Delhaize Android Apps Password Exposures

Summary

The Delhaize Android app sends the user's password over an SSL connection whose server certificate it does not verify, writes the password to the Android log, and stores it on the phone under insecure encryption. Each of these exposes the password to theft.

These are #2 and #3 on the OWASP Mobile Top 10 (2016): Insecure Data Storage and Insecure Communication.

As discussed here, passwords should not be stored on the phone at all. Because users re-use passwords across sites, a password is far more sensitive than the one account it protects, and handling it carelessly is a disservice to your customers. A password stored locally can be stolen by malware on the phone, or by simply stealing the phone itself. Instead, the app should store a random session token issued by the server: it can be revoked, and it is useless at any other company.

Detailed Tests

Here's the app I tested:

When I log in:

The login request can be captured by a man-in-the-middle attack, because the app does not verify the server's SSL certificate: a proxy presenting its own certificate is accepted, and the password passes through it in clear.

Here's the password appearing in the log:

Here's the data stored on the phone, in the /data/data/be.delhaize/shared_prefs/DelhaizePreferences.xml file:

Here's how the password can be extracted from that data, using the values highlighted in the matching colors in the figure above.
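The Java below is an added example, not code from the Delhaize app or from this post. It puts each of the three weaknesses found in the tests above (unverified certificate, password in the log, password in shared_prefs) next to the fix, and ends with the token-instead-of-password design recommended in the Summary. API_HOST, the pin value, the /login endpoint and its token-in-body response, and the preference file and key names are placeholders, not anything observed in the app.

```java
// Added example, not code from the Delhaize app or from the original post.
// Each weakness found in the tests is shown next to its fix. Placeholders:
// API_HOST, the SPKI pin, the /login endpoint and its response format, and
// the preference file and key names.
import android.content.Context;
import android.content.SharedPreferences;
import android.util.Log;

import java.io.IOException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Base64;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import okhttp3.CertificatePinner;
import okhttp3.FormBody;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class CredentialHandling {
    private static final String TAG = "Login";
    private static final String API_HOST = "api.example.com";   // placeholder host

    // ---- 1. Transport: certificate not verified vs. verified and pinned ----

    /** WRONG: accepts every certificate and every host name, so a MITM proxy
     *  presenting its own certificate terminates the "SSL" connection. */
    static void installTrustAll() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { } // never rejects
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);
    }

    /** RIGHT: keep the platform's default chain validation and additionally
     *  pin the API host's public key, so even a CA-issued rogue cert fails. */
    static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
            // placeholder pin: base64 SHA-256 of the server's SubjectPublicKeyInfo;
            // ship a backup pin and rotate before the key changes
            .add(API_HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
            .build();
        return new OkHttpClient.Builder().certificatePinner(pinner).build();
    }

    // ---- 2. Logging: credential in logcat vs. event only ----

    /** WRONG: logcat is readable over adb and, on old Android versions, by
     *  any app holding READ_LOGS; the password ends up in bug reports too. */
    static void logLoginWithSecret(String user, String password) {
        Log.d(TAG, "login user=" + user + " password=" + password);
    }

    /** RIGHT: record that a login happened, never what was typed. */
    static void logLoginEvent(String user) {
        Log.d(TAG, "login attempt for user=" + user);
    }

    // ---- 3. Storage: password in shared_prefs vs. opaque session token ----

    /** WRONG: a password in shared_prefs is readable on a rooted phone or from a
     *  backup; wrapping it in a cipher whose key ships in the APK changes nothing. */
    static void storePassword(Context ctx, String password) {
        SharedPreferences prefs = ctx.getSharedPreferences("DelhaizePreferences", Context.MODE_PRIVATE);
        prefs.edit().putString("password", password).apply();
    }

    /** RIGHT: keep only a server-issued random token. Stolen, it unlocks this
     *  account at this company until revoked, and nothing else anywhere. */
    static void storeSessionToken(Context ctx, String token) {
        SharedPreferences prefs = ctx.getSharedPreferences("session", Context.MODE_PRIVATE);
        prefs.edit().putString("session_token", token).apply();
    }

    /** What the server hands back (shown for completeness, this runs server-side):
     *  256 bits from a CSPRNG, stored against the account so it can be revoked. */
    static String newOpaqueToken() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Login flow tying the fixes together: the password is sent once over the
     *  pinned connection, exchanged for a token, and never logged or stored. */
    static void login(Context ctx, String user, String password) throws IOException {
        Request req = new Request.Builder()
            .url("https://" + API_HOST + "/login")                // placeholder endpoint
            .post(new FormBody.Builder().add("user", user).add("password", password).build())
            .build();
        try (Response resp = pinnedClient().newCall(req).execute()) {
            if (!resp.isSuccessful() || resp.body() == null) {
                logLoginEvent(user);
                throw new IOException("login failed: HTTP " + resp.code());
            }
            String token = resp.body().string().trim();           // assumed: token is the body
            storeSessionToken(ctx, token);
            logLoginEvent(user);
        }
    }
}
```

On Android 7 and later the same pin can be declared in res/xml/network_security_config.xml instead of in code, which also keeps user-installed CAs (the usual MITM-proxy trick) out of the app's trust store by default. The stored token can additionally be wrapped with EncryptedSharedPreferences from androidx.security.crypto, but the important change is the one above: what sits in the XML file is then a revocable token, not the customer's password.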

Notification

I sent this message on 5-14-17:


Posted 5-14-17 by Sam Bowne