Project 11x: Stealing Credentials from an Android App with an SSL MITM Attack (15 pts.)

Background

This project demonstrates the poor security of an Android app, using fake credentials in a controlled virtual environment. No real user credentials are stolen in the project below.

The companies that make these apps were notified long ago by CERT of this problem, but have failed to update their apps. This, in my opinion, makes them fair game for public humiliation.

Here are details of the CERT test and notification, from 9/3/2014:

Finding Android SSL Vulnerabilities with CERT Tapioca

This spreadsheet from CERT shows many vulnerable apps.

Android apps that fail to validate SSL

What You Need for This Project

Background

Many Android apps don't verify the server's SSL certificate at all. Normal users won't notice any problem, but they are left open to MITM (man-in-the-middle) attacks: anyone who can intercept the connection can present a certificate of their own, and the app will accept it and send the user's data through the attacker.

Here we will perform a very simple MITM attack using the Burp proxy and an untrusted certificate.

In a sane world, we'd have to use a special, poorly written test app to demonstrate such a serious vulnerability. However, we'll use a real app, from a company that was warned long ago about this by CERT and who just ignored the warning and continued to endanger their customers.

Task 1: Configuring a Normal HTTPS Proxy

Follow the steps in Project 1x to get your Genymotion virtual Android device sending traffic through the Burp proxy without errors. This will require you to install the PortSwigger certificate, as explained in Project 1x.

Testing your Proxy

In your Genymotion device, open a Web browser and go to https://samsclass.info as shown below.

This page should load without any error messages. If you see errors saying the certificate is untrusted, install the PortSwigger certificate as explained in project 1x.

In Burp, on the Proxy tab, on the "HTTP history" sub-tab, you should see https://samsclass.info, as shown below.

Troubleshooting

If you see no HTTP history entries at all, check Project 1x for the instructions to set a proxy server inside Genymotion.

If you see some HTTP history entries, but not https://samsclass.info, make sure the "Filter" bar near the top of the Burp HTTP History window shows the "Showing all items" message. If it does not, click it and click the "Show all" button.

Task 2: Installing a Vulnerable App

In your Genymotion Android device, open Google Play.

When I prepared this project, "Snap Secure" was vulnerable. However, in response to publicity about this class project, they fixed their app.

So choose one of these apps to install instead:

Start the app and open its login screen.

Enter these fake credentials, replacing "YOURNAME" with your own name. Don't use any spaces in your name:

Click "Sign In".

The credentials are rejected, which is OK--what matters for us is how they were transmitted to the server.

In Burp, examine the HTTP History. You should find a GET request to a snapone.com server containing your username and password, as shown below.

This is normal HTTPS interception by a trusted proxy: the device trusts the PortSwigger certificate you installed in Task 1, so the app has no way to tell Burp from the real server. This does not demonstrate any security problem by itself; it is the baseline for the next two tasks.

Saving the Screen Image

Make sure you can see the YOURNAME in the User name and password, as shown above.

YOU MUST SUBMIT A FULL-DESKTOP IMAGE FOR FULL CREDIT

Save a screen image with the filename Proj 11xa from Your Name.

Task 3: Uninstalling the PortSwigger Certificate

In Genymotion, click Home, Circle, Settings, Security, "Trusted credentials", USER.

The PortSwigger certificate appears, as shown below.

Click PortSwigger. A "Security certificate" page opens.

Scroll to the bottom and click the Remove button, as shown below. Click OK.

Click Home. Open the Web browser. In the URL bar, retype https://samsclass.info and press Enter.

A "Security warning" box appears, as shown below. Burp's certificate no longer chains to any trusted root on the device, so the browser, which validates certificates correctly, detects the MITM attack that Burp is performing and refuses to proceed silently.

Task 4: MITM Attack

In Burp, right-click in the HTTP History list and click "Clear history". Click Yes.

In the Genymotion device, in the vulnerable app, sign in again, using these credentials, replacing "YOURNAME" with your own name. Don't use any spaces in your name:

In Burp, examine the HTTP History. You should find your username and password, as shown below.

This is VERY WRONG. Burp is intercepting and opening HTTPS traffic with a certificate that no trusted authority has signed, the same certificate the browser rejected in Task 3, and the app is ignoring it and sending the credentials anyway. An attacker on the network path (a hostile Wi-Fi hotspot, for example) could do exactly the same thing.
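The code path behind what Task 4 shows is an app-side trust manager that accepts every certificate. The following is an added example, not code from any app named on this page or from CERT, showing the classic accept-everything pattern beside two correct alternatives: leaving the platform's default validation in place, and pinning to a single CA certificate shipped with the app. The class name, the URL and the file name of the pinned certificate are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Illustrative class name; not taken from any app on this page.
public class TlsTrustExamples {

    // VULNERABLE: the pattern behind Task 4. checkServerTrusted() never throws,
    // so any certificate (Burp's, or an attacker's) is accepted, and the
    // hostname verifier accepts any name. The app cannot tell a MITM from
    // the real server.
    public static HttpsURLConnection openTrustingEverything(URL url) throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {}
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {}
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true); // also wrong: any name passes
        return conn;
    }

    // CORRECT (default validation): do not touch the socket factory or the
    // hostname verifier. The platform trust store is used, so Burp is accepted
    // only while its CA is installed on the device (Task 2) and rejected once
    // that CA is removed (Task 3), exactly like the browser.
    public static HttpsURLConnection openWithPlatformTrust(URL url) throws Exception {
        return (HttpsURLConnection) url.openConnection();
    }

    // STRONGER (pinning to one CA): trust only the certificate shipped with the
    // app. Now even a CA the user installed (Burp's, or a malicious one) is
    // rejected, so the Task 2 interception would fail as well.
    public static HttpsURLConnection openPinnedToCa(URL url, InputStream pinnedCaPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(pinnedCaPem);

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // empty in-memory store
        ks.setCertificateEntry("pinned-ca", ca);   // the only trusted issuer

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Keep the default HostnameVerifier; overriding it reopens the hole.
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Assumed URL and certificate file, for illustration only.
        URL url = new URL("https://example.com/login");
        try (InputStream pem = new FileInputStream("pinned_ca.pem")) {
            HttpsURLConnection conn = openPinnedToCa(url, pem);
            System.out.println("HTTP " + conn.getResponseCode());
        }
    }
}
```

A quick way to recognize the vulnerable pattern during an app review is to search the decompiled code for an X509TrustManager whose checkServerTrusted body is empty, or for a HostnameVerifier that always returns true. One caveat for anyone repeating Task 1 on a newer device: starting with Android 7.0, apps that target API level 24 or later no longer trust user-installed CAs by default, so the PortSwigger certificate in the user store lets you see traffic only from apps built for older API levels or from apps whose network security configuration explicitly opts in to user CAs.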

Saving the Screen Image

Make sure you can see the YOURNAME in the User name and password, as shown above.

YOU MUST SUBMIT A FULL-DESKTOP IMAGE FOR FULL CREDIT

Save a screen image with the filename Proj 11xc from Your Name.

Turning in Your Project

Email the image to cnit.128sam@gmail.com with a Subject line of Proj 11x from Your Name.

Sources

Finding Android SSL Vulnerabilities with CERT Tapioca

Android apps that fail to validate SSL

Snap Secure


Posted 4-26-15 12:40 pm by Sam Bowne
Updated with additional vulnerable apps 5:35 pm 4-26-15
Revised because Snap Secure is no longer vulnerable 8:45 pm 4-30-15