Android App Hacking - Hardcoded Credentials
Hardcoded Credentials
1. Unpack APK.
2. Recognize that it is a PhoneGap app.
3. View JavaScript source code to find hardcoded test credentials.
4. Log in.
By bad5ect0r 17/05/2020 No Comments
Introduction
This was a relatively simple vulnerability I found for a company that
deals with some potentially sensitive information. They offer paid
services to their customers, but I was able to get free service by
locating credentials in their Android application.
The Story
So as with any mobile app hacking, I started by downloading their
APK onto my computer. You can easily do this with a service like
APKPure. After that I ran apktool to unpack the APK:
[I] ✔ Test ls
drwxrwxr-x osboxes osboxes 4 KB Sun May 17 00:15:29 2020 .
drwxrwxr-x osboxes osboxes 4 KB Sat May 16 23:37:31 2020 ..
.rw-r--r-- osboxes osboxes 6.3 MB Sat May 16 23:37:49 2020 app
[I] ✔ Test apktool d app.apk
I: Using Apktool 2.4.0-dirty on app.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/osboxes/.local/share/ap
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
[I] ✔ Test ls
drwxrwxr-x osboxes osboxes 4 KB Sun May 17 00:15:41 2020 .
drwxrwxr-x osboxes osboxes 4 KB Sat May 16 23:37:31 2020 ..
drwxrwxr-x osboxes osboxes 4 KB Sun May 17 00:15:48 2020 app
.rw-r--r-- osboxes osboxes 6.3 MB Sat May 16 23:37:49 2020 app
[I] ✔ Test cd app
[I] ✔ app ls
drwxrwxr-x osboxes osboxes 4 KB Sun May 17 00:15:48 2020 .
drwxrwxr-x osboxes osboxes 4 KB Sun May 17 00:15:41 2020 ..
.rw-rw-r-- osboxes osboxes 2.6 KB Sun May 17 00:15:45 2020 Andr
.rw-rw-r-- osboxes osboxes 467 B Sun May 17 00:15:48 2020 apkt
drwxrwxr-x osboxes osboxes 4 KB Sun May 17 00:15:48 2020 asse
drwxrwxr-x osboxes osboxes 4 KB Sun May 17 00:15:48 2020 orig
drwxrwxr-x osboxes osboxes 4 KB Sun May 17 00:15:45 2020 res
drwxrwxr-x osboxes osboxes 4 KB Sun May 17 00:15:48 2020 smal
    <uses-permission android:name="android.permission.READ
    <application android:hardwareAccelerated="true" androi
        <activity android:allowTaskReparenting="true" andr
        <activity android:excludeFromRecents="true" androi
            <intent-filter android:label="@string/launcher
                <action android:name="android.intent.actio
                <category android:name="android.intent.cat
            </intent-filter>
        </activity>
        <activity android:alwaysRetainTaskState="true" and
        <receiver android:name="org.chromium.ChromeAlarmsR
        <receiver android:name="org.chromium.ChromeNotific
    </application>
</manifest>
With some research, I found a blog post detailing how source code
could be extracted from IPAs and APKs built using
Cordova/PhoneGap. TLDR: You can just go to
app.apk/assets/www/js/ to view source files.
When viewing
app.apk/assets/www/js/ViewModels/IndexViewModel.js on this
application, I was shocked to see commented-out bits of code!
app.apk/assets/www/js/ViewModels/IndexViewModel.js
Among some of these comments, there was code that was assigning
a username and password. Presumably this was done during testing
to automatically authenticate the developer rather than having them
manually type out the password each time:
Plaintext credentials exposed in comments!
I tried logging into the app using these credentials, but the first few
failed, so I started losing hope. That quickly changed when I tried the
last one, which allowed me to successfully authenticate!
*ACCESS GRANTED*
Takeaway
PhoneGap apps are fun to test since you get the source code!
Disclosure Timeline
21/03/2020 – Issue was reported to the company.
25/03/2020 – Follow up.
27/03/2020 – Acknowledged by the company.
03/04/2020 – Issues were fixed.
15/05/2020 – Partial disclosure was authorized.