Saturday, December 31, 2016

ANDROID PT - DIVA / 2 - Hardcoding Issues 1


- Layout for this exercise:

- Connecting from Santoku to Nexus 5 with ADB:

- Launching the application: 

- Challenge 2 is based on the fact that many Android applications hardcode sensitive information in the source code.

- This is an important vulnerability because reverse engineering the application reveals that sensitive information. Examples include access keys, passwords, etc.

- Clicking the second challenge:

- The application prompts the user to enter the vendor key to be granted access:

- Testing any invalid key, the application denies access, as expected:

- Once the application is decompiled with jadx, as done in the first post of this series, the source code of the activity related to challenge 2 is accessible:

- Opening the Java source code for the activity of challenge 2, it is very clear how the access is implemented.

- If the hardcoded key "vendorsecretkey" matches (equals) the key entered by the user, access is granted; otherwise it is denied:

- Checking that the hardcoded key "vendorsecretkey" is the right one, access is granted:
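The comparison pattern described above can be checked for in your own decompiled build before release. The following is an added example, not code from this post or from DIVA: a small Python scanner that flags string literals used in `equals`-style comparisons in Java source. The embedded Java sample is constructed for the demonstration, and its class and field names (`ExampleKeyCheckActivity`, `keyField`) are hypothetical; only the literal "vendorsecretkey" comes from the post.

```python
import re

# A Java string literal, and the comparison methods commonly used on strings.
LITERAL = r'"((?:[^"\\]|\\.)*)"'
COMPARE = r'\.(?:equals|equalsIgnoreCase|contentEquals)\s*\('
# Two shapes: expr.equals("literal")  and  "literal".equals(expr)
LITERAL_AS_ARGUMENT = re.compile(COMPARE + r'\s*' + LITERAL + r'\s*\)')
LITERAL_AS_RECEIVER = re.compile(LITERAL + r'\s*' + COMPARE)


def find_hardcoded_comparisons(java_source, min_len=6):
    """Return (line_number, literal) for every string literal that takes part
    in an equals-style comparison. Literals shorter than min_len (empty-string
    checks, single-character flags) are skipped to reduce noise."""
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        for pattern in (LITERAL_AS_ARGUMENT, LITERAL_AS_RECEIVER):
            for match in pattern.finditer(line):
                if len(match.group(1)) >= min_len:
                    findings.append((lineno, match.group(1)))
    return findings


# Constructed sample resembling the logic the post describes (not the real
# DIVA source): user input is compared directly against a hardcoded key.
SAMPLE = '''\
public class ExampleKeyCheckActivity extends AppCompatActivity {
    public void access(View view) {
        EditText keyField = (EditText) findViewById(R.id.key);
        if (keyField.getText().toString().equals("vendorsecretkey")) {
            Toast.makeText(this, "Access granted!", Toast.LENGTH_SHORT).show();
        } else if ("".equals(keyField.getText().toString())) {
            Toast.makeText(this, "Key required", Toast.LENGTH_SHORT).show();
        }
    }
}
'''

if __name__ == "__main__":
    for lineno, literal in find_hardcoded_comparisons(SAMPLE):
        print(f"line {lineno}: compared against hardcoded literal {literal!r}")
```
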