Santander Bank: SSL Certificate Validation Failure

Background

CERT tested many Android apps in 2014 and notified the authors of apps that failed to validate SSL certificates. I found that "snap secure" was still vulnerable to a trivial MITM attack, and wrote a homework project for my students around it. I then decided to test more apps on the CERT list, just to see what I could find.

Here are details of the CERT test and notification, from 9/3/2014: Finding Android SSL Vulnerabilities with CERT Tapioca. This spreadsheet from CERT shows "Android App SSL Failures": Android apps that fail to validate SSL.

Testing Method

I have Burp set up as a proxy for my Genymotion Android emulator, without Burp's CA certificate installed on the device, so every HTTPS site produces a certificate warning in the default Web browser:

So an app that validates certificates correctly cannot complete any HTTPS connection through the proxy. If the proxy can read an app's HTTPS requests, the app is accepting a certificate it should have rejected.
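The test above hinges on one thing: a client that validates the certificate chain cannot talk HTTPS through a proxy whose certificate it does not trust. Here is that check reproduced in miniature in Go, as an added example that is not part of the original post and is not the code of any app tested here. It starts a loopback HTTPS server with a self-signed certificate (httptest's stand-in for the Burp proxy) and posts constructed test credentials through two clients: one with Go's default validation, and one with InsecureSkipVerify set, which is the Go spelling of the Android mistake CERT found (an X509TrustManager whose checkServerTrusted accepts everything, or a hostname verifier that always returns true).

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Trial records what happened when one client configuration posted the test
// credentials to a server whose certificate is not trusted.
type Trial struct {
	Err              error // transport error; nil if the request completed
	UnknownAuthority bool  // Err was specifically a chain-validation failure
	Leaked           bool  // the server (the "proxy") received the credentials
}

// Constructed test credentials; there is no real account behind them.
const testCreds = "user=test&pass=test"

// untrustedServer plays the role of the Burp proxy in the post: an HTTPS
// endpoint presenting a self-signed certificate that no client trusts.
// httptest generates that certificate; the handler records whatever arrives.
func untrustedServer(received *[]string) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		*received = append(*received, string(body))
		fmt.Fprint(w, "ok")
	}))
}

// post sends the credentials through client and reports the outcome.
func post(client *http.Client, url string, received *[]string) Trial {
	before := len(*received)
	resp, err := client.Post(url, "application/x-www-form-urlencoded", strings.NewReader(testCreds))
	if err == nil {
		resp.Body.Close()
	}
	var ua x509.UnknownAuthorityError
	return Trial{
		Err:              err,
		UnknownAuthority: errors.As(err, &ua),
		Leaked:           len(*received) > before,
	}
}

// RunTrials performs the two experiments: a client that validates the chain
// (Go's default, like Android's default TrustManager) and one with
// verification switched off (the vulnerable configuration).
func RunTrials() (validating, trustAll Trial) {
	var received []string
	srv := untrustedServer(&received)
	defer srv.Close()

	// Default client: system roots, full chain and hostname checks.
	validating = post(&http.Client{}, srv.URL, &received)

	// Trust-all client: accepts any certificate, so the "proxy" sees the login.
	insecure := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the vulnerable setting
	}}
	trustAll = post(insecure, srv.URL, &received)
	return validating, trustAll
}

func main() {
	v, t := RunTrials()
	fmt.Printf("validating client: err=%v leaked=%v\n", v.Err, v.Leaked)
	fmt.Printf("trust-all client:  err=%v leaked=%v\n", t.Err, t.Leaked)
}
```

The validating client fails the handshake (on a normal system with an "unknown authority" error) and the server never sees the form body; the trust-all client completes the request and the credentials land in the server's log, which is exactly what the Burp history showed for the vulnerable apps. Note that the self-signed certificate here does carry the right hostname, so the only thing being tested is chain validation; an app can also fail by trusting the chain but skipping the hostname check.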

Santander Bank

There are several apps for different countries.

Supermovil Santander Mexico: VULNERABLE

Here's the app I installed. It has 500,000 downloads.

It was updated 4-24-15, but unfortunately it still doesn't validate the server's certificate.

I entered test credentials into the app:

Here they are in two requests the proxy captured, even though the proxy presented a certificate the device does not trust:

Santander US -- NOT VULNERABLE

Santander UK -- NOT VULNERABLE

Santander Espana -- NOT VULNERABLE

Minha Conta (Santander Brazil) -- VULNERABLE

Here's the app I installed. It has 1 million downloads.

It was updated 4-13-15.

To test this, I needed a CPF number (the Brazilian taxpayer ID, roughly analogous to a US SSN). I found the check-digit algorithm here, and a number that passes it is 123.456.789-09.
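The CPF check-digit algorithm, written out in Go as an added example that is not from the post or the page it links, so that 123.456.789-09 can be reproduced rather than taken on trust. Each check digit is a weighted sum of the preceding digits modulo 11 (weights counting down to 2; a remainder below 2 gives 0, otherwise 11 minus the remainder). The nine base digits are constructed test input; the repdigit rejection is the extra rule most CPF validators apply, since numbers like 111.111.111-11 satisfy the arithmetic but are not issued.

```go
package main

import (
	"fmt"
	"strings"
)

// cpfDigits strips the usual "ddd.ddd.ddd-dd" punctuation and returns the
// digits, or an error if anything other than digits remains.
func cpfDigits(s string) ([]int, error) {
	cleaned := strings.NewReplacer(".", "", "-", "", " ", "").Replace(s)
	d := make([]int, 0, len(cleaned))
	for _, c := range cleaned {
		if c < '0' || c > '9' {
			return nil, fmt.Errorf("non-digit %q in CPF", c)
		}
		d = append(d, int(c-'0'))
	}
	return d, nil
}

// checkDigit computes one mod-11 check digit over digits, weighting the
// first digit by len(digits)+1 and the last by 2.
func checkDigit(digits []int) int {
	sum := 0
	for i, d := range digits {
		sum += d * (len(digits) + 1 - i)
	}
	r := sum % 11
	if r < 2 {
		return 0
	}
	return 11 - r
}

// ValidCPF reports whether s is a well-formed CPF: eleven digits, both check
// digits correct, and not a repdigit (all eleven digits the same).
func ValidCPF(s string) bool {
	d, err := cpfDigits(s)
	if err != nil || len(d) != 11 {
		return false
	}
	allSame := true
	for _, x := range d[1:] {
		if x != d[0] {
			allSame = false
			break
		}
	}
	if allSame {
		return false
	}
	return checkDigit(d[:9]) == d[9] && checkDigit(d[:10]) == d[10]
}

// MakeCPF appends the two check digits to a nine-digit base and formats the
// result as ddd.ddd.ddd-dd. This is how a test number such as the one in the
// post can be generated.
func MakeCPF(base string) (string, error) {
	d, err := cpfDigits(base)
	if err != nil || len(d) != 9 {
		return "", fmt.Errorf("base must be exactly nine digits, got %q", base)
	}
	d1 := checkDigit(d)
	d2 := checkDigit(append(d, d1))
	return fmt.Sprintf("%s.%s.%s-%d%d", base[0:3], base[3:6], base[6:9], d1, d2), nil
}

func main() {
	cpf, _ := MakeCPF("123456789") // constructed base digits
	fmt.Println(cpf, ValidCPF(cpf))
}
```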

When I submitted it, the app sent an HTTPS GET carrying a lot of data in a binary format I could not decode:

But I think that binary data contained the CPF number, because the Portuguese message I got back:

translates to "Registration not found".

So it appears that the MITM attack works against this app too: the proxy, presenting an untrusted certificate, was reading the app's HTTPS traffic.


Posted 4-26-15 2:36 pm by Sam Bowne