DIVA

Insecure Logging

We can see the pid of the jakhar.aseem.diva is 1430.

We can view the logs of the process using logcat. At the end of the line, we can see the credit number that we entered.

╭─hnl@hnl ~/Desktop/ctf/diva  
╰─➤  adb logcat | grep 1430                                                                                        130 ↵
D/dalvikvm( 1430): Late-enabling CheckJNI
I/ActivityManager(  631): Start proc jakhar.aseem.diva for activity jakhar.aseem.diva/.MainActivity: pid=1430 uid=10057 gids={50057, 1028, 1015, 3003}
W/dalvikvm( 1430): VFY: unable to find class referenced in signature (Landroid/view/SearchEvent;)
I/dalvikvm( 1430): Could not find method android.view.Window$Callback.onSearchRequested, referenced from method android.support.v7.internal.view.WindowCallbackWrapper.onSearchRequested
W/dalvikvm( 1430): VFY: unable to resolve interface method 17922: Landroid/view/Window$Callback;.onSearchRequested (Landroid/view/SearchEvent;)Z
...
W/dalvikvm( 1430): VFY: unable to resolve virtual method 397: Landroid/content/res/Resources;.getDrawableForDensity (IILandroid/content/res/Resources$Theme;)Landroid/graphics/drawable/Drawable;
D/dalvikvm( 1430): VFY: replacing opcode 0x6e at 0x0002
E/EGL_emulation( 1430): tid 1430: eglSurfaceAttrib(1210): error 0x3009 (EGL_BAD_MATCH)
W/HardwareRenderer( 1430): Backbuffer cannot be preserved
D/dalvikvm( 1430): GC_CONCURRENT freed 136K, 5% free 4438K/4640K, paused 18ms+2ms, total 28ms
E/diva-log( 1430): Error while processing transaction with credit card: 12345

Hardcoding Issues - Part I

We can see Vendor key in the source code of this apk using jadx-gui.

Insecure Data Storage Part 1

By viewing source code, we can see the credentials is stored in shared_prefs directory.

    public void saveCredentials(View view) {
        SharedPreferences spref = PreferenceManager.getDefaultSharedPreferences(this);
        SharedPreferences.Editor spedit = spref.edit();
        EditText usr = (EditText) findViewById(R.id.ids1Usr);
        EditText pwd = (EditText) findViewById(R.id.ids1Pwd);
        spedit.putString("user", usr.getText().toString());
        spedit.putString("password", pwd.getText().toString());
        spedit.commit();
        Toast.makeText(this, "3rd party credentials saved successfully!", 0).show();
    }
}

We can see the credentials in this directory /data/data/jakhar.aseem.diva.

Insecure Data Storage Part 2

In this time, the credentials are stored in SQL Database.

    public void saveCredentials(View view) {
        EditText usr = (EditText) findViewById(R.id.ids2Usr);
        EditText pwd = (EditText) findViewById(R.id.ids2Pwd);
        try {
            this.mDB.execSQL("INSERT INTO myuser VALUES ('" + usr.getText().toString() + "', '" + pwd.getText().toString() + "');");
            this.mDB.close();
        } catch (Exception e) {
            Log.d("Diva", "Error occurred while inserting into database: " + e.getMessage());
        }
        Toast.makeText(this, "3rd party credentials saved successfully!", 0).show();
    }
}

We can see the data are stored in the /data/data/jakhar.aseem.diva/databases.

Insecure Data Storage Part 3

By reviewing source code, the data are stored in the tmp directory.

    public void saveCredentials(View view) {
        EditText usr = (EditText) findViewById(R.id.ids3Usr);
        EditText pwd = (EditText) findViewById(R.id.ids3Pwd);
        File ddir = new File(getApplicationInfo().dataDir);
        try {
            File uinfo = File.createTempFile("uinfo", "tmp", ddir);
            uinfo.setReadable(true);
            uinfo.setWritable(true);
            FileWriter fw = new FileWriter(uinfo);
            fw.write(usr.getText().toString() + ":" + pwd.getText().toString() + "\n");
            fw.close();
            Toast.makeText(this, "3rd party credentials saved successfully!", 0).show();
        } catch (Exception e) {
            Toast.makeText(this, "File error occurred", 0).show();
            Log.d("Diva", "File error: " + e.getMessage());
        }
    }
}

We can check the tmp file at /data/data/jakhar.aseem.diva/uinfo-934313309tmp

Insecure Data Storage Part 4

At this time, the credentials are saved but we don't know where the data is stored? Here is a source code. It stored data on the external storage means sd card.

    public void saveCredentials(View view) {
        EditText usr = (EditText) findViewById(R.id.ids4Usr);
        EditText pwd = (EditText) findViewById(R.id.ids4Pwd);
        File sdir = Environment.getExternalStorageDirectory();
        try {
            File uinfo = new File(sdir.getAbsolutePath() + "/.uinfo.txt");
            uinfo.setReadable(true);
            uinfo.setWritable(true);
            FileWriter fw = new FileWriter(uinfo);
            fw.write(usr.getText().toString() + ":" + pwd.getText().toString() + "\n");
            fw.close();
            Toast.makeText(this, "3rd party credentials saved successfully!", 0).show();
        } catch (Exception e) {
            Toast.makeText(this, "File error occurred", 0).show();
            Log.d("Diva", "File error: " + e.getMessage());
        }
    }
}

We can check either on the Settings>Apps>Apps Info.

We can read the data from sd card.

Input Validation Issues - Part 1

We can dump the data by using SQL injection ' OR 1=1--

Input Validation Issues - Part 2

If we check the google webpage, we can access it.

How about local files??

Access Control Issues - Part 1

We can check the api credentials through button.

Our purpose is to access from outside the app. If we run logcat, we can see ActivityManager name.

When we start the activity, the application is auto open and see the credentials.