An Android app that allows corporate users to connect to their own Microsoft Exchange Server installations leaks user credentials, which can be easily decoded to their clear text version.

Microsoft Exchange Server is an email and calendaring server developed by Microsoft that runs only on Windows Server. Companies deploy it to run their own private email servers, but it also allows them to run a localized version of Outlook via the Office 365 offering.

"Nine" app users exposed to credential leaks

Corporate employees that want to connect to their company's Microsoft Exchange Servers from their mobile devices can use a third-party app called Nine - Outlook for Android.

The app is very popular on Android and has between 500,000 and 1,000,000 active installations.

Security researchers from Rapid7 have discovered that while the app uses SSL/TLS to encrypt communications from the user's smartphone to the Exchange Server, the app doesn't validate the source of the SSL/TLS certificates it receives.

App doesn't check certificate source

This lack of validation means the app is subject to MitM (Man-in-the-Middle) attacks, despite the usage of powerful encryption.

An attacker on the same Wi-Fi network can intercept traffic, despite being encrypted, and act as a relay point.

Rapid7 researchers say that when the app connects to the user's Microsoft Exchange Server installation, it also authenticates. These details are sent as part of HTTPS requests, which the attacker intercepts and can decrypt because he supplied the victim with a fake SSL/TLS certificate.

Credentials can be reversed to their cleartext form

The credentials are transmitted using Base64 encoding, which can be easily reversed and reveal the employee's actual credentials.

Despite the need for both victim and attacker of being on the same network, security researchers say that a plausible and possible attack scenario would be when a threat actor would carry a mobile Wi-Fi hotspot with him, hidden in a backpack. This way, the attack vector is mobile and can be deployed at will, not just at chance encounters.