OptionsHouse SSL Certificate Validation Failure
Fixed After Two Years
Background
The OptionsHouse mobile app has a serious security
problem: it breaks HTTPS. Like many Android apps,
it fails to validate SSL certificates, so any
attacker on the network path (a hostile Wi-Fi hotspot,
for example) can present a forged certificate and
read or alter the traffic, a classic
man-in-the-middle attack.
This practice may be illegal in the USA.
Two American companies settled FTC charges
in 2014 for making this
same error:
FTC Final Orders with Fandango and Credit Karma Provide Guidance on Mobile App Security
Testing Method
I have Burp set up as a proxy for my
Genymotion Android emulator, without
the PortSwigger CA certificate installed
on the device, so secure sites give a warning in
the default Web browser:
Burp terminates each HTTPS connection and presents
its own certificate, signed by a CA the device does
not trust. A correctly written app should therefore
refuse every HTTPS connection through the proxy, and
no plaintext should ever show up in Burp.
Here's the app:
Sending test credentials:
Harvesting them in Burp via the MITM attack:
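The code that produces this behavior is almost always a "trust everything" TrustManager and HostnameVerifier added to silence certificate errors during development. As an added example (not code from the OptionsHouse app, whose source is not shown here), the Java class below places that vulnerable pattern next to a connection that uses the platform defaults, and wraps both in a small probe that reproduces the Burp test from a plain Java client. The proxy address 127.0.0.1:8080, the target URL, and the class name are my assumptions.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsValidationCheck {

    // VULNERABLE: the pattern that "breaks HTTPS". Every certificate chain
    // is accepted without inspection, so Burp's self-signed certificate
    // (or any attacker's) passes and the app sends credentials to the MITM.
    static SSLSocketFactory trustAllFactory() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        return ctx.getSocketFactory();
    }

    // Fetches url through the proxy. With validate == true the connection
    // keeps the platform default trust store and hostname verifier, which
    // is the correct configuration; with validate == false it installs the
    // trust-all factory and a verifier that accepts any host name.
    // Returns the HTTP status, or -1 if TLS validation refused the handshake.
    static int probe(String url, Proxy proxy, boolean validate) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection(proxy);
        if (!validate) {
            try {
                conn.setSSLSocketFactory(trustAllFactory());
            } catch (Exception e) {
                throw new IOException("could not build trust-all context", e);
            }
            conn.setHostnameVerifier((hostname, session) -> true);
        }
        try {
            return conn.getResponseCode();
        } catch (SSLException e) {
            // Untrusted CA or bad host name: this is the outcome a
            // correctly written client must produce behind the proxy.
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed: Burp listening on 127.0.0.1:8080 with its CA NOT imported
        // into this JVM's trust store.
        Proxy burp = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("127.0.0.1", 8080));
        String target = args.length > 0 ? args[0] : "https://example.com/";
        System.out.println("validating client: " + probe(target, burp, true));
        System.out.println("trust-all client:  " + probe(target, burp, false));
    }
}
```

With Burp's CA absent from the trust store, the validating client returns -1 (a "PKIX path building failed" handshake error) and nothing appears in Burp's history, while the trust-all client returns a normal status code and its full request is visible in the proxy. An app that behaves like the second client in this test is broken in exactly the way described above; the fix is to delete the custom TrustManager and HostnameVerifier rather than to tune them.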
Notification
I sent this message on 5-18-15:
Retest on 5-16-17
Here's the app I tested, the newest version:
It still fails to validate certificates, the same as before.
Fixed
On 7-28-17 I tested the latest version,
2.1.814 (updated on July 14, 2017), and
this problem was finally fixed.
Posted 5-18-15 by Sam Bowne
Updated 5-16-17
Updated 7-28-17