[Original posted here: https://wwws.nightwatchcybersecurity.com/2017/05/17/advisory-google-io-2017-android-app/] SUMMARY Google I/O 2017 Application for Android does not use SSL for retrieving some information to populate the app. This would allow an MITM attacker to inject their own content into the application. The vendor (Google) fixed the issue in v5.1.4 of the application. DETAILS The Google I/O 2017 application for Android is a companion app produced by Google for their annual I/O conference that takes place in May. This particular version was produced for I/O conference in May of 2017. While performing network level testing of various Google applications, we discovered that the content for the application did not use SSL. This would allow an MITM attacker to inject their own content into the application using a method like ARP spoofing, DNS takeover, etc. To replicate the issue on v5.03: 1. Install the application 2. Setup the proxy without an SSL certificate and point the Android device to it. 3. Go to the application and select the "feed" option (middle icon on the bottom). 4. Go back to the proxy and observe captured traffic. [Screenshots are in the blog post] The specific URL was "http://storage.googleapis.com/io2017-festivus/manifest_v1.json" which then causes the device to download additional URLs. The following URLs are downloaded: - http://storage.googleapis.com/io2017-festivus/manifest_v1.json - http://storage.googleapis.com/io2017-festivus/blocks_v4.json - http://storage.googleapis.com/io2017-festivus/map_v4.json - http://storage.googleapis.com/io2017-festivus/session_v1.70.json This can also be seen in the source code of the I/O 2016 application on Github here (lines 42-43): https://github.com/google/iosched/blob/master/gradle.properties ---- # API manifest URLs. These URLs provide the data files to load to download data for the app. # When data needs to change the underlying data file is published as a new revision and the manifest # is updated with the new file name. staging_api_manifest_endpoint = https://storage.googleapis.com/io2016-bucket-dev/manifest_v1.json production_api_manifest_endpoint = http://storage.googleapis.com/io2016-festivus/manifest_v1.json ---- All testing was done on Android 7, Google I/O version 5.03. Network captures were performed using an on-device proxy (PacketCapture) without a trusted SSL certificate. PROOF OF CONCEPT All testing was done on Ubuntu v17.04 and Android 7: 1. Install nginx - "sudo apt-get install nginx". 2. Install dnsmasq - "sudo apt-get install dnsmasq" 3. Find out the IP address of your computer via ifconfig. 4. Add the IP address mapping to the hosts file: "192.168.1.x storage.googleapis.com" 5. Create and download the files from Google to the NGINX directory: - cd /var/www/html - mkdir io2017-festivus - cd io2017-festivus - wget http://storage.googleapis.com/io2017-festivus/manifest_v1.json - wget http://storage.googleapis.com/io2017-festivus/blocks_v4.json - wget http://storage.googleapis.com/io2017-festivus/map_v4.json - wget http://storage.googleapis.com/io2017-festivus/session_v1.70.json 6. Modify "blocks_v4.json" to add your content. 7. Install version 5.03 of the application on the Android device. 8. Change DNS on the device to point to the Ubuntu machine. 9. Open the app, skip sign in, and on the main screen choose the feed icon. 10. Switch back to the first section and observe injected content (screenshots in the blog post). VENDOR RESPONSE This issue was responsibly reported to the vendor and fixed in version 5.14. REFERENCES CVE ID: CVE-2017-9045 Google I/O 2016 source code: https://github.com/google/iosched BOUNTY INFORMATION Pending... CREDITS Advisory written by Yakov Shafranovich. TIMELINE 2017-05-11: Initial report to the vendor 2017-05-11: Report triaged by the vendor and bug filed 2017-05-13: Fixed version released by the vendor 2017-05-16: Draft advisory sent to vendor for comment 2017-05-17: Public disclosure