Kochava SDK (2016 versions 20140227 and 20150415) Vulnerable to MITM Attack (Fixed in version 20150511)

Kochava is a mobile SDK for iOS and Android applications that provides mobile attribution and analytics data for its customers. Via the Kochava platform, mobile advertisers have access to precise real-time visualization of campaigns. With over 2,000 publisher and network integrations including Facebook, Google, Pandora, and Amazon, Kochava claims to have the largest brands in mobile gaming, commerce, news, and media.

Versions of the Kochava Android SDK between 20140227 and 20150415 (inclusive of 20140227, but exclusive of 20150415) are vulnerable to SSL Man-in-the-Middle attacks. When the vulnerable version of Kochava is embedded in a mobile application, the SDK disables SSL hostname validation for the entire application (not just connections to/from Kochava endpoints).

The following Java classes within the Kochava SDK trigger the dangerous behavior:

  • com.kochava.android.tracker
  • com.kochava.android.tracker.Feature

The vulnerable code within the SDK follows:

    // Decompiled from the SDK; the types are Android's bundled Apache HttpClient
    // (org.apache.http.*) plus javax.net.ssl.HttpsURLConnection / HostnameVerifier.
    private static HttpClient createHttpClient(boolean arg9) {
        Logging.Log("Creating https client.");
        // A verifier that accepts every hostname, regardless of the certificate's CN/SAN.
        X509HostnameVerifier v1 = SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
        BasicHttpParams v2 = new BasicHttpParams();
        HttpProtocolParams.setVersion(((HttpParams)v2), HttpVersion.HTTP_1_1);
        HttpProtocolParams.setContentCharset(((HttpParams)v2), "ISO-8859-1");
        HttpProtocolParams.setUseExpectContinue(((HttpParams)v2), true);
        if(arg9) {
            HttpConnectionParams.setConnectionTimeout(((HttpParams)v2), 10000);
        }

        SSLSocketFactory v4 = SSLSocketFactory.getSocketFactory();
        // Disables hostname checking for this HttpClient's HTTPS scheme only.
        v4.setHostnameVerifier(v1);
        SchemeRegistry v3 = new SchemeRegistry();
        v3.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
        v3.register(new Scheme("https", ((SocketFactory)v4), 443));
        ThreadSafeClientConnManager v0 = new ThreadSafeClientConnManager(((HttpParams)v2), v3);
        // Process-wide side effect: every HttpsURLConnection in the host application
        // now uses the allow-all verifier, not just the SDK's own connections.
        HttpsURLConnection.setDefaultHostnameVerifier(((HostnameVerifier)v1));
        return new DefaultHttpClient(((ClientConnectionManager)v0), ((HttpParams)v2));
    }

As shown in the code snippet, the embedded Java class has set ALLOW_ALL_HOSTNAME_VERIFIER as the default HostnameVerifier, resulting in SSL hostname verification being disabled for the entire application. Consequently, any certificate signed by a valid Certificate Authority using any hostname, including unrelated hostnames, will be accepted as valid by the mobile application. This makes the entire application vulnerable to SSL Man-in-the-Middle (MITM) attacks, allowing an attacker to compromise all communication to/from the application.
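The hardened counterpart of the SDK method above, plus a startup self-check an application can run to detect whether any embedded library has installed an allow-all verifier as the process-wide default. This is an added example, not Kochava's or Data Theorem's code; it assumes the Apache HttpClient 4.0 API bundled with Android of that era, and the class name SafeHttpsClient is hypothetical.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;

import org.apache.http.HttpVersion;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.AllowAllHostnameVerifier;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpConnectionParams;
import org.apache.http.params.HttpProtocolParams;

public final class SafeHttpsClient {

    /** Same client setup as the SDK's createHttpClient(), but with strict hostname
     *  checking scoped to this client; the process-wide default verifier is untouched. */
    public static HttpClient createHttpClient(boolean useTimeout) {
        BasicHttpParams params = new BasicHttpParams();
        HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
        HttpProtocolParams.setContentCharset(params, "ISO-8859-1");
        HttpProtocolParams.setUseExpectContinue(params, true);
        if (useTimeout) {
            HttpConnectionParams.setConnectionTimeout(params, 10000);
        }
        SSLSocketFactory sslFactory = SSLSocketFactory.getSocketFactory();
        // Reject any certificate whose CN/SAN does not match the host being contacted.
        sslFactory.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
        registry.register(new Scheme("https", sslFactory, 443));
        // Deliberately no HttpsURLConnection.setDefaultHostnameVerifier(...) call:
        // that call is what exposed every HTTPS connection in the host application.
        return new DefaultHttpClient(new ThreadSafeClientConnManager(params, registry), params);
    }

    /** Startup self-check: true if some library has replaced the process-wide
     *  default verifier with one that accepts every hostname. */
    public static boolean defaultVerifierIsAllowAll() {
        HostnameVerifier current = HttpsURLConnection.getDefaultHostnameVerifier();
        return current instanceof AllowAllHostnameVerifier
                || current == SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
    }
}
```

Running defaultVerifierIsAllowAll() after third-party SDKs have initialised (and failing a release build or integration test when it returns true) catches this class of regression before it ships.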

Recommendation

To avoid exposing data in transit, upgrade to the latest version of the Kochava Android SDK, and in any case to version 20150511 or later (version 20150511 contains the fix for the SSL MITM vulnerability).

Google Play Status

As of May 2016, approximately 0.8% of the top 100 applications in each of the 26 Google Play categories were affected. Data Theorem has contacted each publisher and provided them with the fix.

Pavan Walvekar - 04 Aug 2016 at 20:02