Popular Android Apps with SSL Certificate Validation Failure

Vulnerable Android Apps

AppVulnerability
PicsArt (100 Million Downloads)SSL MITM; still vulnerable 5-23-15
ASTRO File Manager with Cloud (50 Million Downloads)SSL MITM
ES File Explorer File Manager (100 Million Downloads)SSL MITM
CityShop - for Craigslist (10 Million Downloads)SSL MITM
Truecaller - Caller ID & Block (50 Million Downloads)Plaintext PII Transmission
Instachat (5 Million Downloads)SSL MITM; still vulnerable 5-23-15
Phone for Google Voice & GTalk (1 Million Downloads)SSL MITM
OkCupid (5 Million Downloads)SSL MITM; fixed as of 5-23-15
Safeway (1 Million Downloads)SSL MITM
DISH Anywhere (5 Million Downloads)SSL MITM
SomNote (1 Million Downloads)SSL MITM, but hashing reduces the harm
Supermovil Santander Mexico (500,000 Downloads)SSL MITM
Minha Conta (Santander Brazil) (1 Million Downloads)SSL MITM
State Bank Anywhere (1 Million Downloads)SSL MITM
Snap Secure (100,000 Downloads) SSL MITM FIXED 4-30-15
AMC Security (5 Million Downloads)SSL MITM
Amway (100,000 Downloads)SSL MITM
Ask (1 Million Downloads)SSL MITM
Band (10 Million Downloads)SSL MITM
Club Personal (1 Million Downloads)SSL MITM
DailyFinance from AOL (100,000 Downloads)SSL MITM
DMV NOW (California DMV) (500,000 Downloads)SSL MITM
Equifax (100,000 Downloads)SSL MITM
Floating Browser (100,000 Downloads)SSL MITM; exposes all credentials entered into the browser
Foxit MobilePDF - PDF reader (1 Million Downloads)SSL MITM; exposes DropBox, Box, Microsoft, and Google credentials (fixed 5-18-15)
GittiGidiyor (eBay) (1 Million Downloads)SSL MITM
IM+ (100,000 Downloads)SSL MITM; exposes Google credentials
InstaG (1 Million Downloads)SSL MITM
InstaMessage (1 Million Downloads)SSL MITM
KickSend (500,000 Downloads)SSL MITM
Kid Mode (1 Million Downloads)SSL MITM
Lyoness (100,000 Downloads)SSL MITM
Mini Online Shopping (1 Million Downloads)SSL MITM; password hashed
NBA (5 Million Downloads)SSL MITM
InstaPost (1 Million Downloads)SSL MITM
Pizza Hut (5 Million Downloads)SSL MITM

Vulnerable Medical Android Apps

HIPAA Requirements

In my opinion, all the apps below fail to comply with HIPAA

EyeXam (5000 Downloads)SSL MITM
Garland & Associates (10 Downloads)SSL MITM
GenieMD (10,000 Downloads)
UPDATED with Vendor Response
SSL MITM
Liver Health - Hepatitis C (500 Downloads)SSL MITM
LowestMed Corporate Rx (1000 Downloads)SSL MITM
Order Mvi (50 Downloads)SSL MITM
Pain Timer (50 Downloads)SSL MITM
Pharmacy Health Connect (1000 Downloads)SSL MITM
Pulsara (100 Downloads)SSL MITM
RCEMS Field Guide (1000 Downloads)SSL MITM
RCP Sacramento (500 Downloads)SSL MITM
Rx Refills (1000 Downloads)SSL MITM
T-Res Fast Clinical Logging (1000 Downloads)SSL MITM
UCLA eIBD (100 Downloads)SSL MITM
UCLA Health (1000 Downloads)SSL MITM
Virtual Physician's Network (1 Download)Plaintext HTTP authentication

Background

CERT tested many Android apps in 2014, and notified the authors of SSL certificate validation vulnerabilities. I found that "snap secure" was still vulnerable to a trivial MITM attack, and wrote a homework project for my students. I decided to test more apps on the CERT list, just to see what I could find.

