M 107: GenieMD Broken SSL (55 pts)

What You Need for This Project

You need one of thest two systems:

Summary

The GenieMD Android app sends login credentials over broken HTTPS, without verifying the SSL certificate.

This is such a serious security flaw that the FTC punished Fandango and Credit Karma for doing the same thing in 2014.

Preparing an Android Emulator and Burp

The emulator options are different for different operating systems. Follow the appropriate instructions below:

A31a: Burp and Genymotion on Mac or Linux

A31b: Burp and Nox on Windows

Installing the GenieMD Android App

Open Google Play and search for geniemd.

Install the "Harvard Health Info" app, as shown below.

Troubleshooting

If Google Play won't connect, you are probably using the proxy.

In Settings, tap Wi-Fi, and adjust the networking to use a proxy of None.

Archived App

If the app is unavailable, use this archived copy.

Adjusting Android Networking to Use the Burp Proxy

On your Android device, in Settings, tap Wi-Fi and adjust your proxy settings to route traffic through Burp, as shown below.

On your Android device, click SAVE.

At the bottom center of the device, click the round Home button.

Observing the HTTPS Traffic

On your Android device, open the Harvard... app.

Click "Sign in" and enter test credentials, as shown below.

Click "SIGN IN".

In Burp, on the Proxy tab, click the "HTTP Requests" sub-tab.

Find the POST method going to /GenieMD.Com/resources/Email/SignIn.

The username and password appear in Burp, as shown below:

If you have been doing these projects in order, and you are using a Mac, this is not a security problem, because you have the PortSwigger certificate installed--your Android device has been told to trust Burp.

In Burp, on the Proxy tab, on the "HTTP history" sub-tab, right-click any entry and click "Clear history". Click Yes.

Removing the PortSwigger Certificate (Mac or Linux Only)

If you are using Nox on Windows, skip this step.

If you are using a Mac or Linux host, do this:

On your Android device, in Settings, click "Security & location", Advanced, "Encryption & credentials", "Clear credentials".

Click OK.

Enter your PIN.

Testing HTTPS Connections

On your Android device, open Chrome. Go to https://bowneconsulting.com.

You should see an error message, as shown below.

(When I did this on an Android 9.0 Genymotion device, the green padlock remained visible, even though the page would not load; another Android bug.)

No valid HTTPS connections can be made from your device now, because it no longer trusts Burp.

Logging In Again

On your Android device, open Harvard... again.

Click "Sign in" and enter test credentials, including your name, as shown below.

Capturing Credentials in Burp

In Burp, on the Proxy tab, click the "HTTP Requests" sub-tab.

Find the POST method going to /GenieMD.Com/resources/Email/SignIn.

The username and password still appear in Burp, as shown below:

This is a big problem--the MITM attack is allowed. GenieMD exposes its users to this attack, because they don't bother to validate SSL certificates.

M 107.1: Finding the Flag (15 pts)

In Burp, in the lower pane, click the Response tab.

The flag is the text covered by a green box in the image below.


M 107.2: Find the Server (5 pts)

Uninstall the original app and install this app instead:

A31.2.apk

Execute a login request. The flag is the domain name of the server it sends a POST request to.


M 107.3: Registration (15 pts)

Use the same A31.2.apk app. Launch the app. Click "Join Now".

It asks for a registration code.

On your Kali machine, execute this command to unpack the app:

apktool d A31.2.apk
Find the registration code. Use it in the app to see the flag. Use the same app: A30.2.apk. Explore the app and find the second flag.

M 107.4: Registration (20 pts)

Examine the code-signing certificate for the A30.2.apk app. The company name is in leetspeak. That company name is the flag.
Posted 4-11-19