Advisory: Arro and Other Android Taxi Hailing Apps Did Not Use- SSL (Mobile Knowledge)

Subject: Advisory: Arro and Other Android Taxi Hailing Apps Did Not Use- SSL (Mobile Knowledge)


CERT Advisory:

Advisory: Arro and Other Android Taxi Hailing Apps Did Not Use SSL (Mobile Knowledge)

Arro and possibly over 100 other Android taxi hailing apps did not SSL to secure communications between the application and its servers.

Arro is a taxi hailing service allowing users to hail yellow taxis in New York from their smartphones. The service also allows users to pay for their ride via the application while they are in a taxi. The underlying technology is a white branded version of an application called Taxi Hail, made by a company called Mobile Knowledge, in Ottawa, Canada, a subsidiary of Creative Mobile Technologies, LLC (CMT) of New York, NY. Both are providers of technology solutions for the taxi industry. At least 100 other white branded taxi applications run on the same platform as Arro, with a link to a non-exhaustive list appearing later in this document.

While monitoring network traffic from an Android smartphone, we observed that most communications between the Arro Android application and servers was unencrypted and did not use SSL. Instead, regular HTTP calls were being used. Further investigation showed that the underlying application and servers were a white branded version of TaxiHail, developed by Mobile Knowledge.

Information observed included:
Username and passwords for the users of the application
User profile including address and phone number
Credentials for various APIs and payment gateways used by the application
Latitude and longitude of the user requesting a taxi
Last four digits and expiration date of the user's credit cards on file
When adding a new credit card - full credit card information
Payments were made via a separate gateway that uses SSL and were not at risk. However, adding credit cards would be done without SSL. 

A secondary minor issue was also discovered. The GoArro app created a text log on the SD Card of the device being tested. This log, located in "/TaxiHail/errorlog.txt" contained GPS locations for the user, which would accessible to applications on the same phone without location access. This issue has also been fixed.

Arro website: 
CERT/CC ID: VU# 439016

CMT website:
List of white branded apps:
TaxiHail website:

Thank you to Garret Wasserman of CERT/CC for helping to communicate with the vendors.

2015-10-14: Arro notified
2015-10-14: Initial vendor response
2015-10-15: Followup communications to Arro, no response
2015-10-20: CERT/CC notified
2015-10-23: CERT/CC response
2015-11-06: Mobile Knowledge acknowledged the problem via CERT/CC
2015-11-30: Fix deployed by vendor
2015-12-01: Fix confirmed
2015-12-08: Public disclosure, coordinated with CERT/CC

Version Information
Version 3
Last updated on 2015-12-07

Copyright © 1995-2020 All rights reserved.