Project 6: Stitcher Caesar Cipher (10 pts. + 10 pts. extra)

What You Need for This Project

Purpose

Stitcher demonstrates another common security problem: custom "encryption". Every developer should use well-tested and trusted encryption routines such as HTTPS and AES. Whenever they invent their own, trouble results. Stitcher uses a modified Caesar cipher to protect passwords in transit instead of HTTPS. This was military-grade encryption before the birth of Christ, but now children's comic strips use better encryption.

Responsible Disclosure

I notified Stitcher about this flaw and some others in 2015. I also demonstrated it at DEFCON and many other conferences in 2015. I just tested the newest version, updated Dec 6, 2016, and they've made it even less secure. It used to use a different Caesar offset for each character--now it uses the same offset all the time--a straight Caesar cipher. It's clear that they don't care.

If I were Google, I wouldn't let an app offer in-app purchases with this outrageously poor security. Perhaps at some point they will be humiliated enough to demand that.

Installing the App

Start your Android emulator. Connect it directly to the Internet--not through a proxy.

Open Google Play and search for Stitcher. Install it, as shown below.

The version I used was 3.8.0, but I greatly doubt they'll bother fixing this problem any time soon.

Archived Copy of the App

If you can't get it from Google Play, download it here:

com.stitcher.app-1.apk

Starting Wireshark

If you don't have Wireshark, get it here:

https://www.wireshark.org/

Start Wireshark. Begin sniffing on the interface that goes to the Internet on your computer.

In the filter bar, enter this:

frame contains stitcher

Press Enter. Wireshark keeps capturing but shows no packets yet, as shown below.

Logging in to Stitcher

On your Android device, open Stitcher. At the home page, click the "Have an account? Log in" button.

Enter test credentials containing your name, as shown below. Click Done.

Wireshark shows an HTTP GET request going to /Service/CheckAuthentication.php, as shown below.

In Wireshark, from the menu bar, click Capture, Stop. Right-click that GET request and click Follow, "TCP Stream".

The request contains the email address in plaintext, and the password as a long series of letters and numbers, as shown below. The password is sent in the "epx" parameter, obscured in some manner, but is it really properly encrypted?

Restart Wireshark capturing, and log in with an email containing your name and a one-character password of:

a

Capture the login in Wireshark, as shown below.

Saving a Screen Image

Make sure you can see YOUR NAME and an epx value that is two characters long, as shown above.

Save a full-desktop image. On a Mac, press Shift+Command+3. On a PC, press Shift+PrntScrn and paste into Paint.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 6", replacing "YOUR NAME" with your real name.

Extra Credit

Testing Short Passwords

Repeat the process for these short passwords, and record the "epx" parameter Stitcher sends.

Password    epx
a           2x
b           2y
c           2z
aa          2x2x
ab          2x2y
ac          2x2z
aaaaaa      2x2x2x2x2x2x

Do more examples as required to figure out the algorithm, and find the password I sent from the network capture shown below.
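The table above is enough to show why this scheme is not encryption: one captured plaintext/ciphertext letter pair fixes the whole mapping. The following Python is an added example written for this page, not Stitcher's code and not part of the original assignment. It takes the (password, epx) pairs from the table, derives the Caesar offset from the first pair, and checks that the same offset reproduces every other row. It assumes (this is not stated on the page) that each password character becomes the constant marker "2" followed by one shifted letter, that the shift wraps modulo 26, and that only lowercase a-z were observed, so any other character is rejected rather than guessed.

```python
"""Reconstruct the "epx" password obfuscation from the known pairs in the
table above and show that a single captured login fixes the whole scheme.

Assumptions not stated on the page: only lowercase a-z are handled, the
leading "2" is a constant marker, and the shift wraps modulo 26.
"""
import string

LOWER = string.ascii_lowercase

# (password, epx) pairs copied from the table on the page.
KNOWN_PAIRS = [
    ("a", "2x"), ("b", "2y"), ("c", "2z"),
    ("aa", "2x2x"), ("ab", "2x2y"), ("ac", "2x2z"),
    ("aaaaaa", "2x2x2x2x2x2x"),
]


def recover_shift(plain_char, cipher_char):
    """Recover the Caesar shift from one plaintext/ciphertext letter pair.

    This is the whole "key recovery": no secret is needed beyond one
    observed login, because the offset is the only thing that varies.
    """
    return (LOWER.index(cipher_char) - LOWER.index(plain_char)) % 26


def encode_epx(password, shift, marker="2"):
    """Reproduce the epx encoding: each letter -> marker + shifted letter."""
    out = []
    for ch in password:
        if ch not in LOWER:
            # The page only shows a-z; do not guess how other characters map.
            raise ValueError(f"no observed mapping for {ch!r}")
        out.append(marker + LOWER[(LOWER.index(ch) + shift) % 26])
    return "".join(out)


def decode_epx(epx, shift, marker="2"):
    """Invert encode_epx, rejecting input that does not match the observed format."""
    if len(epx) % 2 != 0:
        raise ValueError("epx length must be even (marker + letter per character)")
    out = []
    for i in range(0, len(epx), 2):
        m, c = epx[i], epx[i + 1]
        if m != marker or c not in LOWER:
            raise ValueError(f"unexpected pair {epx[i:i + 2]!r} at offset {i}")
        out.append(LOWER[(LOWER.index(c) - shift) % 26])
    return "".join(out)


def check_known_pairs():
    """Derive the shift from the first table row and confirm it explains all rows.

    Returns (shift, consistent). A consistent result means the observed
    behaviour is a plain Caesar cipher with a fixed offset, exactly what the
    page says the current app version does.
    """
    first_plain, first_epx = KNOWN_PAIRS[0]
    shift = recover_shift(first_plain[0], first_epx[1])
    consistent = all(
        encode_epx(p, shift) == e and decode_epx(e, shift) == p
        for p, e in KNOWN_PAIRS
    )
    return shift, consistent


if __name__ == "__main__":
    shift, ok = check_known_pairs()
    print(f"recovered shift: {shift} ('a' -> '{LOWER[shift]}'), "
          f"consistent with every table row: {ok}")
    # Same password in, same epx out: no key, no salt, no nonce, so a
    # captured value can simply be replayed or decoded at leisure.
    print(encode_epx("abc", shift), "->", decode_epx(encode_epx("abc", shift), shift))
```

The shift the script recovers is 23 (equivalently, three letters backward), and it is fully determined by the single row "a -> 2x"; the remaining rows only confirm it. That is the practical lesson of the project: a scheme whose entire secret can be read off one observed login is obfuscation, and the only real fix is transporting the credential over TLS.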

Put the correct password in the body of your email message.

Turning in your Project

Email the image to cnit.128sam@gmail.com with the subject line: Proj 6 from YOUR NAME
Revised 3-8-17