Options : Stock Option Center iOS App Plaintext Authentication

Background

The Options : Stock Option Center iOS app has critical security problems: it transmits passwords without encryption over the Internet, and stores passwords without encryption on the phone.

Apple's App Transport Security (ATS) has required apps to use HTTPS (TLS 1.2 or later) by default since iOS 9.0, so I don't know how this app is even usable anymore; an app can only send plaintext HTTP by declaring an exception, such as NSAllowsArbitraryLoads or a per-domain NSExceptionAllowsInsecureHTTPLoads entry, in its Info.plist.
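The quickest way to check whether an app has opted out of ATS is to read the NSAppTransportSecurity dictionary in its Info.plist (Payload/<App>.app/Info.plist inside the decrypted IPA). The script below is an added example, not code from the post or from the app's developer; the three Info.plist samples in it are constructed for illustration, and the bundle identifier and domain name in them are invented, so it says nothing about what this particular app's Info.plist contains.

```python
import plistlib

# Constructed Info.plist samples (not taken from any real app). Only the
# NSAppTransportSecurity dictionary matters for this check.
PLIST_TEMPLATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.example.options</string>
%s
</dict></plist>"""

# No NSAppTransportSecurity key at all: ATS stays at its iOS 9+ default.
ATS_DEFAULT = PLIST_TEMPLATE % b""

# Global opt-out: every http:// URL is allowed.
ATS_GLOBAL_OPT_OUT = PLIST_TEMPLATE % b"""
<key>NSAppTransportSecurity</key><dict>
<key>NSAllowsArbitraryLoads</key><true/>
</dict>"""

# Per-domain exception: plain HTTP and old TLS allowed for one API host.
ATS_DOMAIN_EXCEPTION = PLIST_TEMPLATE % b"""
<key>NSAppTransportSecurity</key><dict>
<key>NSExceptionDomains</key><dict>
<key>api.example.com</key><dict>
<key>NSIncludesSubdomains</key><true/>
<key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
<key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
</dict></dict></dict>"""

GLOBAL_KEYS = ("NSAllowsArbitraryLoads",
               "NSAllowsArbitraryLoadsInWebContent",
               "NSAllowsArbitraryLoadsForMedia")
DOMAIN_HTTP_KEYS = ("NSExceptionAllowsInsecureHTTPLoads",
                    "NSTemporaryExceptionAllowsInsecureHTTPLoads",
                    "NSThirdPartyExceptionAllowsInsecureHTTPLoads")
DOMAIN_TLS_KEYS = ("NSExceptionMinimumTLSVersion",
                   "NSTemporaryExceptionMinimumTLSVersion")


def ats_findings(info_plist):
    """Return human-readable ATS weaknesses declared in an Info.plist.

    Accepts the raw bytes of an XML or binary plist. An empty list means
    the app is at the ATS default: HTTPS only, TLS 1.2 or later.
    """
    info = plistlib.loads(info_plist)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    for key in GLOBAL_KEYS:
        if ats.get(key):
            findings.append("%s=true (global opt-out: any http:// URL allowed)" % key)
    for domain, rules in sorted(ats.get("NSExceptionDomains", {}).items()):
        label = domain + (" (+subdomains)" if rules.get("NSIncludesSubdomains") else "")
        for key in DOMAIN_HTTP_KEYS:
            if rules.get(key):
                findings.append("%s: %s=true (plain http:// allowed)" % (label, key))
        for key in DOMAIN_TLS_KEYS:
            version = rules.get(key)
            if version in ("TLSv1.0", "TLSv1.1"):
                findings.append("%s: %s=%s (below TLS 1.2)" % (label, key, version))
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append("%s: forward secrecy not required" % label)
    return findings


if __name__ == "__main__":
    for name, sample in (("default", ATS_DEFAULT),
                         ("global opt-out", ATS_GLOBAL_OPT_OUT),
                         ("domain exception", ATS_DOMAIN_EXCEPTION)):
        print(name, "->", ats_findings(sample) or "ATS default (HTTPS only)")
```

To run it against a real app, read Payload/<App>.app/Info.plist from the decrypted IPA and pass its bytes to ats_findings; plistlib detects the binary plist format automatically. A global opt-out is the one finding that fully explains plaintext traffic from an iOS 9+ app; a domain exception explains it only for the listed hosts.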

Storing passwords without encryption is unacceptable for any app, according to the OWASP Mobile Application Security Verification Standard (MASVS, https://github.com/OWASP/owasp-masvs), specifically this item:

2.1 MSTG-STORAGE-1: System credential storage facilities need to be used to store sensitive data, such as PII, user credentials or cryptographic keys.

The OWASP Mobile Top 10 2016 entry M4, Insecure Authentication, says:

"...mobile applications should never store a user’s password on the device; Ideally, mobile applications should utilize a device-specific authentication token..."

In 2018, the German chat platform Knuddels.de was fined €20,000 for storing user passwords in plain text.

Testing Method: Network Transmissions

I have Burp set up as a proxy for my iPhone, without the PortSwigger CA certificate installed, so secure sites give a certificate warning in the default Safari Web browser:

Without that CA certificate, TLS certificate validation fails and no HTTPS connection can complete through the proxy, so any request that does show up in Burp was sent as plaintext HTTP.

Here's the app:

Creating an Account

I created an account in the app:

The captured network traffic shows the account data, including the password, sent over the Internet with no encryption:

Password Exposures

The password was also stored locally on the phone without encryption, as shown below.
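A practical way to confirm local plaintext storage is to register with a known password and then search the app's sandbox container for it: a hit in a preferences plist or a SQLite database means the password is sitting in app-readable storage rather than in the Keychain, which lives outside the container. The script below is an added example, not code from the post or from the app; it builds a constructed sample container (the bundle identifier, file names and contents are invented) and then scans it, parsing SQLite files table by table and searching every other file for the password in UTF-8 and UTF-16 encodings, which covers both XML and binary plists. How the author pulled the app's data off the phone is not stated in the post; the scan assumes you already have a copy of the container on disk.

```python
import os
import plistlib
import sqlite3
import tempfile

SAMPLE_PASSWORD = "P@ssw0rd1"          # the known password used at sign-up
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite file


def build_sample_container(root):
    """Create a constructed app container that stores the password in plaintext."""
    prefs = os.path.join(root, "Library", "Preferences")
    docs = os.path.join(root, "Documents")
    os.makedirs(prefs)
    os.makedirs(docs)
    # NSUserDefaults-style binary plist (invented bundle id and keys).
    with open(os.path.join(prefs, "com.example.options.plist"), "wb") as f:
        plistlib.dump({"username": "tester@example.com",
                       "savedPassword": SAMPLE_PASSWORD,
                       "lastSymbol": "AAPL"}, f, fmt=plistlib.FMT_BINARY)
    # SQLite database with a credentials table (invented schema).
    conn = sqlite3.connect(os.path.join(docs, "accounts.sqlite"))
    conn.execute("CREATE TABLE accounts (email TEXT, password TEXT)")
    conn.execute("INSERT INTO accounts VALUES (?, ?)",
                 ("tester@example.com", SAMPLE_PASSWORD))
    conn.commit()
    conn.close()
    # An unrelated file that must not produce a hit.
    with open(os.path.join(docs, "watchlist.json"), "w") as f:
        f.write('{"symbols": ["AAPL", "SPY"]}')
    return root


def _sqlite_hits(path, needle):
    """Report table.column and rowid of every text cell containing needle."""
    hits = []
    conn = sqlite3.connect(path)
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute('PRAGMA table_info("%s")' % table)]
        for row in conn.execute('SELECT rowid, * FROM "%s"' % table):
            for col, val in zip(cols, row[1:]):
                if isinstance(val, str) and needle in val:
                    hits.append("%s.%s rowid %d" % (table, col, row[0]))
    conn.close()
    return hits


def _raw_hits(path, needle):
    """Byte-search a file for needle as UTF-8 and as UTF-16 (binary plists
    store non-ASCII strings as UTF-16BE, ASCII strings as plain bytes)."""
    with open(path, "rb") as f:
        data = f.read()
    hits = []
    for enc in ("utf-8", "utf-16-be", "utf-16-le"):
        offset = data.find(needle.encode(enc))
        if offset != -1:
            hits.append("%s at offset %d" % (enc, offset))
    return hits


def scan_container(root, needle):
    """Walk a copied app container and return sorted (relative path, where) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                magic = f.read(len(SQLITE_MAGIC))
            found = (_sqlite_hits(path, needle) if magic == SQLITE_MAGIC
                     else _raw_hits(path, needle))
            hits.extend((rel, where) for where in found)
    return sorted(hits)


def demo():
    """Build the constructed container in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_container(root)
        return scan_container(root, SAMPLE_PASSWORD)


if __name__ == "__main__":
    for rel, where in demo():
        print("plaintext password in %s (%s)" % (rel, where))
```

Point scan_container at the copied container directory and pass the exact password you registered with; a hit in Library/Preferences is NSUserDefaults, which any process with access to the container or a backup can read. The SQLite branch assumes ordinary rowid tables, which is what Core Data and most hand-written schemas produce.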

Notification

I sent this message on 12-30-19:


Posted 12-30-19 by Sam Bowne