Mayo Clinic Medical Transport App Hardcoded Password Exposure
Summary
The Mayo Clinic Medical Transport Android app contains a hard-coded password which can be easily read. That password then opens both the iOS and Android apps.
Android App
I used the Genymotion Android emulator.
Here's the app:
It asks for a password.
Pulling the APK file from the Android device and unpacking it with apktool:
A simple grep for "secretpassword" reveals the password (partially redacted in the image below):
That password unlocks the app:
iOS App
I used an iPad.
Here's the app:
It asks for a password.
The password from the Android APK file unlocks the app:
Remediation
Passwords should not be embedded in source code in plaintext. Instead, store a salted hash produced by many rounds of a hashing function, and compare the entered value against that hash.
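The two patterns side by side, as an added example that is not code from the app or from the original write-up: the vulnerable plaintext comparison, the salted many-round hash the remediation calls for (PBKDF2-HMAC-SHA256 is assumed here as the hashing function), and a check that mirrors the write-up's grep, showing that the shipped artifact no longer contains the password literally. All passwords and salts below are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample value for this example, not the app's real password.
HARDCODED_PASSWORD = "secretpassword"


def check_plaintext(entered: str) -> bool:
    """Vulnerable form: the secret sits in the binary and a grep over the unpacked APK reveals it."""
    return entered == HARDCODED_PASSWORD


# Hardened form: the artifact ships only a random salt and a slow, many-round hash.
ITERATIONS = 600_000  # PBKDF2 round count; the cost per guess is the point


def make_verifier(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive (salt, digest) once at build time; store these instead of the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def check_hashed(entered: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the hash of the entered value and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", entered.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored_digest)


def contains_secret(shipped_bytes: bytes, password: str) -> bool:
    """The write-up's grep, as a check: is the password present verbatim in the shipped bytes?"""
    return password.encode("utf-8") in shipped_bytes


if __name__ == "__main__":
    # Constructed sample password; a hash shipped client-side can still be guessed
    # offline, so the password itself must be long and random.
    salt, digest = make_verifier("correct horse battery staple")
    print(check_hashed("correct horse battery staple", salt, digest))   # True
    print(check_hashed("secretpassword", salt, digest))                 # False
    print(contains_secret(HARDCODED_PASSWORD.encode(), HARDCODED_PASSWORD))  # True
    print(contains_secret(salt + digest, "correct horse battery staple"))     # False
```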
Notification
I sent this message on 6-10-15:
Posted 6-10-15 by Sam Bowne