Straxis Technology Mobile Apps HTTPS Flaw (Now Fixed)

Summary

Straxis Technology makes mobile apps for the education sector. Their apps are very pretty and work well, and they have a lot of customers.

I found that most or all of the apps shared a common flaw, failing to validate HTTPS certificates. I notified Straxis, and they responded promptly and politely, and fixed all their apps. I really appreciate their professional attitude and efficiency, and I think they deserve the trust their clients have given them.

Android Apps

There are more than 110 mobile apps from Straxis in the Google Play store:

For the whole list, go here:

https://play.google.com/store/apps/developer?id=Straxis%20Technology&hl=en

I tested several of these apps, and they all broke SSL the same way, failing to validate SSL certificates. Here are some of the detailed vulnerability reports I sent:

iOS Apps

There are 108 iOS apps from Straxis in the Apple App Store; I show the first 12 below.

I tested several of them and found the same problem there.

To see the testing details, go to the bottom of the US Air Force Academy Android App Fails to Validate SSL Certificates page.
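The page does not say which code path disabled validation in these apps; the most common cause in Android apps is a trust-all `X509TrustManager`, assumed here. The following is an added example (not Straxis's code or the page's own), showing that insecure pattern beside the default-validation form, where a failed handshake surfaces as an error message, which is the behaviour the updated apps show; the URL is a placeholder.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class CertValidationDemo {

    // INSECURE (assumed cause of the flaw): a TrustManager whose check methods never
    // throw accepts any certificate chain, so an attacker on the network path can
    // present their own certificate and the app will not notice. Installing it as the
    // process-wide default breaks every HTTPS connection the app makes.
    static void installTrustAllManager() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    // SECURE: leave the platform's default trust store and hostname verifier in place
    // (a permissive HostnameVerifier is the matching mistake on the hostname side).
    // An untrusted or mismatched certificate fails the handshake, and the app reports
    // the failure to the user instead of silently continuing.
    static String fetchOrReportError(String urlString) {
        try {
            HttpsURLConnection conn = (HttpsURLConnection) new URL(urlString).openConnection();
            conn.connect();
            int code = conn.getResponseCode();
            conn.disconnect();
            return "Connected, HTTP " + code;
        } catch (SSLHandshakeException e) {
            return "Secure connection failed, refusing to continue: " + e.getMessage();
        } catch (IOException e) {
            return "Network error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Placeholder endpoint; an app would use its own API host here.
        System.out.println(fetchOrReportError("https://example.com/"));
    }
}
```

Pointing the secure form at a host with a self-signed or wrong-name certificate is the quick regression check: the expected result is the "Secure connection failed" message, never a successful fetch.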

Vendor Notification

I sent notifications about several of the Android apps to the vendor and the customer, but when I saw that it was a systematic problem across most or all of their apps, I decided to contact the vendor to try to resolve this all at once.

I sent this email to Straxis:

On 6-2-15, I spoke to a Straxis rep. on the phone, and I was told that they are updating all their apps, and to expect the Android apps to be fixed by 6-5 and the iOS apps by June 30.

Updated Android Apps

I tested these three apps:

Updated US Air Force Academy Android App

It was updated in June, and now it refuses to make insecure HTTPS connections, showing an error message.


Updated West Point AOG Android App

It was updated in June, and now it refuses to make insecure HTTPS connections, showing an error message.


Updated US Naval Academy Android App

It was updated in June, and now it refuses to make insecure HTTPS connections, showing an error message.


Updated iOS Apps

I tested these three apps:

Updated US Air Force Academy iOS App

It was updated in June, and now it refuses to make insecure HTTPS connections, showing an error message.

Updated West Point AOG iOS App

It was updated in June, and now it refuses to make insecure HTTPS connections, showing an error message.

Updated US Naval Academy iOS App

It was updated in June, and now it refuses to make insecure HTTPS connections, showing an error message.


Posted 7-1-15 by Sam Bowne