PMF Bancorp - Credit Report iOS App Transmits Passwords Insecurely

Background

The PMF Bancorp - Credit Report iOS app has a critical security problem--it transmits passwords without encryption over the Internet.

I tested this app:

Insecure Transmissions

Apple says that apps must use TLS encryption for iOS 9.0 and later, so I don't know how this app is even usable anymore.

Testing Method for Network Transmission

I have Burp set up as a proxy for my iPhone.

A login message is shown below, with the password exposed.

I used a jailbroken iPhone running iOS 12.4.4 with no passcode.

Notification

I sent this message on 1-12-2020:


Posted 1-12-2020 by Sam Bowne