OptionsXpress SSL Certificate Validation Failure (Now Fixed)

Background

The OptionsXpress mobile app has a serious security problem: it breaks HTTPS. Like many Android apps, it fails to validate SSL certificates, so any attacker positioned between the phone and the server can read and alter the "encrypted" traffic, including login credentials.

Testing Method

I have Burp set up as a proxy for my Genymotion Android emulator, without the PortSwigger certificate installed, so secure sites give a warning in the default Web browser:

So no HTTPS connection should be possible through the proxy: a client that validates certificates will see the proxy's untrusted certificate and refuse to connect.

Here's the app:

Sending test credentials:

Harvesting them from Burp via MITM attack:

Notification

I had the correct security contact for Charles Schwab from a previous report, which I got from the CEO via Twitter.

I sent this message on 5-18-15:

Note that the previous vulnerability I reported was a code modification vulnerability, which many other financial companies also have and refuse to fix, as detailed here:

Android Apps Vulnerable to Code Modification

Update 7-1-15: Fixed!

I never got any reply from Schwab, but they fixed the app!

Here's the updated version:

Now, when an MITM attack is underway, it refuses to run at all and shows an error message, which is the correct behavior: a failed certificate check should stop the connection, not be silently ignored.
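To make the two behaviors concrete, here is an added example in Java (the language of an Android app); it is not code from the OptionsXpress app or from the original post. It shows the "trust everything" pattern that produces the failure described above, next to a client that uses the platform's default trust store, and it treats a handshake failure the way the fixed app does: by refusing to continue. The endpoint URL, the class name and the method names are hypothetical.

```java
import java.io.IOException;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical example class (not the app's code).
public class TlsValidationExample {

    // ANTI-PATTERN: this is the kind of code behind the behavior described above.
    // checkServerTrusted() never throws, so any certificate, including one forged
    // by an intercepting proxy, is accepted. Flag this in code review.
    static final TrustManager[] TRUST_EVERYTHING = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };
    // Companion anti-pattern: hostname verification disabled as well.
    static final HostnameVerifier ACCEPT_ANY_HOST = (hostname, session) -> true;

    // Broken client: every handshake "succeeds", whoever terminates it.
    static HttpsURLConnection brokenConnection(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_EVERYTHING, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ACCEPT_ANY_HOST);
        return conn;
    }

    // Fixed client: the system trust store plus the default hostname verifier.
    // A certificate issued by a CA the device does not trust fails the handshake.
    static HttpsURLConnection validatingConnection(URL url) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null KeyStore = platform default trust anchors
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier stays in place; do not replace it.
        return conn;
    }

    // What the fixed app does: surface the failure and stop, rather than carry on.
    static boolean tryConnect(HttpsURLConnection conn) {
        try {
            conn.connect();
            conn.disconnect();
            return true;
        } catch (SSLHandshakeException e) {
            System.err.println("Certificate validation failed, refusing to continue: "
                               + e.getMessage());
            return false;
        } catch (IOException e) {
            System.err.println("Connection error: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical endpoint. Run behind an intercepting proxy whose CA is not
        // installed: the validating client reports false, the broken one true.
        URL url = new URL(args.length > 0 ? args[0] : "https://example.invalid/");
        System.out.println("validating client connected: "
                           + tryConnect(validatingConnection(url)));
        System.out.println("trust-everything client connected: "
                           + tryConnect(brokenConnection(url)));
    }
}
```

The test in the post is exactly this comparison: with Burp's CA absent from the emulator, the validating client throws SSLHandshakeException and the trust-everything client completes the request and hands the credentials to the proxy. The simplest fix for an Android app is usually to delete the custom TrustManager and HostnameVerifier entirely and let the platform defaults do the work.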


Sent to vendor 5-18-15 by Sam Bowne
Posted publicly with fixed app 7-1-15