Lumosity iOS App Broken SSL (Now Fixed)

Background

Lumosity is a San Francisco company that makes video games intended to make people smarter. I know of them because they support NPR, and I'm generally suspicious of the benefits of their products because doctors seem to denounce them. However, when I found a security problem in their app, they responded in a very intelligent manner. In fact, they were far smarter than any company I have contacted this year. I did not have to explain to them what a vulnerability report was--they understood the situation, asked me to keep quiet for a reasonable time period, fixed it promptly, and sent me some swag!

So I cannot deny that Lumosity is a very smart company! Perhaps they are so smart because they use their own products.

The Vulnerable App

The Lumosity iOS app has a serious security problem--it breaks HTTPS. It fails to validate the server's SSL certificate, so anyone on the network path can present their own certificate and read or alter the traffic: a man-in-the-middle attack.

This practice may be illegal in the USA. Two American companies were sanctioned by the FTC in 2014 for making this same error:

FTC Final Orders with Fandango and Credit Karma Provide Guidance on Mobile App Security

Testing Method

I set up my MacBook Air as a Wi-Fi access point, sharing a cellular Bluetooth PAN Internet connection over Wi-Fi as explained here: https://samsclass.info/128/proj/MacBurpWifi.htm

The MacBook Air is running Burp Suite, an intercepting proxy listening on port 8080.

To test apps, I installed them on an iPad and connected it to the MacBook's Bluetooth network.

I did not install the PortSwigger certificate on the iPad, so HTTPS connections give a warning in a properly-written app, such as the Travelocity app:

Here's the app I tested--"Lumosity for iPad":

Sending test credentials:

Harvesting the data from Burp via MITM attack:
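As an added illustration (not Lumosity's code and not part of the original post), here is what the defect described above and the kind of fix shipped in 4.9 look like inside an app's own URLSession code, in Swift. The class names, the `login` helper and the `api.example.invalid` endpoint are assumptions. The first delegate is the pattern that lets the Burp test above succeed silently; the second is why a properly-written app shows a warning when the PortSwigger CA is not installed on the device.

```swift
import Foundation

// Hypothetical delegates illustrating the defect described on this page and
// its fix. This is not Lumosity's code; the endpoint below is a placeholder.

/// The defective pattern: the delegate hands the server's own trust object
/// back as a credential without evaluating it, so ANY certificate is
/// accepted, including an intercepting proxy's untrusted one.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
           let trust = challenge.protectionSpace.serverTrust {
            completionHandler(.useCredential, URLCredential(trust: trust))   // no evaluation at all
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

/// The fixed pattern: defer to the system's chain evaluation against the
/// device's trust store (the same result as not implementing this method).
/// A proxy certificate the device does not trust then fails the load.
final class SystemValidationDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        completionHandler(.performDefaultHandling, nil)
    }
}

/// Posts a login form through a session using the given delegate and maps the
/// outcome to a user-facing message, the way the fixed app reports a MITM.
func login(username: String, password: String,
           delegate: URLSessionDelegate,
           completion: @escaping (String) -> Void) {
    // Placeholder endpoint; the real API URL is not part of this page.
    let url = URL(string: "https://api.example.invalid/login")!
    var request = URLRequest(url: url)
    request.httpMethod = "POST"
    request.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type")
    var form = URLComponents()
    form.queryItems = [URLQueryItem(name: "username", value: username),
                       URLQueryItem(name: "password", value: password)]
    request.httpBody = form.percentEncodedQuery?.data(using: .utf8)

    let session = URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
    session.dataTask(with: request) { data, response, error in
        if let urlError = error as? URLError {
            switch urlError.code {
            case .serverCertificateUntrusted, .serverCertificateHasUnknownRoot,
                 .serverCertificateHasBadDate, .serverCertificateNotYetValid:
                // Validation did its job: say so instead of a vague "network error".
                completion("Secure connection failed: the server's certificate could not be verified. "
                           + "Your network may be intercepting traffic.")
            default:
                completion("Network error: \(urlError.localizedDescription)")
            }
            return
        }
        let status = (response as? HTTPURLResponse)?.statusCode ?? 0
        completion("Login request completed with HTTP \(status), \(data?.count ?? 0) bytes")
    }.resume()
}
```

When reviewing an iOS app for this class of bug, the thing to look for is a server-trust challenge handler that calls `URLCredential(trust:)` (or the older `credentialForTrust:`) without first evaluating the trust object; with `SystemValidationDelegate`, the same Burp setup described above produces the certificate error rather than a captured login.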

Notification

I found a contact email here:

I sent this message on 6-21-15:

The contact link says you can submit a comment without making an account, but then requires you to make an account. I didn't want to make an account, so I tried Twitter:

I got no response, so I created a Lumosity account and submitted a ticket:

I got this response:

Update 7-7-15

Lumosity sent me a T-shirt, a pair of sunglasses, and a car air freshener--my first Bug Bounty!

There are two Lumosity apps, one for the iPad and one for the iPhone, and they both have new versions numbered 4.8.

I tested the revised iPad app:

It's still vulnerable, which is not surprising since it was dated June 25, 2014, only a couple of days after I reported the problem to them.

Fixed in Version 4.9!

Version 4.9 came out on July 10, 2015:

The problem is fixed! It detects the MITM attack and shows the user an accurate and informative error message.

I also tested "Lumosity Mobile" for the iPhone, version 4.9. It's also fixed, displaying a similar error message :)


Posted 6-21-15 by Sam Bowne
Lumosity ticket added 6-22-15
Response from Lumosity added 6-26-15
Fixed version images added 7-25-15