Weight Wellness Android App Fails to Validate SSL Certificates

Background

The Weight Wellness Android app has a serious security problem: it does not properly protect network traffic, exposing confidential data.

This practice may be illegal in the USA. Two American companies were sanctioned by the FTC in 2014 for making this same error:

FTC Final Orders with Fandango and Credit Karma Provide Guidance on Mobile App Security

Testing Method

I used an Android emulator connected to the Burp proxy.

Here's the app I tested:

Sending personal data which should be encrypted:

Harvesting the data from Burp via MITM attack:
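To make the defect concrete for developers, here is an added example (not code from the Weight Wellness app or from this post) showing, in Android Java with OkHttp, the shape of a client that accepts any certificate, next to the correct default and a pinned client. The host `api.example.com` is hypothetical, and the pin value is a placeholder, not a real hash.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class TlsClients {

    // Hypothetical backend host; stands in for whatever API the app talks to.
    static final String API_HOST = "api.example.com";

    /**
     * ANTI-PATTERN. This is the shape of the bug described in the post: a trust
     * manager that accepts every certificate chain and a hostname verifier that
     * accepts every name. Any proxy in the path can present its own certificate
     * and the app will send personal data through it. Shown for contrast only.
     */
    static OkHttpClient brokenClient() throws Exception {
        X509TrustManager trustEverything = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustEverything }, new SecureRandom());
        return new OkHttpClient.Builder()
                .sslSocketFactory(ctx.getSocketFactory(), trustEverything)
                .hostnameVerifier((hostname, session) -> true)
                .build();
    }

    /**
     * Correct default. OkHttp with no custom SSL settings validates the server
     * chain against the platform trust store and checks the hostname. On
     * Android 7.0 and later the platform store does not include user-installed
     * CAs by default, so an interception proxy's CA is rejected unless the app
     * explicitly opts in through its network security configuration.
     */
    static OkHttpClient defaultClient() {
        return new OkHttpClient.Builder().build();
    }

    /**
     * Stronger: pin the backend's public key so that even a CA the device
     * trusts cannot issue a certificate the app accepts for API_HOST.
     * The pin below is a placeholder; OkHttp's failure message on a mismatch
     * lists the pins it actually observed, which is how the real value is
     * obtained from the legitimate server.
     */
    static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") // placeholder pin
                .build();
        return new OkHttpClient.Builder().certificatePinner(pinner).build();
    }

    /**
     * Send one request and report whether TLS validation rejected the peer.
     * Pointed at an interception proxy, a correctly built client returns
     * "rejected"; a client that returns "accepted" has the bug in this post.
     */
    static String probe(OkHttpClient client) {
        Request request = new Request.Builder().url("https://" + API_HOST + "/").build();
        try (Response response = client.newCall(request).execute()) {
            return "accepted (HTTP " + response.code() + ")";
        } catch (SSLException e) {
            // Covers both an untrusted chain (SSLHandshakeException) and a
            // pin mismatch (SSLPeerUnverifiedException).
            return "rejected: " + e.getMessage();
        } catch (IOException e) {
            return "error: " + e.getMessage();
        }
    }
}
```

The `probe` method is the check a reviewer would run against each client during the kind of emulator-plus-proxy test described above: only `brokenClient()` should report "accepted" when the proxy is in the path, and that result is exactly the finding this post reports. Removing the custom `sslSocketFactory` and `hostnameVerifier` calls is the whole fix for the default case; pinning is an additional layer for apps that handle sensitive personal data.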

Notification

I sent this email on 9-18-2025:


Posted 9-18-2025 by Sam Bowne