Plaintext Communication in GPS Location Tracker App
- Vendor: SeeBetaApp
- Product: Track My Family (Package-name: com.betaapp.myfamilylocator)
- Affected Version: 2.6
- Severity: high
- Short summary: SQLi in Login form breaks authentication
Every communication between app and its backend uses HTTP connections. HTTP is a plain text protocol, which is not encrypted nor integrity protected. A man-in-the-middle adversary can eavesdrop and modify every traffic between an app user and the backend (e.g. tapping login credentials).
Use a VPN connection when using this app.
Use HTTPs for communicating between app and backend.
- 2017-08-09 Vulnerability Discovered
- 2017-08-10 Contaced developer
- 2018-08-11 Published