Mayo Clinic Medical Transport App Hardcoded Password Exposure

Summary

The Mayo Clinic Medical Transport Android app contains a hard-coded password that can be read directly out of the unpacked APK. That same password unlocks both the iOS and Android apps.

Android App

I used the Genymotion Android emulator.

Here's the app:

It asks for a password.

Pulling the APK file from the Android device and unpacking it with apktool:

A simple grep for "secretpassword" reveals the password (partially redacted in the image below):

That password unlocks the app:
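The unpack-and-grep step above is easy to repeat by hand, but the same check belongs in code review or CI so it runs on every build. The scanner below is an added example (it is not part of the original post and not code from the app); it assumes an apktool output tree and flags two shapes: a `strings.xml` resource whose name suggests a credential, and a smali string literal fed straight into `String.equals`. The package name, class name and values in the constructed sample are invented.

```python
"""Scan apktool output (smali + resources) for hard-coded credential patterns.

Added example, not code from the original post: it turns the manual
"unpack, then grep" step into a repeatable check. All sample values are constructed.
"""
import os
import re
from dataclasses import dataclass

# Resource names that hint at a credential (heuristic only).
NAME_HINT = re.compile(r"(?i)pass(word|wd|phrase)?|secret|pwd|\bpin\b|token")
# <string name="x">value</string> entries in res/values/strings.xml
XML_STRING = re.compile(r'<string\s+name="([^"]+)"\s*>(.*?)</string>', re.S)
# const-string vN, "literal" as apktool emits it, and a String.equals call
SMALI_CONST = re.compile(r'^\s*const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')
SMALI_EQUALS = re.compile(r"Ljava/lang/String;->equals(?:IgnoreCase)?\(Ljava/lang/")


@dataclass
class Finding:
    path: str
    line: int
    reason: str
    value: str  # redacted so a report can be shared without leaking the secret


def redact(value: str) -> str:
    return value[:2] + "..." if len(value) > 2 else "..."


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents, dispatching on its extension."""
    findings: list[Finding] = []
    if path.endswith(".xml"):
        for m in XML_STRING.finditer(text):
            if NAME_HINT.search(m.group(1)):
                line = text.count("\n", 0, m.start()) + 1
                findings.append(Finding(path, line,
                    f"resource {m.group(1)!r} looks like a credential", redact(m.group(2))))
    elif path.endswith(".smali"):
        lines = text.splitlines()
        for i, ln in enumerate(lines):
            m = SMALI_CONST.match(ln)
            # A literal fed into String.equals within the next few instructions is
            # the classic "compare user input against a baked-in password" shape.
            if m and SMALI_EQUALS.search("\n".join(lines[i + 1:i + 4])):
                findings.append(Finding(path, i + 1,
                    "string literal compared with String.equals", redact(m.group(1))))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk a decoded APK directory and scan every .xml and .smali file."""
    out: list[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith((".xml", ".smali")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    out.extend(scan_text(os.path.relpath(full, root), fh.read()))
    return out


# Constructed sample of a decoded app with a baked-in unlock password;
# package, class names and values are invented.
SAMPLE_FILES = {
    "res/values/strings.xml": """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Example Transport</string>
    <string name="unlock_password">EXAMPLE-NOT-REAL-2</string>
</resources>
""",
    "smali/com/example/transport/LoginActivity.smali": """.class public Lcom/example/transport/LoginActivity;
.super Landroid/app/Activity;
.method private checkPassword(Ljava/lang/String;)Z
    .locals 1
    const-string v0, "EXAMPLE-NOT-REAL-1"
    invoke-virtual {p1, v0}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v0
    return v0
.end method
.method private prompt()Ljava/lang/String;
    .locals 1
    const-string v0, "Enter password"
    return-object v0
.end method
""",
}


def scan_sample() -> list[Finding]:
    """Run the scanner over the constructed sample (no filesystem needed)."""
    out: list[Finding] = []
    for path, text in SAMPLE_FILES.items():
        out.extend(scan_text(path, text))
    return out
```

Run `scan_tree("<apktool output dir>")` against a real decoded tree; `scan_sample()` exercises the two rules on the embedded sample and reports the `strings.xml` entry and the smali literal compared with `equals`, while the `"Enter password"` prompt string is correctly left alone. Findings carry a redacted value so the report can go into a ticket without copying the secret around.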

iOS App

I used an iPad.

Here's the app:

It asks for a password.

The password from the Android APK file unlocks the app:

Remediation

Passwords should never be embedded in source code in plaintext.

Instead, store a salted hash produced by many rounds of a password-hashing function, and check the entered password against that hash.
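To make the remediation concrete, here is the vulnerable pattern beside the hardened form, as an added example in Python rather than the app's own code; the constant and sample values are constructed. The same construction is available on Android through `javax.crypto.SecretKeyFactory` with the `PBKDF2WithHmacSHA256` algorithm. One caveat a reviewer should keep in mind: a salted hash shipped inside the app can still be attacked offline by anyone who extracts it, so the iteration count is what buys time, and a single shared unlock secret remains weaker than authenticating each user against a server.

```python
"""Vulnerable plaintext-literal check next to a salted, many-round hash check.

Added example, not the app's code. The password value below is constructed.
"""
import hashlib
import hmac
import os

# --- The pattern found in the app (constructed value, not the real one) ---
HARDCODED_PASSWORD = "EXAMPLE-NOT-REAL"


def unlock_vulnerable(entered: str) -> bool:
    # Anyone who unpacks the binary can read the literal; the comparison
    # also stops at the first mismatching character.
    return entered == HARDCODED_PASSWORD


# --- Hardened form: PBKDF2-HMAC-SHA256, random salt, high iteration count ---
ITERATIONS = 600_000  # cost factor; raise it as hardware gets faster
SALT_LEN = 16
KEY_LEN = 32


def make_verifier(password: str, iterations: int = ITERATIONS) -> str:
    """Build the string to ship or store instead of the password itself."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, KEY_LEN)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def unlock_hardened(entered: str, verifier: str) -> bool:
    """Recompute the hash of the entered password and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = verifier.split("$")
        if algo != "pbkdf2-sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed verifier string: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", entered.encode(), salt, iterations, len(expected))
    return hmac.compare_digest(candidate, expected)
```

`make_verifier` is run once, offline, and only its output is embedded in the app; the app itself then calls `unlock_hardened` on user input. The salt is random per verifier, so two hashes of the same password differ, and `hmac.compare_digest` avoids leaking match length through timing.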

Notification

I sent this message on 6-10-15:


Posted 6-10-15 by Sam Bowne