Blue Cross Blue Shield of North Carolina HIPAA and COPPA Violations

Update

The developer is great, and fixed both apps within two days. This is a good example more developers should follow.

NEW: Security Problems in Second App

Student Blue Connect leaks confidential data from the BCBSNC system, and also from Facebook, Twitter, and Google.

Background

The Blue Cross Blue Shield of North Carolina Android app has a serious security problem: it breaks HTTPS. Like many Android apps, it fails to validate SSL certificates, leaving it vulnerable to man-in-the-middle attacks.

In my opinion, this is a violation of two federal laws: HIPAA and COPPA.

Testing Method

I have Burp set up as a proxy for my Genymotion Android emulator, without the PortSwigger certificate installed, so secure sites give a warning in the default Web browser:

So no HTTPS connections should be possible through the proxy.

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:

Here's another page, which makes it clear that this app is intended to collect data about children, making this insecure transmission also a COPPA violation.

Without a real account, I cannot proceed further, but I expect the app to collect more information about the child being registered, and to send it using the same insecure method.

Here's their Privacy Policy; I doubt that transmitting data over broken SSL constitutes "safeguards that meet or exceed applicable law".

Notification

I sent this message on 5-20-15:

I also filled out their online "Fraud and abuse" form:

The developer replied politely and patched the app immediately.

Here's the update I got on 5-22-15:

Now it refuses to send any data through my proxy, correctly identifying it as an invalid certificate:
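To make the "breaks HTTPS" bug from the Background section and the corrected behaviour seen after the patch concrete, here is an added example in plain Java (the kind of code an Android app would use via HttpsURLConnection). It is not the BCBSNC app's code, whose source is not shown on this page; the class and method names are my own. The first method is the anti-pattern a code reviewer should flag, the second relies on the platform's default validation, which is what makes an interception proxy with an uninstalled CA fail the handshake.

```java
import java.io.IOException;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Hypothetical class name; illustrates the bug class, not the real app's code.
public class TlsValidationExample {

    // VULNERABLE: an X509TrustManager that never throws accepts any chain, and a
    // HostnameVerifier that always returns true skips the name check. With both in
    // place a proxy presenting an untrusted certificate (Burp without its CA
    // installed on the device) completes the handshake and reads the plaintext.
    static void installTrustAllManager() throws Exception {
        TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {} // no check
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true); // no name check
    }

    // FIXED: do not replace the defaults. HttpsURLConnection then validates the
    // chain against the device trust store and verifies the hostname, so a
    // certificate the device does not trust ends in SSLHandshakeException and
    // no request body (credentials included) is ever sent.
    static boolean connectWithValidation(String urlString) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(urlString).openConnection();
        try {
            conn.connect();          // handshake happens here
            return true;             // trusted certificate: proceed
        } catch (SSLHandshakeException e) {
            return false;            // untrusted certificate: refuse, as the patched app does
        } finally {
            conn.disconnect();
        }
    }
}
```

Reviewing an app for this bug means searching for custom X509TrustManager implementations with empty check methods and HostnameVerifier overrides that return true; the fix is usually to delete them rather than to add code.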


Posted 5-20-15 by Sam Bowne
Second app information added 2:06 PM 5-20-15
Updated with fix 5-22-15