SSL Certificate Validation Problem Fixed in "snap secure"

Background

"Snap Secure" versions before 10.0, updated on 4-29-15, failed to validate SSL certificates, exposing sensitive data to a MITM attack.

CERT found this problem and reported it to the vendor on or around 9/3/2014:

Finding Android SSL Vulnerabilities with CERT Tapioca

"Snap Secure" v. 9.5 appears on this spreadsheet from CERT, on the "Android App SSL Failures" tab, row 108:

Android apps that fail to validate SSL

Demonstration of Vulnerability

Here's what I observed on 4-26-15, using a Genymotion Android emulator and the Burp proxy.

I used Burp without the PortSwigger certificate installed, so HTTPS connections would fail. The default Android browser correctly reports this problem, as shown below.

Installing Snap Secure

I got it from Google Play:

Note: this is version 10.0, updated after CERT warned the company about this vulnerability on or around 9/3/2014, but the SSL problem was not fixed.

I clicked "Sign In" and entered test credentials.

Burp revealed the username and password, as shown below, demonstrating the vulnerability.

Vendor Response

I was surprised to get this email today:

I looked in Google Play and there is indeed a new version of the app:

And when I connect the new version to Burp the same way, it just hangs on startup. It no longer allows the user to enter any data if it can't make a secure connection.
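To make the two behaviours concrete, here is an added example; it is not code from this post or from Snap Secure (whose app is Android/Java, not Go). A Go program starts an HTTPS server with a self-signed certificate, standing in for Burp before its CA certificate is installed, and posts test credentials to it with two clients: one that accepts any certificate, which is the equivalent of the broken app, and one that keeps default verification, which is what the fixed app's refusal to proceed implies. The /login path, the test credentials and all helper names are made up for the example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// captured records what a Burp-like interceptor sees: the body of every
// request that completed a TLS handshake with it. Constructed for this
// example; not part of the original post.
type captured struct {
	bodies []string
}

// newInterceptor starts an HTTPS server whose certificate is self-signed and
// trusted by nobody, exactly the situation of Burp without its CA installed.
func newInterceptor(c *captured) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		c.bodies = append(c.bodies, string(b))
		fmt.Fprint(w, `{"status":"ok"}`)
	}))
}

// signIn posts made-up test credentials to serverURL with the given client.
// A non-nil error is what the app would get when the handshake is rejected.
func signIn(client *http.Client, serverURL string) error {
	form := url.Values{"username": {"testuser"}, "password": {"hunter2"}}
	resp, err := client.Post(serverURL+"/login",
		"application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// vulnerableClient mirrors the Android anti-pattern of a TrustManager that
// accepts every certificate: the handshake never fails, so the credentials
// go to whoever terminates the connection.
func vulnerableClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// fixedClient keeps the default verifier, which checks the chain against the
// system trust store and the hostname against the certificate.
func fixedClient() *http.Client {
	return &http.Client{}
}

// Demo runs both clients against the interceptor and returns each client's
// error plus the request bodies the interceptor managed to capture.
func Demo() (vulnErr, fixedErr error, leaked []string) {
	c := &captured{}
	srv := newInterceptor(c)
	defer srv.Close()
	vulnErr = signIn(vulnerableClient(), srv.URL)
	fixedErr = signIn(fixedClient(), srv.URL)
	return vulnErr, fixedErr, c.bodies
}

func main() {
	vulnErr, fixedErr, leaked := Demo()
	fmt.Println("accept-all client error:   ", vulnErr)
	fmt.Println("validating client error:   ", fixedErr)
	fmt.Println("bodies seen by interceptor:", leaked)
}
```

Only the accept-all client's credentials reach the interceptor; the validating client fails with an unknown-authority error and sends nothing, which is the fail-closed behaviour a hang on startup suggests. To be sure a hang is validation rather than a network problem, install the Burp CA certificate on the device and confirm the same sign-in then succeeds and is visible in the proxy.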

So I applaud Snap Secure for an efficient, dignified response!

References

Here's the complete list of apps I tested:

Popular Android Apps with SSL Certificate Validation Failure

Here's the Ars Technica article that got Snap Secure's attention:

Android apps still suffer game-over HTTPS defects 7 months later


Posted 4-30-15 8:28 pm by Sam Bowne