Easilydo Android App Fails to Validate SSL Certificates
Now Fixed; Details at Bottom
Background
The Easilydo Android app has a serious security problem: it breaks HTTPS. Like many Android apps, it fails to validate SSL certificates, rendering it vulnerable to man-in-the-middle attacks.
This practice may be illegal in the USA. Two American companies were sanctioned by the FTC in 2014 for making this same error:
FTC Final Orders with Fandango and Credit Karma Provide Guidance on Mobile App Security
Testing Method
I have Burp set up as a proxy for my Genymotion Android emulator, without the PortSwigger certificate installed, so secure sites give a warning in the default Web browser:
So no HTTPS connections should be possible through the proxy.
Here's the app:
Sending test credentials:
Harvesting them from Burp via MITM attack:
Notification
I sent this message on 6-20-15:
Fixed!
EasilyDo told me they fixed it:
I installed the new version:
And it's fixed! Now HTTPS connections through a MITM proxy result in this error message:
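What the difference between the broken and the fixed behaviour looks like in code, as an added illustration (this is not EasilyDo's code, and the post does not show what the app actually did): the Background section describes an app that accepts any certificate, and this section describes the corrected app refusing the proxy's certificate. The usual cause of the first behaviour on Android is a trust-all `X509TrustManager` plus a permissive `HostnameVerifier`; the fix is to leave the platform defaults alone. The class and method names, and the URL, are hypothetical.

```java
// Added example, not the EasilyDo app's code: the trust-all pattern that
// breaks HTTPS on Android, beside the default behaviour that validates the
// server certificate against the device trust store. Names are hypothetical.

import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class TlsValidationExample {

    // VULNERABLE (assumed to be the kind of code behind the behaviour in the
    // post): a TrustManager whose check methods do nothing accepts any chain,
    // including one an intercepting proxy such as Burp generates on the fly,
    // and a HostnameVerifier that always returns true skips the name check.
    // Installing these as process-wide defaults is what "breaks HTTPS".
    static void installTrustAllDefaults() throws GeneralSecurityException {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
    }

    // FIXED: install no custom TrustManager or HostnameVerifier at all.
    // HttpsURLConnection then validates the chain against the platform trust
    // store and checks the hostname, so a proxy certificate the device does
    // not trust fails the handshake instead of being silently accepted.
    static int fetchStatusWithValidation(String url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setRequestMethod("GET");
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    // The check the post's testing method performs, expressed as code a
    // tester can run from an instrumented test: with an untrusted
    // intercepting proxy in the path (Burp without its CA installed on the
    // device), a correctly configured client must fail with
    // SSLHandshakeException. Returns true when validation is working and
    // false when the request reached the server through the proxy anyway.
    static boolean connectionIsRejectedThroughUntrustedProxy(String url) throws IOException {
        try {
            fetchStatusWithValidation(url);
            return false;   // request went through: certificate validation is broken
        } catch (SSLHandshakeException e) {
            return true;    // expected: chain or hostname check failed
        }
    }
}
```

To reproduce the post's test from code, point the emulator at the proxy as described above and call `connectionIsRejectedThroughUntrustedProxy` with one of the app's HTTPS endpoints; an app in the state described in the Background section returns false, and one in the state described here returns true. The same result is visible without code as the proxy's generated certificate being accepted or refused. On Android 7 and later, trust anchors and certificate pins belong in the app's Network Security Config rather than in a custom `TrustManager`, which keeps the platform's validation in place.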
Posted 6-20-15 by Sam Bowne
Updated 6-29-15 with fix