Zero-encryption zero-day – Android fitness app caught sending data in clear text


VeryFitPro flaw decidedly unhealthy for user privacy

Android fitness app faulted for transmitting user data without encryption

An Android fitness app with nearly 70,000 active users is transmitting sensitive information in clear text, potentially exposing passwords and other sensitive data to anyone able to observe the traffic.

The as-yet unresolved flaw in VeryFitPro was discovered by security researchers at Trovent.

Trovent’s team discovered that the VeryFitPro mobile application performs all communication with the backend API via cleartext HTTP.

All manner of sensitive information including login, registration, and password change requests are open to eavesdropping and interception because of this lack of encryption, Trovent warns.

No response

Trovent contacted the developers of the app repeatedly after discovering the issue in May, but without success.

After failing to get a response, Trovent went public with its findings in a technical blog post.

The post includes evidence of the issue, namely a TCP packet capture showing a login request carrying the username and a password hash in clear text.


The Daily Swig attempted to contact Shenzhen DO Intelligent Technology – the China-based developer of VeryFitPro – for comment, so far without success. We’ll update this story as and when more information comes to hand.

In the absence of a security update, Trovent recommends only using HTTPS when sending sensitive data to and from the application.
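On Android, the platform-level way to enforce that recommendation is a Network Security Configuration that denies cleartext traffic app-wide, so a stray http:// URL fails at connection time instead of silently leaking credentials. The following is an added illustration of that configuration, not code from VeryFitPro or from Trovent’s write-up; the file name and the sample manifest attributes are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (assumed file name) -->
<network-security-config>
    <!-- Weak posture, for contrast: the app relied on the default, which on older
         API levels allows plain HTTP, equivalent to
         android:usesCleartextTraffic="true" in the manifest. -->

    <!-- Hardened posture: refuse every plain-HTTP connection the app attempts.
         HttpURLConnection, OkHttp and WebView all honour this flag, so a login or
         password-change request sent to an http:// endpoint is rejected locally
         rather than transmitted unencrypted. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the device's system CA store for the HTTPS connections. -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>

<!-- AndroidManifest.xml: point the <application> element at the file above.
     (Attribute values other than networkSecurityConfig are placeholders.)
<application
    android:label="@string/app_name"
    android:networkSecurityConfig="@xml/network_security_config">
    ...
</application>
-->
```

This only stops the client from speaking HTTP; the backend API still has to serve the same endpoints over TLS for the app to keep working.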

The Daily Swig contacted Germany-based Trovent for additional comment and on what advice it had for mainstream users of the app, but we’re yet to hear back.
