SIK-2017-049


Title:

All traffic via HTTP in Girlfriend Cell Tracker App

Report ID

SIK-2017-049

Summary:

  • Vendor: SoftSquare InfoSoft
  • Product: Girlfriend Cell Tracker (Package-Name: com.omrup.cell.tracker)
  • Affected Version: v1.20
  • Severity: Medium
  • Short summary: All requests (including to the API) are made via HTTP, making the communication vulnerable to man-in-the-middle attacks.

Details:

The app uses HTTP for all communications. Everything it transmits, including the username, password and received SMS messages, is unprotected in transit and vulnerable to man-in-the-middle attacks.

Workaround

None.

Suggested Mitigation

Use HTTPS.
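
One way to verify this mitigation on an Android build, as an added example that is not part of the original advisory or the vendor's code: the script checks whether the manifest and Network Security Config still permit cleartext HTTP and lists hard-coded http:// URLs. The sample manifests, the target SDK level 25 and the example hostnames are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed samples (not taken from the app in this advisory).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tracker"><application android:label="demo"/></manifest>"""
FIXED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tracker"><application android:usesCleartextTraffic="false"
    android:networkSecurityConfig="@xml/network_security_config"/></manifest>"""
FIXED_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="false"/></network-security-config>"""
SAMPLE_STRINGS = 'BASE = "http://api.tracker.example/v1/"\nDOCS = "https://tracker.example/help"'


def cleartext_permitted(manifest_xml, target_sdk, nsc_xml=None):
    """Return True if the app's configuration lets it send plain HTTP."""
    default = target_sdk <= 27  # platform default: allowed up to API 27, blocked from 28
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return default
    # On Android 7.0+ a Network Security Config takes precedence over the manifest flag.
    if nsc_xml is not None and app.get(ANDROID + "networkSecurityConfig"):
        nsc = ET.fromstring(nsc_xml)
        base = nsc.find("base-config")
        flag = base.get("cleartextTrafficPermitted") if base is not None else None
        base_ok = default if flag is None else flag == "true"
        # A domain-config can re-enable cleartext for individual hosts.
        per_host = any(d.get("cleartextTrafficPermitted") == "true"
                       for d in nsc.iter("domain-config"))
        return base_ok or per_host
    flag = app.get(ANDROID + "usesCleartextTraffic")
    return default if flag is None else flag == "true"


def http_endpoints(text):
    """List hard-coded http:// URLs found in decompiled strings or resources."""
    return sorted(set(re.findall(r"http://[^\s\"'<>]+", text)))


if __name__ == "__main__":
    print("weak build permits cleartext:", cleartext_permitted(WEAK_MANIFEST, 25))
    print("fixed build permits cleartext:", cleartext_permitted(FIXED_MANIFEST, 25, FIXED_NSC))
    print("cleartext endpoints:", http_endpoints(SAMPLE_STRINGS))
```

Blocking cleartext in the app configuration only helps once the server side offers HTTPS for every endpoint the app calls.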

Timeline

  • 2017-07-26: Vulnerability discovered
  • 2017-08-29: First Email sent to developer
  • 2018-08-11: Published