2013-05-28
HTC's E-Mail Client Fails to verify Server Certificates
We decided not to release an official advisory, but to write this short and hopefully entertaining blogpost about a stupid, but severe bug we recently discovered.Severity: medium to high
Vendor: HTC
Products we known to be affected:
- Mail Version 5.2.2222282614.528614.528614 on an HTC One SV with Android 4.0.4, HTC Sense 4.1, HTC SDK API 4.25
- Mail Version 5.5.550363 running on an HTC One X with Android 4.1.1, HTC Sense 4+ HTC SDK API 4.63
Short Summary
modzero identified a vulnerability in HTC's default mail client. If the user chooses encrypted and authenticated communication to a mail server, the application does not verify the server's certificate and automatically accepts any certificate without asking or warning the user. Thus, an attacker is able to intercept a user's credential and e-mails, especially in rogue access point scenarios.Whole Story
While analyzing a wireless infrastructure, we were testing station behaviour regarding rogue access-points. Using airbase-ng and some metasploit capture server modules, the set-up was painless and straight forward.YEP, it works as expected; the phone connects to the rogue
network and tries to pull the e-mails from the SSL protected POP3
or IMAP servers. The iPhone did properly show a certificate
warning, because it could not verify the certificate while trying
to get the e-mails. Lets check how the other phones behave.
Booom - a username and password was captured!
Wait a second? SSL was enabled on all the configs right? Let's
check the config the HTC ONE X android phone again? YEP,SSL
enabled -maybe something is broken or someone had accept the
certificate already or ... whatever ... So we setup another fake
e-mail account and gave it a go.
Again, the password showed up and no certificate warning was
visible on the HTC ONE X e-mail client at all. This happens for POP
and IMAP accounts.
Great!Everyone can man-in-the-middle your apparently SSL
protected e-mail communication. FSCK ... impossible ...
Lets compare the available settings of a HTC Android phone and a
regular android phone:
| Other Android E-Mail Client | HTC E-Mail Client |
 |
 |
Did the guys at HTC wanted to make the user experience better? More options might just confuse their users? In fact the "SSL" setting on the HTC e-mail client does behave like the "SSL accept allcertificates" setting on other Android e-mail clients.
Using SSL is completely pointless, if you don't verify the
certificates at all.
We did not even bother to check what they precisely messed up in the E-Mail client code. HTC, please go and fix it. This is plain stupid. Other versions might be affected as well. Feel free to e-mail us regarding other affected versions.
Credits:
- Max Moser
- Martin Schobert