Follow up: 76 Popular Apps Confirmed Vulnerable to Silent Interception of TLS-Protected Data

In February, I posted “76 Popular Apps Confirmed Vulnerable to Silent Interception of TLS-Protected Data” describing an alarming problem with some applications in the iOS App Store, discovered by surveying large portions of the App Store using the vulnerability detection and analysis system built into verify.ly.

As nearly 90 days have passed, I will disclose a portion of the medium- and high-risk applications which are affected by this class of vulnerability. But first, I would like to clear up some confusion caused by the last post regarding how this all works (skip to the “New Disclosures” section if you already understand how this class of vulnerability would be exploited by an attacker).

What is a man-in-the-middle attack?

This is an umbrella term referring to interception and/or manipulation of internet traffic at any point between your mobile phone and the server which you intend to interact with. It can be conducted by multiple parties:

  • Anyone within Wi-Fi reception range of you and the network which you are connected to. If the attacker does not have the password required to connect, this process becomes more difficult due to an additional step they’d need to take in order to crack the password/PSK.
  • Anyone with control of a device which is already connected to the Wi-Fi network you are connected to (This is most relevant to those who have an insecure Internet-of-Things device connected to their home network).
  • VPN Providers, and/or an attacker who has gained privileged access to the VPN gateway which you’ve connected to. Of course, this only applies if you use a VPN service to protect your traffic.
  • Internet Service Providers (This is allegedly how some Chinese users were infected with the YiSpecter malware for iOS in 2015).

The above list is absolutely not comprehensive, but the important takeaway is that a man-in-the-middle attack would be conducted by those who are able to get “in the middle” of the connection between your mobile phone and the destination server.

These days, it is more difficult than it used to be to conduct such an attack in a useful manner. Most servers utilize TLS (HTTPS) in order to protect the connection between your phone/tablet/computer and the destination server. Those who are in control of a server acquire a TLS certificate from a Certificate Authority to confirm that they are indeed who they claim, similar to how one would acquire an identification card from a government authority to identify themselves in a commonly understood manner. Just as there are various checks to validate whether a physical identification card was actually issued by a legitimate authority, a TLS certificate is normally validated (using cryptography) to ensure that the party presenting it is indeed the server which they claim to be.

Usually, this works great. A man-in-the-middle attack should not be very useful, because the “man-in-the-middle” would normally not have the ability to get a TLS certificate issued to themselves to verify that they are example.com (or “insert your bank’s name here”), as only the actual operator of that server is able to get such a certificate issued. The real problem arises when validation of this certificate is not handled properly, or is simply turned off by an app developer. This allows for a man-in-the-middle attacker to generate invalid TLS certificates for the servers which your device intends to connect to, not signed by a valid Certificate Authority, and applications affected by this class of vulnerability will happily accept the certificate, potentially relaying sensitive information to the attacker and allowing manipulation of data sent back to your device.
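As an added illustration (not code from this post or from any of the apps listed), the Swift below shows the URLSession delegate pattern that produces this class of bug, where the app hands back a credential for whatever trust object the network presents, beside a validating form that evaluates the chain against the device trust store; the hostname `api.example.com` is an assumed placeholder.

```swift
import Foundation
import Security

// VULNERABLE: the pattern behind this class of bug. The delegate returns a credential
// for whatever trust object the network presents, so a certificate forged by a
// man-in-the-middle (not signed by any trusted CA) is accepted without evaluation.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            completionHandler(.useCredential, URLCredential(trust: trust))   // no check at all
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// HARDENED: only handle server-trust challenges, evaluate the chain against the
// device trust store with an SSL policy bound to the expected hostname, and cancel
// the connection if evaluation fails. Everything else falls back to default handling.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    private let expectedHost: String   // assumed value, e.g. "api.example.com"

    init(expectedHost: String) { self.expectedHost = expectedHost }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Hostname check plus standard X.509 validation (trusted root, validity period, key usage).
        let policy = SecPolicyCreateSSL(true, expectedHost as CFString)
        _ = SecTrustSetPolicies(trust, policy)
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            // Cancelling makes the request fail instead of proceeding over an untrusted channel.
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// The simplest correct choice is to not implement this delegate method at all, since
// URLSession validates server certificates by default; if it is implemented, use the
// validating form above.
let session = URLSession(configuration: .default,
                         delegate: ValidatingDelegate(expectedHost: "api.example.com"),
                         delegateQueue: nil)
```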

Please refer to the February post for some more information on this vulnerability class and potential remedies.

How likely is it for this attack to be used on me?

There is unfortunately not enough data to answer this question, mostly due to the nature of this issue. If your login credentials for a service are intercepted, it may be days/weeks/etc before an attacker actually uses them to breach your account (and/or another account which utilizes the same password). At this point, there would be no conclusive way to definitively prove the cause, causing the all-too-common “I got hacked!” panic without much direction regarding how the situation could be prevented in the future.

Action Items

  • Review the “New Disclosures” list below, looking for any applications which are installed on your iOS device.
  • If the vulnerability has now been fixed in an affected application, go to Settings > General > Storage & Cloud Usage > Manage Storage (the first one). Locate the application on this list, tap on it, and then look at the “Version” text next to the icon. Ensure the number is greater than or equal to the “fixed” version as noted below.
  • If the vulnerability is not fixed in an affected application, it may be a good idea to limit usage of the application until a fix becomes available.

New Disclosures (27 Applications)

The following applications affected by this data-in-transit validation vulnerability were confirmed to transmit sensitive data, such as login credentials (Please note: The contents of login API calls were obfuscated in some cases). They have either been fixed now, have not listed security contact information on their websites, or have not responded to multiple contact attempts from myself (and CERT).

As previously mentioned, if you are a user of any application listed below, please update to the latest version as soon as reasonably possible.

“HipChat — Free group chat for teams & business” by HipChat, Inc. (CVE-2017–8058)

Version 3.16.1 allowed a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to both api.hipchat.com/v2/authenticate/ and likeabosh.hipchat.com/http-bind/ during the login process.

The vulnerability was fixed in version 3.16.2 and above. However, during login, the user e-mail address still appears to be transmitted to api.hipchat.com over an insecure connection (Password is safe now at least).

“Foxit PDF — PDF reader, editor, form, signature” by Foxit Corporation (CVE-2017–8059)

Versions 5.2.1 and 5.3.2 allowed a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to cws.connectedpdf.com/cpdfapi/ in multiple API calls. Data confirmed as vulnerable to interception includes: e-mail address, password, and authentication token if the user is logged in (This uses a “userID.userEmail” format, so this can very likely allow authenticated API calls to be made by an attacker on behalf of the user).

This vulnerability is fixed in version 5.4 and above.

“Panda Mobile Security” by Panda Security, S.L. (CVE-2017–8060)

Version 1.1 allows a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to accounts.pandasecurity.com, rol.pandasecurity.com, and wsmy.pandasecurity.com. Due to lack of a login for this service, no further APIs (beyond login) could be tested.

The vulnerability has not yet been fixed.

“Think Mutual Bank — Mobile Banking App” by Think Mutual Bank (CVE-2017–3213)

Version 3.1.5 allows a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to thinkbank.secure-mobileaccess.com. Username and password have been confirmed as vulnerable to interception.

The vulnerability has not yet been fixed.

“Space Coast Credit Union Mobile” by Space Coast Credit Union (CVE-2017–3212)

Version 2.2 allows a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to sccuolb.sccu.com/OnlineBanking/Signin.aspx. Username and password have been confirmed as vulnerable to interception.

The vulnerability has not yet been fixed.

“Emirates NBD” and “Emirates NBD KSA” by Emirates NBD Bank P.J.S.C (CVE-2017–5915)

Versions 3.10.0 through 3.10.4 (UAE) and 2.0.1 through 2.1.0 (KSA) allow a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to login.banknetpower.net. Username and password have been confirmed as vulnerable to interception in the Saudi version, while the UAE version utilizes an additional custom layer of encryption (It is likely that an active man-in-the-middle attacker would be able to access the credentials with additional effort, by manipulating data during this process).

The vulnerability has not yet been fixed. I had a phone call with some folks on the Emirates NBD Information Security team recently, and they assured me that Emirates NBD is working to get a fix out as soon as possible. I was also informed that the vulnerability is a low risk because it would be much more difficult to exploit in the UAE due to a difference in how Wi-Fi networks are usually configured (I would be very interested to understand more about how that would work, if anyone from the UAE happens to be reading this post).

“State Bank Anywhere” by State Bank of India (CVE-2017–5901)

Version 5.1.0 allowed a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to m.onlinesbi.com/middleware/MWServlet. Data confirmed as vulnerable to interception includes: username, as well as the password in the form of both an MD5 hash and a SHA1 hash.

The most recent version of the application has made it difficult to fully verify whether the vulnerability has been fixed or not, due to lack of a valid login. This may be investigated further in the future.

“Dollar Bank Mobile” by Dollar Bank (CVE-2017–5905)

Version 2.6.3 allows a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to online.dollarbank.com. Data confirmed as vulnerable to interception includes username and password.

The vulnerability has not yet been fixed.

“Great Southern Mobile Banking” by Great Southern Bank (CVE-2017–5907)

Version 3.0.1 allowed a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to gsbmobile.com. Data confirmed as vulnerable to interception includes username and password.

This vulnerability is fixed in version 4.0.4 and above.

“PayQuicker” by PayQuicker (CVE-2017–5902)

Version 1.0.0 allows a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to mobileapi.payquicker.com/account/summary/. Data confirmed as vulnerable to interception includes username and password.

The vulnerability has not yet been fixed.

“EFS Mobile Driver Source” by Electronic Funds Source LLC (CVE-2017–5909)

Version 2.5 allows a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to tch.com/axis2/services/CardManagementWS. Data confirmed as vulnerable to interception includes card number and PIN.

The vulnerability has not yet been fixed.

“Diabetes in Check: Blood Glucose & Carb Tracker” by Everyday Health, Inc (CVE-2017–5906)

Version 3.4.2 allows a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to secure.agoramedia.com/AuthenticationService/Auth.svc/AccountLogin. Data confirmed as vulnerable to interception includes username and password.

The vulnerability has not yet been fixed.

“Supermóvil” by Banco Santander Mexico SA — Mexico (CVE-2017–5911)

Versions 3.5 through 3.7 allow a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to supermovil.mx. Data confirmed as vulnerable to interception includes a parameter which translates as “client key” and is assumed to be sensitive, but this is inconclusive due to a language barrier (This application is in Spanish).

The vulnerability has not yet been fixed.

“FOREXTrader for iPhone” by FOREX.com (CVE-2017–5912)

Versions 2.9.12 through 2.9.14 allow a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to prodweb2.efxnow.com. Data confirmed as vulnerable to interception includes username and password.

The vulnerability has not yet been fixed.

“TradeKing Forex for iPhone” by TradeKing (CVE-2017–5913)

Version 1.2.1 allows a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to prodweb2.efxnow.com. Data confirmed as vulnerable to interception includes username and password.

The vulnerability has not yet been fixed.

“Banque Zitouna” by DOT IT (CVE-2017–5914)

Version 2.1 allows a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to www.banquezitouna.com/mobilebanking/. Data confirmed as vulnerable to interception includes username and password.

The vulnerability has not yet been fixed.

“America’s First FCU Mobile Banking” by America’s First Federal Credit Union (CVE-2017–5916)

Version 3.1.0 allows a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to command.onlinebank.com. Data confirmed as vulnerable to interception includes username and password.

The vulnerability has not yet been fixed.

“BCR Móvil” by Banco de Costa Rica (CVE-2017–5918)

Version 3.7 allows a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to movil.bancobcr.com. Data confirmed as vulnerable to interception includes username and password.

The vulnerability has not yet been fixed.

“21st Century Insurance” by 21st Century Insurance (CVE-2017–5919)

Version 10.0.0 allows a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to ws.farmersinsurance.com. Data confirmed as vulnerable to interception includes username and password.

The vulnerability has not yet been fixed.

“Indiana Voters” by Quest Information Systems (CVE-2017–XXXX)

Version 1.1.24 allows a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to insvrs-websvc.questis.com/MobileVoterReg/VoterRegistrationService/.

Due to the sensitive nature of this application, no testing was conducted to confirm the exact information vulnerable to interception/manipulation.

The vulnerability has not yet been fixed.

“Dolphin Web Browser –Fast Private Internet Search” by MoboTap Inc. (CVE-2017–XXXX)

Versions 9.23.0 through 9.23.2 allow a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to sen.dolphin-browser.com/api/2/user/auth. Data confirmed as vulnerable to interception includes username and password.

The vulnerability has not yet been fixed.

“Yo.” by Life Before Us, LLC (CVE-2017–XXXX)

Version 2.5.8 allows a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to api.justyo.co. Data confirmed as vulnerable to interception includes username, password, authentication token, as well as potentially sensitive data sent to their API (such as contact information).

The vulnerability has not yet been fixed.

“Radio Javan” by RADIO JAVAN INC. (CVE-2017–XXXX)

Versions 9.3.4 through 9.6.1 allow a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to rjvnapp.com. Data confirmed as vulnerable to interception includes username and password.

The vulnerability has not yet been fixed.

“ellentube” by Warner Bros. (CVE-2017–XXXX)

Versions 3.1.1 through 3.1.3 allow a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to api.ellentube.com. Data confirmed as vulnerable to interception includes username and a SHA1 hash of the password.

The vulnerability has not yet been fixed.

“Zipongo — Healthy Recipes and Grocery Deals” by Zipongo, Inc. (CVE-2017–XXXX)

Versions 6.1 and 6.2 allowed a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to api.zipongo.com. Data confirmed as vulnerable to interception includes username (e-mail address) and password.

This vulnerability is fixed in version 6.3 and above.

“Interval International” by Interval International (CVE-2017–XXXX)

Versions 3.3 through 3.5.1 allow a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to mobservices.intervalintl.com. Data confirmed as vulnerable to interception includes username and password.

The vulnerability has not yet been fixed.

“ShopWell — Healthy Diet & Grocery Food Scanner” by YottaMark, Inc. (CVE-2017–XXXX)

Versions 5.3.7 through 5.4.2 allow a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to www.shopwell.com. Data confirmed as vulnerable to interception includes username (e-mail address) and password.

Also worth noting: If the user is logged in, username and password are automatically transmitted upon the app being opened.

The vulnerability has not yet been fixed.

“PUMATRAC” by PUMA AG (CVE-2017–XXXX)

Version 3.0.2 allows a physically proximate attacker and/or an attacker in a privileged network position to intercept data transmitted to pumatracbackend.puma.com. Data confirmed as vulnerable to interception includes username and password.

The vulnerability has not yet been fixed.

Conclusion

Reporting these issues has been a mixed bag. It was disappointing to not hear back from a few companies after spending considerable time trying to hunt down contact details (Very difficult in some cases). However, some did send fast responses and the issue was addressed very quickly.

As I have looked further into the issue of data-in-transit integrity within mobile applications, and as I have now personally tested and confirmed over 250 apps in the App Store which are affected by this, I am not so sure if testing and reporting each is an effective solution to this growing problem. An app-based solution (including a 100% free version) is in the works in an attempt to mitigate this class of vulnerability and others, leveraging our analysis system and dataset, as we have been able to automatically flag which specific apps are vulnerable with very decent accuracy. Stay tuned, and feel free to add your e-mail address here if you have interest in this.

As always, feel free to ping me via twitter (chronic) regarding any questions about this post, or via e-mail (will.strafach@sudosecuritygroup.com) for business inquiries.
