Observing the TD Ameritrade Log

What You Need for This Project


We'll download a ridiculously insecure app and watch it throw passwords into the log.

Installing the Vulnerable App

On your Android emulator or device, open Google Play.

Search for

Install the "TD Ameritrade Mobile" app, as shown below.


When the app launches, close the "What's New" page.

A popup box asks "Do you want to see the New Features popup again?" Click No.

You see a home screen, with an inviting green "Log In" button, as shown below.

Finding ADB

You need to find the path to ADB on your machine. You can usually find it by starting from these examples of SDK paths: Another way to find your SDK path: open Android Studio and click Tools, Android, "SDK Manager".

On your host machine, open a Terminal or Command Prompt window.

Execute these commands, changing the path in the first command to your correct SDK path.

NOTE: If you are using Windows, remove the "./" before "adb" in the third command.

cd /Users/sambowne/Library/Android/sdk

cd platform-tools

./adb devices -l

Note that the last character is a lower case L, not the numeral one.

You should see a device listed, as shown below.


If the Genymotion device does not appear, try these troubleshooting steps.
  • Make sure the Genymotion device is running and connected to the Internet. Open the Web browser and see if you can view Web pages.

  • Try issuing these commands:
    ./adb kill-server

    ./adb start-server

  • Find the devices IP adress in Settings, Wi-Fi and connect to it with this command, replacing the IP address with the correct address in Genymotion
    ./adb connect

Monitoring the Log

From the sdk/platform-tools directory, execute this command:
./adb logcat
A lot of messages scroll by.

Logging in to the App

Enter test credentials into the app, such as

You can see the credentials in the log. If you want to make it easier, pipe the log through grep, as shown below.

Posted 6-13-15 by Sam Bowne