For a manufacturer that was already represented in previous tests with fitness tracker products, we compare, as a matter of course, the changes, improvements and deteriorations against the earlier test. Jawbone products were quite mediocre in past tests; whether, and to what extent, this has changed for the better with the latest version, the Jawbone UP3, is explained in the following test report.
The UP3 application (com.jawbone.upopen; tested version 4.29.0) gives no reason for criticism at first glance: the standard static analysis, carried out as the first step of the app investigation, provided only a few clues to possible weak points, none of which turned out to be really critical. Large-scale obfuscation of the source code also makes it harder for less experienced attackers to search for and identify weak points, further raising the application's security level.
In the case of the Jawbone application, the implementation of the SSL communication appears to be quite successful. In particular the trust manager, the standard mechanism for implementing adequate certificate validation under Android, has been implemented with all the necessary functions. The application is thus equipped with the tools necessary to communicate in encrypted form and to protect this encrypted communication against potential man-in-the-middle attacks. The correct functioning of the implementation was then checked in practical tests.
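To illustrate what a "complete" trust manager means in the Android context, the following is an added example written for this report and not code from the Jawbone application. It contrasts the accept-everything anti-pattern that static analysis flags against a trust manager that restricts trust to a bundled CA certificate (assumed to be shipped as an asset, here read from an InputStream) while delegating the actual chain validation to the platform and leaving hostname verification in place. Class and method names are hypothetical.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical example of a complete vs. an empty Android trust manager. */
public final class PinnedTlsClient {

    /**
     * ANTI-PATTERN (for comparison only): every method is a no-op, so any
     * certificate, including one forged by a man-in-the-middle proxy, is
     * accepted. This is exactly the kind of finding a static analysis
     * step looks for in an app's SSL code.
     */
    static final class AcceptAllTrustManager implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /**
     * Complete implementation: build an in-memory trust store that contains
     * only the backend's CA (assumed asset, passed in as PEM) and let the
     * platform's default X509TrustManager validate the chain against it.
     * Chain building, expiry and basic-constraints checks are all done by
     * the platform, not re-implemented by hand.
     */
    static X509TrustManager buildPinnedTrustManager(InputStream caPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca = (X509Certificate) cf.generateCertificate(caPem);

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);            // empty, in-memory store
        trustStore.setCertificateEntry("backend-ca", ca);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("platform provided no X509TrustManager");
    }

    /**
     * Open an HTTPS connection that uses the pinned trust manager. The
     * default hostname verifier is deliberately left untouched: a
     * certificate that chains to the pinned CA but was issued for another
     * host must still be rejected.
     */
    static HttpsURLConnection openPinned(URL url, InputStream caPem) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { buildPinnedTrustManager(caPem) }, null);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    /** Convenience check usable from a test: does this chain validate? */
    static boolean chainIsTrusted(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, "RSA");
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }
}
```

On current Android versions the same restriction can be expressed declaratively in the app's network security configuration (a `<pin-set>` or a custom `<trust-anchors>` entry in `network_security_config.xml`), which avoids custom TrustManager code altogether; the programmatic form above is what an analyst expects to see when an app implements the trust manager itself.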
Furthermore, no other obvious weak points could be detected in this area – there is no unsecured storage of sensitive information outside the protected app area, nor could we detect excessive logging of app or user activity. Overall, the Jawbone application makes a good impression in this respect.
With the Jawbone, too, local communication between the application and the tracker takes place via Bluetooth LE. The tracker only allows an exclusive connection, so that attack attempts while a connection to the legitimate user's phone already exists are difficult in practice right from the start. Furthermore, a fixed pairing between tracker and user phone is performed during setup, during which the keys required for encrypted communication are negotiated. The communication is completely encrypted, so intercepting the radio connection should not yield any valuable information. References to the negotiated keys can be found in the app data, so on smartphones with root rights there is the possibility of spying on them. As always, however, we do not regard this as a weak point, since a “rooted” smartphone naturally always brings with it security problems that the app developer can hardly fully guard against.
As the static analysis of the source code already suggested, the online communication of the Jawbone application is adequately secured. The practical tests gave no reason to assume otherwise – registration, login and synchronization ran entirely over encrypted, TLS-secured connections, and our standard man-in-the-middle attacks could not detect any obvious weak points either. Of course, security could be increased even further here, for example by using client certificates, but we already consider the security level to be absolutely adequate for the purpose.
Compared to earlier tests of Jawbone products, real progress is visible here from a tester's perspective. Much has changed for the better, especially in the areas of application security and local and online communication. In the area of data protection, some points can be found that seem at least questionable, but this applies to many tested products. All in all, the Jawbone UP3 convinces with an absolutely adequate security level and is accordingly awarded the full 3-star rating.