Mobile (in)Security Series: Application "Czech Public Transport IDOS" leaks your location, password & email address

SUMMARY

In this blog post we report vulnerabilities found in the "Czech Public Transport IDOS" mobile application developed by MAFRA, a.s. Our analysis of both the iOS and Android versions focused only on the network traffic the applications generate.

The issues found in the IDOS application version 2.6.0 for Android (cz.mafra.jizdnirady) were the following:

  • Improper certificate validation, which lets a man-in-the-middle attacker on the network path read the following:

    • The location of the user

    • The route suggestions that are displayed to the user

    • The route that the user chooses

    • Email and password when the user logs in or registers

    • The route displayed on the map

    • The operating system, phone version, manufacturer, language settings, screen resolution

    • Updates for the application

    • The unique user ID

  • The name and email address of a logged-in user are sent in plaintext (unencrypted HTTP) when the user opens the “Ticket sales support” option.

The IDOS application version 2.10.0 for iOS does not share the certificate validation issue; it is, however, affected by the plaintext “Ticket sales support” issue.

On May 13th, reports about both versions of the application were sent to the developers, together with assistance in fixing the issues. The new version 2.6.1 for Android, released on June 16th, fixes the certificate validation vulnerability.

ABOUT THE APPLICATION

The IDOS application is one of the most popular public transport applications in the Czech Republic. Its main functionality is to suggest routes, with details, from the user’s location to a chosen destination, combining train, bus and city public transport connections into the best options.

Figure 1 - Application “Czech Public Transport IDOS“ in the Google Play store. Source: Google Play Store, Date: 2019-06-06


According to Google Play, the application requests the following permissions upon installation:

  • Storage

    • modify or delete the contents of your USB storage

    • read the contents of your USB storage

  • Location

    • precise location (GPS and network-based)

    • approximate location (network-based)

  • Wi-Fi connection information

    • view Wi-Fi connections

  • Photos/Media/Files

    • modify or delete the contents of your USB storage

    • read the contents of your USB storage

  • Other

    • full network access

    • run at startup

    • view network connections

Location permission is also requested explicitly by both the iOS and the Android version.

INFORMATION LEAKED

Because the Android application does not validate the server certificate, an adversary in a position to intercept its traffic (for example on the same Wi-Fi network, or anywhere on the network path) can perform a man-in-the-middle attack and decrypt the connection. Validating a certificate means checking that it chains to a trusted certificate authority and that it was issued for the host the application is talking to; an application that skips these checks accepts any certificate, including one the attacker generated. The attacker can therefore terminate the TLS connection with their own certificate, read and modify the traffic, and forward it to the real server so the user notices nothing. As a result, the information described below is available to the attacker.

Updates

After launch, the application checks whether a new update is available and, if so, downloads it from the host “resources.crws.cz”. The traffic is shown in Figures 2 and 3. The request also reveals a unique user ID and details about the user’s device, such as the operating system, phone version, manufacturer, language settings, screen resolution, and more. Because the connection is not authenticated, the update response can be altered in transit as well as read.

Figure 2 - A request that checks for a new update. It contains information about the user and the application.


Figure 3 - A response to the request in Figure 2. It contains the update.


GPS Location, Origin And the Destination of a Route

When a user searches for a route, the application sends the search to the server “main.crws.cz”. If the Origin field is left at its default value, current location, the request contains the user’s exact GPS coordinates. The response contains the travel options offered to the user, and the option the user then selects is revealed as well.

Figure 4 - Details of a request to “main.crws.cz” after the user searches for a route from a current location to Praha hl.n. It reveals the origin and the destination of the user’s travel.


Figure 5 - A response to the request shown in Figure 4 revealing the routes suggested to the user


Login Credentials

When the user registers or logs in, the email address and password are sent in a request to “eshopws.crws.cz” and are readable by the attacker; the request is shown in Figure 6. This connection also carries the unique user ID and the same device information (operating system, phone version, manufacturer, language settings, screen resolution and more) that appears in the update request in Figure 2.

Figure 6 - A request with user’s credentials after the user tries to log in. It contains the email, password and other information.


Name And Email

When the user opens the “Ticket sales support” option, the application sends a plain HTTP request that reveals the user’s email address, name, language settings and other device details, as shown in Figure 7. The full content of the “Ticket sales support” tab is then downloaded over unencrypted HTTP as well. Unlike the issues above, this one does not require breaking TLS: any passive observer on the network path can read it, which is why the iOS version is affected too.

Figure 7 - A request revealing user’s name and email after choosing the “Ticket sales support request” in the application. It also reveals language settings among other information about the device.

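The analysis above comes down to looking at each intercepted request and asking two questions: who can read it (anyone, for plain HTTP; only a man-in-the-middle, and only if the client skips certificate validation, for HTTPS), and which sensitive fields it carries. The following added example (not the researchers' own tooling) encodes that triage as a small script that can also be loaded as a mitmproxy addon. The host names are the ones named in this post; the URL paths, field names, the support host and the sample capture are constructed for illustration and are not taken from the application's real traffic.

```python
"""Triage intercepted requests for the kinds of data this post reports leaking.

Added example for this post, not the researchers' tooling. Host names come
from the post; paths, field names and the sample capture are constructed.
"""
import logging
import re
from urllib.parse import parse_qsl, urlsplit

# Hosts named in the post.
WATCHED_HOSTS = {"resources.crws.cz", "main.crws.cz", "eshopws.crws.cz"}

# Field-name patterns per category (assumed; adjust to the app under test).
SENSITIVE_PATTERNS = {
    "credential": re.compile(r"pass|pwd|secret|token", re.I),
    "identity": re.compile(r"mail|user|name|login", re.I),
    "location": re.compile(r"lat|lon|lng|gps|coord", re.I),
}


def classify_fields(fields):
    """Return {category: [field names]} for the given (key, value) pairs."""
    hits = {}
    for key, _value in fields:
        for category, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(key):
                hits.setdefault(category, []).append(key)
    return hits


def triage(url, body=b""):
    """Describe one request: who can read it and which sensitive fields it carries."""
    parts = urlsplit(url)
    fields = parse_qsl(parts.query) + parse_qsl(body.decode("utf-8", "replace"))
    if parts.scheme == "http":
        readable_by = "anyone on the network path (plaintext HTTP)"
    else:
        readable_by = "a MITM, only if the client skips certificate validation"
    return {
        "host": parts.hostname,
        "watched": parts.hostname in WATCHED_HOSTS,
        "readable_by": readable_by,
        "fields": classify_fields(fields),
    }


def report(capture):
    """Run triage over (url, body) pairs and keep the requests with findings."""
    findings = []
    for url, body in capture:
        result = triage(url, body)
        if result["fields"]:
            findings.append(result)
    return findings


def request(flow):
    """mitmproxy addon hook: `mitmproxy -s <this file>` (assumed usage)."""
    finding = triage(flow.request.url, flow.request.raw_content or b"")
    if finding["fields"]:
        logging.warning("leak candidate: %s", finding)


# Constructed sample capture mirroring the four request types in the post.
SAMPLE_CAPTURE = [
    ("https://eshopws.crws.cz/login",
     b"email=jan%40example.cz&password=hunter2&os=Android"),
    ("https://main.crws.cz/route?lat=50.0755&lon=14.4378&to=Praha%20hl.n.", b""),
    ("http://support.example.invalid/ticket?email=jan%40example.cz&name=Jan&lang=cs",
     b""),
    ("https://resources.crws.cz/update?ver=2.6.0", b""),
]


if __name__ == "__main__":
    for finding in report(SAMPLE_CAPTURE):
        print(finding)
```

On the constructed capture the login, route and support requests are reported and the update check is not, because only its device fields would need a fourth pattern; what the triage cannot tell from a single request is whether the HTTPS entries are actually exposed, which is exactly the certificate validation check the previous section covers.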

CONCLUSION

Because the Android application does not validate server certificates, sensitive data such as the user’s location, the chosen route, and the email address and password can be read by a man-in-the-middle attacker. Furthermore, both the iOS and the Android version download everything behind the “Ticket sales support” option unencrypted, which leaks the user’s name, email address and language settings to anyone on the network path.

Since the attacker terminates the connection, the leaked data can be modified as well as read, which makes injecting malicious content straightforward. An attacker can therefore not only see where a user is travelling from and to, but also alter the route suggestions and send the user somewhere else, and can just as easily tamper with the files the application downloads after the user opens the “Ticket sales support” option.

If you are an individual at risk because of the type of work you do, or the people you help, it is important to understand that even a tiny piece of leaked data may put you at risk. We recommend uninstalling the IDOS app until it is updated to a version that completely fixes all of these problems. In the meantime, other applications may be used, such as Google Maps, which properly encrypts the content sent to and from the phone.

Stay safe.