Tag Archives: android security problems

Fitbit Android App and Password Security Issue

Android 3.0 047/365I’ve been a Fitbit user for a few months now, and really love the product.  Recently, I had been reading about Android apps that don’t do a great job of protecting user information on the device itself.  Many Android apps store sensitive information in plain text, and rely on the Linux sandbox model to protect that information.  The sandbox model works well, until the device is rooted, which allows access to all of the previously secured sandboxes.

I’ve been looking at the data stored by various apps on my rooted Galaxy S3 using Root Explorer looking for apps that fail to protect sensitive information.  During one of these exercises, I discovered that the Fitbit Android app falls into this category.

In the application sandbox’s files directory, is a file called login_credentials.json.  Inside this file are my Fitbit username and password in clear text:

{“password”=”<my password>”,”login”:”[email protected]”}

If a user chooses to use the same password for the Fitbit.com service as other services (such as a bank account), the disclosure of the Fitbit.com password could be very detrimental to them.  Of course, I’m able to see this information easily because my phone is rooted.  On a non-rooted device, the application sandbox security model prevents other apps from seeing this data.  However, there have been attacks on Android devices where malware first obtains root, and then uses root to enable other malicious behavior.  If someone was determined enough, they could craft a similar malware bot that could first obtain root access and then discover other passwords on the system stored as plain text.  If a thief steals an Android device, they could root the device and harvest passwords on the system.

I first disclosed this issue to Fitbit a few weeks ago, and after a few days they notified me that they were addressing the issue.  Another day or two goes by, and the new update was already available in the Google Play store.  After seeing the new update, I launched the app, and then Root Explorer to see if the this issue was fixed.  In the new version, the login_credentials.json file was gone, and instead replaced with a file called authinfo_credentials.json.  

Root Explorer viewing the Fitbit Android app sandbox.

Root Explorer viewing the Fitbit Android app sandbox.

This file contains what appears to be a base64-encoded encrypted blob,  which likely contains my username/password.  By encrypting my credentials, this fix prevents the scenario’s that I listed above.

Fitbit doesn’t list a security-related email address on their page for reporting these kind of issues.  I had to open a trouble-ticket with support, and quickly had it escalated, in order to disclose this vulnerability.  On the positive side, I was impressed that Fitbit took this issue seriously, and issued a fix within a week of my report.  I continue to be a fan of their products, and am glad to see that they care about user security.

Securing your app’s data on Android

Great article by SecureState’s Brandon Knight on Mobile App Security.

Securing your data is a common Android security problem.  During my development of Android apps, I’ve noticed lots of information being stored in unprotected areas of the filesystem, such as the /sdcard/Android/data folder.  For example, any file you view or cache offline from Dropbox is stored in /sdcard/Android/data/com.dropbox.android.  Given that Dropbox could be used for both personal and team-based uses, it’s easy to see that corporate data isn’t safe here either.

During the Android 2.2 days, many phones (such as my HTC EVO) had ~200MB available for apps (and storage), supplemented by micro SD.  There was no choice but to save information on the micro SD.  The newer Android phones ship with much more internal storage, meaning app developers can (and should) begin to more to saving data in the app sandbox instead of the public space.  It will take a long time before app developers change over to the new model.  In the meantime, users should be aware of what data is being stored on the micro SD and other public areas of the filesystem.