AIG MobileGuard Android App Vulnerabilities

Summary

The description on the Google Play Store says "AIG Mobile Guard is part of your mobile insurance with AIG. As soon as you activate it on your phone, you're covered against loss or theft."

I did not test this app's functionality for locating and locking a phone.

But I tested how it is coded, and how it handles data, and found these issues:

  1. PIN posted to the Android log
  2. App signature not verified by server
  3. Code not obfuscated at all
  4. Local storage of unencrypted sensitive data

Confidential Data in Log

During the setup of the application, AIG Mobile Guard selects a PIN, as shown below.

I ran it about 8 times while testing, and got the PIN 0000 twice, so I suspect their random number generator isn't much good.

The PIN appears twice in the logfile, as easily seen with the command ./adb logcat

There's also a password in the log, which seems to be automatically generated by the app, not collected from the user. I'm not sure what it's used for, but it probably doesn't belong in the log either.
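One way to check a pulled logcat capture for this kind of leak, as an added example that is not part of the original write-up: the script below parses logcat's threadtime lines and flags key/value pairs with credential-like keys, plus any value the tester already knows (such as the PIN the app displayed). The sample log lines, tags and message wording are constructed for the example and are not the app's real output.

```python
import re

# logcat "threadtime" layout: date time pid tid level tag: message
LOGCAT_LINE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]+?)\s*:\s(?P<msg>.*)$"
)
# key=value or key: value where the key names a secret
SENSITIVE_KEY = re.compile(
    r"\b(pin|password|passwd|pwd|secret|token|answer)\b\s*[:=]\s*(?P<value>\S+)",
    re.IGNORECASE,
)

# Constructed sample: a setup flow that writes the PIN and an auto-generated
# password to the log, mixed with harmless system lines.
SAMPLE_LOGCAT = """\
03-08 14:02:11.123  1234  1234 D MobileGuard: onCreate
03-08 14:02:12.456  1234  1234 D MobileGuard: Generated pin=3362 for device
03-08 14:02:12.457  1234  1250 D SetupTask: password=Qz8vL2pT9 (auto)
03-08 14:02:13.001  1234  1234 I ActivityManager: Displayed com.example/.Main
03-08 14:02:14.900  1234  1234 D MobileGuard: pin: 3362 saved to prefs
"""


def parse_logcat(text):
    """Yield (tag, message) for every well-formed threadtime line."""
    for line in text.splitlines():
        m = LOGCAT_LINE.match(line)
        if m:
            yield m.group("tag"), m.group("msg")


def find_leaks(text, known_values=()):
    """Return [(tag, key, value)] for each suspicious value in the log."""
    hits = []
    for tag, msg in parse_logcat(text):
        line_hits = [(tag, m.group(1).lower(), m.group("value"))
                     for m in SENSITIVE_KEY.finditer(msg)]
        seen = {h[2] for h in line_hits}
        # Values the tester saw on screen (e.g. the PIN) should never appear
        # in the log at all, so flag them even without a key=value hint.
        line_hits += [(tag, "known-value", v) for v in known_values
                      if v in msg and v not in seen]
        hits.extend(line_hits)
    return hits


if __name__ == "__main__":
    for tag, key, value in find_leaks(SAMPLE_LOGCAT, known_values=("3362",)):
        print(f"{tag}: {key} -> {value}")
```

Feed it real output with `adb logcat -v threadtime > capture.txt` and pass the file contents to find_leaks.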

Vulnerability to App Modification

AIG Mobile Guard's servers don't check the integrity of their Android app when it connects to their servers. It is therefore easy to modify the app, adding trojan code that does malicious things. An attacker who can trick people into using the trojaned app can exploit them.

This vulnerability does not affect people who are using the genuine app from the Google Play Store. It would only harm people who are tricked into installing a modified app from a Web site, email, etc.

The Proof of Concept code below merely logs the email, account number, and password, where other apps on the phone can see it, but there's nothing preventing a better programmer from sending that data, and all the other data the app has, out over the Net.

AIG MobileGuard should add integrity-checking to their server-side code. Obfuscating their smali code would also be an improvement, with a powerful obfuscator like DashO, not the worthless ProGuard.

Proof of Concept: Step by Step

Using the GenyMotion Android emulator, I installed the genuine App from the Google Play Store.

I pulled the APK file from the device with adb, and decoded the APK file with apktool, as shown below.

Finding Vulnerable Code

Since the code is not effectively obfuscated, it was easy to find vulnerable code using grep. As you can see below, there are variables with obvious names like "email" and "password".

I modified the CreateUpdateUserScreen.smali file as shown below.

I rebuilt the APK and signed it, as shown below.

Installing the Modified App

I dragged the APK file from the dist/ directory and dropped it on the emulator to install it.

I entered a test email, account number, password, and other data into the login form.

The email, account number, and password are in the logs, as shown below.

Data Transmission

I used Burp to test how the data was sent to the server, and it used HTTPS, which is the correct thing to do.

Local Storage of Sensitive Data

I used Android Device Monitor to copy the locally stored data to my host system.

In the "SuperheroPrefsFile.xml" file, I found my security question (My mother's maiden name) and the correct answer (Slartibartfast) twice, as well as two copies of the device PIN (3362).

In the "tempData.xml" file I found my account number, email, and phone number as shown below.

Such storage is an unnecessary risk. PINs should be hashed, and the rest of it should be encrypted.
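An added example, not the app's or the vendor's code, showing both sides of this finding: an audit of a pulled SharedPreferences XML file for plaintext secrets, and the salted-hash storage for the PIN that the write-up recommends. The XML is constructed in Android's shared_prefs format; the key names are guesses, not the real keys from SuperheroPrefsFile.xml or tempData.xml.

```python
import hashlib
import hmac
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample in Android SharedPreferences format (key names invented).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="security_question">My mother's maiden name</string>
    <string name="security_answer">Slartibartfast</string>
    <string name="device_pin">3362</string>
    <string name="user_email">test@example.com</string>
    <boolean name="setup_done" value="true" />
</map>
"""

SENSITIVE_NAME = re.compile(r"pin|pass|answer|secret|token|account|email|phone", re.I)


def looks_protected(value):
    """Heuristic: value is in this example's hash format, not the raw secret."""
    return bool(re.fullmatch(r"pbkdf2\$\d+\$[0-9a-f]+\$[0-9a-f]+", value))


def audit_prefs(xml_text):
    """Return {key: value} for sensitive-looking keys stored as-is."""
    findings = {}
    for el in ET.fromstring(xml_text):
        name = el.get("name", "")
        value = el.text if el.tag == "string" else el.get("value")
        if SENSITIVE_NAME.search(name) and value and not looks_protected(value):
            findings[name] = value
    return findings


# PBKDF2 with a random per-device salt. Caveat: a 4-digit PIN has only 10,000
# values, so whoever copies the file can still brute-force it offline; the slow
# hash raises the cost but does not replace hardware-backed key storage.
def hash_pin(pin, salt=None, iterations=200_000):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_pin(pin, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    _, iters, salt_hex, _ = stored.split("$")
    return hmac.compare_digest(hash_pin(pin, bytes.fromhex(salt_hex), int(iters)), stored)
```

Running audit_prefs on the sample reports the answer, the PIN and the email; after the PIN entry is replaced with hash_pin output it is no longer flagged.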

Additional Inhance Products Tested

Inhance has nine apps in the Google Play Store, as shown below.

Two of the apps seem to be obsolete and unusable on my Android emulated phone:

"CTX" does something quite different, and I can't test it without a customer ID. I requested a free trial on 3-8-15.

"Pier Mobile Superhero" doesn't log the PIN, so in that regard it's better than the AIG MobileGuard app tested above.

The other four products all seem nearly identical to AIG MobileGuard. They all log the PIN, as shown below. I did not test them for the other vulnerabilities, but I expect them to be vulnerable the same way.

Here are screenshots showing those four apps logging the PIN, and "Pier Mobile Superhero" NOT logging the PIN.

Mobile Superhero

Virgin Mobile Rescue

Rebound

Rebound Mobile Security

Pier Mobile Superhero

Here's Pier NOT logging the PIN :)

Timeline

I notified AIG MobileGuard on Mar. 8, 2015, as shown below.

I also notified yougetitback.com, as shown below.

I notified yougetitback.com about the additional four vulnerable products, on Mar. 9, 2015:

Vendor Response

I got this response on 3-27-15, saying that these problems have been fixed.

Update: 5-23-15

I tested the latest version of these products and they were still logging the PIN, contrary to the vendor's statement.

References

Inhance Technology Android Apps on Google Play

https://aig.yougetitback.com/mobileFAQs

AIG home page


Originally posted 3-8-15 by Sam Bowne
Revised 3-9-15 with AIG's response and additional affected products from Inhance.