Original: http://securityresearch.shaftek.biz/2015/12/goarro-and-other-taxi-hailing-apps-did-not-use-ssl.html
CERT Advisory: https://www.kb.cert.org/vuls/id/439016 Advisory: Arro and Other Android Taxi Hailing Apps Did Not Use SSL (Mobile Knowledge) Overview Arro and possibly over 100 other Android taxi hailing apps did not SSL to secure communications between the application and its servers. Background Arro is a taxi hailing service allowing users to hail yellow taxis in New York from their smartphones. The service also allows users to pay for their ride via the application while they are in a taxi. The underlying technology is a white branded version of an application called Taxi Hail, made by a company called Mobile Knowledge, in Ottawa, Canada, a subsidiary of Creative Mobile Technologies, LLC (CMT) of New York, NY. Both are providers of technology solutions for the taxi industry. At least 100 other white branded taxi applications run on the same platform as Arro, with a link to a non-exhaustive list appearing later in this document. Details While monitoring network traffic from an Android smartphone, we observed that most communications between the Arro Android application and servers was unencrypted and did not use SSL. Instead, regular HTTP calls were being used. Further investigation showed that the underlying application and servers were a white branded version of TaxiHail, developed by Mobile Knowledge. Information observed included: Username and passwords for the users of the application User profile including address and phone number Credentials for various APIs and payment gateways used by the application Latitude and longitude of the user requesting a taxi Last four digits and expiration date of the user's credit cards on file When adding a new credit card - full credit card information Payments were made via a separate gateway that uses SSL and were not at risk. However, adding credit cards would be done without SSL. A secondary minor issue was also discovered. The GoArro app created a text log on the SD Card of the device being tested. This log, located in "/TaxiHail/errorlog.txt" contained GPS locations for the user, which would accessible to applications on the same phone without location access. This issue has also been fixed. References Arro website: https://www.goarro.com/ CERT/CC ID: VU# 439016 CMT website: http://creativemobiletech.com/ List of white branded apps: https://play.google.com/store/search?q=com.apcurium.MK&c=apps&hl=en TaxiHail website: http://www.mobile-knowledge.com/products/passenger-solutions/taxihail/ Credits Thank you to Garret Wasserman of CERT/CC for helping to communicate with the vendors. Timeline 2015-10-14: Arro notified 2015-10-14: Initial vendor response 2015-10-15: Followup communications to Arro, no response 2015-10-20: CERT/CC notified 2015-10-23: CERT/CC response 2015-11-06: Mobile Knowledge acknowledged the problem via CERT/CC 2015-11-30: Fix deployed by vendor 2015-12-01: Fix confirmed 2015-12-08: Public disclosure, coordinated with CERT/CC Version Information Version 3 Last updated on 2015-12-07
