SomNote Android and iOS Apps Fail to Validate SSL Certificates

Background

The SomNote Android and iOS apps have a serious security problem: they break HTTPS. They fail to validate SSL certificates, which leaves their connections vulnerable to man-in-the-middle attacks.

This practice may be illegal in the USA. Two American companies were sanctioned by the FTC in 2014 for making this same error:

FTC Final Orders with Fandango and Credit Karma Provide Guidance on Mobile App Security

Testing Method: Android

I have Burp set up as a proxy for my Genymotion Android emulator, without the PortSwigger certificate installed, so secure sites give a warning in the default Web browser:

So no HTTPS connection should succeed through the proxy unless the app skips certificate validation.

SomNote for Android (1 Million Downloads)

Here's the app:

I logged in with test credentials and harvested them from Burp via the MITM attack. Because the app does not validate the HTTPS certificate, the username is visible in Burp; the password is not, since the app hashes it before sending.
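As an added illustration (constructed for this write-up, not SomNote's code, which was not examined), here is the Android pattern that produces exactly this result, alongside a self-check that reproduces the Burp-without-CA test so a build can be failed when the handshake through an untrusted proxy succeeds; the class name, PROXY_HOST and the endpoint URL are placeholders.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsValidationCheck {
    // VULNERABLE PATTERN (constructed illustration): a TrustManager that never throws
    // accepts any chain, including the one an interception proxy like Burp presents,
    // and the verifier accepts any hostname. This is what to look for in code review.
    static void installTrustAll() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);
    }
    // HARDENED: keep the platform defaults (system CA store plus hostname verification)
    // and verify that behaviour. Returns true when the handshake through a proxy whose
    // CA is not installed is refused, the outcome a correctly written app must show.
    static boolean refusesUntrustedProxy(URL url, Proxy proxy) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection(proxy);
        try {
            conn.connect();
            return false;   // handshake succeeded: certificate validation is broken
        } catch (SSLHandshakeException e) {
            return true;    // proxy certificate rejected: validation works
        } finally {
            conn.disconnect();
        }
    }
    public static void main(String[] args) throws Exception {
        // Placeholder: the address of the machine running Burp, as seen from the emulator.
        Proxy burp = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("PROXY_HOST", 8080));
        URL api = new URL("https://example.com/");   // placeholder endpoint
        System.out.println("validates certificates: " + refusesUntrustedProxy(api, burp));
    }
}
```

Run it from the emulator with the proxy configured but the PortSwigger CA not installed; `false` means the app would log in through the interception proxy exactly as SomNote did.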

Testing Method: iOS

I set up my MacBook Air as a Wi-Fi access point, sharing a cellular Bluetooth PAN Internet connection over Wi-Fi as explained here and here.

The MacBook Air is running Burp, a proxy listening on port 8080.

To test apps, I installed them on an iPad and connected it to the MacBook's wireless network. I configured the network settings to use the MacBook Air's IP address on port 8080 as an HTTP proxy.

I did not install the PortSwigger certificate on the iPad, so HTTPS connections give a warning in a properly written app, such as the Travelocity app:

iOS App

Here's the app I tested:

Sending test credentials:

Harvesting the data from Burp via the MITM attack exposes the username. The HMAC hashing still provides a layer of protection for the password, as in the Android app.

Notification

I sent this message on 6-4-15:


Posted 6-4-15 by Sam Bowne