Maine EMS Apps Plaintext Data Transmission

Summary

The Maine EMS Android ans iOS apps send login credentials without encryption.

What You Need

After completing the previous project, you should have these things working:

Checking Proxy Settings

If you are routing traffic through the Burp proxy, that will make the Google Play store difficult or impossible to use.

In your Genymotion emulated device, open Settings. Click Wi-Fi. Click and hold WiredSSID until a box pops up.

Click "Modify network".

Check "Show advanced options".

Make sure the Proxy settings shows None.

Installing the Android App

In Genymotion, install this app:

Adjusting Proxy Settings

Start Burp listening on port 8080. Adjust the Android settings to send traffic through that proxy.

Log In

Sending test credentials:

Harvesting them from Burp:

The http indicates that they were sent without encryption.

iOS App

I installed the app on an iPad and networked it through a Mac computer, using this procedure:

Making an SSL Auditing Proxy with a Mac and Burp

Here's the app:

Sending test credentials:

Harvesting them from Burp:

Notification

I sent this message on 6-10-15:

The app was updated on 7-2-15 and no longer has any login at all.


Posted 6-10-15 by Sam Bowne
Revised 7-12-15