SIK-2017-044
Title:
Plaintext Communication in CoupleVow App
Report ID:
SIK-2017-044
Summary:
- Vendor: 애펙스 주식회사
- Product: Couple Vow (Package-Name: com.ms.coupleobserver)
- Affected Version: 3.0.2
- Severity: medium
- Short summary: Communication for the login between app and its backend uses HTTP
Details:
The login process is realized via an HTTP connection. HTTP is a plaintext protocol that is neither encrypted nor integrity protected. A man-in-the-middle adversary can eavesdrop on the login credentials when a user logs in and reuse them at a later time. After login, the communication uses HTTPS, which is the correct approach and should have been used for the login process as well.
Workaround:
Use a VPN connection when using this app.
Suggested Mitigation:
Use HTTPS for all communication between the app and its backend, including the login request.
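The mixed HTTP/HTTPS pattern described under Details can be checked for in a traffic capture, and the mitigation enforced client-side, with a short script like the following. This is an added example, not code from the advisory or the vendor; the hostnames, paths, field names and log lines are constructed placeholders, not the app's real endpoints.

```python
"""Flag credential submissions sent over cleartext HTTP in a request log.

Added example for SIK-2017-044; all endpoints and sample traffic below are
constructed and do not reflect the real app's backend.
"""
from urllib.parse import parse_qs, urlsplit

# Form-field names that typically carry login secrets (assumed list; extend
# it for the app under test).
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd", "token", "session"}


def parse_log_line(line):
    """Parse a constructed 'METHOD URL [urlencoded-body]' line into its parts."""
    parts = line.strip().split(" ", 2)
    method, url = parts[0], parts[1]
    body = parts[2] if len(parts) == 3 else ""
    return method, url, body


def credential_fields(body):
    """Return the credential-like field names present in a urlencoded body."""
    return set(parse_qs(body, keep_blank_values=True)) & CREDENTIAL_FIELDS


def cleartext_credential_requests(log_lines):
    """Return (url, sorted fields) for each request sending credentials over http://.

    HTTPS requests are ignored even when they carry credentials, and HTTP
    requests without credentials are ignored too, so the result isolates the
    advisory's defect: a login over HTTP while the rest of the traffic uses TLS.
    """
    findings = []
    for line in log_lines:
        _method, url, body = parse_log_line(line)
        fields = credential_fields(body)
        if urlsplit(url).scheme.lower() == "http" and fields:
            findings.append((url, sorted(fields)))
    return findings


def safe_to_send_credentials(url):
    """Client-side guard modelling the suggested mitigation: only https:// endpoints."""
    return urlsplit(url).scheme.lower() == "https"


# Constructed sample traffic mirroring the advisory: login over HTTP, rest over HTTPS.
SAMPLE_LOG = [
    "POST http://api.example.invalid/login id=alice&password=hunter2",
    "GET https://api.example.invalid/profile",
    "POST https://api.example.invalid/messages text=hi&session=abc",
    "GET http://cdn.example.invalid/logo.png",
]

if __name__ == "__main__":
    for url, fields in cleartext_credential_requests(SAMPLE_LOG):
        print(f"cleartext credentials {fields} sent to {url}")
```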
Timeline:
- 2017-08-09 Vulnerability Discovered
- 2017-08-09 Contacted developer
- 2018-08-11 Published