In my last post I wrote a very brief how-to on how to Capture Traffic from Smart Devices with Fiddler by making it a network proxy. I did just that, and the results for a few apps have upset me, mainly because they exposed not only my password and user ID but also the content that I upload or download. Not good!
Above is me logging into an application, later followed by my download of content stored on the device. What was shocking at first is that the logon process is all over HTTP, along with all of the communication between my smartphone and the remote server. A man in the middle would love this.
In the /auth_client URL, my password along with my email address (user ID) was exposed and could be seen clear as day.
And then the image I downloaded could be captured by the network peeping Tom.
So thinking about this more… How many of us use the same passwords for various services online? If one is captured, the would-be ‘smart guy’ hacker could use the information they gathered here, the email address (logon info) and password, and attempt to use them on other known sites. If you are one to use the same password and user ID everywhere, then you would have been compromised along with your data.
I am not an app developer, but I do read up on the guidelines, and it’s clear that many developers are not taking this into consideration when pumping out their apps to the marketplace for us to use.
And while SSL helps, the application also needs to validate the SSL certificate. Some applications do require SSL to be used, but they don’t necessarily care whether the certificate is theirs or the self-signed certificate of a would-be hacker. The true test is to force the application to take an SSL cert that isn’t from an authority it knows (self-signed). If it rejects this then you’re good to go; otherwise you are taking a big risk in using that application on networks unknown to you.
More so, if you want security then perhaps you (I included) need to use VPN technology on the smart device to ensure the security and the integrity of the data we value.
This is just one of a few examples I have found. I hope this sparks you to look for others as I have, and perhaps reach out to the developers to make the necessary change to protect us all.