Posts Tagged ‘App’

Insecure Data Request/Response from Quidco RPC

September 13, 2011

I recently reported some Data Protection and Privacy issues with the Quidco app for Android, and wanted to have an in-depth look at the Client/Server data sent by the app.

Packet Capture

With the newly installed tcpdump facility, I was able to capture the network traffic from my handset and watch the Quidco app for Android send a request to the remote server and receive data back. This happens when you log-in, when you check-in, when the app wants to load your personal details and display your cash-back history.

Pretty standard stuff, nothing out of the ordinary, nothing unexpected.

The problem is not what’s being sent, but how. The communication between the server and the handset is not secured – the data is sent by the server over the internet as plain-text, and includes your email, postcode, real name, date of birth and IMEI.

JSON-RPC

JSON, or JavaScript Object Notation, is a lightweight text-based open standard designed for human-readable data interchange.
The JSON format is often used for serializing and transmitting structured data over a network connection. It is used primarily to transmit data between a server and web application.

http://en.wikipedia.org/wiki/JSON

JSON-RPC lets the Quidco app make requests to the remote server in a defined way, as named procedure calls. Procedures observed in the analysis of the packet capture include getNearbyDeals and getUserDetails.
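To make the request/response shape concrete, here is an added example (not code from the post or from Quidco) that builds a JSON-RPC request for one of the procedures named above, parses a response, and lists which personal fields a response would expose if it travelled over plain HTTP. The parameter names (lat, lon), the JSON-RPC 2.0 envelope, the field names and the sample response are all assumptions; the post only tells us that email, postcode, real name, date of birth and IMEI were returned in clear text.

```python
import json

# Key names are assumed for this example; the real Quidco field names are
# not given in the post. They stand in for the data it says was exposed.
SENSITIVE_KEYS = {"email", "postcode", "firstname", "lastname", "dob", "imei"}


def build_request(method, params, request_id=1):
    """Serialise a JSON-RPC request (2.0 envelope assumed).

    getNearbyDeals and getUserDetails are the procedures seen in the
    capture; the parameter names are assumed."""
    return json.dumps({"jsonrpc": "2.0", "method": method,
                       "params": params, "id": request_id})


def parse_response(raw):
    """Decode a JSON-RPC response into (id, result); raise on an RPC error."""
    msg = json.loads(raw)
    if msg.get("error") is not None:
        raise RuntimeError(f"RPC error: {msg['error']}")
    return msg.get("id"), msg.get("result")


def exposed_fields(result, prefix=""):
    """Walk a decoded result and return dotted paths of sensitive keys."""
    found = []
    if isinstance(result, dict):
        for key, value in result.items():
            path = f"{prefix}.{key}" if prefix else key
            if key.lower() in SENSITIVE_KEYS:
                found.append(path)
            found.extend(exposed_fields(value, path))
    elif isinstance(result, list):
        for i, value in enumerate(result):
            found.extend(exposed_fields(value, f"{prefix}[{i}]"))
    return found


def audit_plaintext_response(scheme, raw):
    """Sensitive paths carried over a non-TLS scheme (empty for https)."""
    _, result = parse_response(raw)
    return exposed_fields(result) if scheme != "https" else []


# Constructed sample response, not a real capture.
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 2,
    "result": {"user": {"firstname": "Jane", "email": "jane@example.invalid",
                        "postcode": "AB1 2CD", "dob": "1980-01-01"},
               "device": {"imei": "000000000000000"}},
})

if __name__ == "__main__":
    print(build_request("getNearbyDeals", {"lat": 51.5, "lon": -0.12}))
    for path in audit_plaintext_response("http", SAMPLE_RESPONSE):
        print("sent in clear text:", path)
```

The audit is deliberately keyed on the URL scheme rather than on the body: the body is the same whether or not the channel is encrypted, which is exactly why inspecting the payload alone does not tell you whether the data was protected in transit.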

Wireshark Analysis

The capture file is loaded into Wireshark, where it can be displayed and reconstructed.
One function reorders the segments of a selected TCP stream and displays its request and response as ASCII.

Reconstruct A TCP stream with Wireshark
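What that Wireshark function does under the hood is TCP reassembly: put the segments of one stream back in sequence-number order, drop retransmissions, and render each direction as text. The following is an added example, not part of the post, that performs the same reconstruction over a handful of constructed segments (addresses, ports, sequence numbers and payloads are all made up; the segment list is shuffled and contains a duplicate to show the ordering and de-duplication).

```python
from dataclasses import dataclass
from random import Random


@dataclass(frozen=True)
class Segment:
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments, src, dst):
    """Rebuild one direction of a TCP stream.

    Segments are ordered by sequence number, exact retransmissions are
    dropped, overlapping bytes are trimmed, and any hole is recorded.
    Returns (data, gaps) where gaps is a list of (expected_seq, actual_seq)."""
    direction = sorted((s for s in segments if s.src == src and s.dst == dst),
                       key=lambda s: s.seq)
    data, gaps, next_seq = bytearray(), [], None
    for seg in direction:
        if next_seq is None:
            next_seq = seg.seq
        payload, seq = seg.payload, seg.seq
        if seq < next_seq:                      # overlaps data we already have
            overlap = next_seq - seq
            if overlap >= len(payload):
                continue                        # pure retransmission
            payload, seq = payload[overlap:], next_seq
        if seq > next_seq:                      # missing segment in the capture
            gaps.append((next_seq, seq))
        data.extend(payload)
        next_seq = seq + len(payload)
    return bytes(data), gaps


def follow_stream(segments, client, server):
    """Wireshark-style 'follow': both directions decoded as printable ASCII."""
    request, _ = reassemble(segments, client, server)
    response, _ = reassemble(segments, server, client)
    return request.decode("ascii", "replace"), response.decode("ascii", "replace")


def _chain(src, dst, start_seq, chunks):
    """Build consecutive segments so sequence numbers line up with payload sizes."""
    segs, seq = [], start_seq
    for chunk in chunks:
        segs.append(Segment(src, dst, seq, chunk))
        seq += len(chunk)
    return segs


# Constructed capture: a JSON-RPC call over plain HTTP, shuffled, with one
# retransmitted client segment. None of this is real Quidco traffic.
CLIENT, SERVER = "10.0.0.2:40001", "203.0.113.5:80"
_client_segs = _chain(CLIENT, SERVER, 1000, [
    b"POST /rpc HTTP/1.1\r\nHost: rpc.example.invalid\r\n\r\n",
    b'{"method":"getUserDetails","params":[],"id":1}',
])
_server_segs = _chain(SERVER, CLIENT, 9000, [
    b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n",
    b'{"result":{"email":"jane@example.invalid"},"id":1}',
])
CAPTURE = _client_segs + _server_segs + [_client_segs[0]]   # duplicate = retransmit
Random(7).shuffle(CAPTURE)

if __name__ == "__main__":
    req, resp = follow_stream(CAPTURE, CLIENT, SERVER)
    print(req)
    print(resp)
```

Real captures also carry SYN/FIN flags, relative sequence numbers and wraparound; Wireshark handles those, this example only shows the ordering logic that makes the plain-text request and response readable.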

getNearbyDeals

The function takes several arguments, including the user's latitude and longitude, and returns data on the deals close by.

getUserDetails

Evil Twin Attack

Being a mobile app designed to be used out and about, there is every chance the end user will connect to a WIFI hotspot, for example Openzone, when they want to check in at a store or search for nearby deals.

An ‘Evil Twin’ is a hotspot with the same name as a legitimate one, but which is set up by criminal entities to harvest personal data, log-in or banking details. The Guardian ran a story about it. It’s all to do with the way your handset will automatically connect to a WIFI network based on its SSID, or name.

Firesheep was a proof-of-concept plug-in for the Firefox browser which allowed trivial Facebook session hijacking on insecure networks. Now there is a native Android app, FaceNiff, which claims to do a similar job.

Disclosure

The developers of the app were contacted regarding the insecure client/server communication, and the app has now been updated to v1.0.4 to address this issue.

Wireshark analysis of traffic captured from version 1.0.4 shows that all request/response traffic is now made over HTTPS.

The main idea of HTTPS is to create a secure channel over an insecure network. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks.

http://en.wikipedia.org/wiki/HTTP_Secure

v1.0.4 Application Traffic Secured with HTTPS
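The check behind that screenshot, "does every connection the app opens start with a TLS handshake rather than an HTTP request?", can be automated as a regression test for future releases. Below is an added example, not from the post or from Quidco, that classifies a flow from the first bytes the client sends: a TLS session begins with a record header whose content type is 0x16 (handshake) and whose version major byte is 0x03, while a plain HTTP request begins with a method token. The flow records and their bytes are constructed; the first set stands in for the pre-fix traffic, the second for v1.0.4.

```python
HTTP_METHODS = {b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS", b"PATCH"}


def classify_payload(first_bytes):
    """Label the first client payload of a TCP flow.

    TLS: record type 0x16 (handshake), version 0x03xx, handshake type 0x01
    (ClientHello) at offset 5. HTTP: the payload starts with a method token."""
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls-client-hello"
    token = first_bytes.split(b" ", 1)[0]
    if token in HTTP_METHODS:
        return "http-plaintext"
    return "unknown"


def release_check(flows):
    """Return every flow that did NOT start with a TLS ClientHello.

    An empty list means each connection in the capture was protected, which
    is what the post reports for v1.0.4. Port numbers are reported but not
    trusted: the bytes decide, so HTTP on port 443 is still flagged."""
    findings = []
    for flow in flows:
        label = classify_payload(flow["first_bytes"])
        if label != "tls-client-hello":
            findings.append((flow["dst"], flow["port"], label))
    return findings


# Constructed flow records (what you would pull out of a capture per
# connection: destination, port, first client payload). Not real traffic.
PRE_FIX_FLOWS = [
    {"dst": "203.0.113.5", "port": 80,
     "first_bytes": b"POST /rpc HTTP/1.1\r\nHost: rpc.example.invalid\r\n"},
]
V104_FLOWS = [
    # Start of a TLS 1.0 record carrying a ClientHello (TLS 1.2 inside).
    {"dst": "203.0.113.5", "port": 443,
     "first_bytes": bytes.fromhex("16030100c8010000c40303")},
]
MIXED_FLOWS = V104_FLOWS + [
    {"dst": "203.0.113.5", "port": 443,            # HTTP sent to the TLS port
     "first_bytes": b"GET /health HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for name, flows in (("pre-fix", PRE_FIX_FLOWS), ("v1.0.4", V104_FLOWS)):
        print(name, release_check(flows) or "all flows start with TLS")
```

Seeing a ClientHello in the capture proves the channel is encrypted; it does not prove the client verifies the server's certificate. That verification is what actually defeats the man-in-the-middle case from the Evil Twin section, and it can only be confirmed by testing the app against a server presenting an untrusted certificate, not by reading a capture.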

Quidco App for Android is out of Beta!

September 8, 2011

The Quidco App for Android has finally lost its Beta status, and version 1.1.0 is now available from the Android Market, or visit Quidco.com/app.
If you’re not already a Quidco member, read my post and sign up!

v1.1.0

Quidco app for Android is released!

So the Quidco app moves from this early Beta to a full release version, and quickly on to v1.0.2 – although the What’s New tab on the web-based Android Market says nothing has changed, the Recently Changed section on the mobile version of the Market shows crash fixes.

Using The Quidco App

Sign Up Or Sign In

Load the app, and you will be asked to sign in with your Quidco details, or to join the Quidco service.
The first time you sign in, you will be asked to enable Location Sources – both Network and GPS are required for full functionality.

Location

If you choose not to enable your location, you can still choose from a general list of places.

Device Association

Again, the very first time you run the app you will be asked to associate your device with your Quidco account.
You have to enter the code exactly – if you enter it incorrectly, you will be given several more attempts. If you appear to be stuck, make sure your keyboard doesn’t automatically capitalise the first letter.

If you sign out, it will not ask you to associate again when you sign-in.

Nearby Deals

Click Nearby to be shown a list of deals and in-store cashback offers ordered by distance from location.

At the top, select Map to be taken to a fully interactive Google map with each deal shown as a pin. Click one of the pins to be given the deal’s name, and again to view the full details.

The Pizza Hut deal for example is a discount voucher, which gives clear instructions for use, and T&C in the details tab.

Account Settings

Under the central option in the bottom bar, My Quidco allows you to view your most recent activity and change your account settings.

You can choose to hide gambling offers and 18+ offers, modify your in-store cashback settings, and even register a card if you’re not yet set up.


Smart Shopping

With digital vouchers and in-store cashback, the Quidco mobile app is a convenient way to earn and to save money in the real world.
Download the app, try it out today!


Quidco App for Android Updated – v1.0.8

September 3, 2011

A new version of the Quidco App for Android has been released to the Android Market.

v1.0.8

Quidco App Updated

This update resolves the following issues.

  1. fixed crash when map location shown on Motorola devices
  2. fixed category icons not displaying on some devices
  3. fixed gender toggle style on settings page
  4. fixed gambling/adult style on settings page
  5. fixed error feedback messages on settings page
  6. fixed filters not retaining previously set state
  7. potential fix for crash when loading maps on some devices
  8. potential fix for crash when viewing vouchers on some devices
  9. added greyed out checkbox to filter page to make filters more clear

Quidco App for Android Logs Username, Password, IMEI and Card Details Without Encryption

August 21, 2011

Quidco App for Android v1.0.4 – Still Just A Beta Test

I installed the Quidco app for Android from the Market a few days back, and I thought it would be nice to do a review.
However, after a bit of poking around I found a log file – Qlog.txt – with my Quidco username and password stored plain-text.

Quidco Username & Password

A quick check also revealed that the app was logging my Quidco user ID and my phone’s IMEI number.
The IMEI is unique to every handset and doesn’t necessarily relate to any individual; the SIM does that, through the IMSI.

Anyway, the Quidco app gets your IMEI through the READ_PHONE_STATE permission, which is requested on installation. It is shown below as Read Phone Status and ID.

Quidco App Permissions

Store Card

The app gives you the opportunity to register a credit card for earning in-store cashback.
I read through the terms and conditions first, to see what safeguards are in place to protect my data.

T&C Section 2

Great! My card details are only stored and processed in encrypted format.

My Card 8888..

Logged Un-Encrypted

Data Protection Fail.
Please note, the screen grab of card number was made after the bug was found, to better illustrate the problem, but the log file is exact except redaction.

Further Development

This fault has been reported to Quidco. Uninstalling the app does not delete the log file.
My handset has root privileges; you may be able to view or delete your own log file without root.
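The fix on the developer side is to never let credentials, card numbers or device identifiers reach a log file in the first place. As an added example (not the app's code, and not something the post describes Quidco as having done), here is a redaction filter of the kind that sits in front of a logger, together with a scanner that reports which lines of an existing log would have been changed by it. The sample log is constructed to mirror what the post describes in Qlog.txt; the IMEI and card number are the well-known test values 490154203237518 and 4111111111111111, and the field names are assumed.

```python
import re

# Anything that looks like a password assignment: "password=..." or "pwd: ...".
SECRET_KEY_RE = re.compile(r"(?i)\b(password|passwd|pass|pwd|pin)\s*[=:]\s*(\S+)")
# 13 to 19 digits with optional single spaces or dashes between digits.
# Card numbers (PANs) and IMEIs both end in a Luhn check digit, so one
# Luhn-gated rule masks both without touching timestamps or order numbers.
NUMBER_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn checksum, so arbitrary long digit runs are left alone."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
        double = not double
    return total % 10 == 0


def _mask_number(match):
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw                        # not a PAN/IMEI; keep as is
    return "*" * (len(digits) - 4) + digits[-4:]   # keep last four only


def redact(line):
    """Apply every rule to one log line; returns the line unchanged if clean."""
    line = SECRET_KEY_RE.sub(lambda m: f"{m.group(1)}=<redacted>", line)
    line = NUMBER_RE.sub(_mask_number, line)
    return line


def find_leaks(text):
    """(line number, original line) for every line the redactor would alter."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if redact(line) != line]


# Constructed log in the style the post describes; values are test numbers.
QLOG = """\
2011-08-20 10:01:02 login user=jane password=Hunter2 ok
2011-08-20 10:01:03 device imei=490154203237518 userid=12345
2011-08-20 10:02:10 card registered 4111111111111111
2011-08-20 10:02:11 order ref 1234567890123456
"""

if __name__ == "__main__":
    for n, line in find_leaks(QLOG):
        print(f"line {n}: {line!r} -> {redact(line)!r}")
```

The Luhn gate is what keeps the rule usable: the order reference on the last line is sixteen digits long but fails the checksum, so it is left alone, while the IMEI on line two is masked by the same rule as the card because the IMEI format also carries a Luhn check digit. Redaction at the logger is a backstop; the stronger fix is not to log these fields at all.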

Update: the Quidco response to this issue is:

..that the android version of the Quidco app is only a test version and this is not meant for use at the moment.

We have not launched the android version of the app so any personal use of this is completely at your discretion as we are currently running our own tests on this to ensure everything is ready before our official release.

If you have any worries or concerns, contact the app developer or read the Information Commissioner’s Office guides:

Disclosure of personal information
If your personal information has been disclosed in a way that you did not expect you can complain to us.

http://www.ico.gov.uk/complaints/data_protection/supporting_evidence.aspx#disclosure

Security or loss of personal information
If your personal information has been lost or is not held securely you can complain to us.

http://www.ico.gov.uk/complaints/data_protection/supporting_evidence.aspx#security

I’m sure it’s possible a malicious program could be written to extract these details from your log, and gain full access to your quidco.com account.
You do use a different username and password for all sites, don’t you?