22 June 2021 at 13:33 UTC
Updated: 22 June 2021 at 17:10 UTC
VeryFitPro flaw decidedly unhealthy for user privacy
UPDATED An Android fitness app with nearly 10 million downloads is transmitting sensitive information in clear text, potentially leaving passwords and other sensitive data exposed as a result.
The as-yet unresolved flaw in VeryFitPro was discovered by security researchers at Trovent.
Trovent’s team discovered that the VeryFitPro mobile application performs all communication with the backend API via cleartext HTTP.
All manner of sensitive information, including login, registration, and password change requests, is open to eavesdropping and interception because of this lack of encryption, Trovent warns.
Trovent contacted the developers of the app repeatedly but without success after discovering the issue in May.
After failing to get a response, Trovent went public with its findings in a technical blog post.
The post includes proof of the issues with the app, specifically a TCP packet capture showing a login request together with the password hash and username in clear text.
The Daily Swig attempted to contact Shenzhen DO Intelligent Technology – the China-based developers of VeryFitPro – for comment, so far without success. We’ll update this story as and when more information comes to hand.
In the absence of a security update, Trovent recommends only using HTTPS when sending sensitive data to and from the application.
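The packet capture Trovent published shows what a defender looks for when auditing an app like this: an unencrypted HTTP request whose form body carries a username and password hash. The following script is an added example (not Trovent's tooling or anything from the VeryFitPro app) that scans reassembled TCP payloads for cleartext HTTP requests carrying credential-like fields; the sample flows and the host `api.example.invalid` are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs

# Constructed sample flows standing in for reassembled TCP payloads from a capture.
# Each entry is (destination port, payload bytes). The hash value is a made-up placeholder.
SAMPLE_FLOWS = [
    (80, b"POST /api/user/login HTTP/1.1\r\nHost: api.example.invalid\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 74\r\n\r\n"
         b"username=alice%40example.invalid&password=0123456789abcdef0123456789abcdef"),
    (80, b"GET /api/news HTTP/1.1\r\nHost: api.example.invalid\r\n\r\n"),
    # TLS record header: an HTTPS flow, which the regex below correctly does not match
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 16),
]

# Parameter names that should never travel in a cleartext HTTP request
CREDENTIAL_KEYS = {"username", "email", "password", "passwd", "pwd", "token", "session"}
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/1\.[01]\r\n")


def find_cleartext_credentials(flows):
    """Return (port, method, path, credential keys) for each cleartext HTTP request
    whose query string or form body contains a credential-like parameter."""
    findings = []
    for port, payload in flows:
        match = REQUEST_LINE.match(payload)
        if not match:
            continue  # not a plain HTTP request (e.g. a TLS record on 443)
        method, target = match.group(1).decode(), match.group(2).decode()
        path, _, query = target.partition("?")
        _, _, body = payload.partition(b"\r\n\r\n")
        # Collect parameters from both the query string and a form-encoded body
        params = parse_qs(query, keep_blank_values=True)
        params.update(parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True))
        hits = sorted(key for key in params if key.lower() in CREDENTIAL_KEYS)
        if hits:
            findings.append((port, method, path, hits))
    return findings


if __name__ == "__main__":
    for port, method, path, keys in find_cleartext_credentials(SAMPLE_FLOWS):
        print(f"cleartext credentials: {method} {path} on port {port}: {', '.join(keys)}")
```

The same function can be fed payloads extracted from a real capture (for example with a pcap parsing library) to confirm whether an app's login, registration and password-change calls are still going out unencrypted.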
A representative of Germany-based Trovent told The Daily Swig that the issues with VeryFitPro were indicative of lax security practices in the wider wearables market.
“During our ongoing security research process we are looking for security and data privacy issues in health apps and devices (wearables),” Stefan Pietsch, team lead penetration testing at Trovent, explained. “There’s a whole bunch of applications that handle valuable health data and from our experience security requirements are not met or do not receive sufficient attention during the development (and software maintenance) process.”
The current (3.3.0) version of the Android app still sends the data via plain HTTP without encryption, Trovent confirmed on Tuesday.
This story has been updated to correct the number of downloads figure and to add comment from security researchers at Trovent.