SIK-2017-005
Title:
ADB Backup Allowed in Lufthansa App
Report ID:
SIK-2017-005
Summary:
- Vendor: Deutsche Lufthansa AG
- Product: Lufthansa App
- Affected Version: 5.6.1
- Severity: high
- Short summary:
The Lufthansa app can be backed up using adb. Together with SIK-2017-003, this allows an attacker to fully extract the user’s login credentials.
Details:
An attacker with USB debugging access to the device can create a backup of the app using "adb backup". This backup contains the app's private data directory, in which the app stores the user's credentials in an encrypted format. Combined with the attack described in SIK-2017-003, the attacker can circumvent the encryption and fully reconstruct the user's username and password.
Workaround:
Always log out of the app to ensure that no credentials are left on the phone. Disable USB debugging.
Suggested Mitigation:
Do not allow app backups.
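The following is an added example, not code from the advisory or from Lufthansa: a small audit script that parses a decoded AndroidManifest.xml and reports whether the application still permits adb backups, using two constructed manifest samples (the weak default and the corrected one). The package name and label are placeholders.

```python
"""Audit an Android manifest for the adb-backup exposure described in this advisory.

Example added to the advisory; not the vendor's code. Both manifests below are
constructed samples, not the real app's manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP = f"{{{ANDROID_NS}}}allowBackup"

# Constructed sample (weak): no allowBackup attribute, so the platform default
# of "true" applies and "adb backup" can pull the app's private data directory.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.airline">
    <application android:label="Airline"/>
</manifest>"""

# Constructed sample (fixed): the mitigation the advisory suggests, backups disabled.
FIXED_MANIFEST = WEAK_MANIFEST.replace(
    '<application android:label="Airline"/>',
    '<application android:label="Airline" android:allowBackup="false"/>',
)


def backup_allowed(manifest_xml: str) -> bool:
    """Return True if the manifest lets adb back up the app's private data."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    # An absent attribute means the platform default, which is "true".
    value = app.get(ALLOW_BACKUP, "true")
    return value.strip().lower() == "true"


def audit(manifest_xml: str) -> str:
    """One-line finding for the manifest, suitable for a review checklist."""
    if backup_allowed(manifest_xml):
        return 'FAIL: backups allowed; set android:allowBackup="false" on <application>'
    return "OK: app data excluded from adb backup"


if __name__ == "__main__":
    for name, manifest in (("weak", WEAK_MANIFEST), ("fixed", FIXED_MANIFEST)):
        print(f"{name}: {audit(manifest)}")
```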
Timeline:
- 2017-01-18: Vulnerability Discovered
- 2017-02-15: Reported
- 2017-05-17: Vulnerability Fixed