Here are details of the CERT test and notification, from 9/3/2014: Finding Android SSL Vulnerabilities with CERT Tapioca. This spreadsheet from CERT, shows "Android App SSL Failures": Android apps that fail to validate SSL

Testing Method

I have Burp set up as a proxy for my Genymotion Android emulator, without the PortSwigger certificate installed, so secure sites give a warning in the default Web browser:

So no HTTPS connections should be possible through the proxy.


PicsArt (100 Million Downloads)

Here's the app:

CERT notified the author about the SSL vulnerability on 8-27-14, and the app was updated on 3-13-15, but it's still vulnerable.

Sending test credentials:

Harvesting them from Burp via MITM attack:


ASTRO File Manager with Cloud (50 Million Downloads)

Here's the app:

CERT notified the author about the SSL vulnerability on 9-11-14, and the app was updated on 4-24-15, but it's still vulnerable.

Sending test credentials to connect a Microsoft OneDrive account:

Harvesting them from Burp via MITM attack:


ES File Explorer File Manager (100 Million Downloads)

Here's the app:

The app was updated on 4-16-15, but it's still vulnerable.

Sending test credentials to connect a SugarSync account:

Harvesting them from Burp via MITM attack:


CityShop - for Craigslist (10 Million Downloads)

Here's the app:

The app was updated on 3-20-15, but it's still vulnerable.

Sending test credentials:

Harvesting them from Burp via MITM attack:


Truecaller - Caller ID & Block (50 Million Downloads)

Here's the app:

The app was updated on 4-21-15.

The app doesn't use SSL at all. Instead, it sends the user's private data (email, name, and phone number, which is redacted in the image below) in plaintext each time the user clicks "FAQ":

That is a strange thing to do, since the Privacy settings mislead the user into imagining that he or she has control over who can see profile data:


Instachat (5 Million Downloads)

Here's the app:

The app was updated on 2-27-15, but it's still vulnerable.

Sending test credentials:

Harvesting them from Burp via MITM attack:


Phone for Google Voice & GTalk (1 Million Downloads)

Here's the app:

The app was updated on 2-10-15, but it's still vulnerable.

Sending test credentials:

It gives a connection error:

But it sends the credentials to the attacker anyway:


OkCupid (5 Million Downloads)

Here's the app:

This is droll--it tries to place the blame on the user for its broken HTTPS implementation. I decided to use Wi-Fi anyway.

Sending test credentials:

Harvesting them from Burp via MITM attack:


Safeway (1 Million Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


DISH Anywhere (5 Million Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


SomNote (1 Million Downloads)

Here's the app:

I logged in with test credentials, and harvested them from Burp via MITM attack. Note that the HTTPS certificate is not validated, so the username is visible, but since the app uses hashing the password is not visible.


AMC Security (5 Million Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:

Note that the password is hashed or encrypted so that it cannot be trivially captured, even though AMC broke HTTPS. Three cheers for defense in depth!


Amway (100,000 Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


Ask (1 Million Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


Band (10 Million Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


Club Personal (1 Million Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


DailyFinance from AOL (100,000 Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


DMV NOW (California DMV) (500,000 Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


Equifax (100,000 Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


Floating Browser (100,000 Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


Foxit MobilePDF - PDF reader (1 Million Downloads)

Foxit MobilePDF - PDF reader (1 Million Downloads)SSL MITM; exposes credentials Here's the app:

It offers to connect to several cloud services:

And it leaks credentials for every one I tested: DropBox, Box, Microsoft, and Google.

Harvesting them from Burp via MITM attack:

On 5-23-15 I noticed that there's a new version:

And the problem is indeed fixed!


