
Zero-encryption zero-day – Android fitness app caught sending data in clear text

UPDATED An Android fitness app with nearly 70,000 active users is transmitting sensitive information in clear text, potentially leaving passwords and other sensitive data exposed as a result.

The as-yet unresolved flaw in VeryFitPro was discovered by security researchers at Trovent.

Trovent’s team discovered that the VeryFitPro mobile application performs all communication with the backend API via cleartext HTTP.

All manner of sensitive information including login, registration, and password change requests are open to eavesdropping and interception because of this lack of encryption, Trovent warns.

No response

Trovent contacted the developers of the app repeatedly after discovering the issue in May, but without success.

After failing to get a response, Trovent went public with its findings in a technical blog post.

The post includes evidence of the issues with the app, namely a TCP packet capture showing a login request including password hash and username in clear text.
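The packet capture Trovent published is exactly the kind of evidence a tester looks for: an HTTP request whose body carries an account identifier and a password (or password hash) with no TLS in front of it. As an added illustration, not code from Trovent or from The Daily Swig, the Python below takes a raw TCP payload as it would be pulled from such a capture, parses it as an HTTP/1.x request, and flags any credential-looking fields in a JSON or form-encoded body. A TLS connection never parses as HTTP (its records begin with 0x16 0x03), so the same check passes an HTTPS login. The two request payloads and the host api.example.com are constructed for this example and are not the app's real traffic or backend.

```python
"""Flag cleartext credential submissions in captured TCP payloads (added example)."""
import json
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

# Heuristic field names; assumption, tune for the API under test.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "pw", "token", "secret"}
IDENTITY_FIELDS = {"username", "user", "email", "login", "account"}


@dataclass
class Finding:
    host: str
    path: str
    identity: Optional[str]
    credential_fields: list


def parse_http_request(payload: bytes) -> Optional[dict]:
    """Parse a raw HTTP/1.x request. Returns None for anything else,
    including TLS records, so an HTTPS login is never reported."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    m = re.fullmatch(r"([A-Z]+) (\S+) HTTP/1\.[01]", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return {"method": m.group(1), "path": m.group(2), "headers": headers, "body": body}


def extract_fields(req: dict) -> dict:
    """Flatten a JSON or form-encoded body into lowercase field -> value."""
    ctype = req["headers"].get("content-type", "")
    body = req["body"]
    if "json" in ctype:
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        if not isinstance(data, dict):
            return {}
        return {str(k).lower(): str(v) for k, v in data.items()}
    if "x-www-form-urlencoded" in ctype:
        return {k.lower(): v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return {}


def find_cleartext_credentials(payload: bytes) -> Optional[Finding]:
    """Return a Finding if the payload is an HTTP request carrying credentials."""
    req = parse_http_request(payload)
    if req is None:
        return None
    fields = extract_fields(req)
    creds = sorted(k for k in fields if k in CREDENTIAL_FIELDS)
    if not creds:
        return None
    identity = next((fields[k] for k in IDENTITY_FIELDS if k in fields), None)
    return Finding(req["headers"].get("host", "?"), req["path"], identity, creds)


# Constructed samples (not real traffic): a JSON login, a form login, a TLS ClientHello.
JSON_LOGIN = (
    b"POST /api/login HTTP/1.1\r\nHost: api.example.com\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"email":"alice@example.com","password":"5f4dcc3b5aa765d61d8327deb882cf99"}'
)
FORM_LOGIN = (
    b"POST /login HTTP/1.1\r\nHost: api.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"username=alice&passwd=5f4dcc3b5aa765d61d8327deb882cf99"
)
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32

if __name__ == "__main__":
    for name, sample in ("json", JSON_LOGIN), ("form", FORM_LOGIN), ("tls", TLS_HELLO):
        print(name, find_cleartext_credentials(sample))
```

Run against a capture by feeding each reassembled client-to-server TCP stream to find_cleartext_credentials; a non-empty result for a login, registration, or password-change endpoint is the finding Trovent describes. Note that an MD5 hash in the password field does not change the verdict: an eavesdropper can replay the hash to the same API.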

The Daily Swig attempted to contact Shenzhen DO Intelligent Technology – the China-based developer of VeryFitPro – for comment, so far without success. We’ll update this story as and when more information comes to hand.

In the absence of a security update, Trovent’s recommended fix is for the app to use HTTPS exclusively when sending sensitive data to and from its backend.

A representative of Germany-based Trovent told The Daily Swig that the issues with VeryFitPro were indicative of lax security practices in the wider wearables market.

“During our ongoing security research process we are looking for security and data privacy issues in health apps and devices (wearables),” Stefan Pietsch, team lead penetration testing at Trovent, explained. “There is a whole bunch of applications that handle valuable health data and from our experience security standards are not met or don’t receive sufficient attention during the development (and software maintenance) process.”

The current version (3.3.0) of the Android app still sends the data via plain HTTP without encryption, Trovent confirmed on Tuesday.

This story has been updated to add comment from security researchers at Trovent.

Source: https://portswigger.net/daily-swig/zero-encryption-zero-day-android-fitness-app-caught-sending-data-in-clear-text
