
Fitbit Android App and Password Security Issue

I’ve been a Fitbit user for a few months now, and really love the product.  Recently, I had been reading about Android apps that don’t do a great job of protecting user information on the device itself.  Many Android apps store sensitive information in plain text, and rely on the Linux sandbox model to protect that information.  The sandbox model works well, until the device is rooted, which allows access to all of the previously secured sandboxes.

I’ve been looking at the data stored by various apps on my rooted Galaxy S3 using Root Explorer looking for apps that fail to protect sensitive information.  During one of these exercises, I discovered that the Fitbit Android app falls into this category.

In the application sandbox’s files directory is a file called login_credentials.json.  Inside this file are my Fitbit username and password in clear text:

{"password":"<my password>","login":"xxxx.yyyy@gmail.com"}

If a user chooses to use the same password for the Fitbit.com service as for other services (such as a bank account), the disclosure of the Fitbit.com password could be very detrimental to them.  Of course, I’m able to see this information easily because my phone is rooted.  On a non-rooted device, the application sandbox security model prevents other apps from seeing this data.  However, there have been attacks on Android devices where malware first obtains root, and then uses root to enable other malicious behavior.  If someone were determined enough, they could craft similar malware that first obtains root access and then discovers other passwords stored on the system as plain text.  If a thief steals an Android device, they could root the device and harvest the passwords stored on it.

I first disclosed this issue to Fitbit a few weeks ago, and after a few days they notified me that they were addressing the issue.  Another day or two went by, and the new update was already available in the Google Play store.  After seeing the new update, I launched the app, and then Root Explorer, to see if this issue was fixed.  In the new version, the login_credentials.json file was gone, replaced by a file called authinfo_credentials.json.

Root Explorer viewing the Fitbit Android app sandbox.

This file contains what appears to be a base64-encoded encrypted blob, which likely contains my username/password.  By encrypting my credentials, this fix prevents the scenarios that I listed above.
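As an added illustration (not the author’s code and not Fitbit’s), here is a small Python audit script that recreates the two files described above in a scratch directory and flags the one holding a clear-text password.  The file names and JSON keys follow the post; the values are constructed, and the assumption that the new file holds a bare base64 blob rather than JSON is mine.

```python
import base64
import json
import os
import tempfile

SECRET_KEYS = {"password", "passwd", "token", "secret"}

def classify_value(value):
    """'blob' for a long value that decodes as strict base64, else 'plaintext'."""
    # Heuristic only: a long password made purely of base64 characters also passes,
    # so read 'blob' as 'needs a closer look', not as proof of encryption.
    try:
        base64.b64decode(value, validate=True)
        return "blob" if len(value) >= 32 else "plaintext"
    except ValueError:  # non-base64 character or bad padding (binascii.Error)
        return "plaintext"

def audit_file(path):
    """Classify each string field of a JSON object file, or the whole file if not one."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read().strip()
    try:
        return [(k, classify_value(v)) for k, v in json.loads(text).items() if isinstance(v, str)]
    except (json.JSONDecodeError, AttributeError):  # not a JSON object
        return [("<file>", classify_value(text))]

def audit_dir(files_dir):
    """Audit every file in an app's private files directory, e.g. /data/data/<pkg>/files."""
    return {n: audit_file(os.path.join(files_dir, n)) for n in sorted(os.listdir(files_dir))}

def has_plaintext_secret(findings):
    """True if any password-like field is stored in the clear."""
    return any(k.lower() in SECRET_KEYS and c == "plaintext" for k, c in findings)

# Constructed stand-ins for the two files the post describes; the values are fake.
OLD_FILE = {"password": "<my password>", "login": "xxxx.yyyy@gmail.com"}
NEW_BLOB = base64.b64encode(bytes(range(48))).decode()  # placeholder for ciphertext

def demo():
    """Recreate both files in a scratch directory and return the audit report."""
    with tempfile.TemporaryDirectory() as files_dir:
        with open(os.path.join(files_dir, "login_credentials.json"), "w") as fh:
            json.dump(OLD_FILE, fh)
        with open(os.path.join(files_dir, "authinfo_credentials.json"), "w") as fh:
            fh.write(NEW_BLOB)
        return audit_dir(files_dir)

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "EXPOSED" if has_plaintext_secret(findings) else "ok", findings)
```

Pointing audit_dir() at a copy of a real app’s files directory pulled from a test device gives the same report for that app; a "blob" result only means the value is not readable as-is, not that the key protecting it is stored safely.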

Fitbit doesn’t list a security-related email address on their page for reporting these kinds of issues.  I had to open a trouble ticket with support, and quickly had it escalated, in order to disclose this vulnerability.  On the positive side, I was impressed that Fitbit took this issue seriously, and issued a fix within a week of my report.  I continue to be a fan of their products, and am glad to see that they care about user security.

photo by: Louish Pixel

Use REST Web services to share data across iOS and Android apps.

REST Web Services can be a great way to share data between iOS and Android mobile apps.  I recently answered a question on Quora about this topic.  Here’s my answer:

There are several different options here.  When you want to support multiple mobile platforms, creating a simple REST API is a good way to go.  SOAP-based protocols are going to be too complex, slow, and difficult to use from a mobile device.

It sounds like you already have the data being sent to a web server.  From there you will need to store the data in a SQL database, such as MySQL or PostgreSQL.  When you want users to see the other scores, you can implement a simple GET request on your same web service which would query the database, and return back the scores of the other users.

When submitting the score, your app can use this GET operation to read the other scores before submitting its own score.

Alternatively, if you need real-time scoring updates, you can use push notifications.  Both Apple and Google have push notification capabilities in their architecture, but this will add some complexity and server requirements.  If you don’t need real-time updates, I’d suggest each app just read the other scores from the leaderboard as needed.
