Prey Anti-Theft for Android missing SSL certificate validation

1. Advisory Information

Title: Prey Anti-Theft for Android missing SSL certificate validation
Advisory ID: STIC-2014-0731
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2
Date published: 2014-11-11
Date of last update: 2014-11-11
Vendors contacted: Fork Ltd. (developer of Prey Anti-theft))
Release mode: Coordinated release

2. Vulnerability Information

Class: Improper Following of a Certificate's Chain of Trust [CWE-296]
Impact: Denial of service, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Identifier: CVE-PENDING

3. Vulnerability Description

Prey Anti-theft for Android is a free application that lets smartphone owners track and locate lost or stolen devices. It provides accurate geolocation of a missing device and allows users to remotely lock it, take pictures, play alarm sounds or display onscreen messages. The application features can be controlled from the Prey project's website or via SMS. As of November, 2014 the application had between 1 to 5 million installations worldwide according to Google Play statistics[1].

Although communication between the Prey application running on an Android device and the controlling web server is performed over HTTPS, the former does not validate the SSL certificate presented by the latter. As a result it is possible to completely subvert the anti-theft protection of Prey. To do so, an attacker simply needs to perform a Man-in-the-Middle attack on the communications between the Prey app running in the device (presumably stolen and locked with a user-provided password) and the web server, present a fake server SSL certificate and send a lock command with a password of the attacker's choosing to the device. The attacker can then unlock the device manually with her provided password. Other types of attacks are possible since all communications between the device and the website can be inspected and modified by an attacker.

4. Vulnerable packages

5. Vendor Information, Solutions and Workarounds

The vendor acknowledged the problem and committed to publish a new version of the application fixing the issue by November 11th, 2014.

In the meantime, users can uninstall the Prey Anti-theft application by opening the "Settings" panel on their devices, selecting the "Application Manager", clicking on "Prey" and "Uninstall". These step by step isntructions may vary depending on which version of the Andoird OS is running on the device.

6. Credits

This vulnerability was discovered and researched by Joaquín Manuel Rinaudo. The publication of this advisory was coordinated by Programa de Seguridad en TIC.

7. Technical Description

The vulnerability is found in the com.prey.net.HttpUtils class which instantiates an HttpClient to connect to Prey's server. The HttpClient uses a custom SSLSocketFactory named EasySSLSocketFactory to obtain socket objects used to communicate with the server. This class also calls the method setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER) to accept as valid any hostname presented in the server certificate[2]. Furthermore, since the EasySSLCocketFactory implements a X509TrustManager with empty verifier methods [3], any SSL certificate presented by the server is considered valid by the application. This allows an attacker to mount a MITM attack to impersonate the Prey panel server with a self-made X509 certificate.

To unlock a stolen device, the attacker needs to spoof the lock command specifying a new password to gain control of the device. This could be done by modifying the server's response to the device request for commands at https://solid.preyproject.com/api/v2/devices/[DEVICE_ID].json to:

[+ full code]

The application tries to obtain new commands from the server by registering to listen multiple Android events such as changes in connectivity, battery level, accessing the airplane mode and even turning on and off the device.

8. Report Timeline

9. References

[1] https://play.google.com/store/apps/details?id=com.prey
[2] https://github.com/prey/prey-android-client/blob/master/src/com/prey/net/HttpUtils.java
[3] https://github.com/prey/prey-android-client/blob/master/src/com/prey/net/EasySSLSocketFactory.java

10. About Fundación Dr. Manuel Sadosky

The Dr. Manuel Sadosky Foundation is a mixed (public / private) institution whose goal is to promote stronger and closer interaction between industry and the scientific-technological system in all aspects related to Information and Communications Technology (ICT). The Foundation was formally created by a Presidential Decree in 2009. Its Chairman is the Minister of Science, Technology, and Productive Innovation of Argentina; and the Vice-chairmen are the chairmen of the country’s most important ICT chambers: The Software and Computer Services Chamber (CESSI) and the Argentine Computing and Telecommunications Chamber (CICOMRA). For more information visit: http://www.fundacionsadosky.org.ar

11. Copyright Notice

The contents of this advisory are copyright (c) 2014 Fundación Sadosky and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License: http://creativecommons.org/licenses/by-nc-sa/4.0/