Moodle for mobile

Huy Hoang
Mobile App sending password in URL
Group: Developers

Just installed the Android version of the new Moodle Mobile app, and logged in fine to my test server. However, on the initial request to acquire the token, the mobile app sent username and password in the URL (as GET params), and thus the username and password are saved into Apache's access log:

"GET /2.4/login/token.php?username=moodle_tester&password=mySillyPassword123&service=moodle_mobile_app HTTP/1.1" 200 44 "-" "Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; SGH-I777 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"

"POST /2.4/webservice/rest/server.php?wstoken=632a0cb3d4a44660cf9c28f25aecd2d2&moodlewsrestformat=json HTTP/1.1" 200 1105 "-" "Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; SGH-I777 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"

This is a big no-no regardless of whatever the situation is (we are using centralized SSO so this is even more critical). Can anybody weigh in on this one? Maybe we should submit the username and password through POST instead (just like subsequent calls to server.php)?

Thanks

Jérôme Mouneyrac
Re: Mobile App sending password in URL
Groups: Developers, Documentation writers, Moodle Course Creator Certificate holders, Moodle HQ, Particularly helpful Moodlers, Testers

Hi Huy, thanks for the report. I wrote this issue: https://tracker.moodle.org/browse/MOBILE-413. Don't hesitate to write issues in the Moodle Tracker (especially security ones).

Patrick Pollet
Re: Mobile App sending password in URL
Group: Particularly helpful Moodlers

Yes, but I am unable to see or comment on this issue. See screenshot.

 

Cheers

David Perry
Re: Mobile App sending password in URL
Group: Testers

Major security bugs (and this is up there imho) are restricted access - I was added as a beta tester to access the beta version on iOS and can't see it!

Juan Leyva
Re: Mobile App sending password in URL
Groups: Developers, Moodle HQ, Particularly helpful Moodlers

Hi,

Thanks for reporting. I thought that this issue was resolved the day before the release, but I was wrong.

We will do a new release fixing this bug.

This is only happening on Android; the iOS app is working fine.

Regards

Willy Lee
Re: Mobile App sending password in URL

I just downloaded the iOS app and it sent my password in clear text in the GET request, as described above.

Not OK.

Version 1.2 downloaded from the app store June 12, 2013

Ryan Smith
Re: Mobile App sending password in URL
Group: Particularly helpful Moodlers

I just had a user request that I enable mobile services so they could use the Mobile app. The latest iOS version, 1.2, is still sending passwords in plain text. Will this be fixed any time soon?

Juan Leyva
Re: Mobile App sending password in URL
Groups: Developers, Moodle HQ, Particularly helpful Moodlers

Hi,

Sorry for the big delay in publishing the version that solves the problem for iOS; there are some problems related to publishing the app in iTunes (btw the Android version that solves the problem has been published since May).

http://docs.moodle.org/dev/Moodle_Mobile_Release_Notes

Jay Cook
Re: Mobile App sending password in URL

Do you know when this will be resolved for iOS? We'd really like to promote Moodle Mobile on our campus but need the clear-text password issue resolved for iOS before promoting it.

Thanks!  Jay

Juan Leyva
Re: Mobile App sending password in URL
Groups: Developers, Moodle HQ, Particularly helpful Moodlers

Hi, we just solved our problems with publishing new versions of the app in the Apple App Store, and we also just submitted a new version of the app that solves this security problem.

We are now waiting for Apple approval of the new app; I will make a public announcement once approved.

Juan Leyva
Re: Mobile App sending password in URL
Groups: Developers, Moodle HQ, Particularly helpful Moodlers

The app has just been published in the App Store (version 1.2.2).

I just made some tests and I can confirm that the password is not sent in the URL anymore (it uses POST instead of GET):

x.x.x.x - - [13/Sep/2013:12:42:51 +0200] "POST /moodle/login/token.php HTTP/1.1" 200 464 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146 (534256528)"
x.x.x.x - - [13/Sep/2013:12:42:52 +0200] "POST /moodle/webservice/rest/server.php?moodlewsrestformat=json HTTP/1.1" 200 1487 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146 (534256528)"
x.x.x.x - - [13/Sep/2013:12:42:53 +0200] "POST /moodle/webservice/rest/server.php?moodlewsrestformat=json HTTP/1.1" 200 953 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146 (534256528)"
x.x.x.x- - [13/Sep/2013:12:42:54 +0200] "GET /moodle/pluginfile.php/243/user/icon/f1 HTTP/1.1" 200 14635 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146 (534256528)"
x.x.x.x - - [13/Sep/2013:12:43:04 +0200] "POST /moodle/webservice/rest/server.php?moodlewsrestformat=json HTTP/1.1" 200 10109 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B146 (534256528)"
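The check a server administrator would want after reading this thread, as an added example (not code from the thread, from Moodle, or from the Moodle Mobile app): a small Python scanner that reads Apache combined-format access log lines, flags any request whose query string carries keys such as username, password or wstoken (the shape of Huy's original excerpt, where the old client put credentials and then the token in the URL), and confirms that lines shaped like Juan's post-fix excerpt above (POST with nothing sensitive in the URL) come up clean. It also redacts such values so an already-contaminated log can be scrubbed before it is shipped or archived. The log lines, IP, timestamps, user agent, password and token below are constructed placeholders; the regex and key list are this example's own assumptions, not Moodle's.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Matches the quoted request part of an Apache access-log entry, e.g.
#   "GET /login/token.php?username=x&password=y HTTP/1.1"
# Constructed regex: works with or without the host/timestamp prefix.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Query-string keys that should never appear in an access log (compared case-insensitively).
# Assumed list for this example; extend it for your own application's parameter names.
SENSITIVE_KEYS = {"username", "password", "passwd", "pass", "wstoken", "token"}

# Constructed sample lines: the first two mimic the old app (credentials, then the
# web-service token, in the URL); the last two mimic the fixed app (POST, clean URL).
SAMPLE_LINES = [
    '10.0.0.5 - - [01/Jun/2013:09:00:00 +0000] "GET /moodle/login/token.php'
    '?username=alice&password=example-pass-123&service=moodle_mobile_app HTTP/1.1" 200 44 "-" "ExampleAgent/1.0"',
    '10.0.0.5 - - [01/Jun/2013:09:00:01 +0000] "POST /moodle/webservice/rest/server.php'
    '?wstoken=00000000000000000000000000000000&moodlewsrestformat=json HTTP/1.1" 200 1105 "-" "ExampleAgent/1.0"',
    '10.0.0.5 - - [01/Jun/2013:09:00:02 +0000] "POST /moodle/login/token.php HTTP/1.1" 200 464 "-" "ExampleAgent/1.0"',
    '10.0.0.5 - - [01/Jun/2013:09:00:03 +0000] "POST /moodle/webservice/rest/server.php'
    '?moodlewsrestformat=json HTTP/1.1" 200 1487 "-" "ExampleAgent/1.0"',
]


def parse_request(line):
    """Return (method, path, [(key, value), ...]) for one log line, or None if no request is found."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    return m.group("method"), parts.path, parse_qsl(parts.query, keep_blank_values=True)


def find_leaked_params(line):
    """Sorted, de-duplicated list of sensitive query keys present in the line's URL."""
    parsed = parse_request(line)
    if parsed is None:
        return []
    _method, _path, query = parsed
    return sorted({k for k, _ in query if k.lower() in SENSITIVE_KEYS})


def scan(lines):
    """Return [(line_no, method, path, leaked_keys)] for every line whose URL leaks a sensitive key."""
    hits = []
    for n, line in enumerate(lines, 1):
        leaked = find_leaked_params(line)
        if leaked:
            method, path, _query = parse_request(line)
            hits.append((n, method, path, leaked))
    return hits


def redact(line):
    """Return the line with the values of sensitive query keys replaced by REDACTED.

    Non-sensitive parameters and everything outside the request target are left untouched,
    so the line stays parseable by the usual log tools.
    """
    m = REQUEST_RE.search(line)
    if m is None:
        return line
    parts = urlsplit(m.group("target"))
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    new_target = urlunsplit(parts._replace(query=urlencode(pairs)))
    return line[:m.start("target")] + new_target + line[m.end("target"):]


if __name__ == "__main__":
    for line_no, method, path, keys in scan(SAMPLE_LINES):
        print(f"line {line_no}: {method} {path} leaks {', '.join(keys)}")
    print(redact(SAMPLE_LINES[0]))
```

Two points the scan makes visible that the thread only implies: moving the login to POST keeps the password out of the access log, but the pre-fix server.php calls also carried the session token in the URL, which is the same class of leak (anyone with read access to the log can replay the token until it expires); and an access log that has already captured credentials should be treated as sensitive until rotated or scrubbed, which is what the redact step is for.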
