Maine EMS Apps Plaintext Data Transmission
Summary
The Maine EMS Android ans iOS apps send login credentials without
encryption.
What You Need
After completing the previous project,
you should have these things working:
- Genymotion set up with Google Play
- Burp running as a proxy
- The Genymotion networking configured to send traffic through Burp
Checking Proxy Settings
If you are routing traffic through
the Burp proxy, that will make
the Google Play store difficult or
impossible to use.
In your Genymotion emulated device,
open Settings. Click
Wi-Fi. Click and hold WiredSSID
until a box pops up.
Click "Modify network".
Check "Show advanced options".
Make sure the Proxy settings shows None.
Installing the Android App
In
Genymotion, install this
app:
Adjusting Proxy Settings
Start Burp listening on port
8080. Adjust the Android settings
to send traffic through that proxy.
Log In
Sending test credentials:
Harvesting them from Burp:
The http indicates that they
were sent without encryption.
iOS App
I installed the app on an
iPad and networked it through
a Mac computer, using this procedure:
Making an SSL Auditing Proxy with a Mac and Burp
Here's the app:
Sending test credentials:
Harvesting them from Burp:
Notification
I sent this message on 6-10-15:
The app was updated on 7-2-15 and
no longer has any login at all.
Posted 6-10-15 by Sam Bowne
Revised 7-12-15