John Leyden on June 22, 2021 at 13:33 UTC
Updated: 22 June 2021 at 14:10 UTC
VeriFitPro flaw is decidedly unhealthy for user privacy
An Android fitness app with nearly 70,000 active users is transmitting sensitive information in clear text, potentially exposing passwords and other personal data to anyone able to observe its network traffic.
An as yet unresolved flaw in VeriFitPro was discovered by security researchers from Trovent.
Trovent’s team found that the VeriFitPro mobile application performs all communication with its backend API over cleartext HTTP.
Trovent warns that all sensitive information, including login, registration and password change requests, is sent unencrypted and is therefore open to interception by anyone on the network path.
Trovent discovered the problem in May and repeatedly contacted the developers of the app, but without success.
After failing to receive a response, Trovent went public with its findings in a technical blog post.
The post includes evidence of the problem: a TCP packet capture showing the login request, with the username and password hash visible in clear text.
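The capture described above is the whole attack: anyone positioned on the path between the handset and the API can read the request bytes and lift the credential out of them. The following is an added example, not code from The Daily Swig article or from Trovent’s advisory, of a minimal passive parser that does exactly that over constructed sample payloads. The host, endpoints, parameter names and values are hypothetical and are not taken from VeriFitPro; the third sample shows what the same observer is left with once the traffic is carried over TLS.

```python
"""
Added example, not code from The Daily Swig article or from Trovent's advisory:
a passive parser showing what an on-path observer recovers from a cleartext
HTTP login request of the kind Trovent captured. Host, endpoints, field names
and values are constructed for illustration and are not VeriFitPro's.
"""
import json
from urllib.parse import parse_qs

# Parameter names an observer would flag as credentials (hypothetical list).
SENSITIVE_FIELDS = {
    "username", "user", "email", "password", "pass", "pwd",
    "password_hash", "old_password", "new_password", "token",
}


def build_post(path: str, content_type: str, body: bytes) -> bytes:
    """Assemble a constructed HTTP/1.1 POST; used only to build sample payloads."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: api.example.invalid\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode("ascii") + body


# Constructed sample TCP payloads. The "hash" is MD5("password"), chosen to
# show that a client-side hash sent in the clear is still the credential.
SAMPLE_LOGIN = build_post(
    "/api/v1/user/login", "application/x-www-form-urlencoded",
    b"username=alice%40example.invalid&password=5f4dcc3b5aa765d61d8327deb882cf99",
)
SAMPLE_PASSWORD_CHANGE = build_post(
    "/api/v1/user/password", "application/json",
    json.dumps({"old_password": "5f4dcc3b5aa765d61d8327deb882cf99",
                "new_password": "e10adc3949ba59abbe56e057f20f883e"}).encode(),
)
# What the same observer sees once the app talks HTTPS: the opening bytes of a
# TLS handshake record (constructed header only, not a full ClientHello).
SAMPLE_TLS_RECORD = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"


def parse_http_request(raw: bytes):
    """Return (method, path, headers, body) for one HTTP/1.x request, else None."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("ascii", "replace")
        headers[key] = value.strip().decode("utf-8", "replace")
    try:
        length = int(headers.get("content-length", len(body)))
    except ValueError:
        length = len(body)
    return (parts[0].decode("ascii", "replace"),
            parts[1].decode("ascii", "replace"), headers, body[:length])


def extract_fields(headers: dict, body: bytes) -> dict:
    """Decode a form-encoded or JSON body into a flat name -> value mapping."""
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        return {k: v[0] for k, v in parse_qs(body.decode("utf-8", "replace")).items()}
    if ctype.startswith("application/json"):
        try:
            data = json.loads(body.decode("utf-8", "replace"))
        except ValueError:
            return {}
        return {k: str(v) for k, v in data.items()} if isinstance(data, dict) else {}
    return {}


def credentials_from_payload(raw: bytes) -> dict:
    """Credential fields readable from one payload; {} if none or not cleartext HTTP."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return {}
    _method, _path, headers, body = parsed
    return {k: v for k, v in extract_fields(headers, body).items()
            if k.lower() in SENSITIVE_FIELDS}


def sweep_stream(payloads) -> list:
    """Return (path, credentials) for every payload in a capture that leaks them."""
    leaks = []
    for raw in payloads:
        creds = credentials_from_payload(raw)
        if creds:
            leaks.append((parse_http_request(raw)[1], creds))
    return leaks


if __name__ == "__main__":
    for path, creds in sweep_stream([SAMPLE_LOGIN, SAMPLE_TLS_RECORD, SAMPLE_PASSWORD_CHANGE]):
        print(path, creds)
```

Two points the sample makes that the paragraph alone does not. First, hashing the password on the client changes nothing here: the hash is the value the server accepts, so whoever captures it can replay the login without ever learning the password. Second, the TLS sample yields nothing to this parser, which is the whole argument for transport encryption. On Android 9 (API level 28) and later, cleartext traffic is blocked by default, so an app that still sends plain HTTP has opted in, either via android:usesCleartextTraffic in its manifest or a network security config with cleartextTrafficPermitted="true"; removing that opt-in and pointing the client at an HTTPS endpoint is the fix this class of finding calls for.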
The Daily Swig tried contacting Shenzhen DO Intelligent Technology, the China-based developer of VeriFitPro, for comment, so far without success. We will update this story when more information is available.
In the absence of a security update, Trovent’s recommendation is that applications use HTTPS exclusively when sending sensitive data to and from the backend.
A representative from Germany-based Trovent told The Daily Swig that VeriFitPro’s issues were indicative of lax security practices in the wider wearables market.
“During our ongoing security research process we are exploring security and data privacy issues in health apps and devices (wearables),” explained Stefan Pietsch, team lead penetration testing at Trovent. “There are a whole bunch of applications that handle valuable health data and from our experience don’t meet security standards or get enough attention during the development (and software maintenance) process.”
The current version (3.3.0) of the Android app still sends data via plain HTTP without encryption, Trovent confirmed on Tuesday.
This story has been updated to add comments from security researchers.