"Ask a Lawyer: Legal Help" Password Exposures

Summary

The "Ask a Lawyer: Legal Help" Android and iOS apps store the user's password locally without encryption. This is the #2 most important mobile app vulnerability, according to OWASP.

They also transmit passwords over the Internet without encryption. This is the #3 most important mobile app vulnerability, according to OWASP.

AB Mobile Apps

I tested several more apps from this developer and they all had similar, serious security flaws, as detailed on this page:

https://samsclass.info/128/proj/abapps.htm

I notified the developer on 1-7-17 and got no response.

Detailed Test: Android

Here's the app I tested:


I registered an account, and saw the Privacy Policy:


Here's the password stored locally without encryption:

Here's the password being sent over the Internet without encryption:

Notification

I sent this email:

Detailed Test: iOS

Here's the app I tested:


I registered an account with the password topsecret1:


I connected using SSH over USB and used Unix commands to find the app's local storage directory.

These Unix commands search the local file storage for the Unicode string "topsecret", and find it.


I executed these commands to dump out the local file storing the password in hex.

cd /var/mobile/Applications/0377613C-9B98-4841-A78C-4207316BAC47/Library/WebKit/LocalStorage   # the app's WebKit localStorage directory
ls -l                        # list the storage files
xxd file__0.localstorage     # hex dump of the localStorage file holding the password

Here's the password stored locally without encryption.
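The same local-storage check, written as an added example rather than the author's commands: it walks an app data directory and reports every file holding a given secret as UTF-8 or as UTF-16LE, which is how WebKit localStorage stores values (so a plain grep for the ASCII string can miss it). The directory layout, file contents and the secret "topsecret1" are constructed inline so it runs offline.

```python
import os
import tempfile

# A plaintext secret can sit in app storage as UTF-8 or, in WebKit
# LocalStorage (the file dumped with xxd above), as UTF-16LE.
# A plain `grep topsecret` misses the second form, so both are searched.
def encodings_of(secret: str) -> dict:
    return {"utf-8": secret.encode("utf-8"),
            "utf-16le": secret.encode("utf-16-le")}

def scan_file(path: str, secret: str) -> list:
    """Return (encoding, byte offset) for each occurrence of secret in path."""
    with open(path, "rb") as f:
        data = f.read()
    hits = []
    for name, pattern in encodings_of(secret).items():
        start = 0
        while (idx := data.find(pattern, start)) != -1:
            hits.append((name, idx))
            start = idx + 1
    return hits

def scan_storage(root: str, secret: str) -> dict:
    """Walk an app's data directory; map relative path -> hits (files with none omitted)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            hits = scan_file(path, secret)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def build_sample_storage() -> str:
    """Constructed stand-in for the app's Library/ directory (not real app data):
    a localStorage value written as UTF-16LE next to a harmless plist."""
    root = tempfile.mkdtemp()
    ls_dir = os.path.join(root, "WebKit", "LocalStorage")
    os.makedirs(ls_dir)
    with open(os.path.join(ls_dir, "file__0.localstorage"), "wb") as f:
        f.write(b"SQLite format 3\x00" + "password".encode("utf-16-le")
                + "topsecret1".encode("utf-16-le"))
    with open(os.path.join(root, "settings.plist"), "wb") as f:
        f.write(b"<plist><key>theme</key><string>dark</string></plist>")
    return root

if __name__ == "__main__":
    for rel, hits in scan_storage(build_sample_storage(), "topsecret").items():
        print(rel, hits)   # WebKit/LocalStorage/file__0.localstorage [('utf-16le', 32)]
```

Run against a real app's Library/ directory (copied off the device) with the password you registered, and any hit is a plaintext-storage finding to fix by moving the credential into the platform keychain.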

I set up an SSL auditing proxy as explained here and captured the login request.

Here's the password being sent over the Internet without encryption:


Posted 1-2-17 by Sam Bowne
iOS App and link to "AB Mobile Apps" added 3-6-17