Original:
http://securityresearch.shaftek.biz/2015/12/goarro-and-other-taxi-hailing-apps-did-not-use-ssl.html

CERT Advisory:
https://www.kb.cert.org/vuls/id/439016

Advisory: Arro and Other Android Taxi Hailing Apps Did Not Use SSL (Mobile Knowledge)

Overview
Arro and possibly over 100 other Android taxi hailing apps did not SSL to secure communications between the application and its servers.

Background
Arro is a taxi hailing service allowing users to hail yellow taxis in New York from their smartphones. The service also allows users to pay for their ride via the application while they are in a taxi. The underlying technology is a white branded version of an application called Taxi Hail, made by a company called Mobile Knowledge, in Ottawa, Canada, a subsidiary of Creative Mobile Technologies, LLC (CMT) of New York, NY. Both are providers of technology solutions for the taxi industry. At least 100 other white branded taxi applications run on the same platform as Arro, with a link to a non-exhaustive list appearing later in this document.

Details
While monitoring network traffic from an Android smartphone, we observed that most communications between the Arro Android application and servers was unencrypted and did not use SSL. Instead, regular HTTP calls were being used. Further investigation showed that the underlying application and servers were a white branded version of TaxiHail, developed by Mobile Knowledge.

Information observed included:
Username and passwords for the users of the application
User profile including address and phone number
Credentials for various APIs and payment gateways used by the application
Latitude and longitude of the user requesting a taxi
Last four digits and expiration date of the user's credit cards on file
When adding a new credit card - full credit card information
Payments were made via a separate gateway that uses SSL and were not at risk. However, adding credit cards would be done without SSL. 

A secondary minor issue was also discovered. The GoArro app created a text log on the SD Card of the device being tested. This log, located in "/TaxiHail/errorlog.txt" contained GPS locations for the user, which would accessible to applications on the same phone without location access. This issue has also been fixed.


References
Arro website: https://www.goarro.com/ 
CERT/CC ID: VU# 439016

CMT website: http://creativemobiletech.com/
List of white branded apps: https://play.google.com/store/search?q=com.apcurium.MK&c=apps&hl=en
TaxiHail website: http://www.mobile-knowledge.com/products/passenger-solutions/taxihail/

Credits
Thank you to Garret Wasserman of CERT/CC for helping to communicate with the vendors.

Timeline
2015-10-14: Arro notified
2015-10-14: Initial vendor response
2015-10-15: Followup communications to Arro, no response
2015-10-20: CERT/CC notified
2015-10-23: CERT/CC response
2015-11-06: Mobile Knowledge acknowledged the problem via CERT/CC
2015-11-30: Fix deployed by vendor
2015-12-01: Fix confirmed
2015-12-08: Public disclosure, coordinated with CERT/CC

Version Information
Version 3
Last updated on 2015-12-07