Intuit TurboTax App Vulnerability

Summary

Intuit's servers don't check the integrity of the Android TurboTax app when it connects to their servers. It is therefore easy to modify the app, adding trojan code that does malicious things. An attacker who can trick people into using the trojaned app can exploit them.

This vulnerability does not affect people who are using the genuine TurboTax app from the Google Play Store. It would only harm people who are tricked into installing a modified app from a Web site, email, etc.

The Proof of Concept code below merely logs the password, where other apps on the phone can see it, but there's nothing preventing a better programmer from sending that password, and all the other data the TurboTax app has, out over the Net.

Intuit should add integrity-checking to their server-side code.
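As an added illustration of the integrity check this page is asking for (not Intuit's code, and not from the original write-up), the Android-side half is a signer pin: the app reads the certificate its APK was signed with and compares its SHA-256 against the genuine release fingerprint. The fingerprint below is a placeholder; the class name and method are assumptions. A re-signed build like the one in the proof of concept carries a different certificate, so the check fails, but the same smali patching could remove the check itself, which is why the result has to be backed by a server-side verification rather than trusted on its own.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

/** Compares the signing certificate of the running APK against a pinned SHA-256. */
public final class SignerCheck {
    // PLACEHOLDER: replace with the SHA-256 fingerprint of the genuine release
    // signing certificate (for example from: apksigner verify --print-certs app.apk)
    private static final String EXPECTED_SHA256 =
        "0000000000000000000000000000000000000000000000000000000000000000";

    /** Returns true only if every signer of this APK matches the pinned fingerprint. */
    public static boolean isGenuineSigner(Context ctx) {
        try {
            PackageManager pm = ctx.getPackageManager();
            PackageInfo info = pm.getPackageInfo(ctx.getPackageName(),
                    PackageManager.GET_SIGNING_CERTIFICATES); // API 28+
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            if (signers == null || signers.length == 0) {
                return false;
            }
            for (Signature s : signers) {
                // s.toByteArray() is the DER-encoded X.509 certificate
                if (!EXPECTED_SHA256.equalsIgnoreCase(sha256Hex(s.toByteArray()))) {
                    return false; // signed with a different key: a repackaged build
                }
            }
            return true;
        } catch (Exception e) {
            return false; // fail closed if the package info cannot be read
        }
    }

    static String sha256Hex(byte[] der) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Because a patched app can simply return true here, the server should not rely on this flag alone; a device-attestation token verified server-side (the kind of server-side integrity check the page recommends) is what actually stops a modified client from logging in as if it were genuine.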

Proof of Concept: Step by Step

Using the Genymotion Android emulator, install the genuine TurboTax app from the Google Play Store, as shown below.

Pull the APK file from the device with adb, as shown below.

Decode the APK file with apktool, as shown below.

Use grep to locate interesting files as shown below.

The AuthorizationClient.smali file has the password conveniently placed in the parameter "p0", as shown below.

Edit the AuthorizationClient.smali file, as shown below, adding trojan code to log the password.

Build the APK and sign it, as shown below.

Drag the "dist/com.intuit.turbotax.mobile-1.apk" file and drop it on the emulator to install it.

Log in to TurboTax while monitoring the logs with Android Device Manager.

The password now appears in the log, as shown below:

Source

How do I get an apk file from an Android device?

Timeline

I notified Intuit on Feb. 6, 2015, as shown below.

Update 5-22-15

There's a new version:

I trojaned it the same way:

It still works the same way: