Observing the TD Ameritrade Log

What You Need for This Project

Purpose

We'll download a ridiculously insecure app and watch it throw passwords into the log.

Installing the Vulnerable App

TD Ameritrade patched this error, so you'll need to download this old version.

Download and save this APK file:

com.tdameritrade.mobile3-1.apk

Make sure your Genymotion Android emulator is running and logged in.

Drag the APK file and drop it on your Genymotion emulated device.

Approve the software installation.

When the app launches, close the "What's New" page.

A popup box asks "Do you want to see the New Features popup again?" Click No.

You see a home screen, with an inviting green "Log In" button, as shown below.

Finding ADB

On your host machine, open a Terminal window.

Execute these commands, which assume you are using a Linux host:

cd

cd Android/Sdk/platform-tools

./adb devices -l

Note that the last character is a lower case L, not the numeral one.

You should see a device listed, as shown below.

Troubleshooting

If the Genymotion device does not appear, try these troubleshooting steps.
  • Make sure the Genymotion device is running and connected to the Internet. Open the Web browser and see if you can view Web pages.

  • Try issuing these commands:
    ./adb kill-server

    ./adb start-server

  • Find the device's IP address in Settings, Wi-Fi and connect to it with this command, replacing the IP address with the correct address in Genymotion:
    ./adb connect 192.168.1.101

Monitoring the Log

From the sdk/platform-tools directory, execute this command:

./adb logcat

A lot of messages scroll by.

Logging in to the App

Enter test credentials into the app, such as

You can see the credentials in the log. If you want to make it easier, pipe the log through grep, as shown below.
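
A repeatable version of the grep check, as an added example that is not part of the original page: it scans a captured logcat dump for canary test credentials and reports each line that contains one. The canary values, tag names, package name and sample log lines are constructed for illustration and are not output from the real app.

```shell
#!/bin/sh
# Added example: check a captured logcat dump for canary credentials.
# Against a device: ./adb logcat -d > capture.log, then
#   scan_log capture.log "$CANARY_USER" "$CANARY_PASS"

# make_sample_log: write a constructed capture (hypothetical tags and
# package name, not output from the real app) and print its path.
make_sample_log() {
    sample_path=$(mktemp)
    cat > "$sample_path" <<'EOF'
06-13 10:15:01.120  1402  1402 I ActivityManager: Displayed com.example.app/.LoginActivity
06-13 10:15:09.884  1402  1431 D ExampleLoginTag: login user=canary_user_7731 password=Canary.Pw*7731
06-13 10:15:10.027  1402  1431 D ExampleNet: POST /login -> 200
06-13 10:15:10.030  1402  1431 D ExampleCache: key=CanaryXPw7731 refreshed
EOF
    printf '%s\n' "$sample_path"
}

# scan_log FILE CANARY...
# Prints "canary<TAB>line number<TAB>log line" for every hit.
# Returns 1 if any canary appears in the log, 0 if the log is clean.
scan_log() {
    log_file=$1; shift
    leaked=0
    for canary in "$@"; do
        # -F matches the canary literally, so '.' and '*' in a password are
        # not read as regex operators; '--' protects canaries starting with '-'.
        matches=$(grep -n -F -- "$canary" "$log_file") || continue
        leaked=1
        printf '%s\n' "$matches" | while IFS= read -r hit; do
            printf '%s\t%s\t%s\n' "$canary" "${hit%%:*}" "${hit#*:}"
        done
    done
    return "$leaked"
}

# Demo on the constructed capture: line 2 leaks both values; line 4 only
# resembles the password under regex matching and must not be reported.
demo_log=$(make_sample_log)
if scan_log "$demo_log" 'canary_user_7731' 'Canary.Pw*7731'; then
    echo "no canary credentials in log"
else
    echo "canary credentials found in log"
fi
rm -f "$demo_log"
```

Because the function returns non-zero when a canary is found, it can gate a test run of a later app build the same way the manual grep confirms the leak here.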


Posted 6-13-15 by Sam Bowne
Revised 7-12-15
Revised to remove password 3-31-16