Project 11: theScore Plaintext Password Storage (10 pts.)

What You Need for This Project

A computer with any OS, with adb installed
An Android emulator such as Genymotion, or a real Android device, to test the app on

Summary

The theScore Android app stores the user's password locally without encryption.

Responsible Disclosure

I notified theScore of this on 12-30-16 and got no response.

Troubleshooting
If theScore ever fixes this, you can get the app version I used here:
https://samsclass.info/128/proj/com.fivemobile.thescore-1.apk

Installing the App on the Emulated Phone

Launch Genymotion. Open the Google Play store and install theScore, as shown below.

Creating an Account

Open the app.

On the first page, tap "Get Started", as shown below.

On the "Favorite Sports" page, click any item and click NEXT.

On the "Follow Teams" page, click any item and click NEXT.

On the "Notifications" page, click None, as shown below.

Click NEXT.

A "Create Account" page appears, as shown below.

Click "Sign up with email".

On the next page, create an account with your name in the email address, as shown below. Don't use the literal text "YORNAME", use some version of your own name instead.

Use a password of P@ssw0rd

Click Register.

Finding ADB

On your host machine, open a Terminal or Command Prompt window.

Execute these commands, changing the path in the first command to your correct SDK path.

Note: To find your SDK path, open Android Studio and click Tools, Android, "SDK Manager".

Here are common examples of SDK paths:

Ubuntu: /home/user/Android/Sdk
Mac: ~/Library/Android/sdk
Windows: C:\Users\student\AppData\Local\Android\sdk

NOTE: If you are using Windows, remove the "./" before "adb".

cd /Users/sambowne/Library/Android/sdk cd platform-tools
./adb devices -l

Note that the last character is a lower case L, not the numeral one.

You should see a device listed, as shown below.

Auditing Local Storage

In your Terminal or Command Prompt window, execute this command to open a shell on your Android device:

./adb shell

You get a different prompt, ending in #, as shown below.

Execute these commands to locate the theScore local storage directory:

cd /data/data
ls | grep core

The local storage directory is /data/data/com.fivemobile.thescore, as shown below.

Execute this command to find your password stored locally:

grep ssw0 -r com.fivemobile.thescore

The response says it's stored in a binary file, but doesn't print the binary file contents, as shown below.

Execute this command to see the stored binary content (which has a chance of freezing your terminal, but works in this case):

grep ssw0 -ar com.fivemobile.thescore

Saving a Screen Image

Make sure YOURNAME and P@ssw0rd are visible in the log, as shown above.

Capture a full-screen image.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 11", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the image to cnit.128sam@gmail.com with the subject line: Proj 11 from YOUR NAME

Password Stored on SD Card

Execute this command to find additional copies of your password, stored on the emulated SD card, available to all apps.

grep ssw0 -ar /

This command freezes up before traversing the entire filesystem, but it runs long enough to find several more copies of your password, as shown below.

Posted 2-22-17 by Sam Bowne