SIK-2017-049
Title:
All traffic via HTTP in Girlfriend Cell Tracker App
Report ID:
SIK-2017-049
Summary:
- Vendor: SoftSquare InfoSoft
- Product: Girlfriend Cell Tracker (Package-Name: com.omrup.cell.tracker)
- Affected Version: v1.20
- Severity: Medium
- Short summary: All requests (including those to the API) are made via HTTP, making the communication vulnerable to man-in-the-middle attacks.
Details:
The app uses HTTP for all communications. Everything it transmits, including the username, password and received SMS messages, is sent unprotected and is vulnerable to man-in-the-middle attacks.
Workaround:
None.
Suggested Mitigation:
Use HTTPS.
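One way to verify that a build actually enforces this, as an added example that is not part of the original advisory or the vendor's code. It assumes the product is an Android app with a decoded AndroidManifest.xml and, optionally, a Network Security Config file available; the function name and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

def _flag(elem, name, default):
    """Read a boolean attribute, falling back to the platform default."""
    value = None if elem is None else elem.get(name)
    return default if value is None else value.strip().lower() == "true"

def cleartext_findings(manifest_xml, nsc_xml=None):
    """Return the reasons this build would still allow plain-HTTP traffic."""
    root = ET.fromstring(manifest_xml)
    app, sdk = root.find("application"), root.find("uses-sdk")
    # Unknown target SDK is treated as old, which is the conservative choice.
    target = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    default = target <= 27  # cleartext is permitted by default up to API 27
    findings = []
    if app is not None and app.get(ANDROID + "networkSecurityConfig") and nsc_xml:
        # On API 24+ a Network Security Config takes precedence over the manifest flag.
        cfg = ET.fromstring(nsc_xml)
        if _flag(cfg.find("base-config"), "cleartextTrafficPermitted", default):
            findings.append("base-config permits cleartext")
        for dc in cfg.iter("domain-config"):
            # Simplification: only explicit per-domain opt-ins are reported.
            if _flag(dc, "cleartextTrafficPermitted", False):
                hosts = ", ".join((d.text or "").strip() for d in dc.findall("domain"))
                findings.append("domain-config permits cleartext for: " + hosts)
    elif _flag(app, ANDROID + "usesCleartextTraffic", default):
        findings.append("manifest permits cleartext (usesCleartextTraffic true or defaulted)")
    return findings

# Constructed samples, not taken from the affected app.
MANIFEST_BEFORE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.tracker">
  <uses-sdk android:targetSdkVersion="25"/>
  <application android:label="demo"/>
</manifest>"""
MANIFEST_AFTER = MANIFEST_BEFORE.replace(
    'android:label="demo"', 'android:label="demo" android:usesCleartextTraffic="false"')
MANIFEST_NSC = MANIFEST_BEFORE.replace(
    'android:label="demo"', 'android:networkSecurityConfig="@xml/nsc"')
NSC_LEAKY = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true"><domain>api.example.invalid</domain></domain-config>
</network-security-config>"""

if __name__ == "__main__":
    for name, args in [("before", (MANIFEST_BEFORE,)), ("after", (MANIFEST_AFTER,)),
                       ("nsc", (MANIFEST_NSC, NSC_LEAKY))]:
        print(name, cleartext_findings(*args) or "cleartext blocked")
```

An empty result means the platform will refuse plain-HTTP connections from the app, so any remaining `http://` endpoint fails instead of silently leaking credentials or SMS content.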
Timeline:
- 2017-07-26: Vulnerability discovered
- 2017-08-29: First Email sent to developer
- 2018-08-11: Published