On August 21, the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University released a MiTM analysis system called CERT Tapioca. CERT/CC is now using this tool to help address a rapidly growing problem that many researchers, myself included, have been taking note of.
There are many Android applications putting personal data in jeopardy due to improper SSL validation. SSL implementation problems exist in apps of all shapes, sizes and function, ranging from those with little sensitive data and few users to apps with millions of active users handling some of our most sensitive data, such as financial transactions and account login information.
There are in fact too many applications for even a well-staffed team of researchers to manually identify and report all of these issues in a reasonable time frame. Will Dormann, a CERT/CC researcher involved with Tapioca, has responded to this problem by developing an automated process that uses CERT Tapioca along with a virtualized Android environment to simulate application use and identify whether an app's communication channels are at risk.
His work has led to a spreadsheet listing several libraries and hundreds of applications prone to various SSL implementation problems. Deep in the list of vulnerable apps is one I rate as an extremely critical risk. The PHONE for Google Voice & GTalk application (com.moplus.gvphone) is a useful app which I had been using for more than a year before March 2014, when I noticed Google account credentials showing up in the logs from my VPN based SSL MiTM environment.
As it turns out, although parts of this application do in fact validate SSL certificates, the very critical piece of code which requests Google SID tokens did nothing to verify that it had received a legitimate Google certificate prior to sending credentials. This means that an attacker on the network path could intercept the Google credentials, as well as the returned session ID values, giving them access to any data associated with the account. Fortunately (for me), the compartmentalized approach to security I employ meant that the credentials for my ‘real’ Gmail account were never exposed.
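The class of defect described above, shown as an added illustration rather than the Mo+ app's own code (which is not on this page): the "trust everything" TrustManager and HostnameVerifier pattern that CERT Tapioca flags, beside a hardened variant that keeps the platform's default chain and hostname validation and additionally pins the SHA-256 hash of the server's SubjectPublicKeyInfo. The class name, method names, endpoint URL and pin value are assumptions for the example.

```java
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Hypothetical client illustrating the bug class; not the Mo+ app's source.
public class GoogleTokenClient {

    // VULNERABLE: accepts any certificate chain and any hostname. A rogue
    // access point presenting its own certificate completes the handshake
    // and reads whatever credentials the app then POSTs over the socket.
    static HttpsURLConnection openInsecure(String url) throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) {}
                public void checkServerTrusted(X509Certificate[] chain, String authType) {}
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        });
        return conn;
    }

    // HARDENED: no custom TrustManager or HostnameVerifier, so the platform
    // validates the chain and hostname; on top of that, the leaf certificate's
    // SubjectPublicKeyInfo hash must match a pin obtained out of band.
    static HttpsURLConnection openPinned(String url, String expectedSpkiSha256Hex) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.connect(); // TLS handshake with default validation happens here
        Certificate[] chain = conn.getServerCertificates();
        String actual = spkiSha256Hex(chain[0]);
        if (!actual.equalsIgnoreCase(expectedSpkiSha256Hex)) {
            conn.disconnect();
            throw new SSLPeerUnverifiedException("SPKI pin mismatch, got " + actual);
        }
        return conn; // safe to send the credential request on this connection
    }

    // SHA-256 over the DER-encoded SubjectPublicKeyInfo, as a lowercase hex string.
    static String spkiSha256Hex(Certificate cert) throws NoSuchAlgorithmException {
        byte[] spki = cert.getPublicKey().getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Usage: java GoogleTokenClient https://host/ [expected-spki-sha256-hex]
    // With one argument it prints the observed pin so it can be recorded;
    // with two it enforces the pin and exits non-zero on mismatch.
    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://www.google.com/"; // assumed endpoint
        if (args.length < 2) {
            HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
            conn.connect();
            System.out.println(spkiSha256Hex(conn.getServerCertificates()[0]));
            conn.disconnect();
            return;
        }
        HttpsURLConnection conn = openPinned(url, args[1]);
        System.out.println("pin verified, HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

Run behind CERT Tapioca (or any MITM proxy presenting its own CA), openInsecure completes the handshake silently, which is exactly the behaviour Tapioca records as a finding, while openPinned fails during connect() unless the proxy's CA has been installed on the device, and even then fails on the pin. Pinning only the leaf key breaks on certificate rotation, so a production app would pin the issuing CA's key or carry a backup pin.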
In general, I won’t use applications if they expect me to enter Google account credentials, since it is difficult to guarantee that the credentials are not uploaded to some shady developer. However, sometimes an app offers functionality I cannot find elsewhere, so I create a new Gmail account just for the app. This protected me but it may not be the case for the million plus other users who have downloaded the app.
Upon discovering this issue, I reached out to Mitre and the app developer (Mo+), but only received a response from Mitre who assigned CVE-2014-2566 on March 21, 2014. I later flagged the application in the Google Play store but to date I have not received a response from Mo+ or Google regarding the app, which according to CERT/CC was still vulnerable as of September 3, 2014.
Now that it is listed in the CERT/CC spreadsheet, the cat is out of the bag regarding this popular calling app. So, I would urge caution to anyone using the Mo+ PHONE for Google Voice and GTalk app. Due to the security risks, consumers should either remove or avoid the application entirely or limit use to ‘trusted’ networks only. Attackers can easily exploit this vulnerability with a WiFi Pineapple or an equivalent rogue access point.
I would also encourage anyone who is interested in testing the safety of a specific app to take a look at my VPN based SSL testing strategy, documented here: Configuring an SSL MITM Test Lab for Android.