Meeting SDK Type and Version
MobileRTC MeetingsSDK v5.16.6.11260
Init with context domain = “zoom.us”
Description
Hello! Our iOS application utilizes the ZoomSDK for an in-app Zoom integration. However, that SDK appears to be communicating traffic to zoom.com.cn, a Beijing-based server. This has our security-minded customers highly concerned about data privacy.
Why is the SDK communicating to China, or how can we disable this? Thank you!
How To Reproduce
Using dynamic analysis from security software Quokka, the following was found:
Critical, Exploitable issue – App communicates with high-risk locations. CVSS Score: 9.1. CWE-668. The application connects to servers located in a country deemed high risk. These countries are determined by the list of US sanctioned countries. OWASP: M3: Insecure Communication. User or organizational data that is sent to these locations may be considered compromised. This has the potential for a large impact to brand reputation, user trust, and general user and organizational harm from the data impacted by the requests.
High-Risk Connection: CN 221.122.63.49
Solution??
Why is Zoom reaching out to China from different geo regions? Can this be disabled?