FourGoats Vulnerabilities: Hardcoded Backdoor

If we keep on reading the Login activity, we will soon spot an asynchronous task used to validate the user credentials in the server and we will see that there is a harcoded user/password pair that will set up the admin property and so it will enable us to access the AdminHome Activity:

if (userName.equals("customerservice")  && password.equals("Acc0uNTM@n@g3mEnT")) userInfo.put("isAdmin", "true");

If we enter these credentials (and the user is registered in the backend), we will be able to access the AdminHome Activity:


FourGoats Vulnerabilities: Information Leakage through SharedPreferences

OK, so let start reviewing the FourGoats App.

First, If you havent done yet, clone the ForGoats repo from github to get the source code.

Try to get an idea of how does the app work, install it in your device and/or emulator and get familiar with the different activities and application flow.

Open the Main activity and check what its doing. Basically, its looking for a sessionToken and if she cannot find it, it will start the Login Activity, otherwise it will take the user to the Home or AdminHome activities.

Lets review the Login activity.

The first thing that looks really weird is:

SharedPreferences prefs = getSharedPreferences("credentials", MODE_WORLD_READABLE);

So the app is storing the user credentials under a World Readable SharedPreferences file that will be accessible in:


So any application installed on your device will be able to read these credentials. Lets write a sample app that retrieve that info and show it on the display. I will hold these apps in gitHub on the following repo:

Why dolphins?? well because they are not malware, just dolphins LOL


Ok, so create a new Android app in your IDE of choice (I will be using Eclipse) and use the MainActivity onCreate method to get the FourGoats application context and read its sharedPreferences:

You can find the app source code here.

Ok, so now you can start the fourgoats application and log in with your user.

If you start the sharedPreferences dolphin anytime after, you will be able to access the FourGoats credentials and you will get something like:


Note: The credentials will only be available if the user checked the “Remember me” checkbox

The secure coding recommendations for this vulnerability are quite simple: Dont store sensitive data in any WORLD_READABLE sharedPreference object!

Soon more vulnerabilities ๐Ÿ™‚ Enjoy!



Kicking off the blog

I have been thinking about starting a blog for a while but never got something to say that could not be found googling around (or that was too secret to tell in public ๐Ÿ™‚ ). Anyway, Ive being doing some research lately on secure coding on Android applications and I found OWASP goatDroid very instructive and formative but although the source code is freely available here. I could not find a comprehensive list of vulnerabilities present in the code so I decided to start a serie of posts about Android vulnerabilities using goatdroid to show them off. I hope you enjoy it ๐Ÿ˜‰