Moov, based in the USA, sells a very lightweight fitness tracker weighing 15.1 grams under the product name Moov Now. It is not designed as an everyday pedometer, but mainly for sports activities.
The link between the smartphone and Moov Now is established by pressing the tracker. After a short authentication process, the fitness tracker is ready for use. According to our findings, the device itself consists of a gyroscope whose data are sent to the app via Bluetooth and analyzed there. This also explains the small, light design of the device.
After authentication, the app receives the real-time data from the gyroscope via a notification service and analyzes it, calculating the number of steps, for example.
The authentication process used is static and can be simulated relatively easily. This would allow attackers to record the gyroscope data with simple means. However, the attack scenario is mitigated by the fact that the attacker would then also have to process this data accordingly. Furthermore, the attacker would have to match the point in time at which the owner of the device starts a workout by pressing the tracker.
The communication between the Moov app and the cloud was always encrypted with TLS 1.2 and thus protected against simple man-in-the-middle attacks. Registration and the firmware update were encrypted in the same way.
After installing a CA certificate, the communication can be eavesdropped on and manipulated by a man-in-the-middle attack. However, this requires direct access to the device, which is why this point is not rated negatively. A session key is generated for communication between the app and the cloud (X-Moov API session), which is then used to authenticate each data transfer to the cloud.
The Moov Android app (version 5.0.2548) is partially obfuscated, making reconstruction of the app more difficult.
An implementation of certificate pinning is recommended to prevent man-in-the-middle attacks. Furthermore, it is recommended to check the implementation of third-party modules, as the implemented Baidu module contains vulnerabilities according to static analysis.
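The pinning recommendation above, expressed as an Android Network Security Config (an added example, not Moov's own configuration): the pin set restricts the cloud host to known certificate public keys, and the trust anchors exclude user-installed CA certificates, which closes the eavesdropping path described earlier. The hostname and the two pin hashes are placeholders, since the page does not give the real API endpoint; replace them with the SHA-256 hashes of the SPKI of the leaf and of a backup key.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Referenced from AndroidManifest.xml via
     <application android:networkSecurityConfig="@xml/network_security_config" ...> -->
<network-security-config>
    <!-- Default for all hosts: HTTPS only, trust only the system CA store.
         User-installed CAs (the MITM path described above) are NOT trusted. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pinned configuration for the cloud API. Hostname is a PLACEHOLDER. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.moov-cloud.example.invalid</domain>
        <!-- Two pins: the current leaf/intermediate SPKI and a backup key,
             so a planned certificate rotation does not lock clients out.
             Both digests are PLACEHOLDERS; compute real ones with
             openssl x509 -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64 -->
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>

    <!-- Only in debuggable builds: allow a user-installed CA so testers can
         inspect traffic. Ignored by the platform in release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The `expiration` date disables the pin set after that day so an expired pin cannot permanently break the app; it must be kept ahead of the next planned key rotation.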
During operation, the app writes a log file that also contains the above-mentioned session key in plain text. However, since this log is located in the protected app area and can therefore only be read on rooted smartphones, this does not lead to a negative rating.