Travelzoo Android and iOS Apps Fail to Validate SSL Certificates

Background

The Travelzoo Android and iOS apps have a serious security problem: they break HTTPS. They fail to validate SSL certificates, rendering them vulnerable to man-in-the-middle attacks.

This practice may be illegal in the USA. Two American companies were sanctioned by the FTC in 2014 for making this same error:

FTC Final Orders with Fandango and Credit Karma Provide Guidance on Mobile App Security

Testing Method: Android

I have Burp set up as a proxy for my Genymotion Android emulator, without the PortSwigger certificate installed, so secure sites give a warning in the default Web browser:

So no HTTPS connections should be possible through the proxy.

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:

Testing Method: iOS

I set up my MacBook Air as a Wi-Fi access point, sharing a cellular Bluetooth PAN Internet connection over Wi-Fi as explained here and here.

The MacBook Air is running Burp, a proxy listening on port 8080.

To test apps, I installed them on an iPad and connected it to the MacBook's wireless network. I configured the network settings to use the MacBook Air's IP address on port 8080 as an HTTP proxy.

I did not install the PortSwigger certificate on the iPad, so HTTPS connections give a warning in a properly-written app, such as the Travelocity app:
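Both proxy tests above rest on one rule: when the certificate presented to a client is not signed by a trusted authority, a properly-written client must refuse the connection. The following added example in Go (not code from the original post and not Travelzoo's or Travelocity's app code) reproduces that rule locally: an httptest server with a self-signed certificate stands in for the proxy whose certificate was never installed, and three clients fetch from it, one with default verification, one with verification switched off (a common way apps end up in the state the post describes; assumed here, since the post does not say how the apps fail), and one that pins the server's certificate. The server, its "intercepted" response text and all function names are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Outcome records what a client saw when it fetched a URL.
type Outcome struct {
	Body string // response body, only when the TLS handshake and request succeeded
	Err  error  // nil when the request went through
}

// fetch performs a GET with the given client and captures the result.
func fetch(c *http.Client, url string) Outcome {
	resp, err := c.Get(url)
	if err != nil {
		return Outcome{Err: err}
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return Outcome{Err: err}
	}
	return Outcome{Body: string(b)}
}

// ValidatingClient is the correct default: the server certificate is checked
// against the system trust store, exactly what a browser does.
func ValidatingClient() *http.Client {
	return &http.Client{}
}

// BrokenClient disables verification, so any certificate is accepted,
// including one minted by an interception proxy. (Assumed cause; illustrative.)
func BrokenClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// PinnedClient trusts only the certificates in pool, the hardened alternative
// to disabling verification when a test or private CA must be accepted.
func PinnedClient(pool *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
}

// IsUntrustedIssuer reports whether err is the verifier rejecting a certificate
// that chains to no trusted root, the failure the proxy tests expect to see.
func IsUntrustedIssuer(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// RunScenario starts a self-signed HTTPS server (the stand-in for the proxy)
// and fetches from it with all three clients.
func RunScenario() (strict, broken, pinned Outcome) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "intercepted") // constructed response body
	}))
	defer srv.Close()

	// Pin exactly the server's own (self-signed) certificate.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())

	strict = fetch(ValidatingClient(), srv.URL)
	broken = fetch(BrokenClient(), srv.URL)
	pinned = fetch(PinnedClient(pool), srv.URL)
	return strict, broken, pinned
}

func main() {
	strict, broken, pinned := RunScenario()
	fmt.Printf("validating client: err=%v (untrusted issuer: %v)\n", strict.Err, IsUntrustedIssuer(strict.Err))
	fmt.Printf("broken client:     body=%q err=%v\n", broken.Body, broken.Err)
	fmt.Printf("pinned client:     body=%q err=%v\n", pinned.Body, pinned.Err)
}
```

Only the validating client reproduces the warning the Travelocity app shows; the broken client hands the response (and, in a real app, the credentials it sent) to whoever holds the proxy's key, which is the behaviour the Burp captures above document. Pinning, not disabling verification, is the fix when an app must talk to a server whose certificate the platform store does not know.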

Here's the app I tested:

Sending test credentials:

Harvesting the data from Burp via MITM attack:

Notification

I sent this message on 6-6-15:


Posted 6-6-15 by Sam Bowne