OptionsXpress SSL Certificate Validation Failure (Now Fixed)
Background
The OptionsXpress mobile app has a serious security problem: it breaks HTTPS. Like many Android apps, it fails to validate SSL certificates, rendering it vulnerable to man-in-the-middle attacks.
Testing Method
I have Burp set up as a proxy for my Genymotion Android emulator, without the PortSwigger certificate installed, so secure sites give a warning in the default Web browser:
So no HTTPS connection should be possible through the proxy for any client that validates certificates.
Here's the app:
Sending test credentials:
Harvesting them from Burp via MITM attack:
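The Burp test above shows the failure dynamically. As an added example (not part of the original post), here is a small Python scanner for the source-level patterns that most often cause it in Android apps: a trust-all X509TrustManager or an allow-all HostnameVerifier, run over decompiled Java (for instance jadx output). The Java fragments are constructed, and since the post does not show the OptionsXpress app's code, these patterns are an assumption about the likely cause, not a finding from the app.

```python
import re
import sys
from pathlib import Path

# Source-level patterns that commonly disable TLS validation in Android/Java
# code (constructed for this example; the post does not show the app's code).
PATTERNS = {
    "trust-all TrustManager (empty checkServerTrusted)": re.compile(
        r"checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+)?\{\s*\}"),
    "TrustManager returning null issuers": re.compile(
        r"getAcceptedIssuers\s*\(\s*\)\s*\{\s*return\s+null\s*;\s*\}"),
    "allow-all HostnameVerifier (anonymous class)": re.compile(
        r"verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;\s*\}"),
    "allow-all HostnameVerifier (lambda)": re.compile(
        r"HostnameVerifier\s*\(\s*\([^)]*\)\s*->\s*true\s*\)"),
    "ALLOW_ALL_HOSTNAME_VERIFIER constant": re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b"),
}

def scan_source(source):
    """Return sorted (line_number, finding) pairs for every pattern hit in source."""
    findings = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(source):
            line_no = source.count("\n", 0, match.start()) + 1
            findings.append((line_no, name))
    return sorted(findings)

# Constructed Java fragments: one with validation disabled, one using the platform default.
VULNERABLE_SRC = """\
public class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a) {}
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
"""
FIXED_SRC = """\
// No custom TrustManager or HostnameVerifier: the platform validates the chain
// against the device trust store, so an unknown CA fails the handshake.
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
"""

if __name__ == "__main__":
    # Usage: python scan.py <decompiled .java files>; with no args, scans the sample.
    files = sys.argv[1:]
    for path in files or ["<constructed sample>"]:
        src = Path(path).read_text(errors="replace") if files else VULNERABLE_SRC
        for line_no, name in scan_source(src):
            print(f"{path}:{line_no}: {name}")
```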
Notification
I had the correct security contact for Charles Schwab from a previous report, which I got from the CEO via Twitter. I sent this message on 5-18-15:
Note that the previous vulnerability I reported was a code modification vulnerability, which many other financial companies also have and refuse to fix, as detailed here:
Android Apps Vulnerable to Code Modification
Update 7-1-15: Fixed!
I never got any reply from Schwab, but they fixed the app!
Here's the updated version:
Now it refuses to run at all while an MITM attack is underway, and shows an error message instead.
Sent to vendor 5-18-15 by Sam Bowne
Posted publicly with fixed app 7-1-15