M 107: GenieMD Broken SSL (15 pts + 40 extra)

What You Need for This Project

You need one of these two systems:


The GenieMD Android app sends login credentials over HTTPS without verifying the server's SSL/TLS certificate, so anyone in a man-in-the-middle position can read them.

This is such a serious security flaw that the FTC took enforcement action against Fandango and Credit Karma in 2014 for the same failure to validate certificates.

Preparing an Android Emulator and Burp

You need an Android emulator running traffic through the Burp proxy, which you should have already set up in previous projects.

If your host machine uses Mac or Linux, use Genymotion.

If your host system runs Windows, use Burp and Nox.

Use Android 5

On Jan 28, 2020, students had trouble installing GenieMD in modern Android versions. I found that a Google Nexus 5 machine running Android 5.0 worked, as shown below. I could not find GenieMD in the Play Store on that device, but I was able to install the archived copy linked below.

Installing the GenieMD Android App

Open Google Play and search for geniemd.

Install the "Harvard Health Info" app, as shown below.


If Google Play won't connect, you are probably still routing traffic through the Burp proxy.

In Settings, tap Wi-Fi, and set the proxy to None while you install the app.

Archived App

If the app is unavailable, use this archived copy:


Adjusting Android Networking to Use the Burp Proxy

On your Android device, in Settings, tap Wi-Fi and adjust your proxy settings to route traffic through Burp, as shown below.

On your Android device, click SAVE.

At the bottom center of the device, click the round Home button.

Observing the HTTPS Traffic

On your Android device, open the Harvard... app.

Click "Sign in" and enter test credentials, as shown below.

Click "SIGN IN".

In Burp, on the Proxy tab, click the "HTTP history" sub-tab.

Find the POST request to /GenieMD.Com/resources/Email/SignIn.

The username and password appear in Burp, as shown below:

If you have been doing these projects in order on a Mac or Linux host, this is not yet evidence of a flaw: you installed the PortSwigger CA certificate in an earlier project, so your Android device has been explicitly told to trust Burp. Any correctly written app would accept Burp's certificate in that state.

In Burp, on the Proxy tab, on the "HTTP history" sub-tab, right-click any entry and click "Clear history". Click Yes.

Removing the PortSwigger Certificate (Mac or Linux Only)

If you are using Nox on Windows, skip this step.

If you are using a Mac or Linux host, do this:

On your Android device, in Settings, click "Security & location", Advanced, "Encryption & credentials", "Clear credentials".

Click OK.

Enter your PIN.

Testing HTTPS Connections

On your Android device, open Chrome. Go to https://bowneconsulting.com.

You should see an error message, as shown below.

(When I did this on an Android 9.0 Genymotion device, the green padlock remained visible, even though the page would not load; another Android bug.)

Every HTTPS connection from the device now goes through Burp, which presents a certificate signed by a CA the device no longer trusts, so any client that validates certificates correctly must refuse to connect.

Logging In Again

On your Android device, open Harvard... again.

Click "Sign in" and enter test credentials, including your name, as shown below.

Capturing Credentials in Burp

In Burp, on the Proxy tab, click the "HTTP history" sub-tab.

Find the POST request to /GenieMD.Com/resources/Email/SignIn.

The username and password still appear in Burp, as shown below:

This is a big problem: the MITM attack succeeds even though the device trusts nothing about Burp. GenieMD exposes its users to this attack because the app does not validate the server's certificate at all.

M 107.1: Finding the Flag (15 pts)

In Burp, in the lower pane, click the Response tab.

The flag is the text covered by a green box in the image below.

M 107.2: Find the Server (5 pts extra)

Uninstall the original app and install this app instead:


Perform a login. The flag is the domain name of the server the app sends the POST request to.

M 107.3: Registration (15 pts extra)

Use the same A31.2.apk app. Launch the app. Click "Join Now".

It asks for a registration code, as shown below.

On your Kali machine, execute this command to unpack the app:

apktool d A31.2.apk

Search the unpacked output (the decoded resources and the smali code) for the registration code. Use it in the app to see the flag, as shown below.

M 107.4: Code-Signing Certificate (20 pts extra)

Examine the code-signing certificate of the A31.2.apk app. The signer's company name is written in leetspeak; that company name is the flag.

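The script below is an added example, not the project's own tooling and not required to solve the challenge. The normal way to read the signing certificate is apksigner verify --print-certs A31.2.apk (Android SDK build-tools) or keytool -printcert -jarfile A31.2.apk. The script shows what those tools are reading: it opens the APK as a zip, takes the v1 (JAR) signature block under META-INF (the .RSA, .DSA or .EC file, a PKCS#7 SignedData that carries the signer certificate), and walks the DER with a small parser to pull out the X.500 name attributes, O (organization) and CN among them. SAMPLE_NAME and build_sample_apk() are constructed test fixtures, not data from the real app. Caveat: an APK signed only with the v2/v3 scheme has no META-INF signature file; use apksigner for those.

```python
import os
import tempfile
import zipfile

# X.500 attribute OIDs that appear in certificate subject and issuer names.
X500_ATTRS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
              "2.5.4.10": "O", "2.5.4.11": "OU"}
# ASN.1 string tags and the codec each one uses.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x14: "latin-1", 0x1E: "utf-16-be"}

def parse_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos (definite lengths only)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the body of a constructed element into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = parse_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    """Dotted OID from its content octets (the first octet packs the first two arcs)."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def name_attributes(der):
    """Walk a DER tree and collect every X.500 AttributeTypeAndValue as (short name, text).
    Works on a bare Name, a whole certificate, or a PKCS#7 SignedData (.RSA file)."""
    found = []

    def walk(value):
        kids = children(value)
        if len(kids) == 2 and kids[0][0] == 0x06 and kids[1][0] in STRING_TAGS:
            oid = decode_oid(kids[0][1])
            if oid.startswith("2.5.4."):
                text = kids[1][1].decode(STRING_TAGS[kids[1][0]])
                found.append((X500_ATTRS.get(oid, oid), text))
                return
        for tag, val in kids:
            if tag & 0x20:                 # constructed element (SEQUENCE, SET, [0]): recurse
                walk(val)

    walk(der)
    return found

def signer_attributes(apk_path):
    """Read the v1 (JAR) signature block(s) of an APK and return the unique name attributes."""
    attrs = []
    with zipfile.ZipFile(apk_path) as apk:
        for name in apk.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for pair in name_attributes(apk.read(name)):
                    if pair not in attrs:
                        attrs.append(pair)
    return attrs

def _tlv(tag, body):
    """Tiny DER encoder (short lengths only) used to build the constructed sample below."""
    return bytes([tag, len(body)]) + body

def _attr(oid_bytes, string_tag, text):
    return _tlv(0x31, _tlv(0x30, _tlv(0x06, oid_bytes) + _tlv(string_tag, text)))

# Constructed sample Name: O="Example Corp" (PrintableString), CN="Example Signer" (UTF8String).
SAMPLE_NAME = _tlv(0x30, _attr(b"\x55\x04\x0a", 0x13, b"Example Corp")
                   + _attr(b"\x55\x04\x03", 0x0C, b"Example Signer"))

def build_sample_apk():
    """Write a minimal zip whose META-INF/CERT.RSA stand-in is just SAMPLE_NAME (test fixture)."""
    path = os.path.join(tempfile.mkdtemp(), "sample.apk")
    with zipfile.ZipFile(path, "w") as apk:
        apk.writestr("META-INF/CERT.RSA", SAMPLE_NAME)
    return path

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_apk()
    for short, text in signer_attributes(target):
        print("%s = %s" % (short, text))
```

Run the script with the APK path as its only argument; with no argument it parses the constructed sample. The output lists the issuer as well as the subject, and the SignerInfo repeats the issuer again; for a self-signed certificate these are all the same name, so the organization you want appears once after deduplication.
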
Links to previous setup projects removed 6-1-19
Points labeled "extra" 1-13-2020
Challenge 3 cleaned up and images added 1-24-2020
A31.2 specified for M 107.4
Note re: Android 5 added 1-28-2020