Some progress: I have seen that they have updated the app; however, they didn't take existing users into consideration, so the previous version of the app now crashes if you try to do any transaction. Seems the dev and product guys need to synchronize their activities. Now they face the massive task of dealing with support issues regarding the previous version, which no longer works and crashes with the "Unfortunately, x app has stopped" Android error.

In summary:

Good to see:
  1. HTTPS (finally)
  2. No longer using a hardcoded IP; the API now calls epayments.nairobi.go.ke


Still needs work:
  1. API calls done over plain HTTP should not be allowed. HTTPS should be the only way to communicate with the server. Should an internal developer ever forget to use a URL that starts with https, the call wouldn't work; otherwise the plaintext communication would slip through to the production version.
  2. The user PIN is still being sent with each request. Still not good, as a simple brute force attack on the main login API can reveal any user's PIN, and only 9999 requests are required.

On a final note, since the devs are obviously on this list, can any one of them please respond to this thread? Collaboration is how security is done; watching a thread and silently fixing issues, while good, is not enough. Get involved, pull in some professional pen testers to see what other vulnerabilities your system has. The bad guys are also reading this thread, and unlike the rest of us, they won't post their findings.
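
As an added example (not code from this thread or from the JamboPay app), the two fixes the post asks for, written in Python: an HTTPS-only guard so that a forgotten https:// fails loudly instead of falling back to plaintext, and a server-side PIN attempt limiter so the 9999-request brute force described above cannot run to completion. The host name comes from the thread; the paths, the attempt limit and the user names are assumed.

```python
# Added example, not from the thread or the app. Host from the thread; everything
# else (paths, limit, users) is assumed for illustration.
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

API_HOST = "epayments.nairobi.go.ke"


def enforce_https(url: str) -> str:
    """Accept only https:// URLs on the expected host.

    A developer who forgets the scheme gets an exception in testing rather
    than a plaintext call slipping through to production.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS API call: {url}")
    if parts.hostname != API_HOST:
        raise ValueError(f"unexpected API host: {parts.hostname!r}")
    return url


@dataclass
class PinAttemptLimiter:
    """Server-side PIN check with lockout.

    After max_attempts wrong PINs the account is locked until an out-of-band
    reset, so an attacker cannot walk through all 10000 four-digit PINs.
    """
    max_attempts: int = 5
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def check(self, user: str, pin: str, real_pin: str) -> str:
        """Return 'ok', 'wrong' or 'locked' for one login attempt."""
        if user in self.locked:
            return "locked"  # even the correct PIN is refused once locked
        if hmac.compare_digest(pin, real_pin):  # constant-time comparison
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.locked.add(user)
            return "locked"
        return "wrong"
```

With the limit set to 5 an attacker gets at most 5 guesses per account, not the 9999 the post describes; the real PIN would of course be stored hashed rather than compared as plaintext.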

On 12 February 2015 at 18:37, Okechukwu <okechukwu@gmail.com> wrote:
Or just a Wireshark installation on your laptop, with your mobile phone connecting to the same access point, can tell you what protocols your apps are using.

./Ok3ch

On Tue, Feb 10, 2015 at 10:01 PM, John K. via skunkworks <skunkworks@lists.my.co.ke> wrote:
@Benjamin Force the device to use your own custom proxy, through which you can then monitor all traffic. In Android it would mean, when connecting to Wi-Fi, choosing Advanced, then entering your own proxy and port.

On 10 February 2015 at 06:50, Gichuki John Chuksjonia via skunkworks <skunkworks@lists.my.co.ke> wrote:
Their domain is https://epayments.nairobi.go.ke/selfservice/login

I haven't checked SSL on them, but I wonder if it is, or even whether they have tested security on them or have any form of security standards.

On 2/10/15, Benjamin Muraguri via skunkworks <skunkworks@lists.my.co.ke> wrote:
> How are you able to tell whether a mobile app uses SSL? Even for say an
> email or banking app. For web applications, the URL gives it away, but for
> a mobile application, how can one tell whether data is being transmitted
> securely?
>
> On Tue Feb 10 2015 at 13:40:48 John K. via skunkworks <
> skunkworks@lists.my.co.ke> wrote:
>
>> Seems they may have patched the site, still waiting for a fix for the
>> app. I'll keep checking; for now the previous advice remains. Do not use the
>> app until they, at the very minimum, enforce SSL.
>>
>> On a side note, can the devs explain why they are using a hard coded IP?
>> If the IP tomorrow is not available, all installed apps become useless?
>> Many users have no idea how to update apps, so, saying you'll force an
>> update is not an option.
>>
>> On Monday, February 9, 2015, Allan O. via skunkworks <
>> skunkworks@lists.my.co.ke> wrote:
>>
>>> Looks like they've taken measures to resolve those issues?
>>>
>>> On Sat, Feb 7, 2015 at 3:23 PM, John K. via skunkworks <
>>> skunkworks@lists.my.co.ke> wrote:
>>>
>>>> Anyone know the devs of the Nairobi County App at JamboPay? Need to
>>>> notify them of some serious security concerns in their app. Serious to
>>>> the point that I won't use the app until they are patched.
>>>>
>>>> And if anyone on this list uses it, please don't use the same PIN you
>>>> use for other secure services like M-Pesa, ATM etc. until these issues
>>>> are patched.
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> skunkworks mailing list
>>>> skunkworks@lists.my.co.ke
>>>> ------------
>>>> List info, subscribe/unsubscribe
>>>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
>>>> ------------
>>>>
>>>> Skunkworks Rules
>>>> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
>>>> ------------
>>>> Other services @ http://my.co.ke
>>>>
>>>


--
Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
jgichuki at inbox d0t com

{FORUM}http://lists.my.co.ke/pipermail/security/
http://chuksjonia.blogspot.com/
