Proj 2x: Ask A Lawyer Plaintext Password Storage (10 pts)

What You Need for This Project

Summary

The "Ask a Lawyer" iOS and Android apps store the user's password locally without encryption. Both the Android and iOS apps also transmit the password over the Internet without encryption.

This project only finds the local storage flaw in the Android app.

Responsible Disclosure

I notified the developer of the Android flaws on 1-2-17 and got no response.

I tested several other apps from that developer and found that they all had similar flaws. I notified the developer on 1-7-17 and got no response.

I see no reason to bother notifying them again about the iOS vulnerabilities--it's obvious that they don't care.

Start VMware

Always launch your Kali virtual machine before you start Genymotion, to avoid VirtualBox networking errors.

Installing the App

You should already have the app shown below installed from an earlier project. If you don't, get it from the Google Play store.

Registering an Account

On your Android device launch the app and click Register.

Register an account with the password

topsecret3-YOURNAME

Replace "YOURNAME" with a version of your name that doesn't contain any spaces.


Connecting to your Android Device with ADB

On Kali, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion Android device:
adb connect 172.16.123.154
adb devices -l
You should see your Genymotion device in the "List of devices attached", as shown below.

Exploring the Android File System

On Kali, in a Terminal, execute this command:
adb shell
You get a root shell on the Android device, as shown below.

On Kali, in the Terminal, execute these commands:

cd data
ls -p
You see the files and directories in the /data/ directory, as shown below.

On Kali, in the Terminal, execute these commands:

cd data
ls -p
You see the files and directories in the /data/data/ directory, as shown below.

Each app has its own directory here. Most of them begin with "com.android" because they are part of the Android operating system, but near the top, you see the com.absmallbusinessmarketing.askalawyer/ directory, highlighted in the image below.

On Kali, in the Terminal, execute these commands:

cd com.absmallbusinessmarketing.askalawyer
ls -p
You see a list of directories in the /data/data/com.absmallbusinessmarketing.askalawyer/ directory, as shown below.

This is where the "Ask a Lawyer" app stores its local data.

Searching for a Stored Password

On Kali, in the Terminal, execute this command to search the current working directory and all subdirectories (-r) for the string "pass", treating binary files as text so that matches inside them are also shown (-a):
grep pass . -ra
You see the password, containing your name, stored in plaintext in one of the files under the /data/data/com.absmallbusinessmarketing.askalawyer/ directory, as shown below.
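Added example, not part of the original project page: a small POSIX shell helper that repeats the grep step above against a copy of the app's private data directory pulled to Kali with adb pull (assumed available from the Genymotion root shell), and also names the shared_prefs key that holds the password so an audit report can cite it. The files it scans are constructed samples, not taken from the real app.

```shell
#!/bin/sh
# Added audit helper (not the project's own code). Intended use on Kali:
#   adb pull /data/data/com.absmallbusinessmarketing.askalawyer ./appdata
#   files_holding_secret ./appdata 'topsecret3-YOURNAME'

# files_holding_secret DIR SECRET
# Lists every file under DIR containing SECRET verbatim. Same idea as the
# page's `grep pass . -ra`: -r recurses, -a scans binary files (SQLite DBs,
# caches) as text; -l prints only file names, -F matches literally (no regex).
# Exit status is grep's: 0 = found somewhere, 1 = not found anywhere.
files_holding_secret() {
    grep -ralF -- "$2" "$1"
}

# pref_keys_holding_secret DIR SECRET
# For Android shared_prefs XML files, prints the preference key (name=
# attribute) whose value is exactly SECRET. Assumes SECRET contains no
# sed-special characters such as / or & (the project's password format has none).
pref_keys_holding_secret() {
    for f in "$1"/shared_prefs/*.xml; do
        [ -f "$f" ] || continue
        sed -n 's/.*<string name="\([^"]*\)">'"$2"'<\/string>.*/\1/p' "$f"
    done
}

# make_sample_appdata DIR
# Constructed sample data (not real files from the app) so the demo runs
# offline: a shared_prefs file and a fake binary DB both holding the password.
make_sample_appdata() {
    mkdir -p "$1/shared_prefs" "$1/databases"
    cat > "$1/shared_prefs/user.xml" <<'EOF'
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="email">student@example.com</string>
    <string name="password">topsecret3-SAMPLENAME</string>
</map>
EOF
    printf 'SQLite format 3\000user\000topsecret3-SAMPLENAME\000' > "$1/databases/app.db"
    printf 'no secrets here\n' > "$1/databases/notes.txt"
}

# Stand-alone demo on the constructed data
d=$(mktemp -d)
make_sample_appdata "$d"
echo "Files containing the password:"
files_holding_secret "$d" 'topsecret3-SAMPLENAME'
echo "Preference keys storing it:"
pref_keys_holding_secret "$d" 'topsecret3-SAMPLENAME'
rm -rf "$d"
```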

Saving a Screen Image

Make sure YOURNAME is visible, as shown above.

Capture a full-screen image.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 2x", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the image to cnit.128sam@gmail.com with the subject line: Proj 2x from YOUR NAME
Posted 1-14-19 by Sam Bowne