Fundación Dr. Manuel Sadosky - Programa STIC Advisory
www.fundacionsadosky.org.ar

Prey Anti-Theft for Android missing SSL certificate validation

1. *Advisory Information*

Title: Prey Anti-Theft for Android missing SSL certificate validation
Advisory ID: STIC-2014-0731
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2
Date published: 2014-11-11
Date of last update: 2014-11-11
Vendors contacted: Fork Ltd. (developer of Prey Anti-theft)
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Improper Following of a Certificate's Chain of Trust [CWE-296]
Impact: Denial of service, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Identifier: CVE-PENDING

3. *Vulnerability Description*

Prey Anti-theft for Android is a free application that lets smartphone owners track and locate lost or stolen devices. It provides accurate geolocation of a missing device and allows users to remotely lock it, take pictures, play alarm sounds or display on-screen messages. The application's features can be controlled from the Prey project's website or via SMS. As of November 2014 the application had between 1 and 5 million installations worldwide according to Google Play statistics [1].

Although communication between the Prey application running on an Android device and the controlling web server is performed over HTTPS, the former does not validate the SSL certificate presented by the latter. As a result, it is possible to completely subvert the anti-theft protection of Prey. To do so, an attacker simply needs to perform a Man-in-the-Middle attack on the communications between the Prey app running on the device (presumably stolen and locked with a user-provided password) and the web server, present a fake server SSL certificate and send a 'lock command' with a password of the attacker's choosing to the device. The attacker can then unlock the device manually with the password she provided.
Other types of attacks are possible, since all communications between the device and the website can be inspected and modified by an attacker.

4. *Vulnerable packages*

. Prey Anti-theft for Android version 1.1.3 and below.

5. *Vendor Information, Solutions and Workarounds*

The vendor acknowledged the problem and committed to publish a new version of the application fixing the issue by November 11th, 2014. In the meantime, users can uninstall the Prey Anti-theft application by opening the "Settings" panel on their devices, selecting the "Application Manager", clicking on "Prey" and then "Uninstall". These step-by-step instructions may vary depending on which version of the Android OS is running on the device.

6. *Credits*

This vulnerability was discovered and researched by Joaquín Manuel Rinaudo. The publication of this advisory was coordinated by Programa de Seguridad en TIC.

7. *Technical Description*

The vulnerability is found in the 'com.prey.net.HttpUtils' class, which instantiates an HttpClient to connect to Prey's server. The HttpClient uses a custom SSLSocketFactory named EasySSLSocketFactory to obtain the socket objects used to communicate with the server. This class also calls the method 'setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)' to accept as valid any hostname presented in the server certificate [2]. Furthermore, since EasySSLSocketFactory implements an 'X509TrustManager' with empty verifier methods [3], any SSL certificate presented by the server is considered valid by the application. This allows an attacker to mount a MITM attack to impersonate the Prey panel server with a self-made X509 certificate. To unlock a stolen device, the attacker needs to spoof the lock command specifying a new password to gain control of the device.
This could be done by modifying the server's response to the device's request for commands at 'https://solid.preyproject.com/api/v2/devices/[DEVICE_ID].json' to:

/-----
[
  {
    "command": "start",
    "options": {
      "unlock_pass": "easy"
    },
    "target": "lock"
  }
]
-----/

The application tries to obtain new commands from the server by registering to listen for multiple Android events, such as changes in connectivity or battery level, entering airplane mode and even turning the device on and off.

8. *Report Timeline*

. 2014-09-17: Request for security contact info filed in the support page on the Prey project's website.
. 2014-09-23: The vendor team asks Programa de Seguridad en TIC to send the vulnerability report via unencrypted email to security@preyproject.com.
. 2014-10-01: Technical details sent to the vendor.
. 2014-10-25: Programa de Seguridad en TIC requested a status update about the issue and communicated an estimated release date of the advisory of October 27th, 2014. The vendor requested to push back the release due to an internal re-organization of the teams.
. 2014-10-27: Programa de Seguridad en TIC agreed to delay the advisory, but only on the condition of receiving details about the status of the issue and a committed date for releasing an updated version that fixes the problem.
. 2014-10-28: The vendor informed that a patch was already developed and requested advice as to how to avoid exposing clients running versions of the app that lacked an automatic update capability to exploitation of the vulnerability.
. 2014-10-29: Programa de Seguridad en TIC asked the vendor to send a copy of the patch so it could confirm that the security issue was addressed. The vendor was advised to inform users about the vulnerability and the risk involved, so that clients would be encouraged to update the application and thereby minimize the vulnerability's impact.
. 2014-10-30: The vendor sent the patched version of the application to the researcher and notified that the modification consisted in changing the HostnameVerifier from 'ALLOW_ALL_HOSTNAME_VERIFIER' to 'STRICT_HOSTNAME_VERIFIER'.
. 2014-11-03: Programa de Seguridad en TIC informed the vendor that the patch did not fix the problem: because the application was still using an empty TrustManager, it neither verified the certificate chain nor checked that the root CA was a trusted one from the Android CA store. The vendor was also notified that the advisory would be published on November 10th.
. 2014-11-10: The vendor acknowledged the problem and informed that an update would be available in the Google Play store by November 10th.

9. *References*

[1] https://play.google.com/store/apps/details?id=com.prey
[2] https://github.com/prey/prey-android-client/blob/master/src/com/prey/net/HttpUtils.java
[3] https://github.com/prey/prey-android-client/blob/master/src/com/prey/net/EasySSLSocketFactory.java

10. *About Fundación Dr. Manuel Sadosky*

The Dr. Manuel Sadosky Foundation is a mixed (public / private) institution whose goal is to promote stronger and closer interaction between industry and the scientific-technological system in all aspects related to Information and Communications Technology (ICT). The Foundation was formally created by a Presidential Decree in 2009. Its Chairman is the Minister of Science, Technology, and Productive Innovation of Argentina, and the Vice-chairmen are the chairmen of the country's most important ICT chambers: the Software and Computer Services Chamber (CESSI) and the Argentine Computing and Telecommunications Chamber (CICOMRA). For more information visit: http://www.fundacionsadosky.org.ar

11.
*Copyright Notice*

The contents of this advisory are copyright (c) 2014 Fundación Sadosky and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License: http://creativecommons.org/licenses/by-nc-sa/4.0/
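To illustrate the defect described in section 7, and why the vendor's first patch in the timeline (swapping only the hostname verifier) could not fix it, the following is an added example and not code from the Prey project: an accept-all X509TrustManager in the style the advisory describes, beside a hardened factory that delegates chain validation to the platform trust store. It assumes Apache HttpClient 4.1 or later (for the SSLSocketFactory(SSLContext) constructor); the class and method names below are this example's own.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.ssl.SSLSocketFactory;

// Example code (not the Prey project's own); names are this example's assumptions.
public final class PreyTlsExample {

    // VULNERABLE pattern: a trust manager whose check methods never throw, so
    // every presented chain (self-signed, expired, wrong CA) is accepted.
    static TrustManager acceptAllTrustManager() {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    static SSLSocketFactory vulnerableFactory() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { acceptAllTrustManager() }, null);
        SSLSocketFactory sf = new SSLSocketFactory(ctx);
        // Hostname matching is disabled as well. Note that switching this line to
        // STRICT_HOSTNAME_VERIFIER alone (the vendor's first patch) still leaves
        // chain validation empty: a forged certificate for the right hostname passes.
        sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        return sf;
    }

    // HARDENED: chain validation is delegated to the default trust managers,
    // which check the chain against the system CA store; hostname matching is strict.
    static SSLSocketFactory hardenedFactory() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null selects the platform's CA trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLSocketFactory sf = new SSLSocketFactory(ctx);
        sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        return sf;
    }
}
```

When reviewing a client like this, check both halves: a non-empty checkServerTrusted (or the platform default) and a strict hostname verifier; either one alone leaves the connection open to impersonation.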