hotwire Android App Fails to Validate SSL Certificates
Background
The hotwire Android app has a serious security problem: it breaks HTTPS. Like many Android apps, it fails to validate SSL certificates, rendering it vulnerable to man-in-the-middle attacks.
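The usual way an app ends up in this state, as an added example (not code from this page, and whether the hotwire app does exactly this is not known from the page): a custom X509TrustManager that accepts every chain, shown beside the fixed form that leaves validation to the platform default, plus a self-test an app team can run against a host with an untrusted certificate.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsValidationExample {

    // VULNERABLE (assumed pattern): every certificate chain is accepted, so a
    // proxy such as Burp can present its own certificate and read the traffic.
    // Kept here only so the defect is recognisable during code review.
    static final TrustManager ACCEPT_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    static HttpsURLConnection openInsecure(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { ACCEPT_ALL }, null);
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        return c;
    }

    // FIXED: no custom TrustManager at all. The platform's default socket
    // factory validates the chain against the device trust store and checks
    // the hostname, which is what the stock browser does when it warns.
    static HttpsURLConnection openSecure(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    // Self-test: a connection to a host presenting an untrusted certificate
    // must fail the handshake. Returns true only when validation is in force.
    static boolean validationEnforced(URL untrustedHost) {
        try {
            openSecure(untrustedHost).getResponseCode();
            return false; // handshake succeeded: validation is disabled
        } catch (SSLException e) {
            return true;  // chain or hostname rejected, as it should be
        } catch (IOException e) {
            return false; // network problem: inconclusive, treat as failure
        }
    }
}
```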
Testing Method
I have Burp set up as a proxy for my Genymotion Android emulator, without the PortSwigger certificate installed, so secure sites give a warning in the default Web browser:

So no HTTPS connections should be possible through the proxy.
Here's the app:
Sending test credentials:
Harvesting them from Burp via MITM attack:
Notification
I sent this message on 5-24-15:
Hotwire uses a defense I haven't seen before: they claim Android itself is at fault.

As demonstrated at the very top of this page, the default browser doesn't have this problem, so it's clearly not caused by Android.

I regard this as all the vendor response I am likely to get, so there's no point in delaying public disclosure any longer.
Later I got this message from Qualys:
Posted 5-24-15 by Sam Bowne
Revised 5-25-15 with email reply
Revised 5-26-15 with hotwire's reply blaming Google