Project 11x: Stealing Credentials from an Android App with a SSL MITM Attack (15 pts.)

Background

The companies that make these apps were been notified long ago by CERT of this problem, but have failed to update their apps. This, in my opinion, makes them fair game for public humiliation.

Here are details of the CERT test and notification, from 9/3/2014:

Finding Android SSL Vulnerabilities with CERT Tapioca

This spreadsheet from CERT shows many vulnerable apps.

Android apps that fail to validate SSL

What You Need for This Project

The Android security auditing environment you prepared in Project 1x: a Genymotion virtual Android device with the Google Play Store running through the Burp proxy.

Background

Here we will perform a very simple MITM attack using the Burp proxy and an untrusted certificate.

In a sane world, we'd have to use a special, poorly-written test app to demonstrate such a serious vulnerability. However, we'll use a real app, from a company that was warned long ago about this by CERT and who just ignored the warning and continued to endanger their customers.

Task 1: Configuring a Normal HTTPS Proxy

Testing your Proxy

This page should load without any error messages. If you see errors saying the certificate is untrusted, install the PortSwigger certificate as explained in project 1x.

In Burp, on the Proxy tab, on the "HTTP history" sub-tab, you should see https://samsclass.info, as shown below.

Troubleshooting If you see no HTTP history entries at all, check Project 1x for the instructions to set a proxy server inside Genymotion. If you see some HTTP history entries, but not https://samsclass.info, make sure the "Filter" bar near the top of the Burp HTTP History window shows the "Showing all items" message. If it does not, click it and click the "Show all" button.

Task 2: Installing a Vulnerable App In your Genymotion Android device, open Google Play.

When I prepared this project, "Snap Secure" was vulnerable. However, in response to publicity about this class project, they fixed their app.

So choose one of these apps to install instead:

Start the app. Log in.

Enter these fake credentials, replacing "YOURNAME" with your own name. Don't use any spaces in your name.:

Email: YOURNAME@ccsf.edu

Password: YOURNAME-secret-password

The credentials are rejected, which is OK--what matters for us is how they were transmitted to the server.

In Burp, examine the HTTP History. You should find a GET request to a snapone.com server containing your username and password, as shown below.

This is normal HTTPS interception by a trusted proxy, and does not demonstrate any security problem.

Saving the Screen Image

YOU MUST SUBMIT A FULL-DESKTOP IMAGE FOR FULL CREDIT

Save a screen image with the filename Proj 11xa from Your Name.

Task 3: Uninstalling the PortSwigger Certificate

The PortSwigger certificate appears, as shown below.

Click PortSwigger. A "Security certificate" page opens.

Scroll to the bottom and click the Remove button, as shown below. Click OK.

Click Home. Open the Web browser. In the URL bar, retype https://samsclass.info and press Enter.

A "Security warning" box appears, as shown below. This indicates that the browser is properly implementing SSL security and detecting the MITM attack that Burp is performing.

Task 4: MITM Attack

In the Genymotion device, in the vulnerable app, sign in again, using these credentials, replacing "YOURNAME" with your own name. Don't use any spaces in your name.:

Email: YOURNAME2@ccsf.edu

Password: YOURNAME2-secret-password

This is VERY WRONG. Burp is intercepting and opening HTTPS traffic with an untrusted certificate, and the app is ignoring it.

Saving the Screen Image

YOU MUST SUBMIT A FULL-DESKTOP IMAGE FOR FULL CREDIT

Save a screen image with the filename Proj 11xc from Your Name.

Turning in Your Project

Email the image to cnit.128sam@gmail.com with a Subject line of Proj 11x from Your Name.

Sources

Android apps that fail to validate SSL

snap secure