viaForensics has recently tested the popular Any.DO mobile app for Android and discovered multiple security vulnerabilities.
Responsible disclosure: We contacted the developer in accordance with our responsible disclosure policy via multiple channels including email and twitter, several times over the preceding six weeks (see section 2.6). Receiving no response, we are releasing our security findings so that consumers can take steps to protect their data if they so choose.
Security Findings: Any.DO for Android
Versions Tested: v2.25, v2.26
Significant Findings (OWASP Mobile Top Ten, MITRE CWE):
- Vulnerable to Man-in-the-Middle attack (M3, 295)
- Stores password in plain text (M1, 256)
- Stores sensitive user data in plain text (M1, 313)
All testing was completed using viaLab, which enables accelerated mobile app security analysis. viaLab tested all data transmitted and stored by Any.DO to identify any sensitive data at risk. Data exposure in a mobile application can place consumers at risk for financial or identity theft.
The following sections provide additional details on our testing process.
1. Overview of the Any.DO application
Any.DO is a mobile application for both the iOS and Android platforms and can be found in both the App Store and the Play Store.
Any.DO is a business and personal calendar tool which allows users to input tasks to be completed. Those tasks can include locations of where the tasks are (e.g. a specific grocery store or restaurant), time and date stamps, and contacts that are invited to the task, among others.
The application has over one million downloads in the Google Play store with a four and a half out of five star rating on nearly 50,000 reviews. It also has nearly 2,500 reviews in the iTunes store with an overall rating of four and a half stars as well.
Any.DO versions 2.25 and 2.26 were tested on a Google Nexus running Android 4.0.4. (For analysis purposes the Android is rooted, though not all of the tests executed require escalated device privileges.)
The Any.DO application allows a user to either create an account with Any.DO or sign in with Facebook. After signing in, a user can create tasks, set dates, times, and locations for those tasks, invite friends and contacts to those tasks, sync their data with Google Chrome, and more. Below is the Any.DO login screen on our test iPhone.
2. Security Testing Any.DO
There are a number of ways to attack a mobile application due to the extensive mobile attack surface. viaForensics has extensive experience performing mobile security testing on behalf of clients, and also for purposes of research and public benefit. An example of our prior research can be found in our 2011 Mobile App Security Study.
We have recently accelerated the process of mobile app security testing with the creation of viaLab, which provides low-level analysis, security test automation and reporting. viaLab was used for all testing reported in this disclosure.
The following sections will walk through the process of testing Any.DO for Android using viaLab, as well as the security findings discovered.
2.1 Any.DO Setup
The same data was populated on both the iOS and Android versions of Any.DO, including the username, password, keywords, and tasks created. That data is as follows:
- Username: viaforensics513test
- Email: [email protected]
- Password: t3$t1ng5522##
- Keywords:juice, Brian, kids, 3:00, Oak
This data was entered during data population portion of the viaLab testing, as seen in the figure below. viaLab then searched data recovered during the various tests for this data. Results will be shown below.
2.2 Application Data Recovered
The application was then used to login as a registered user. After logging into the applications, user data was populated, including the tasks “Get juiceî at 7:00 PM, “Pick up the kidsî at 5:00 PM, and “Stop by BrianÍs – 1000 lake st. oak parkî at 3:00 PM.
RESULT: Forensic data analysis is able to locate app data stored on the mobile device. In this analysis of Any.DO for Android, viaLab found the username, password, and keywords in the /databases/data folder.
2.3 Network Security Testing of Any.DO
Network Data Capture
While populating this data, viaLab was actively capturing all network traffic transmitted to and from the device. We then use viaLab to search the traffic for the username, password, and keywords in the resulting pcap files. In addition to plain text, viaLab is also able to locate encoded or hashed versions of the search terms.
RESULT: Significant data was not discovered in the regular packet capture of the Any.DO login on Android, which demonstrated that the app is encrypting the traffic.
During a Man-in-the-Middle (MITM) attack, traffic is intercepted and a spoofed certificate is presented to the client to impersonate the server. When successful, the MITM attack can convince the client to disclose login credentials (username/password) and other data to the attacker, since the attack allows communication between client and server to be intercepted and read unencrypted. The MITM attack is executed on a controlled Wi-Fi network access point, and during the attack network traffic is captured for analysis.
RESULT: Any.DO failed the MITM attack on Android. The screenshot below from the viaLab report shows the username and password that were intercepted. A plain text username, password, keyword, or combination of those were found in the packets captured during the MITM attack test.
Using the “Log in with Facebookî option on the Android version of Any.DO, the application passed a MITM attack, as no significant data was recovered.
SSL Strip Attack
SSL Strip is a tool which is based on the MITM attack, and attempts to downgrade all HTTPS links to HTTP in order to allow the encrypted data to be viewed in plain-text. Using this method, sensitive information passed through the application could potentially be recovered.
RESULT: The SSL Strip attack against app login did not intercept sensitive user data (username, password, and keywords). Likewise, using the “Log in with Facebookî option on the Android version of Any.DO, the application passed a SSL Strip attack, as no significant data was recovered.
2.4 Memory Analysis
viaLab performs analysis of device memory (RAM) and exposure of sensitive data related to the target app.
RESULT: In this case the userÍs Any.DO username, password, and keywords were discovered in memory. The screenshot below contains a sample of the data recovered from the Android memory dump.
2.5 Summary of Any.DO Security Testing
The most significant findings in this analysis are the failure to properly validate SSL, which leaves the user vulnerable to Man-in-the-middle attacks, as well as the storage of user passwords in plain text. The data discovered in plain text in the Any.DO application – usernames, tasks, dates, times, emails, task data, and especially passwords – can also present a significant security risk to users. The specific weaknesses found are related above to both OWASP Mobile Top Ten and MITRE CWE risks.
The security tests described in this analysis, including network capture, Man-in-the-middle, forensic data analysis and memory analysis, are all automated in viaLab. Companies can protect their users and their reputation by properly assessing the security of mobile apps they develop, as well as third-party apps in use by their enterprise.
2.6 Disclosure Timeline
2013-01-30: Initial vulnerabilities discovered
2013-02-11: Confirmed all findings internally
2013-02-11: Emailed feedback [at] any [dot] do (17:12 CST)
2013-02-11: Emailed Any.DO CEO Omer (21:55 CST)
2013-03-08: Tweet to @AnyDO (13:08)
2013-03-08: Emailed Any.DO Feedback and CEO (17:38 CST)
2013-03-26: Public disclosure by viaForensics