GittiGidiyor (eBay) (1 Million Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


IM+ (100,000 Downloads)

Here's the app:

It offers to connect to several services:

Most aren't vulnerable to an MITM attack, but Google is. Sending test credentials:

Harvesting them from Burp via MITM attack:


InstaG (1 Million Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


InstaMessage (1 Million Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


KickSend (500,000 Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


Kid Mode (1 Million Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


Lyoness (100,000 Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


Mini Online Shopping (1 Million Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


NBA (5 Million Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


InstaRepost (1 Million Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


Pizza Hut (5 Million Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


Vulnerable Medical Android Apps

The fact that these apps are in use implies (but does not prove) HIPAA violations, since they break HTTPS and expose their data.

The designers have chosen to leave the apps insecure months after CERT warned them of the insecurity.


AirStrip ONE (100 Downloads)

This app gathers sensitive medical data from multiple sources and and presents it to clinicians. Each instance of the app apparently exposes the medical data of multiple patients.

Sending test credentials:

Harvesting them from Burp via MITM attack:

I wasn't able to test the actual transmission of medical data, but it is presumably also exposed to a MITM attack.


DCGA Medicals (500 Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:

Sending a medical question:

Harvesting personal medical data via MITM attack:


Epiclinic (5 Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:

Medical Apps


EyeXam (5000 Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


Garland & Associates (10 Downloads)

Here's the app:

You put your personal medical data in here:

And an attacker in the middle gets it here:


GenieMD (10,000 Downloads)

Vendor Response

GenieMD Tweeted me, saying HIPAA does not apply to them.:

Here are the rules. GenieMD may be correct, it's not clear to me.

Here's the app:

You are supposed to enter in personal medical data.

It hasn't been updated since last year:

Sending test credentials:

Harvesting them from Burp via MITM attack:


Liver Health - Hepatitis C (500 Downloads)

This is a very strange app from the NYC Department of Health. It breaks HTTPS, but seems not to send any data that makes sense through the broken HTTPS.

It has a questionnaire asking very sensitive questions:

It then sends the questions, but not the answers, up to the server insecurely, so the MITM attacker can see them.

It asks you to search for a clinic, entering your address:

It sends a latitude and longitude, which the MITM attacker can see:

However, the latitude and longitude is far away from the address I entered:


LowestMed Corporate Rx (1000 Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


Order Mvi (50 Downloads)

Here's the app--it explicitly claims to be HIPAA compliant!

Sending test credentials:

Harvesting them from Burp via MITM attack:


Pain Timer (50 Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


Pharmacy Health Connect (1000 Downloads)

Here's the app:

Sending test PII:

Harvesting them from Burp via MITM attack:

Sending a prescription number:

Harvesting the data from Burp via MITM attack:


Pulsara (100 Downloads)

Here's the app:

You'll be glad to know this app is "HIPAA compliant"!

Sending test credentials:

Harvesting them from Burp via MITM attack:


RCEMS Field Guide (1000 Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


RCP Sacramento (500 Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


Rx Refills (1000 Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


T-Res Fast Clinical Logging (1000 Downloads)

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:


UCLA eIBD (100 Downloads)

Here's the app:

Patients are expected to use this app for "messaging your healthcare team" and other actions using private healthcare information:

Sending test credentials:

Harvesting them from Burp via MITM attack:


UCLA Health (1000 Downloads)

Here's the app:

This app is intended for patients to use to "access your health records":

Entering sensitive data into the app:

Harvesting it from Burp via MITM attack:


Virtual Physician's Network (1 Download)

Here's the app:

It explicitly claims to be HIPAA compliant:

Sending test credentials:

Harvesting them from Burp is to easy--this app uses HTTP with no encryption at all!


Posted 4-26-15 5:16 pm by Sam Bowne
More apps added 4-26-15 11:43 pm
More apps added & Somnote explanation changed from OAuth to hashing 4-27-15 1:54 am
On 4-29 at 6:44 PM I added several new items, alphabetically, from AMC through Instamessage (approximately).
Note that Snap Secure fixed the problem added 4-30-15 8:33 pm
Medical apps added 2:33 pm 5-1-15
GemieMD response added 5-2-15 6:53 am
FixIT fix added 5-23-15 12:05 pm
Incorrect Somnote image removed 6-4-15
Missing images added to Pharmacy Health Connect 6-9-15