Toyota Android Apps Fail to Validate SSL Certificates

Background

The Toyota Android apps have a serious security problem: they break HTTPS. Like many Android apps, they fail to validate SSL certificates, so anyone on the network path who can present a certificate of their own (a hostile Wi-Fi gateway, or a proxy such as Burp) can decrypt, read, and modify the traffic. That is a man-in-the-middle attack, and it defeats the only protection HTTPS provides.

This practice may be illegal in the USA. Two American companies were sanctioned by the FTC in 2014 for making this same error:

FTC Final Orders with Fandango and Credit Karma Provide Guidance on Mobile App Security

Testing Method

I have Burp set up as a proxy for my Genymotion Android emulator, without the PortSwigger certificate installed, so secure sites give a warning in the default Web browser:

So no HTTPS connection from a client that validates certificates should succeed through the proxy; Burp presents its own certificate for every site, and a correct client rejects it because the issuing CA is not trusted.
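The example below is added for this page and is not Toyota's code; the apps' source is not shown here, so the permissive TrustManager it contains is an assumption about the usual cause of this failure, not a finding from the apps. It puts that anti-pattern beside the correct platform-default trust setup and drives both through an intercepting proxy (assumed at 127.0.0.1:8080, Burp's default) so the Burp-without-CA test described above can be reproduced from code. It uses only classes Android also exposes and runs as a desktop program on Java 11 or later.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

public class CertCheckDemo {

    // Anti-pattern (assumed, typical cause of the behaviour described above):
    // a TrustManager whose check methods never throw, so ANY certificate chain
    // is accepted. An intercepting proxy that mints its own certificate for the
    // requested host passes this check; the hostname even matches, so a
    // HostnameVerifier would not save you here either.
    static SSLSocketFactory trustEverything() throws Exception {
        TrustManager[] acceptAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, new SecureRandom());
        return ctx.getSocketFactory();
    }

    // The fix: do not supply TrustManagers at all. A null array makes the
    // SSLContext use the platform trust store, so a chain signed by an
    // untrusted CA (Burp's, here) fails PKIX path validation.
    static SSLSocketFactory platformDefault() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        return ctx.getSocketFactory();
    }

    // Open the URL through an HTTP proxy (CONNECT tunnel) with the given
    // socket factory and report whether the TLS handshake was accepted.
    // A handshake that is ACCEPTED through a proxy whose CA is not installed
    // means the client would also accept an attacker's certificate.
    static String fetchViaProxy(String url, String proxyHost, int proxyPort,
                                SSLSocketFactory factory) {
        try {
            Proxy proxy = new Proxy(Proxy.Type.HTTP,
                                    new InetSocketAddress(proxyHost, proxyPort));
            HttpsURLConnection conn =
                (HttpsURLConnection) new URL(url).openConnection(proxy);
            conn.setSSLSocketFactory(factory);
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            int code = conn.getResponseCode();
            return "ACCEPTED (HTTP " + code + "): the proxy can read this traffic";
        } catch (SSLHandshakeException e) {
            // Expected result for a correct client: untrusted issuer.
            return "REJECTED: " + e.getMessage();
        } catch (IOException e) {
            // Proxy not running, DNS failure, timeout, etc.
            return "CONNECTION FAILED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://example.com/";
        String proxyHost = "127.0.0.1";   // assumed: Burp listening locally
        int proxyPort = 8080;             // assumed: Burp default port
        System.out.println("platform default: "
            + fetchViaProxy(url, proxyHost, proxyPort, platformDefault()));
        System.out.println("trust-all        : "
            + fetchViaProxy(url, proxyHost, proxyPort, trustEverything()));
    }
}
```

With Burp running and its CA not installed in the JVM's trust store, the first line prints REJECTED with a "PKIX path building failed" message and the second prints ACCEPTED; the second line is exactly the condition that let Burp harvest the credentials and profile data in the sections that follow. The same pair of results is what to look for when reviewing an app's source: any X509TrustManager whose checkServerTrusted body is empty, or a HostnameVerifier that always returns true, should be removed rather than worked around.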

Toyota Owners App

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:

Here's the Toyota Privacy Policy, which claims to use "secure socket layer."

Toyota Roadside Assistance App

Here's the app:

I configured a profile with personally identifiable information:

And the app sent it over the Internet insecurely:

In another part of the app, I entered my current address:

Which was also sent over the Internet insecurely:

Notification

I sent this message on 5-27-15:


Posted 5-27-15 by Sam Bowne