I’ve been a Fitbit user for a few months now, and really love the product. Recently, I had been reading about Android apps that don’t do a great job of protecting user information on the device itself. Many Android apps store sensitive information in plain text, and rely on the Linux sandbox model to protect that information. The sandbox model works well, until the device is rooted, which allows access to all of the previously secured sandboxes.
I’ve been looking at the data stored by various apps on my rooted Galaxy S3 using Root Explorer looking for apps that fail to protect sensitive information. During one of these exercises, I discovered that the Fitbit Android app falls into this category.
In the application sandbox’s files directory, is a file called login_credentials.json. Inside this file are my Fitbit username and password in clear text:
If a user chooses to use the same password for the Fitbit.com service as other services (such as a bank account), the disclosure of the Fitbit.com password could be very detrimental to them. Of course, I’m able to see this information easily because my phone is rooted. On a non-rooted device, the application sandbox security model prevents other apps from seeing this data. However, there have been attacks on Android devices where malware first obtains root, and then uses root to enable other malicious behavior. If someone was determined enough, they could craft a similar malware bot that could first obtain root access and then discover other passwords on the system stored as plain text. If a thief steals an Android device, they could root the device and harvest passwords on the system.
I first disclosed this issue to Fitbit a few weeks ago, and after a few days they notified me that they were addressing the issue. Another day or two goes by, and the new update was already available in the Google Play store. After seeing the new update, I launched the app, and then Root Explorer to see if the this issue was fixed. In the new version, the login_credentials.json file was gone, and instead replaced with a file called authinfo_credentials.json.
This file contains what appears to be a base64-encoded encrypted blob, which likely contains my username/password. By encrypting my credentials, this fix prevents the scenario’s that I listed above.
Fitbit doesn’t list a security-related email address on their page for reporting these kind of issues. I had to open a trouble-ticket with support, and quickly had it escalated, in order to disclose this vulnerability. On the positive side, I was impressed that Fitbit took this issue seriously, and issued a fix within a week of my report. I continue to be a fan of their products, and am glad to see that they care about user security.
Also published on Medium.