We will be looking at Hardcoded issues this week. At times developers tend to hard code while developing certain functionalities during the development phase. Let us look at DIVA – hardcoded functionality and how to uncover it.
Click on “2. Hardcoded Issues – Part 1”, we will walk through Part 1 which is one of the basic areas on Hardcode value issues to understand. Also, there is another hardcoded issue exercise 12 which will be featured in another post.
When the User Interface (UI) prompts to enter vendor key, the user has no clue about a key/password. Entering any value results in the message “Access denied! See you in hell :D”. Next option is to check the source code to understand the functionality and action accordingly.
As discussed in the previous post, decompile the .apk file and convert .jar file using Jadx tool. Click on “HardcodeActivity” class under “jakhar.aseem.diva” package. We can analyse the source code and its method “access”. Access method takes an input of “View” object. This view object occupied rectangular area and is responsible for drawing and event handling. Also, the ‘View’ option is the base class for “Widgets” which is used for creating Text fields, Button and other UI components. We can see statements like “import android.widget.EditText”, “import android.widget.Toast” on decompiled HardcodeActivity class:
The above figure shows source code of HardcodeActivity class. It has a method access, where it checks for the view’s edit text value equals to “vendorsecretkey” which is a hardcoded value, if true then it displays message as “Access granted!, See you on the other side” else displays our previous message as “Access denied!, See you in hell”. Let’s attempt with the hardcoded value in the app:
As expected from the source code analysis, the app responds with “Access granted!, See you on the other side :)” message.
Remediation: It is recommended to not use any hardcoded values in the code as this provides a way to read the code after decompiling.
We will look at another type of vulnerability in the next post.