Price Tracker for Amazon Android App Fails to Validate SSL Certificates

Background

The Price Tracker for Amazon Android app has a serious security problem--it breaks HTTPS. Like many Android apps it fails to validate SSL certificates, rendering it vulnerable to man-in-the-middle attacks.

This practice may be illegal in the USA. Two American companies were sanctioned by the FTC in 2014 for making this same error:

FTC Final Orders with Fandango and Credit Karma Provide Guidance on Mobile App Security

Testing Method

I have Burp set up as a proxy for my Genymotion Android emulator, without the PortSwigger certificate installed, so secure sites give a warning in the default Web browser:

So no HTTPS connections should be possible through the proxy.
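To make the two points above concrete, here is a small Java harness (added for this write-up; it is not code from the Price Tracker app, from Amazon, or from the original post). The first half shows the bug class the article describes, a trust manager and hostname verifier that accept anything, so an intercepting proxy's certificate is trusted and credentials travel in the clear to the proxy. The second half is the correct form, which is simply to use the platform default SSLContext, and it reproduces the test in the Testing Method section: through a proxy whose CA certificate is not in the trust store, a properly written client must fail the handshake. The class name, the target URL, and the proxy address 127.0.0.1:8080 are assumptions for the example; the same code runs on a desktop JVM or, off the main thread, on Android.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsValidationCheck {

    // The bug class: a TrustManager that accepts every certificate chain.
    // Installing this is what "breaks HTTPS": a proxy presenting its own
    // certificate is accepted, so anything sent (e.g. a login) is readable there.
    static final class AcceptAllTrustManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // VULNERABLE: the effect of an app that fails to validate SSL certificates.
    // Both the chain check and the hostname check are switched off.
    static void disableValidationEverywhere() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new AcceptAllTrustManager() }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
    }

    // CORRECT: do nothing special. The platform default SSLContext validates the
    // chain against the system trust store and verifies the hostname.
    static HttpsURLConnection openWithDefaultValidation(URL url, Proxy proxy) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection(proxy);
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        return conn;
    }

    // Reproduces the article's test: through an intercepting proxy whose CA is
    // NOT trusted, a correctly written client must fail the TLS handshake.
    // Returns true when the connection was (correctly) refused.
    static boolean handshakeIsRefused(String urlString, String proxyHost, int proxyPort)
            throws IOException {
        Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyHost, proxyPort));
        HttpsURLConnection conn = openWithDefaultValidation(new URL(urlString), proxy);
        try {
            conn.getResponseCode();   // forces connect() and the handshake
            return false;             // handshake succeeded: validation is broken
        } catch (SSLHandshakeException e) {
            return true;              // untrusted certificate rejected: expected
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: an intercepting proxy listening on 127.0.0.1:8080 whose
        // CA certificate has not been installed in the trust store.
        boolean refused = handshakeIsRefused("https://www.amazon.com/", "127.0.0.1", 8080);
        System.out.println(refused
                ? "PASS: untrusted proxy certificate rejected"
                : "FAIL: client accepted the proxy certificate (validation disabled?)");
    }
}
```

Running main with Burp in the middle and no PortSwigger CA installed should print PASS; calling disableValidationEverywhere() first turns that into FAIL, which is exactly the behaviour the app exhibits. The point for reviewers is that the secure version contains no trust-manager code at all: custom X509TrustManager or HostnameVerifier implementations in an app are the first thing to grep for.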

Here's the app:

When the app is launched, after clicking through the introductory screens, it invites the user to "Sign in securely" to Amazon:

When the user logs on, the credentials are exposed to the MITM attacker, as shown below.

Notification

I sent this message on 4-20-17:

I got an immediate response from Amazon.

Within 24 hours, I also got a response from the developers of PriceTracker:

Here's the linked article:

Chrome bug triggered errors on websites using Symantec SSL certificates

We had this discussion:


Posted 4-20-17 by Sam Bowne
Updated 4-21-17