Straxis Technology Mobile Apps HTTPS Flaw (Now Fixed)
Summary
Straxis Technology makes mobile apps for the education
sector. Their apps are very pretty and work well,
and they have a lot of customers.
I found that most or all of the apps shared a common
flaw, failing to validate HTTPS certificates. I notified
Straxis, and they responded promptly and politely,
and fixed all their apps. I really appreciate
their professional attitude and efficiency, and I
think they deserve the trust their
clients have given them.
Android Apps
There are more than 110 mobile apps from Straxis in the
Google Play store:
For the whole list, go here:
https://play.google.com/store/apps/developer?id=Straxis%20Technology&hl=en
I tested several of these apps, and they all broke SSL
the same way, failing to validate SSL certificates.
Here are some of the detailed vulnerability reports
I sent:
iOS Apps
There are 108 iOS apps from Straxis in the
Apple App Store; I show the first 12 below.
I tested several of them and found the same problem
there.
To see the testing details, go to the bottom of the
US Air Force Academy Android App Fails to Validate SSL Certificates page.
Vendor Notification
I sent notifications about several of the Android apps
to the vendor and the customer, but when I saw that
it was a systematic problem across most or all of their
apps, I decided to contact the vendor to try to resolve
this all at once.
I sent this email to Straxis:
On 6-2-15, I spoke to a Straxis rep. on the phone,
and I was told that they are updating all
their apps, and to expect the Android apps to be fixed by 6-5 and the iOS apps by June 30.
Updated Android Apps
I tested these three apps:
Updated US Air Force Academy Android App
It was updated in June, and
now it refuses to make insecure HTTPS
connections, showing an error message.
Updated West Point AOG Android App
It was updated in June, and
now it refuses to make insecure HTTPS
connections, showing an error message.
Updated US Naval Academy Android App
It was updated in June, and
now it refuses to make insecure HTTPS
connections, showing an error message.
Updated iOS Apps
I tested these three apps:
Updated US Air Force Academy iOS App
It was updated in June, and
now it refuses to make insecure HTTPS
connections, showing an error message.
Updated West Point AOG iOS App
It was updated in June, and
now it refuses to make insecure HTTPS
connections, showing an error message.
Updated US Naval Academy iOS App
It was updated in June, and
now it refuses to make insecure HTTPS
connections, showing an error message.
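The difference between the original flaw (accepting any SSL certificate) and the fixed behaviour (refusing the connection and showing an error) can be reproduced locally without any mobile app. The following is an added example, not Straxis code and not from the original page: it is written in Go rather than for Android or iOS, uses httptest to start a local HTTPS server with a self-signed certificate that no trust store knows (the situation a client sees when its traffic is intercepted), and runs two clients against it. The client built with InsecureSkipVerify stands in for the flawed apps and accepts the connection; the client with default verification stands in for the updated apps and refuses it. The response body and error handling are constructed for the example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// Outcome records how one client configuration behaved against a server
// presenting a certificate that no trusted CA issued.
type Outcome struct {
	Validating bool   // whether the client checked the certificate chain
	Body       string // response body, non-empty only if the handshake succeeded
	Rejected   bool   // true when the client refused the connection
	Err        string // the error message the client reported, if any
}

// NewClient builds an HTTPS client. validate=false reproduces the flaw
// described on the page: InsecureSkipVerify turns off chain and hostname
// checks, so the client accepts any certificate, including one forged by
// an on-path attacker. validate=true keeps Go's default verification,
// which is the fixed behaviour.
func NewClient(validate bool) *http.Client {
	return &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: !validate},
		},
	}
}

// RunTrial starts a local HTTPS server with a self-signed certificate
// (httptest generates one that no trust store knows) and reports how the
// chosen client configuration handles it.
func RunTrial(validate bool) Outcome {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Constructed payload standing in for whatever the app would fetch.
		fmt.Fprint(w, "constructed sample payload")
	}))
	defer srv.Close()

	out := Outcome{Validating: validate}
	resp, err := NewClient(validate).Get(srv.URL)
	if err != nil {
		// A validating client lands here: the handshake is refused and the
		// error is what the app would surface to the user.
		out.Rejected = true
		out.Err = err.Error()
		return out
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	out.Body = string(body)
	return out
}

func main() {
	for _, validate := range []bool{false, true} {
		o := RunTrial(validate)
		if o.Rejected {
			fmt.Printf("validate=%v: connection refused: %s\n", validate, o.Err)
		} else {
			fmt.Printf("validate=%v: connection accepted, body=%q\n", validate, o.Body)
		}
	}
}
```

Running it prints one accepted connection for the non-validating client and one refused connection, with an unknown-authority error, for the validating client. The same check applies to a mobile app: pointing it at a server with an untrusted certificate should produce an error, as the updated Straxis apps now do, never a successful request.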
Posted 7-1-15 by Sam Bowne