Advisory Title: mChek 3.4 Information Disclosure
Advisory ID: FSSA-2009-0401
Author: Gursev Kalra (gursev.kalra@foundstone.com)
Vendor Contact Date: 4/21/2009 (Vendor notified by email)
Release Date: 07/21/2009
Platform: Symbian OS 9.1, Series 60 v3.0. Other mobile platforms might behave in same way.
Severity: Low (Information Disclosure)
Vendor Status: Version 3.8 fixes this problem

Overview: mChek application stores Credit/Debit Card numbers and bank name without protection

Application: mChek 3.4 by http://www.mchek.com/ 
Platform: Symbian OS 9.1, Series 60 v3.0. Other mobile platforms might behave in same way.
Severity: Low

Details:
mChek is an E-commerce application which allows users to store multiple credit/debit cards in the phone and use them when required. mChek (Version 3.4) application stores multiple Credit Card numbers and corresponding bank account information to phone storage without protection. It also provides a feature to Link Bank Accounts to this application. mChek application writes all this information to a file on the phone file system. Upon inspection, it was observed that credit card number and corresponding bank name was written in cleartext to mobile phone storage.  It was also observed that after a credit card is deleted from mCheck’s user interface, the credit card number continues to exist in the phone file system. If the phone is lost/stolen or any other phone user is able to read phone’s file system, the stored credit/debit card numbers and Bank name can be compromised. 

Vendor Response: 
mChek Version 3.4 is an older version of the product. The current version is 3.8. In this version, cardnumber, bankname and phonenumber are not stored in clear text and using encrypted  storage. When the credit card information is deleted by the user, it’s deleted from the application DB as well but the behavior is not same in all phone make and models. We are providing enough protection to the sensitive data stored and the security is not dependent on the user ability to read the file system of the phone. 
Having said that, even in Version 3.4, only creditcard number and bank name were stored as cleartext. The risk was very low as it is not possible to make a transaction with cardnumber alone. All other sensitive data like exp date for example are encrypted and stored and encryption key never stored in mobile phone and making the information very secure.

Recommendation:
Upgrade to version 3.8 or above.

For questions and comments please send an email to:
research@foundstone.com

Foundstone Vulnerability Research Advisory Archive:
http://www.foundstone.com/research/advisories