RCEMS Field Guide Android and iOS App Security Flaws
Summary
The RCEMS Field Guide Android and iOS apps have serious security
problems: the Android app does not validate SSL certificates,
so its HTTPS connections can be intercepted, and the iOS app
sends confidential data over the
Internet with no encryption at all.
Android App
The Android app has a serious security
problem: it breaks HTTPS. Like many Android apps,
it fails to validate SSL certificates, so anyone
positioned between the phone and the server can
present a forged certificate and read or alter
the traffic. That is a textbook man-in-the-middle
attack, and it defeats the only protection HTTPS provides.
This practice may be illegal in the USA.
Two American companies, Fandango and Credit Karma,
settled FTC charges in 2014 over this
same error:
FTC Final Orders with Fandango and Credit Karma Provide Guidance on Mobile App Security
Testing Method
I have Burp set up as a proxy for my
Genymotion Android emulator, without
the PortSwigger certificate installed,
so secure sites give a warning in
the default Web browser:
So no HTTPS connections should be
possible through the proxy.
Here's the app:
Sending test credentials:
Harvesting them from Burp via MITM attack:
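The failure described in the Android section, and the check the testing method above relies on, are both easy to reproduce outside the app. The following program is an added example, not code from the RCEMS app or from this post: it builds two HTTPS clients with the standard javax.net.ssl API, one using the "trust everything" X509TrustManager that broken Android apps typically install, the other using the platform's default trust store, and sends each through an intercepting proxy. It assumes Burp is listening on 127.0.0.1:8080, that Burp's CA certificate has not been installed in the trust store, and that https://example.com/ is reachable through the proxy; those values are assumptions, not facts from the post.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsValidationCheck {

    // VULNERABLE: the pattern this post describes. Every certificate chain is
    // accepted without inspection, so a certificate forged by Burp (or by any
    // attacker on the network path) is treated exactly like the real one.
    static SSLContext trustEverything() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) {}
                public void checkServerTrusted(X509Certificate[] chain, String authType) {}
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        return ctx;
    }

    // CORRECT: passing null for the trust managers selects the platform's
    // default trust store, which contains no interception CA unless the
    // device owner deliberately installed one.
    static SSLContext platformDefault() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, new SecureRandom());
        return ctx;
    }

    // Performs an HTTPS GET through the proxy with the given SSLContext.
    // Returns true if the request completed, false if the TLS handshake
    // was refused because the proxy's certificate was not trusted.
    static boolean fetchThroughProxy(SSLContext ctx, URL url, Proxy proxy,
                                     boolean verifyHostname) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection(proxy);
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        if (!verifyHostname) {
            // Second half of the vulnerable pattern: accept any name on the certificate.
            conn.setHostnameVerifier((hostname, session) -> true);
        }
        try {
            return conn.getResponseCode() > 0;
        } catch (SSLException e) {
            // Thrown by the validating client when the chain does not lead to a trusted root.
            return false;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed test setup: Burp as an HTTP proxy on 127.0.0.1:8080, its CA not trusted.
        Proxy burp = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("127.0.0.1", 8080));
        URL target = new URL("https://example.com/");

        boolean trustAllReached = fetchThroughProxy(trustEverything(), target, burp, false);
        boolean validatingReached = fetchThroughProxy(platformDefault(), target, burp, true);

        System.out.println("trust-all client reached the server through the proxy: " + trustAllReached);
        System.out.println("validating client reached the server through the proxy: " + validatingReached);
    }
}
```

With Burp's CA absent from the trust store, the trust-all client completes the request and its plaintext shows up in Burp's HTTP history, which is exactly what the screenshots above show for the RCEMS app; the validating client fails the handshake with an SSLHandshakeException, which is the behaviour a correctly written app must have. The fix for an app that does this is simply to delete the custom TrustManager and HostnameVerifier and use the platform defaults, not to try to patch up the permissive ones.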
iOS App
RCEMS Field Guide Plaintext
Here's the app:
Collecting confidential data:
Transmitting it insecurely:
Notification
I sent this message on 6-10-15:
Posted 6-10-15 by Sam Bowne