Mobile Defense Blog
Protect and Manage Your Mobile Life
UPDATE: We have received word from one of our enterprise partners that they have been in contact with Xelex, and they are working to resolve the MobileTrack vulnerabilities.
UPDATE: We have received notification from the United States Computer Emergency Readiness Team that this vulnerability note is now live. US-CERT assigned the following CVEs (Common Vulnerabilities and Exposures) to the vulnerabilities our Threat Research Team discovered: CVE-2012-2562 (lack of authentication for administrative SMS commands) and CVE-2012-2567 (information exposure on an insecure FTP account).
This advisory concerns the MobileTrack application (Google Play: http://play.google.com/store/apps/details?id=com.mobiletrack). MobileTrack™ is a real-time mobile application platform that empowers organizations and individuals through Mobile Resource Management solutions. During a recent routine security audit, the Mobile Defense Threat Research Team (TRT) found two security vulnerabilities in the MobileTrack application.
MobileTrack’s current scheme for storing data is insecure and makes user data publicly available. The application also accepts remote-control commands via SMS. MobileTrack stores its users’ data on a Xelex FTP server. The user’s data is sent in plain text (that is, unencrypted) over HTTP or FTP from the user’s device to Xelex’s servers. The credentials for the FTP server are the same for every user and are hard-coded into the application.
Additionally, commands can be sent to the app via SMS. There is no password, and no attempt is made to verify the sender’s number, so anybody can send commands to the device. The command strings can be found both in assets/strings.xml and in the normal Android strings.xml.
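To make the SMS vector concrete, here is an added example, not MobileTrack’s code and not from Xelex, that models the weak handler described above beside a hardened one. The hardened handler requires the sender to be on an allowlist, an HMAC-SHA256 tag under a per-device secret, and a strictly increasing counter so that a previously seen message is not accepted twice. The logic is framework-independent, so it is written in Python rather than as an Android receiver; the command names, phone numbers, secret and the CMD|counter|mac message format are constructed placeholders for this example, not values from the application.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed placeholder command set for the demonstration; these are not
# MobileTrack's real command strings (the advisory does not list them).
COMMANDS = {"LOCATE", "LOCK", "WIPE"}


def handle_unauthenticated(body: str, sender: str) -> Optional[str]:
    """Model of the weak scheme: the sender is ignored and any SMS whose
    body matches a known command is executed."""
    cmd = body.strip().upper()
    return cmd if cmd in COMMANDS else None


def build_authenticated_command(secret: bytes, cmd: str, counter: int) -> str:
    """Owner side of the hardened scheme (assumed format):
    CMD|counter|hex(HMAC-SHA256(secret, "CMD|counter"))."""
    tag = hmac.new(secret, f"{cmd}|{counter}".encode(), hashlib.sha256).hexdigest()
    return f"{cmd}|{counter}|{tag}"


class AuthenticatedSmsHandler:
    """Device side of the hardened scheme."""

    def __init__(self, secret: bytes, allowed_senders: Iterable[str]) -> None:
        self.secret = secret
        self.allowed_senders = set(allowed_senders)
        self.last_counter = 0  # highest counter accepted so far

    def handle(self, body: str, sender: str) -> Optional[str]:
        # Check 1: sender allowlist. A cheap filter, but not sufficient on its
        # own, because the originating number of an SMS is not authenticated
        # by the network; the MAC below is what actually carries the
        # authentication.
        if sender not in self.allowed_senders:
            return None
        parts = body.strip().split("|")
        if len(parts) != 3:
            return None
        cmd, counter_text, tag = parts
        if cmd not in COMMANDS or not counter_text.isdigit():
            return None
        counter = int(counter_text)
        # Check 2: the counter must strictly increase, so a message that was
        # already accepted (or an older one) is rejected.
        if counter <= self.last_counter:
            return None
        # Check 3: HMAC over command and counter under the per-device secret,
        # compared in constant time.
        expected = hmac.new(self.secret, f"{cmd}|{counter}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        self.last_counter = counter
        return cmd


if __name__ == "__main__":
    secret = b"constructed-per-device-secret"  # constructed; provisioned at enrollment in practice
    owner, stranger = "+15550100", "+15550199"  # constructed sample numbers
    handler = AuthenticatedSmsHandler(secret, [owner])
    print("weak scheme, unknown sender:", handle_unauthenticated("LOCATE", stranger))
    print("hardened, unknown sender:   ", handler.handle("LOCATE", stranger))
    msg = build_authenticated_command(secret, "LOCATE", 1)
    print("hardened, owner, fresh:     ", handler.handle(msg, owner))
    print("hardened, owner, repeated:  ", handler.handle(msg, owner))
```

In a real deployment the per-device secret would be provisioned when the device is enrolled (never hard-coded in the APK, for the same reason the shared FTP credentials are a problem), and the counter would be persisted across restarts so the replay check survives a reboot.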
Both of these vulnerabilities were discovered in MobileTrack 2.1.4. It appears the latest version (2.3.7) contains the same vulnerabilities.
Mobile Defense attempted to contact Xelex on February 16, 2012 and notified US-CERT. One of our enterprise partners reached out to the Xelex Development Team on April 23, 2012. Xelex has yet to respond or resolve the issues.
MobileTrack does not use a password or validate the author of each SMS command, so any person who sends a text message with the correct body can control the device. Additionally, the credentials can be trivially extracted from the application, giving anyone full access to every MobileTrack user’s data.
We are currently unaware of a practical solution to this problem. Mobile Defense recommends that users do not use MobileTrack until the developer releases a fix. As soon as Mobile Defense is made aware of a fix, we will update this advisory.