Yorick Koster, April 2014
Outlook.com for Android's WebView contains an insecure SSL error handler
that ignores any certificate validation errors. Due to this, it is
possible to perform a man in the middle attack against this app. The
vulnerable component is used to log into outlook.com. A successful
attack allows sniffing of login credentials (user name & password).
Demonstration:
http://vimeo.com/101999863
This issue was found in Outlook.com for Android version 7.8.2.12.49.2176
and version 7.8.2.12.49.6434.
A new version (7.8.2.12.49.7090) of Outlook.com for Android was released
in which the affected SSL error handler is no longer present. The latest
version of Outlook.com for Android can be obtained from Google Play [4].
When logging into outlook.com, Outlook.com for Android will load
login.live.com in a WebView. This WebView has implemented a custom SSL
error handler [5], which basically ignores any certificate validation
errors.
The affected SSL error handler can be found in the
AuthorizationWebViewClient inner class of
com.microsoft.live.AuthorizationRequest$OAuthDialog. The relevant code
is listed below.
public void onReceivedSslError(WebView paramWebView,
        SslErrorHandler paramSslErrorHandler, SslError paramSslError)
{
    AuthorizationRequest.OAuthDialog.this.setLiveSdkProvProgressStatus(false);
    // Unconditionally continues the load, whatever the certificate error was
    paramSslErrorHandler.proceed();
}
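For contrast, the following is an added example (not code from the Outlook.com app or from Microsoft) of how a WebViewClient should handle the same callback: log which validation check failed and refuse the connection with cancel(), which is also what the default WebViewClient implementation does. The class name StrictSslWebViewClient is assumed for illustration.

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical hardened client; the name is an assumption of this example.
public class StrictSslWebViewClient extends WebViewClient {
    private static final String TAG = "StrictSslWebViewClient";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Record the failure so a MITM attempt or misconfiguration is visible in logs
        Log.w(TAG, "TLS validation failed for " + error.getUrl() + ": " + describe(error));

        // Refuse the connection. Never call handler.proceed() here; that is the
        // defect described in the advisory above.
        handler.cancel();

        // Show something explicit instead of a blank or half-loaded page
        view.loadData("<h1>Secure connection failed</h1>", "text/html", "utf-8");
    }

    // Map SslError's primary error code to a human-readable reason
    static String describe(SslError error) {
        switch (error.getPrimaryError()) {
            case SslError.SSL_NOTYETVALID:  return "certificate not yet valid";
            case SslError.SSL_EXPIRED:      return "certificate expired";
            case SslError.SSL_IDMISMATCH:   return "hostname mismatch";
            case SslError.SSL_UNTRUSTED:    return "untrusted issuer";
            case SslError.SSL_DATE_INVALID: return "certificate date invalid";
            case SslError.SSL_INVALID:      return "generic certificate error";
            default: return "unknown error " + error.getPrimaryError();
        }
    }
}
```

Omitting the override entirely is equally safe, since the inherited implementation already cancels the load; overriding it only to call proceed() is the pattern to look for in code review.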
[1] http://www.securify.nl/advisory/SFY20140403/outlook_com_for_android_fails_to_validate_server_certificates.html
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5239
[3] http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000086.html
[4] https://play.google.com/store/apps/details?id=com.outlook.Z7
[5] http://developer.android.com/reference/android/webkit/WebViewClient.html#onReceivedSslError%28android.webkit.WebView,%20android.webkit.SslErrorHandler,%20android.net.http.SslError%29
[6] http://developer.android.com/reference/android/webkit/SslErrorHandler.html#proceed%28%29