Android App Vulnerabilities Disclosed at DEF CON 25

Password Stored with Reversible Encryption

Home Depot Notified 4-19-17; automated reply, no fix as of 7-28-17
Kroger Notified 4-24-17; no reply; still vulnerable as of 7-28-17
Safeway Notified 4-21-17; no reply; changed but probably still vulnerable as of 7-28-17
Walgreens Notified 5-3-17; no reply; still vulnerable as of 7-28-17

Broken SSL

Amazon Price Tracker (not from amazon.com) Notified 4-20-17; no update as of 7-28-17

Plaintext Password Storage

Ace Hardware Notified 5-16-17; no reply; still vulnerable as of 7-28-17
McDonald's Notified 5-13-17; no reply; still vulnerable as of 7-28-17
Menards Notified 5-20-17; no reply; still vulnerable as of 7-28-17

Plaintext Login

7-Eleven Mexico Notified 5-20-17; no reply; still vulnerable as of 7-28-17
Trader Joe's Fan Notified 5-20-17; no reply; no update as of 7-28-17 (last updated in 2014)

Multiple Vulnerabilities

Delhaize (password in log, broken SSL, and insecure local encryption)
Notified 5-14-17; no reply; still vulnerable as of 7-28-17
Publix (plaintext password storage and broken SSL)
Notified 5-13-17; no reply; still vulnerable as of 7-28-17

Fixed

Golf Galaxy (broken SSL and insecure added encryption)
Notified 5-21-17 -- FIXED
JP Morgan Chase (password exposed in log)
Notified 5-10-17; no reply, but fixed as of 7-28-17
OptionsHouse by ETrade (broken SSL)
Fixed more than two years after notification

Posted 7-28-17 by Sam Bowne
Tidied and icons added 1-16-19