BCBSNC "Student Blue Connect" HIPAA Violation and More

Update

The developer is great, and fixed both apps within two days. This is a good example more developers should follow.

Background

The Blue Cross Blue Shield of North Carolina "Student Blue Connect" Android app has a serious security problem: it breaks HTTPS. Like many Android apps, it fails to validate SSL certificates, rendering it vulnerable to man-in-the-middle attacks.

In my opinion, this is a violation of federal HIPAA law.

In addition, this app exposes the user's login information for Twitter, Facebook, and Google by using its own insecure browser to send them with broken HTTPS.

Testing Method

I have Burp set up as a proxy for my Genymotion Android emulator, without the PortSwigger certificate installed, so secure sites give a warning in the default Web browser:

So no HTTPS connections should be possible through the proxy.

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:

Next, let's start at the home screen and click Twitter:

On the next page, click "Log in".

Now I send fake credentials to Twitter:

And the app transmits them insecurely to the proxy, defeating SSL:

Next, from the home screen, click Enrollment:

The "Follow" section at the bottom has icons to reach Facebook and YouTube.

If I log in to Facebook:

Those credentials are exposed.

If I click the YouTube button, I see the BCBSNC channel. I clicked Subscribe.

This takes me to a normal-looking Google login page. Unfortunately, this is not a properly-written browser, but some inferior custom part of the app that breaks SSL.

My Google credentials are also exposed.

Notification

I sent this message on 5-20-15:

The developer replied politely and patched the app immediately.

Here's the update I got on 5-22-15:

Now it refuses to send any data through my proxy, correctly identifying it as an invalid certificate:
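For developers reading this, here is an added example (my illustration, not code from the Student Blue Connect app or its developer) of the two Android patterns that most often produce the behaviour shown above, each next to its corrected form. It assumes the app used a WebView for its in-app browser and the standard Android SDK classes; that the patched app works this way internally is an assumption.

```java
// Added example, not the app's own code. Assumes the Android SDK
// (android.webkit, android.net.http) and javax.net.ssl are available.
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

public final class TlsExamples {

    // INSECURE: an in-app browser that swallows certificate errors. Any proxy
    // presenting its own certificate (as Burp did in the test above) is accepted
    // silently, so credentials typed into the Twitter/Facebook/Google login
    // pages are readable to whoever runs the proxy. This is the defect to look
    // for in code review: an onReceivedSslError override that calls proceed().
    static final class InsecureWebViewClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler,
                                       SslError error) {
            handler.proceed(); // ignores the invalid certificate
        }
    }

    // SECURE: do not override onReceivedSslError at all. The platform default
    // calls handler.cancel(), so the page simply fails to load through an
    // untrusted proxy, which is the behaviour the patched app now shows.
    static final class SecureWebViewClient extends WebViewClient {
        // Intentionally empty: default SSL-error handling rejects bad certs.
    }

    // SECURE: for the app's own API calls, use HttpsURLConnection with the
    // platform defaults. Do not install a custom TrustManager or
    // HostnameVerifier that accepts everything; the system trust store already
    // validates the chain and hostname, and an untrusted proxy certificate
    // makes getResponseCode() throw javax.net.ssl.SSLHandshakeException.
    static int fetchStatus(String httpsUrl) throws IOException {
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL(httpsUrl).openConnection();
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        try {
            return conn.getResponseCode(); // throws on an invalid certificate
        } finally {
            conn.disconnect();
        }
    }
}
```

Run against an intercepting proxy whose CA is not installed on the device, the secure variants fail closed exactly as the 5-22-15 build does; if traffic still appears in the proxy, some code path is still accepting the bad certificate.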


Posted 5-20-15 by Sam Bowne
Updated with fix 5-22-15