Proj 8: Menards Plaintext Password Storage (15 pts)

What You Need for This Project

Windows Users

Use the Nox emulator for this project. Don't use BlueStacks, unless you've rooted it first.


The Menards Android apps stores the user's password locally without encryption.

Responsible Disclosure

I notified the developer of the Android flaws in 2017 but the app was not fixed.

Start VMware

Always launch your Kali virtual machine before you start Genymotion, to avoid VirtualBox networking errors.

Installing the App

Install the app shown below from the Google Play store.

Registering an Account

On your Android device launch the app and click CREATE ACCOUNT.

Register an account with the password


as shown below. Replace "YOURNAME" with a version of your name that doesn't contain any spaces.

Connecting to your Android Device with ADB

On Kali, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion Android device:
adb connect
adb devices -l
You should see your Genymotion device in the "List of devices attached", as shown below.

Exploring the Android File System

On Kali, in a Terminal, execute this command:
adb shell
You get a root shell on the Android device, as shown below.

On Kali, in the Terminal, execute these commands:

cd /data/data
cd shared_prefs
You see the files the app saved, including one named User_Information.xml, as shown below.

On Kali, in the Terminal, execute this command:

cat User_Information.xml
You see the password, containing your name, as shown below.

Saving a Screen Image

Make sure YOURNAME is visible, as shown above.

Capture a full-screen image.


Save the image with the filename "YOUR NAME Proj 8", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the image to with the subject line: Proj 8 from YOUR NAME
Posted 1-14-19 by Sam Bowne
Dash removed from password 1-23-19
Changed slightly to work on Windows also 2-13-19