Dissecting an IoT-Based Android Application

BeeFaauBee
Feb 4, 2019 · 4 min read

[Redacted] is one of the largest sellers of air conditioners in the Middle East, China, North America, South America and Asia. With the rapid change in technology, [Redacted] decided to offer an Internet-connected application so that customers can manage their air conditioner from their phone.


Sounds like great news? Well, it is. You can manage different profiles from a single application. For example, in summer, while you are on your way home and want your room air conditioner already running so you do not have to start it manually when you arrive, all you need is a few taps and voila!

The application has brought some convenience. But did anyone stop to think about privacy or application security, and about how all of this is managed, given that the application exposes your air conditioner over the Internet?


Having the instinct to look into the security of an application that handles customers' private data, I found certain modules worth digging into to find out how the application architecture works and how it conceals and protects customer data. Basic enumeration brought me to the point that every device (air conditioner) registered through the application is presented to the back-end administrator on a dashboard, which is further divided by region. For instance, if someone from North America registers their device through the app, the back-end panel administrator can view that device's details and activity.
(Screenshot attached; private data removed, as I do not want to expose customers' confidential data in public.)


So my device is being monitored by [Redacted] staff? YES, you're right. This CMS provides insight into the user's location, IP address and other critical details pertaining to the customer.

In all of this, I forgot to mention that the Android application uses an insecure method for data communication: the API calls travel over plain HTTP, so there is no TLS at all, let alone certificate pinning. Anyone with malicious intent who can see the traffic (on the same Wi-Fi network, for instance) can intercept or read the requests going to and from the application and obtain the credentials and session token easily. Is this for real? YES, it is. All you need is the token and you can modify account details. In the example below, an attempt was made to modify the Nickname.
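As an added example (not code from the original post or from the vendor's app), here is the static check I would run over a decoded APK to answer the question the paragraph raises: is the app allowed to speak plain HTTP at all, and does it pin the API host's certificate? The two configurations are constructed for this example; the element and attribute names are the real Android ones, while the package name, the host api.example.com and the base64 pin values are placeholders.

```python
# Added example, not code from the original post or from the vendor's app.
# Static audit of an app's cleartext/pinning posture from its decoded
# AndroidManifest.xml and (optional) res/xml/network_security_config.xml.
# Both configurations below are constructed; hosts and pins are placeholders.
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest modelled on an app that targets a pre-28 SDK and has no
# network security config: the platform default then allows cleartext HTTP.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ac">
  <uses-sdk android:targetSdkVersion="26"/>
  <application android:label="AC Remote"/>
</manifest>"""

# Constructed hardened pair: the manifest points at a network security config,
# the config blocks cleartext everywhere and pins the API host (two pins so a
# key rotation does not brick the app; the base64 values are placeholders).
FIXED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ac">
  <uses-sdk android:targetSdkVersion="28"/>
  <application android:label="AC Remote"
      android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

FIXED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2026-12-31">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""


def audit_cleartext(manifest_xml, nsc_xml=None):
    """Summarise whether cleartext HTTP is allowed and which hosts are pinned.

    Platform rules applied:
      * default: cleartext allowed when targetSdkVersion < 28, blocked from 28;
      * android:usesCleartextTraffic on <application> overrides that default,
        but is ignored once a network security config is present;
      * <base-config cleartextTrafficPermitted> sets the app-wide value and
        <domain-config cleartextTrafficPermitted> overrides it per host.
    Nested <domain-config> elements are not descended into.
    """
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target = int(uses_sdk.get(ANDROID + "targetSdkVersion", "1")) if uses_sdk is not None else 1
    app = root.find("application")
    cleartext_default = target < 28
    if nsc_xml is None and app is not None and app.get(ANDROID + "usesCleartextTraffic") is not None:
        cleartext_default = app.get(ANDROID + "usesCleartextTraffic").lower() == "true"

    cleartext_domains, pinned_domains = [], []
    if nsc_xml is not None:
        nsc = ET.fromstring(nsc_xml)
        base = nsc.find("base-config")
        if base is not None and base.get("cleartextTrafficPermitted") is not None:
            cleartext_default = base.get("cleartextTrafficPermitted").lower() == "true"
        for dc in nsc.findall("domain-config"):
            domains = [d.text.strip() for d in dc.findall("domain")]
            permitted = dc.get("cleartextTrafficPermitted")
            allowed = cleartext_default if permitted is None else permitted.lower() == "true"
            if allowed:
                cleartext_domains.extend(domains)
            if dc.find("pin-set") is not None:
                pinned_domains.extend(domains)
    return {
        "cleartext_default": cleartext_default,
        "cleartext_domains": cleartext_domains,
        "pinned_domains": pinned_domains,
    }


if __name__ == "__main__":
    print("weak :", audit_cleartext(WEAK_MANIFEST))
    print("fixed:", audit_cleartext(FIXED_MANIFEST, FIXED_NSC))
```

One caveat when running this over apktool output: apktool moves the `uses-sdk` values into apktool.yml, so feed the target SDK from there if the manifest lacks the element. Blocking cleartext in the config is the cheap half of the fix; the pinned host still needs a certificate chain the pins actually match, and the pin set needs a rotation plan before `expiration`.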


This is not limited to what is mentioned above. If you want to delete your account, you are asked for your current password. Sadly, the back end does not validate the current password entered, so anyone who holds a valid session (for example, one lifted from the plaintext traffic) can delete the account without that authorization.
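To make the flaw concrete, here is an added example (not the vendor's back-end code) modelling the account-deletion endpoint in two versions: one that collects the current password but never compares it, which is the behaviour reported above, and one that verifies it against the stored hash before deleting. The user store, names and passwords are constructed for the example.

```python
# Added example, not code from the original post or the vendor's back end.
# In-memory model of an account-deletion endpoint: the vulnerable handler
# ignores the "current password" field; the fixed one checks it first.
# Users, passwords and tokens are constructed for this illustration.
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccountService:
    def __init__(self):
        self.users = {}     # username -> (salt, digest)
        self.sessions = {}  # bearer token -> username

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        """Return a bearer token on success, None otherwise."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, digest = record
        if not hmac.compare_digest(digest, hash_password(password, salt)[1]):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def _erase(self, username):
        del self.users[username]
        # Drop every session of the user, not just the one making the call.
        for tok in [t for t, u in self.sessions.items() if u == username]:
            del self.sessions[tok]

    def delete_account_vulnerable(self, token, current_password):
        """Mirrors the reported flaw: the password is collected but never compared."""
        username = self.sessions.get(token)
        if username is None:
            return False
        self._erase(username)
        return True

    def delete_account_fixed(self, token, current_password):
        """Deletes only when the caller proves knowledge of the current password."""
        username = self.sessions.get(token)
        if username is None:
            return False
        salt, digest = self.users[username]
        _, candidate = hash_password(current_password, salt)
        if not hmac.compare_digest(digest, candidate):
            return False
        self._erase(username)
        return True


def demo():
    """Drive both handlers with a stolen-token scenario; returns the outcomes."""
    svc = AccountService()
    svc.register("alice", "correct horse")
    token = svc.login("alice", "correct horse")   # later sniffed off plain HTTP
    gone_without_password = svc.delete_account_vulnerable(token, "wrong guess")

    svc = AccountService()
    svc.register("alice", "correct horse")
    token = svc.login("alice", "correct horse")
    refused = not svc.delete_account_fixed(token, "wrong guess")
    still_there = "alice" in svc.users
    accepted = svc.delete_account_fixed(token, "correct horse")
    return gone_without_password, refused, still_there, accepted


if __name__ == "__main__":
    print(demo())
```

The re-authentication step is what turns a stolen session token into something less than full account control; the constant-time compare and the per-user salt are the ordinary hygiene around it, and erasing all of the user's sessions on deletion prevents a lingering token from acting on a half-deleted account.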

Oh yeah, the signatures (dataVC and the rest): here is the snippet of code from the app that generates the signatures used to validate requests. Because the signing logic ships inside the app, anyone who decompiles it can regenerate valid signatures for requests of their own.
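The app's actual signing routine is only visible in the screenshot, so the following is an added illustration rather than that code: a hypothetical request-signing scheme whose key lives in the APK, showing why such a signature detects accidental tampering but cannot stop an attacker who has reversed the app. The scheme (HMAC-SHA256 over sorted parameters), the secret, the parameter names and the use of `dataVC` as the signature field are all assumptions for the example.

```python
# Added example, not the app's own signing code (the post shows that only as
# a screenshot). Hypothetical client-side request signing with a key that
# ships inside the APK; the scheme, secret and field names are assumptions.
import hashlib
import hmac

APP_SECRET = b"secret-pulled-from-decompiled-apk"   # assumed; recovered by reversing
SIG_FIELD = "dataVC"                                 # assumed signature parameter name


def sign(params, secret=APP_SECRET):
    """Hypothetical scheme: HMAC-SHA256 over sorted key=value pairs (signature excluded)."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != SIG_FIELD)
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def server_verify(params):
    """What a server that relies on the client-computed signature would check."""
    provided = params.get(SIG_FIELD, "")
    return hmac.compare_digest(provided, sign(params))


def forge(intercepted, **changes):
    """Attacker path: take a request captured off plain HTTP, alter fields, re-sign."""
    tampered = dict(intercepted)
    tampered.update(changes)
    tampered[SIG_FIELD] = sign(tampered)
    return tampered


# Constructed request as the legitimate app would send it.
ORIGINAL = {"token": "session-token-from-capture", "deviceId": "AC-1234", "nickname": "Bedroom"}
ORIGINAL[SIG_FIELD] = sign(ORIGINAL)


def demo():
    """Returns (legit accepted, naive edit rejected, re-signed edit accepted)."""
    naive_edit = dict(ORIGINAL, nickname="Pwned")     # change a field, keep old signature
    forged = forge(ORIGINAL, nickname="Pwned")        # change a field and re-sign
    return server_verify(ORIGINAL), server_verify(naive_edit), server_verify(forged)


if __name__ == "__main__":
    print(demo())
```

The middle result is the only thing the signature buys: an edit made in an intercepting proxy without re-signing is rejected. Once the key is out of the APK the third request passes verification just like the first, so the server still has to decide, from the session it authenticated, whether this user may rename this device.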


With a little enumeration of their web server, I was also able to find the directory of the IIS instance hosting the web application.


The vulnerabilities mentioned above were reported to [Redacted]. Since no response has been received to date, I approached CVE and obtained an ID for the issue in order to make the public aware of its severity: CVE-2018-20582.

Note: [Redacted]
