Unofficial Spirit Airlines App Fails to Validate SSL Certificates

Summary

The Spirit Airlines Android app has a serious security problem--it fails to validate SSL certificates, and is therefore vulnerable to man-in-the-middle attacks.

As you will see below, this app was not created by Spirit Air, but by "Convenientfriendlyapps@gmail.com" -- that company seems to have no website, and does not reply to emails.

In my opinion, Spirit Airlines should tell Google Play to remove this app, but they don't seem interested in doing that.

App Removed! (Update 6-9-15)

I just got this message from Spirit Airlines:

Testing Method

I have Burp set up as a proxy for my Genymotion Android emulator.

Here's the app:

Sending test credentials:

Harvesting them from Burp:
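The Burp test above is dynamic: a forged certificate from the proxy is accepted, so the login request becomes readable. The same defect is usually visible statically in decompiled Android code as an all-trusting TrustManager or a HostnameVerifier that always returns true. The scanner below is an added example, not code from the original post and not the Spirit app's source (which was not examined); the two Java snippets it scans are constructed here to illustrate the vulnerable idiom and a safe counterpart, and the regex patterns are assumptions about how that idiom usually appears.

```python
import re
from typing import List, Tuple

# Patterns that disable TLS certificate or hostname validation in Android/Java
# code.  These are assumptions about what such code usually looks like; they
# are not derived from the Spirit Airlines app, whose source was not examined.
INSECURE_TLS_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    # An X509TrustManager whose checkServerTrusted() body is empty accepts any
    # chain, including the one Burp forges, so the proxy can read credentials.
    ("empty checkServerTrusted()",
     re.compile(r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}")),
    # getAcceptedIssuers() returning null is the other half of the
    # all-trusting TrustManager idiom.
    ("getAcceptedIssuers() returns null",
     re.compile(r"getAcceptedIssuers\s*\(\s*\)[^{]*\{\s*return\s+null\s*;\s*\}")),
    # A HostnameVerifier that always returns true accepts a valid certificate
    # issued for a different host.
    ("HostnameVerifier always returns true",
     re.compile(r"verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
                r"[^{]*\{\s*return\s+true\s*;\s*\}")),
    # Legacy Apache HttpClient constants/classes with the same effect.
    ("ALLOW_ALL_HOSTNAME_VERIFIER", re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    ("AllowAllHostnameVerifier instance",
     re.compile(r"new\s+AllowAllHostnameVerifier\s*\(")),
]


def scan_source(java_source: str) -> List[Tuple[str, int]]:
    """Return (finding, line_number) pairs for every insecure pattern found."""
    findings = []
    for name, pattern in INSECURE_TLS_PATTERNS:
        for match in pattern.finditer(java_source):
            line = java_source.count("\n", 0, match.start()) + 1
            findings.append((name, line))
    return sorted(findings, key=lambda f: f[1])


def is_vulnerable(java_source: str) -> bool:
    """True if any certificate/hostname validation bypass is present."""
    return bool(scan_source(java_source))


# Constructed sample: the validation-bypass idiom a Burp proxy would exploit.
VULNERABLE_SAMPLE = """\
import javax.net.ssl.*;
import java.security.cert.X509Certificate;

public class LoginClient {
    // Trusts every certificate, so Burp's forged certificate is accepted.
    private static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return null; }
        }
    };

    static void connect(String url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        });
    }
}
"""

# Constructed sample: platform defaults (system CA store plus hostname check),
# which reject a Burp-forged certificate unless Burp's CA has been installed.
SAFE_SAMPLE = """\
import javax.net.ssl.HttpsURLConnection;
import java.net.URL;

public class LoginClient {
    static HttpsURLConnection connect(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        conn.connect();
        return conn;
    }
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SAMPLE), ("safe", SAFE_SAMPLE)):
        print(f"{label}: {scan_source(src) or 'no findings'}")
```

A static hit from this scanner is a lead, not proof: the dynamic Burp test (does the app complete the login through a proxy whose CA the device does not trust?) remains the confirming step, and an app can fail that test through paths these regexes do not cover.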

Notification

On 5-24-15, I emailed Spirit and the developer, but the emails to Spirit bounced and the email to the developer was not answered.

I tried to use the Spirit online customer support form, but it refused to accept anything from me without a valid confirmation number.

By chance, I flew on Spirit Airlines recently and I found a valid confirmation number in my old email, which made it possible to submit the form.

Spirit replied to me telling me that they didn't make that app:

I flagged the app as inappropriate in the Google Play store--perhaps that will do some good.

Also, during all the correspondence mentioned above, I erroneously described the problem as "plaintext data transmission" rather than "failure to validate SSL certificates". I fixed the content of this page to the correct vulnerability on 5-31-15.

I don't think there's any reason to delay publication of this any longer.


Posted 5-24-15 by Sam Bowne
Updated 5-31-15 with replies from Spirit and my flagging of the app
Published 6-1-15
Updated with app removal email 6-9-15