HAPI Connected Scale

The HAPI Connected scale shows several privacy and security issues which should be considered. Most of these relate to HAPI's mobile application.

sensor: Connected Scale (WiFi, Bluetooth)
mobile app: com.hapiconnect
app release date: Jul, 2016
app install base: 100k
app version: 1.2.8_us_server

Considerations

The most severe issue is the missing encryption of communication between the mobile application and the HAPI web servers. The user cannot apply adequate countermeasures, as this can only be fixed by the developers. The version we analyzed might even leak your email address and the password you are using. Hence, use of that application should be avoided.

  • unencrypted data transmission: data exchanged between your mobile application and web servers is not properly encrypted
  • password policy missing: your applications don't enforce any kind of password policy; allowing the user to choose very easy passwords (e.g. one character) puts their data at risk
  • highly overprivileged Android app: your Android mobile application appears to be highly overprivileged; the general recommendation is to request only the minimum permissions required to run your services

Remarks

We are seeking to discuss the issues mentioned above, and others, with HAPI. At the time of writing we are still awaiting a response, but will be happy to help on request.