Project 4: Mayo Clinic Medical Transport App Hardcoded Password Exposure (10 pts.)

What You Need for This Project

Summary

The Mayo Clinic Medical Transport Android app contains a hard-coded password which can be easily read. That password then opens both the iOS and Android apps.

Responsible Disclosure

I notified the developer about this in June of 2015. He told me to get lost. The app was updated in December of 2016 but this problem was not fixed. It seems clear that no one cares, except security students.

Update: 11-9-18

The name of the APK file has changed, but not this flaw.

Downloading the App

Start the Genymotion Android emulator. Open Google Play and search for "Mayo Clinic Medical Transport". The app install page is shown below.

Install the app.

If you don't have Google Play, or you prefer to use an old version, download the APK file from the link below, and drag it onto the Genymotion Android device:

https://samsclass.info/128/proj/com.mayoclinicmedicaltransport-1.apk

When the app starts, it asks for a password, as shown below. This password is supposed to be a secret, but it's not all that secret, as we will see.

Finding ADB

On your host machine, open a Terminal or Command Prompt window.

Use the "cd" command to move to the directory containing adb. Here are examples for various operating systems, for a user named "student":

Getting the APK Package

Every app on an Android phone is stored in a single APK file, and can be pulled off the phone with adb.

Execute this command to see the packages installed on your phone. (If you are using Windows, omit the "./").

./adb shell pm list packages 
A long list of packages scrolls by, as shown below.

To see just the Mayo Clinic app, execute this command. (If you are using Windows, omit the "./").

./adb shell pm list packages | grep may
Now the name of the app appears, as shown below. It's "com.mayoclinicmedicaltransport".

Using the package name, execute this command to find the path to the APK file. (If you are using Windows, omit the "./").

./adb shell pm path com.mayoclinicmedicaltransport
Now the path to the APK file appears, as shown below. On my phone, it's "/data/app/com.mayoclinicmedicaltransport-2.apk", but it will probably be different on yours.

On 11-9-18, the name was "/data/app/com.mayoclinicmedicaltransport-pKpwpUnDmJ-5ltfc6Ge5uw==/base.apk" and after the "pull" command, the local file was named "base.apk".

Use the correct path to your app for the next command, which pulls the APK file off the phone. (If you are using Windows, omit the "./").

./adb pull /data/app/com.mayoclinicmedicaltransport-2.apk
The file downloads, as shown below.

Getting apktool

Go here: https://connortumbleson.com/2017/01/23/apktool-v2-2-2-released/

Download the latest version of apktool. When I did it, it was apktool_2.2.2.jar. Leave that file in your Downloads folder.

Unpacking the APK

Execute these commands to make a directory to work in and move the files to it.

You should start in the platform-tools directory containing adb. Use the correct name for your APK file, which may not be the same as mine. Use your own name wherever you see "YOURNAME".

mkdir ~/YOURNAME-p4
mv com.mayoclinicmedicaltransport-2.apk ~/YOURNAME-p4
mv ~/Downloads/apktool_2.2.2.jar ~/YOURNAME-p4
cd ~/YOURNAME-p4
java -jar apktool_2.2.2.jar d com.mayoclinicmedicaltransport-2.apk

The unpacked files appear in a subdirectory, as shown below.

Finding the Secret Password

To find the secret password, we need to search for the string "secretpassword".

If you are using Windows, execute this command:

findstr /s /i secretpassword *.*

If you are using Mac OS or Linux, execute this command:

grep -ir secretpassword .
You should see the secret password, as shown below. (I obscured part of the password.)
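
A developer-side version of the same search, as an added example that is not part of the original project: it scans a directory produced by apktool for credential-like string resources and smali String constants, so the problem can be caught before release. The identifier pattern and the sample tree are assumptions constructed for illustration, not the contents of the real app.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Identifier fragments that suggest a credential (assumed starter list; tune per project).
SUSPICIOUS = re.compile(r"passw|pwd|secret|api[_-]?key|token", re.I)
# smali declaration of a String constant: .field ... NAME:Ljava/lang/String; = "value"
FIELD = re.compile(r'\.field\s.*?\b(\w+):Ljava/lang/String;\s*=\s*"(.*)"')

def scan_unpacked_apk(root):
    """Return sorted (file, identifier, value) for credential-like constants."""
    root, findings = Path(root), []
    # apktool writes decoded resources to res/values*/ as XML.
    for xml_file in root.glob("res/values*/*.xml"):
        try:
            nodes = ET.parse(xml_file).iter("string")
        except ET.ParseError:
            continue  # skip a malformed file rather than abort the scan
        for node in nodes:
            name, value = node.get("name", ""), (node.text or "").strip()
            if value and SUSPICIOUS.search(name):
                findings.append((xml_file.relative_to(root).as_posix(), name, value))
    # apktool writes disassembled code to smali/, smali_classes2/, ...
    for smali in root.glob("smali*/**/*.smali"):
        for line in smali.read_text(errors="replace").splitlines():
            m = FIELD.search(line)
            if m and m.group(2) and SUSPICIOUS.search(m.group(1)):
                findings.append((smali.relative_to(root).as_posix(), *m.groups()))
    return sorted(findings)

def demo():
    """Scan a constructed tree (not the real app's contents)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "res/values").mkdir(parents=True)
        (root / "smali/com/example").mkdir(parents=True)
        (root / "res/values/strings.xml").write_text(
            '<resources><string name="app_name">Demo</string>'
            '<string name="secretpassword">CONSTRUCTED-VALUE</string></resources>')
        (root / "smali/com/example/Config.smali").write_text(
            '.field public static final API_KEY:Ljava/lang/String; = "constructed-key"\n'
            '.field public static final TITLE:Ljava/lang/String; = "Hello"\n')
        return scan_unpacked_apk(root)

if __name__ == "__main__":
    for path, name, value in demo():
        # Print only the length so the check's own log does not leak the secret.
        print(f"{path}: {name} ({len(value)} chars)")
```

Any finding means the value ships inside every copy of the app; the fix is to verify credentials on a server rather than to hide the constant better.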

Saving a Screen Image

Make sure you can see YOUR NAME and the Secret Password as shown above.

Save a full-desktop image. On a Mac, press Shift+Command+3. On a PC, press Shift+PrntScrn and paste into Paint.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 4", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the image to cnit.128sam@gmail.com with the subject line: Proj 4 from YOUR NAME
Posted 12-20-16 by Sam Bowne
Revised 2-22-17
Updated 11-9-18