HTC's E-Mail Client Fails to verify Server Certificates

We decided not to release an official advisory, but to write this short and hopefully entertaining blogpost about a stupid, but severe bug we recently discovered.

Severity: medium to high
Vendor: HTC
Products we known to be affected:

  • Mail Version 5.2.2222282614.528614.528614 on an HTC One SV with Android 4.0.4, HTC Sense 4.1, HTC SDK API 4.25
  • Mail Version 5.5.550363 running on an HTC One X with Android 4.1.1, HTC Sense 4+ HTC SDK API 4.63

Short Summary

modzero identified a vulnerability in HTC's default mail client. If the user chooses encrypted and authenticated communication to a mail server, the application does not verify the server's certificate and automatically accepts any certificate without asking or warning the user. Thus, an attacker is able to intercept a user's credential and e-mails, especially in rogue access point scenarios.

Whole Story

While analyzing a wireless infrastructure, we were testing station behaviour regarding rogue access-points. Using airbase-ng and some metasploit capture server modules, the set-up was painless and straight forward.

YEP, it works as expected; the phone connects to the rogue network and tries to pull the e-mails from the SSL protected POP3 or IMAP servers. The iPhone did properly show a certificate warning, because it could not verify the certificate while trying to get the e-mails. Lets check how the other phones behave. Booom - a username and password was captured!

Wait a second? SSL was enabled on all the configs right? Let's check the config the HTC ONE X android phone again? YEP,SSL enabled -maybe something is broken or someone had accept the certificate already or ... whatever ... So we setup another fake e-mail account and gave it a go.

Again, the password showed up and no certificate warning was visible on the HTC ONE X e-mail client at all. This happens for POP and IMAP accounts.

Great!Everyone can man-in-the-middle your apparently SSL protected e-mail communication. FSCK ... impossible ...

Lets compare the available settings of a HTC Android phone and a regular android phone:

Other Android E-Mail Client HTC E-Mail Client

Did the guys at HTC wanted to make the user experience better? More options might just confuse their users? In fact the "SSL" setting on the HTC e-mail client does behave like the "SSL accept allcertificates" setting on other Android e-mail clients.

Using SSL is completely pointless, if you don't verify the certificates at all.

We did not even bother to check what they precisely messed up in the E-Mail client code. HTC, please go and fix it. This is plain stupid. Other versions might be affected as well. Feel free to e-mail us regarding other affected versions.

  • Max Moser
  • Martin Schobert

Posted by modzero | Permanent link | File under: rant, crypto