Outlook.com For Android Failed Validation

2014.08.19
Credit: Yorick Koster
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

------------------------------------------------------------------------
Outlook.com for Android fails to validate server certificates
------------------------------------------------------------------------
Yorick Koster, April 2014

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Outlook.com for Android's WebView contains an insecure SSL error handler that ignores any certificate validation errors. Due to this, it is possible to perform a man-in-the-middle attack against this app. The vulnerable component is used to log into outlook.com. A successful attack allows sniffing of login credentials (user name & password).

Demonstration: http://vimeo.com/101999863

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was found in Outlook.com for Android version 7.8.2.12.49.2176 and version 7.8.2.12.49.6434.

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
- CVE-2014-5239 [2]
- JVNDB-2014-000086 [3] Outlook.com for Android contains an issue where it fails to verify SSL server certificates

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
A new version (7.8.2.12.49.7090) of Outlook.com for Android was released in which the affected SSL error handler is no longer present. The latest version of Outlook.com for Android can be obtained from Google Play [4].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
When logging into outlook.com, Outlook.com for Android will load login.live.com in a WebView. This WebView has implemented a custom SSL error handler [5], which basically ignores any certificate validation errors.

------------------------------------------------------------------------
Insecure error handler
------------------------------------------------------------------------
The affected SSL error handler can be found in the AuthorizationWebViewClient inner class of com.microsoft.live.AuthorizationRequest$OAuthDialog. The relevant code is listed below.

    public void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler, SslError paramSslError)
    {
        AuthorizationRequest.OAuthDialog.this.setLiveSdkProvProgressStatus(false);
        paramSslErrorHandler.proceed();
    }

As can be seen in this listing, the method gets an SslErrorHandler instance named paramSslErrorHandler. The handler calls proceed() [6], which will ignore any certificate error, and the connection will be created. Due to this, any invalid certificate will also be accepted, even the attacker's certificate, rendering the app vulnerable to man-in-the-middle attacks. Since this issue exists within a login component, it is possible to steal Microsoft account login credentials, which is usually an Outlook.com email address and password.

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] http://www.securify.nl/advisory/SFY20140403/outlook_com_for_android_fails_to_validate_server_certificates.html
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5239
[3] http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000086.html
[4] https://play.google.com/store/apps/details?id=com.outlook.Z7
[5] http://developer.android.com/reference/android/webkit/WebViewClient.html#onReceivedSslError%28android.webkit.WebView,%20android.webkit.SslErrorHandler,%20android.net.http.SslError%29
[6] http://developer.android.com/reference/android/webkit/SslErrorHandler.html#proceed%28%29


Copyright 2024, cxsecurity.com
