open menu
Part 4: Android Mobile Pen Testing
Viswa
Author at Bramfitt
09 Feb, 2020
in
Penetration tests

We will be looking at Hardcoded issues this week. At times developers tend to hard code while developing certain functionalities during the development phase. Let us look at DIVA – hardcoded functionality and how to uncover it.  

Click on “2. Hardcoded Issues – Part 1”, we will walk through Part 1 which is one of the basic areas on Hardcode value issues to understand. Also, there is another hardcoded issue exercise 12 which will be featured in another post.

When the User Interface (UI) prompts to enter vendor key, the user has no clue about a key/password. Entering any value results in the message “Access denied! See you in hell :D”. Next option is to check the source code to understand the functionality and action accordingly. 

As discussed in the previous post, decompile the .apk file and convert .jar file using Jadx tool. Click on “HardcodeActivity” class under “jakhar.aseem.diva” package. We can analyse the source code and its method “access”. Access method takes an input of “View” object. This view object occupied rectangular area and is responsible for drawing and event handling. Also,  the ‘View’ option is the base class for “Widgets” which is used for creating Text fields, Button and other UI components. We can see statements like “import android.widget.EditText”, “import android.widget.Toast” on decompiled HardcodeActivity class:

jakhar.aseem_.diva  

 

The above figure shows source code of HardcodeActivity class. It has a method access, where it checks for the view’s edit text value equals to “vendorsecretkey” which is a hardcoded value, if true then it displays message as “Access granted!, See you on the other side” else displays our previous message as “Access denied!, See you in hell”. Let’s attempt with the hardcoded value in the app:

vendor-secret-key

As expected from the source code analysis, the app responds with “Access granted!, See you on the other side :)” message.

Remediation: It is recommended to not use any hardcoded values in the code as this provides a way to read the code after decompiling.

We will look at another type of vulnerability in the next post.

Join us in a partnership founded in research, education and execution

Our success is built on protecting our clients’ success. We have a distinguished track record of supporting our clients in building secure by design environments. Our consultants have successfully ushered in new security practices in leading pharmaceutical, energy and retail institutions. Bramfitt has over 50 specialists around the world and we are committed to forging long-term relationships with our clients, providing them with genuine insight and practical advice, and supporting them as they navigate the everchanging security landscape.

Let us be your partner for the next phase of your security journey.

EMEA Headquarters
Tower 42, 25 Old Broad Street London, EC2N 1HN
+44 (0) 208 187 4234
AMER Headquarters
45 Rockefeller Plaza, 20th Floor New York, NY 10111
+1 (800) 468-6046
APAC Headquarters
96 Wanneroo Rd, Yokine WA 6060, Australia
Social
Copyright © Bramfitt Technology Labs 2017-2020 BRAMFITT TECHNOLOGY LABS LIMITED Company number: 09049302
iasme consortium
iasme consortium
cyber essentials
cyber essentials plus
iot security assured
pentest
ukas iso 9001ukas iso 27001
Back to top
Get in touch