentially sensitive 
information such as device model & resolution, mobile carrier, days 
since first use, days since last use, total number of app launches, 
number of app launches since upgrade, and previous app session length, 
unencrypted to both first and third party sites (Adobe Marketing Cloud, 
ScorecardResearch).

Impact

An attacker who can monitor network traffic could capture potentially 
sensitive information about the user's device and viewing habits without 
their knowledge.

Timeline

October 7, 2019 - Provided additional information about my research on 
unencrypted analytics to Apple via product-security@apple.com
October 17, 2019 - Attempted to obtain a security contact via a CBC 
support form
October 17, 2019 - CBC provided a contact for the mobile application
October 17, 2019 - Provided the details to CBC
October 17, 2019 - CBC confirmed receipt of the information
October 29, 2019 - Asked CBC if they were able to confirm the issue
October 31, 2019 - CBC confirmed the issue and stated that they are 
working on a fix

Solution

Upgrade to Android version 9.24.1 or iOS version 9.26.0