CVE-2021-32612
📋 TL;DR
The VeryFitPro Android app (package com.veryfit2hr.second) sends its API traffic, including login credentials and password-change requests, over cleartext HTTP rather than HTTPS. Anyone on the network path (same Wi-Fi segment, a rogue access point, compromised upstream equipment) can read or alter this traffic, which enables credential theft and account takeover. All users of the vulnerable app version are affected.
💻 Affected Systems
- VeryFitPro (com.veryfit2hr.second)
📦 What is this software?
VeryFitPro (com.veryfit2hr.second) is an Android companion app for fitness trackers. It manages a user account (login, password changes) and the personal health and activity data tied to that account through a backend API; see the Google Play listing in References.
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover leading to unauthorized access to personal health data, location information, and ability to impersonate users or perform malicious actions through the compromised account.
Likely Case
Credential theft and unauthorized access to user accounts, potentially exposing sensitive personal and health information stored in the app.
If Mitigated
No exposure of credentials or app data in transit once the app performs all API communication over HTTPS with certificate validation (ideally with cleartext traffic disabled app-wide). This is a code change only the vendor can make; users can only limit exposure until the fixed version is installed.
🎯 Exploit Status
Exploitation requires a position on the network path between the device and the API servers, which can be obtained through ARP spoofing on shared Wi-Fi, a rogue access point, or compromised network infrastructure. No authentication is needed to read the cleartext traffic, and because nothing protects its integrity, an active attacker in the same position can also modify requests and responses rather than just observe them.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown specific version - users should update to latest version from Google Play Store
Vendor Advisory: https://trovent.io/security-advisory-2105-01
Restart Required: Yes
Instructions:
1. Open Google Play Store on Android device
2. Search for 'VeryFitPro'
3. If update is available, tap 'Update'
4. Restart the application after update completes
🔧 Temporary Workarounds
Network-level blocking of cleartext HTTP (all platforms)
Use egress controls (firewall, proxy, or DNS policy) to block port-80/HTTP traffic to the app's API hosts. Note that this does not make the app use HTTPS: a vulnerable version only speaks HTTP, so blocking it stops the app from reaching its backend until it is updated. The benefit is that credentials are never sent in the clear, not that the app keeps working.
VPN usage (Android)
Route all device traffic through a VPN so the local network segment sees only the encrypted tunnel. This defeats Wi-Fi sniffing and ARP spoofing near the device, but the traffic is still cleartext between the VPN exit and the API servers, so it narrows the attack surface rather than removing it.
🧯 If You Can't Patch
- Discontinue use of the vulnerable app version and switch to alternative fitness tracking applications
- Only use the app on trusted, secure networks and avoid public Wi-Fi entirely
🔍 How to Verify
Check if Vulnerable:
Route the device's traffic through a machine running Wireshark or mitmproxy (for example, by using that machine as a Wi-Fi hotspot or configuring it as the device's proxy) and capture the app's traffic while logging in. If the API calls go to http:// URLs (port 80, no TLS handshake, request lines and credentials readable in the capture), the installed version is vulnerable.
Check Version:
On Android: Settings > Apps > VeryFitPro > App info shows the installed version number.
Verify Fix Applied:
After updating, capture traffic again while logging out and back in and while changing the password, since these are the flows named in the advisory. Every API call should use HTTPS with a certificate that validates; no cleartext HTTP request to the API hosts should appear in the capture.
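The verification steps above come down to one question per captured TCP stream: is this TLS, or cleartext HTTP, and if HTTP, does the request carry credential-looking fields? The following script, added here as an example and not code from Trovent or the app vendor, classifies the first bytes of client-to-server streams as exported from Wireshark ("Follow TCP Stream") or tcpdump. The sample streams, hostnames, API paths, field names, and the User-Agent string are constructed for illustration and are not taken from the advisory.

```python
"""Classify captured client->server TCP payloads as TLS, cleartext HTTP, or other,
and flag HTTP requests whose query string or body carries credential-like fields.
Added example for this advisory; hosts, paths and field names are assumptions."""
import json
from urllib.parse import parse_qs, urlsplit

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"PATCH ", b"HEAD ", b"OPTIONS ")
# Field names treated as credential-bearing after normalisation (lowercase, no _ or -).
# Generic guesses, not the app's real parameter names.
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "newpassword", "oldpassword",
                   "token", "accesstoken", "sessionid"}


def _norm(key: str) -> str:
    return key.lower().replace("_", "").replace("-", "")


def is_tls_client_hello(payload: bytes) -> bool:
    """True if the stream opens with a TLS handshake record carrying a ClientHello."""
    # Record header: type 0x16 (handshake), version 0x03 0x0?, 2-byte length,
    # followed by the handshake header whose first byte is 0x01 (ClientHello).
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[5] == 0x01)


def parse_http_request(payload: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return method.decode("ascii"), target.decode("latin-1"), headers, body


def credential_fields(target: str, headers: dict, body: bytes) -> list:
    """Names of credential-looking fields in the query string or request body."""
    keys = set(parse_qs(urlsplit(target).query, keep_blank_values=True))
    ctype = headers.get("content-type", "")
    if "application/x-www-form-urlencoded" in ctype:
        keys |= set(parse_qs(body.decode("latin-1"), keep_blank_values=True))
    elif "application/json" in ctype:
        try:
            obj = json.loads(body.decode("utf-8"))
        except ValueError:
            obj = None
        if isinstance(obj, dict):
            keys |= set(obj)
    return sorted(k for k in keys if _norm(k) in CREDENTIAL_KEYS)


def classify(payload: bytes) -> dict:
    """Classify the first bytes of a client-to-server TCP stream."""
    if is_tls_client_hello(payload):
        return {"transport": "tls", "cleartext": False, "credentials": []}
    if payload.startswith(HTTP_METHODS):
        method, target, headers, body = parse_http_request(payload)
        return {"transport": "http", "cleartext": True, "method": method,
                "host": headers.get("host"), "path": urlsplit(target).path,
                "credentials": credential_fields(target, headers, body)}
    return {"transport": "unknown", "cleartext": None, "credentials": []}


def build_request(method: str, target: str, host: str, body: bytes = b"",
                  content_type: str = "") -> bytes:
    """Assemble a raw HTTP/1.1 request; used only to construct the samples below."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}", "User-Agent: VeryFitPro"]
    if body:
        lines += [f"Content-Type: {content_type}", f"Content-Length: {len(body)}"]
    return "\r\n".join(lines).encode("latin-1") + b"\r\n\r\n" + body


# Constructed sample streams (not real captures); everything here is assumed.
SAMPLES = {
    "login": build_request("POST", "/api/user/login", "api.example.invalid",
                           b"email=alice%40example.com&password=hunter2",
                           "application/x-www-form-urlencoded"),
    "change_password": build_request("POST", "/api/user/password", "api.example.invalid",
                                     b'{"oldPassword":"hunter2","newPassword":"hunter3"}',
                                     "application/json"),
    "sync": build_request("GET", "/api/sync?token=abc123&day=20210601", "api.example.invalid"),
    "tls": b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03" + b"\x00" * 32,
}


def audit(samples: dict = SAMPLES) -> dict:
    """Map sample name -> (transport, credential fields) for a quick report."""
    return {name: (c["transport"], c["credentials"])
            for name, c in ((n, classify(p)) for n, p in samples.items())}


if __name__ == "__main__":
    for name, (transport, creds) in audit().items():
        flag = "CLEARTEXT CREDENTIALS" if transport == "http" and creds else ""
        print(f"{name:16} {transport:8} {creds} {flag}")
```

After the fix, every stream to the API hosts should classify as `tls`; any `http` result with a non-empty credential list is exactly the condition the advisory describes. The TLS check looks only at the record and handshake headers, so it also recognises a ClientHello sent to port 80, which matters if the fixed app uses a non-standard port.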
📡 Detection & Monitoring
Log Indicators:
- Proxy or egress logs showing plain HTTP requests (no TLS) to the app's API hosts, especially login or password-change paths
- Logins or password changes on an account from unexpected locations or devices shortly after the device was used on an untrusted network (possible use of stolen credentials)
Network Indicators:
- Cleartext HTTP traffic to API endpoints on port 80
- Lack of TLS handshakes for application traffic
SIEM Query (pseudo-syntax; the client's source port is ephemeral, so match on the destination port):
dest_port=80 AND dest_ip IN (app_api_servers) AND protocol=HTTP AND user_agent CONTAINS 'VeryFitPro'
The API server list and the exact User-Agent string are not documented in the advisory and must be confirmed from a capture of the app before this query is deployed.
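The query above expressed as detection logic run over a constructed egress log, added here as an example and not part of the original page: it keeps only cleartext requests from the app's User-Agent to the API servers, rates hits on credential paths as high severity, and counts how many credential operations each device sent in the clear. The server addresses (TEST-NET ranges), the User-Agent string, the API paths, and the JSON-lines log format are all assumptions.

```python
"""Detection for cleartext VeryFitPro API traffic over a JSON-lines egress log.
Added example for this advisory; addresses, paths and log format are assumptions."""
import json
from collections import Counter

# Assumed values: take the real API addresses and User-Agent from a capture of the app.
APP_API_SERVERS = {"203.0.113.10", "203.0.113.11"}
APP_USER_AGENT = "VeryFitPro"
SENSITIVE_PATHS = ("/login", "/password", "/register")

# Constructed log (TEST-NET addresses, not real traffic). One JSON object per line.
SAMPLE_LOG = """
{"ts":"2021-06-01T08:00:01Z","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":80,"scheme":"http","method":"POST","uri":"/api/user/login","user_agent":"VeryFitPro"}
{"ts":"2021-06-01T08:00:02Z","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":80,"scheme":"http","method":"GET","uri":"/api/sync","user_agent":"VeryFitPro"}
{"ts":"2021-06-01T08:00:03Z","src_ip":"10.0.0.7","dest_ip":"203.0.113.10","dest_port":443,"scheme":"https","method":"POST","uri":"/api/user/login","user_agent":"VeryFitPro"}
{"ts":"2021-06-01T08:00:04Z","src_ip":"10.0.0.9","dest_ip":"198.51.100.20","dest_port":80,"scheme":"http","method":"GET","uri":"/index.html","user_agent":"Mozilla/5.0"}
{"ts":"2021-06-01T08:00:05Z","src_ip":"10.0.0.5","dest_ip":"203.0.113.11","dest_port":80,"scheme":"http","method":"POST","uri":"/api/user/password","user_agent":"VeryFitPro"}
"""


def parse_log(text: str) -> list:
    """Parse JSON-lines log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_cleartext_app_request(event: dict) -> bool:
    """The SIEM condition: app User-Agent, API server destination, no TLS."""
    return (event.get("dest_ip") in APP_API_SERVERS
            and (event.get("dest_port") == 80 or event.get("scheme") == "http")
            and APP_USER_AGENT in event.get("user_agent", ""))


def severity(event: dict) -> str:
    """Credential flows (login, password change, registration) are the high-severity hits."""
    return "high" if event.get("uri", "").endswith(SENSITIVE_PATHS) else "low"


def detect(text: str) -> list:
    """Return matching events annotated with a severity, in log order."""
    return [dict(event, severity=severity(event))
            for event in parse_log(text) if is_cleartext_app_request(event)]


def devices_exposed(alerts: list) -> Counter:
    """src_ip -> number of credential operations that device sent in cleartext."""
    return Counter(a["src_ip"] for a in alerts if a["severity"] == "high")


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["severity"]:4} {a["src_ip"]} -> {a["dest_ip"]} {a["method"]} {a["uri"]}')
    print("devices that sent credentials in cleartext:", dict(devices_exposed(found)))
```

The HTTPS request on port 443 and the unrelated port-80 browsing to another server are both dropped, which is the point of combining the User-Agent, destination, and transport conditions: port 80 alone would flag ordinary web traffic, and the User-Agent alone would keep firing after the fix.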
🔗 References
- http://seclists.org/fulldisclosure/2021/Jun/45
- https://play.google.com/store/apps/details?id=com.veryfit2hr.second&hl=en_US&gl=US
- https://trovent.github.io/security-advisories/TRSA-2105-01/TRSA-2105-01.txt
- https://trovent.io/security-advisory-2105-01