Hacking Mandated Apps – Part 4: How NOT to implement SSL [ MSTG‑NETWORK‑2 ]

This blog post series describes identified flaws in Smart Sheriff, a mandated app, see Intro for background. Please note this work was coordinated with human right activists, vulnerabilities reported to the vendor, etc. Previous blog posts you might have missed and maybe you would like to read first for background:

The OWASP Mobile Application Security Verification Standard classifies the flaw explained in this blog post, under section V5: Network Communication Requirements, as follows:

MSTG‑NETWORK‑2: The TLS settings are in line with current best practices, or as close as possible if the mobile operating system does not support the recommended standards.

Detailed information and steps to test for this kind of issue can be found in the OWASP Mobile Security Testing Guide:

How did MOIBA fix the lack of SSL / TLS?

As we saw in the previous blog post, the first time we tested the application it was not using TLS at all, all communications were clear-text HTTP, on an app supposed to protect children.

So, what did we find the second time?

File:

smartsheriff/ui/m.java

Affected Code:

public final void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler, SslError paramSslError)
{
paramSslErrorHandler.proceed();
}

File:

smartsheriff/d/c.java

Affected Code:

final class c
implements HostnameVerifier
{
public final boolean verify(String paramString, SSLSession paramSSLSession)
{
return true;
}
}

So, now we have:

1: An onReceivedSslError handler that proceeds regardless of the SSL error

2: A hostname verifier that always returns true, regardless of the hostname in an SSL certificate.

This means that, even though the application was using SSL now, it was ignoring all SSL certificate errors! Effectively this is almost the same as using clear-text HTTP: An attacker with a self-signed certificate would be able to MitM network communications.

This finding corresponds to the second round of testing we did on Smart Sheriff:

SMS-02-008​​ ​​Mobile​​ ​​app​​ ​​error​​ ​​handlers​​ ​​are​​ ​​setup​​ ​​to​​ ​​ignore​​ ​​all​​ ​​SSL​​ ​​errors​​ ​​​​(High)

Hack Smart Sheriff to pieces with us!

NOTE: Attendants will get lifetime access to our training portal with:
– Unlimited course updates & Step-by-step lab video recordings
Lots of real-world apps to practice with, such as:
  + Government-mandated and police apps in various countries
  + Many other excitingly vulnerable real-world apps!
  + IoT apps controlling Toys, Drones, etc.

Cannot make it? ping sales@7asecurity.com for training portal access.

Recorded Talk 4: DeepSec

I believe the fourth time Fabian and myself presented this was at DeepSec. As this was after the summer, at this stage Fabian had done more research about Smart Dream and other similar apps at Citizen lab and more information was public by then:

Next blog post:

Hacking Mandated Apps – Part 5: RCE in WebView [ MSTG-PLATFORM-7 ]