what you don't know can hurt you

Arro Insecure Transit

Arro Insecure Transit
Posted Dec 10, 2015
Authored by Shaftek Security Research

The Arro taxi hailing application failed to use SSL for transit of secrets.

tags | advisory
SHA-256 | 8dcf2660cdb2ece0a5f125068e93da61a9d85afaf0af734dda03f2a9dbb76927

Arro Insecure Transit

Change Mirror Download
Original:
http://securityresearch.shaftek.biz/2015/12/goarro-and-other-taxi-hailing-apps-did-not-use-ssl.html

CERT Advisory:
https://www.kb.cert.org/vuls/id/439016

Advisory: Arro and Other Android Taxi Hailing Apps Did Not Use SSL (Mobile Knowledge)

Overview
Arro and possibly over 100 other Android taxi hailing apps did not SSL to secure communications between the application and its servers.

Background
Arro is a taxi hailing service allowing users to hail yellow taxis in New York from their smartphones. The service also allows users to pay for their ride via the application while they are in a taxi. The underlying technology is a white branded version of an application called Taxi Hail, made by a company called Mobile Knowledge, in Ottawa, Canada, a subsidiary of Creative Mobile Technologies, LLC (CMT) of New York, NY. Both are providers of technology solutions for the taxi industry. At least 100 other white branded taxi applications run on the same platform as Arro, with a link to a non-exhaustive list appearing later in this document.

Details
While monitoring network traffic from an Android smartphone, we observed that most communications between the Arro Android application and servers was unencrypted and did not use SSL. Instead, regular HTTP calls were being used. Further investigation showed that the underlying application and servers were a white branded version of TaxiHail, developed by Mobile Knowledge.

Information observed included:
Username and passwords for the users of the application
User profile including address and phone number
Credentials for various APIs and payment gateways used by the application
Latitude and longitude of the user requesting a taxi
Last four digits and expiration date of the user's credit cards on file
When adding a new credit card - full credit card information
Payments were made via a separate gateway that uses SSL and were not at risk. However, adding credit cards would be done without SSL.

A secondary minor issue was also discovered. The GoArro app created a text log on the SD Card of the device being tested. This log, located in "/TaxiHail/errorlog.txt" contained GPS locations for the user, which would accessible to applications on the same phone without location access. This issue has also been fixed.


References
Arro website: https://www.goarro.com/
CERT/CC ID: VU# 439016

CMT website: http://creativemobiletech.com/
List of white branded apps: https://play.google.com/store/search?q=com.apcurium.MK&c=apps&hl=en
TaxiHail website: http://www.mobile-knowledge.com/products/passenger-solutions/taxihail/

Credits
Thank you to Garret Wasserman of CERT/CC for helping to communicate with the vendors.

Timeline
2015-10-14: Arro notified
2015-10-14: Initial vendor response
2015-10-15: Followup communications to Arro, no response
2015-10-20: CERT/CC notified
2015-10-23: CERT/CC response
2015-11-06: Mobile Knowledge acknowledged the problem via CERT/CC
2015-11-30: Fix deployed by vendor
2015-12-01: Fix confirmed
2015-12-08: Public disclosure, coordinated with CERT/CC

Version Information
Version 3
Last updated on 2015-12-07
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    6 Files
  • 24
    May 24th
    19 Files
  • 25
    May 25th
    5 Files
  • 26
    May 26th
    12 Files
  • 27
    May 27th
    12 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close