Advisory: Arro and Other Android Taxi Hailing Apps Did Not Use SSL

Overview

Arro and possibly over 100 other Android taxi hailing apps did not SSL to secure communications between the application and its servers.

Background

Arro is a taxi hailing service allowing users to hail yellow taxis in New York from their smartphones. The service also allows users to pay for their ride via the application while they are in a taxi. The underlying technology is a white branded version of an application called Taxi Hail, made by a company called Mobile Knowledge, in Ottawa, Canada, a subsidiary of Creative Mobile Technologies, LLC (CMT) of New York, NY. Both are providers of technology solutions for the taxi industry. At least 100 other white branded taxi applications run on the same platform as Arro, with a link to a non-exhaustive list appearing later in this document.

Details

While monitoring network traffic from an Android smartphone, we observed that most communications between the Arro Android application and servers was unencrypted and did not use SSL. Instead, regular HTTP calls were being used. Further investigation showed that the underlying application and servers were a white branded version of TaxiHail, developed by Mobile Knowledge.

Information observed included:

  • Username and passwords for the users of the application
  • User profile including address and phone number
  • Credentials for various APIs and payment gateways used by the application
  • Latitude and longitude of the user requesting a taxi
  • Last four digits and expiration date of the user’s credit cards on file
  • When adding a new credit card — full credit card information

Payments were made via a separate gateway that uses SSL and were not at risk. However, adding credit cards would be done without SSL.

A secondary minor issue was also discovered:

The GoArro app created a text log on the SD Card of the device being tested. This log, located in “/TaxiHail/errorlog.txt” contained GPS locations for the user, which would accessible to applications on the same phone without location access. This issue has also been fixed.

References

Arro website: https://www.goarro.com/
CERT/CC ID: VU# 439016
CMT website: http://creativemobiletech.com/
List of white branded apps: https://play.google.com/store/search?q=com.apcurium.MK&c=apps&hl=en
TaxiHail website: http://www.mobile-knowledge.com/products/passenger-solutions/taxihail/

Credits

This has been originally discovered and written by Yakov Shafranovich via collaboration with Shaftek Enterprises Security Research Team. Thank you to Garret Wasserman of CERT/CC for helping to communicate with the vendors.

Timeline

2015–10–14: Arro notified
2015–10–14: Initial vendor response
2015–10–15: Followup communications to Arro, no response
2015–10–20: CERT/CC notified
2015–10–23: CERT/CC response
2015–11–06: Mobile Knowledge acknowledged the problem via CERT/CC
2015–11–30: Fix deployed by vendor
2015–12–01: Fix confirmed
2015–12–08: Public disclosure, coordinated with CERT/CC

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s