This vulnerability does not affect people who are using the genuine app from the Google Play Store. It would only harm people who are tricked into installing a modified app from a Web site, email, etc.
The Proof of Concept code below merely logs the user id and password, where other apps on the phone can see it, but there's nothing preventing a better programmer from sending that data, and all the other data the app has, out over the Net.
Nationwide should add integrity-checking to their server-side code. Obfuscating their smali code would also be an improvement, with a powerful obfuscator like DashO, not the worthless ProGuard.
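As an added example (not code from the original post or from Nationwide's app), here is the client-side half of the integrity check recommended above: the app refuses to proceed unless the running APK is signed with the genuine release certificate, which a rebuilt-and-resigned APK cannot be. The class name and EXPECTED_SHA256 are placeholders I chose, not values from the real app.

```java
// Added example: runtime repackaging check for an Android app.
// EXPECTED_SHA256 is a placeholder; use the SHA-256 of the real release cert.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;

public final class SigningCheck {
    // Placeholder: hex SHA-256 of the genuine release signing certificate (DER).
    private static final String EXPECTED_SHA256 =
        "0000000000000000000000000000000000000000000000000000000000000000";

    /** Returns true only if the running APK is signed by the expected certificate. */
    public static boolean isGenuine(Context ctx) {
        try {
            PackageManager pm = ctx.getPackageManager();
            String pkg = ctx.getPackageName();
            Signature[] sigs;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
                sigs = info.signingInfo.getApkContentsSigners();
            } else {
                @SuppressWarnings("deprecation")
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
                sigs = info.signatures;
            }
            // An APK rebuilt with apktool and signed with a different key carries a
            // different certificate, so its digest will not match the expected one.
            for (Signature sig : sigs) {
                if (sha256Hex(sig.toByteArray()).equalsIgnoreCase(EXPECTED_SHA256)) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            return false; // fail closed: any error is treated as "not genuine"
        }
    }

    private static String sha256Hex(byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Because this check lives inside the APK, the same smali edit that inserts a logging call can also remove it, so it only raises the bar when combined with the obfuscation and server-side integrity checking the post calls for.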
I pulled the APK file from the device with adb, and decoded the APK file with apktool, as shown below.
I modified the x.smali file in two places as shown below.
I rebuilt the APK and signed it, as shown below.
I entered a test username and password into the login form.
The user id and password are in the logs, as shown below.
The Nationwide contact page had no email addresses, but it had a phone number.
I called at 12:00, and by 12:03 a friendly agent named had understood my request and politely put me on hold to find out who I should notify.
However, at 12:06 she returned without success. There is no entry in their directory that could cover this, and she wanted me to wait until Monday and call 1-800-882-2822.
From Google, I found some actual email contact forms!
But the same Trojan still works: