Activ8rlives Body Analyser

Several issues have been identified, mainly related to the Android app provided by Activ8rlives. On notification, Activ8rlives initiated a constructive discussion to address these issues. Newer versions (including the current app) may therefore no longer exhibit the issues mentioned below.

sensor: Body Analyser
  WiFi
  Bluetooth
mobile app: com.activ8rlives.mobile
app release date: May 2016
app install base: 10k
app version: 3.16.4

Considerations

  • unencrypted data transmission: data exchanged between your mobile application and your web servers is not properly encrypted
  • web server SSL configuration dated: several attacks are possible against your web server (to validate, use SSL Labs); the related issues require urgent fixes
  • password policy missing: your applications don’t enforce any kind of password policy; allowing the user to choose very easy passwords (e.g. a single character) puts their data at risk
  • (over)privileged Android app: your Android mobile application appears to be highly overprivileged; the general recommendation is to request only the minimum permissions required to run your services
  • account management: as your privacy policy indicates, users can request the deletion of their data from your company; such a deletion request requires integrity, i.e. the request must be authenticated, for example by verifying that the email address the request is sent from matches the account that is to be deleted; emails sent from other addresses should not be accepted as account deletion requests
  • device fingerprinting / tracking: the Xamarin framework you are using in your application reads out the device's MAC address; reading the MAC address is no longer recommended, and for advertising/tracking purposes there are newer solutions to which applications should be adjusted
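The password policy item above describes a missing server-side check. The following is an added example of such a check, written for this page and not code from Activ8rlives or their app; the minimum length, the small deny-list of common passwords and the username rule are assumptions chosen for illustration, and a real deployment would load a far larger deny-list (for example a breached-password corpus).

```python
# Added example: a minimal server-side password policy check.
# Not part of the original assessment or the vendor's application.

# Constructed deny-list of very common passwords (assumption: in practice this
# is loaded from a large breached-password corpus, not hard-coded).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "111111", "abc123"}

MIN_LENGTH = 12          # assumed policy value
MIN_DISTINCT_CHARS = 4   # rejects "aaaaaaaaaaaa"-style passwords


def password_problems(password: str, username: str = "") -> list[str]:
    """Return every policy violation found; an empty list means the password is acceptable.

    Returning all violations at once lets the client show the user what to fix
    instead of rejecting one rule at a time.
    """
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password deny-list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < MIN_DISTINCT_CHARS:
        problems.append(f"fewer than {MIN_DISTINCT_CHARS} distinct characters")
    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    """True when the password passes every rule; this is the check the
    registration and password-change endpoints should enforce server-side."""
    return not password_problems(password, username)


if __name__ == "__main__":
    for candidate in ["a", "password", "aaaaaaaaaaaa", "correct horse battery staple"]:
        print(repr(candidate), "->", password_problems(candidate) or "ok")
```

The check belongs on the server (the registration and password-change endpoints), because a client-side rule in the mobile app can be bypassed by anyone talking to the API directly.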

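To make the overprivileged-app finding concrete, here is an added example of how a reviewer can compare the permissions an Android app declares against the set a device like this actually needs. It is written for this page and is not code from Activ8rlives; the manifest is constructed (package name `com.example.scaleapp`, not the real app), the list of "dangerous" permissions is a subset of those documented in the Android platform, and the expected set assumes a Bluetooth body scale that syncs over the internet (on Android 6 and later, Bluetooth LE scanning additionally requires a location permission).

```python
# Added example: flag declared Android permissions that are dangerous or not
# justified by the app's function. Not part of the original assessment.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of the platform's "dangerous" protection-level permissions.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}

# Constructed sample manifest for a hypothetical Bluetooth scale companion app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.scaleapp">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.BLUETOOTH" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.SEND_SMS" />
</manifest>
"""

# Assumed minimum for a Bluetooth scale that syncs to a web service.
EXPECTED_FOR_BLE_SCALE = {
    "android.permission.INTERNET",
    "android.permission.BLUETOOTH",
    "android.permission.ACCESS_FINE_LOCATION",
}


def declared_permissions(manifest_xml: str) -> list[str]:
    """Extract every <uses-permission android:name="..."> from a manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def review_permissions(manifest_xml: str, expected: set[str]) -> dict[str, list[str]]:
    """Return the declared permissions that are dangerous, and those the
    app's stated function does not justify (the 'overprivileged' set)."""
    declared = declared_permissions(manifest_xml)
    return {
        "dangerous": sorted(p for p in declared if p in DANGEROUS),
        "unexpected": sorted(p for p in declared if p not in expected),
    }


if __name__ == "__main__":
    report = review_permissions(SAMPLE_MANIFEST, EXPECTED_FOR_BLE_SCALE)
    for key, perms in report.items():
        print(f"{key}:")
        for p in perms:
            print(f"  {p}")
```

For a real app the manifest is obtained from the APK, for example with `apktool d app.apk` or `aapt dump permissions app.apk`, and the expected set is derived from what the product actually does. Every entry in the "unexpected" list is a candidate for removal; every "dangerous" entry that stays needs a runtime-permission prompt and a documented reason.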
Remarks

On notification Activ8rlives started to address and fix many of these issues. Some of these might already have been fixed. Please refer to specific version numbers for details.