VeryFitPro flaw decidedly unhealthy for user privacy
UPDATED An Android fitness app with nearly 10 million downloads is transmitting sensitive information in clear text, potentially leaving passwords and other sensitive data exposed as a result.
The as-yet unresolved flaw in VeryFitPro was discovered by security researchers at Trovent.
Trovent’s team discovered that the VeryFitPro mobile application performs all communication with the backend API via cleartext HTTP.
All manner of sensitive information including login, registration, and password change requests are open to eavesdropping and interception because of this lack of encryption, Trovent warns.
No response
Trovent contacted the developers of the app repeatedly but without success after discovering the issue in May.
After failing to get a response, Trovent went public with its findings in a technical blog post.
The post includes evidence of the issues with the app, namely a TCP packet capture showing a login request including password hash and username in clear text.
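One way to check a capture for this kind of exposure is sketched below. It is an added example, not code from Trovent's post or from the app. The field names, host, path and hash value are constructed placeholders, and `over_tls` is assumed to come from the capture tool.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Assumed credential-like field names; the article does not list the app's real ones.
SENSITIVE = {"password", "passwd", "pwd", "pass", "token", "username", "email"}

def _field_names(target, content_type, body):
    """Collect parameter names from the query string and the request body."""
    names = [k for k, _ in parse_qsl(urlsplit(target).query)]
    if "json" in content_type:
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None
        stack = [doc]
        while stack:  # walk nested JSON objects and lists
            node = stack.pop()
            if isinstance(node, dict):
                names.extend(node.keys())
                stack.extend(node.values())
            elif isinstance(node, list):
                stack.extend(node)
    elif "x-www-form-urlencoded" in content_type:
        names.extend(k for k, _ in parse_qsl(body))
    return names

def audit_request(raw, over_tls):
    """Return the sorted sensitive field names sent without TLS, else []."""
    if over_tls:
        return []
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    names = _field_names(target, headers.get("content-type", "").lower(), body)
    return sorted({n.lower() for n in names if n.lower() in SENSITIVE})

# Constructed sample; host, path and fields are placeholders, not the app's real API.
SAMPLE = (
    "POST /user/login HTTP/1.1\r\n"
    "Host: api.example.invalid\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"username": "alice@example.invalid", "password": "00000000000000000000000000000000"}'
)
if __name__ == "__main__":
    print(audit_request(SAMPLE, over_tls=False))
```

A non-empty result means the request exposed those fields to anyone on the network path, whether or not the password was hashed first.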
The Daily Swig attempted to contact Shenzhen DO Intelligent Technology – the China-based developers of VeryFitPro – for comment, so far without success. We’ll update this story as and when more information comes to hand.
In the absence of a security update, Trovent recommends only using HTTPS when sending sensitive data to and from the application.
A representative of Germany-based Trovent told The Daily Swig that issues with VeryFitPro were indicative of lax security practices in the wider wearables market.
"During our ongoing security research process we are looking for security and data privacy issues in health apps and devices (wearables)," Stefan Pietsch, team lead penetration testing at Trovent, explained. "There is a whole bunch of applications that handle valuable health data and from our experience security standards are not met or don't receive sufficient attention during the development (and software maintenance) process."
The current (3.3.0) version of the Android app still sends the data via plain HTTP without encryption, Trovent confirmed on Tuesday.
This story has been updated to correct the number of downloads figure and to add comment from security researchers at Trovent