State Bank Anywhere: SSL Certificate Validation Failure

Background

CERT tested many Android apps in 2014, and notified the authors of SSL certificate validation vulnerabilities. I found that "snap secure" was still vulnerable to a trivial MITM attack, and wrote a homework project for my students. I decided to test more apps on the CERT list, just to see what I could find.

Here are details of the CERT test and notification, from 9/3/2014: Finding Android SSL Vulnerabilities with CERT Tapioca. This spreadsheet from CERT shows "Android App SSL Failures": Android apps that fail to validate SSL

State Bank Anywhere

This is an Indian bank, apparently. I found their Android app in the Google Play store. They have 1 million downloads!

It's been updated today!

I have Burp set up as a proxy for my Genymotion Android emulator, without the PortSwigger certificate installed, so secure sites give a warning in the default Web browser:

However, when I log in with test credentials:

It doesn't notice the bad SSL certificate and lets the MITM attack work!

The password is hashed with MD5 and SHA-1, apparently with a salt, because I wasn't able to crack it immediately.

However, even with the password hashed, failure to validate the SSL certificate is a serious error. And ignoring CERT security notifications is not a small matter either!


Posted 4-26-15 2:36 pm by Sam Bowne