It’s Thursday afternoon, there is nothing interesting on YouTube, and I have been hacking on my own application, Gitote, in my text editor!
Suddenly an idea came: what if I could increase my attendance percentage at my college? LOL!
Reconnaissance
I just opened the XXXXXXX app (I don't want to reveal the app name), which is installed on my Android device, and peeked at my old attendance.
Nothing really surprising; this is just my regular checkup!
Static Analysis
- From my phone, I exported the APK to my computer using an app called APK Export.
- I used apktool to extract the resources of the app.
- I used jadx to obtain the decompiled source code from the extracted DEX file.
Now, I have everything I need.
Time to analyze what we have. Looking at AndroidManifest.xml, we can see that:
- The app is using Firebase.
- This is a Java application, which is confirmed by the com/XXXXXXX folder containing tons of .java files.
- The app asks for some permissions, none of which look dangerous!
Next, I looked at the res/values/strings.xml file.
<string name="firebase_database_url">https://******-e****.firebaseio.com</string>
<string name="gcm_defaultSenderId">8***3163***5</string>
<string name="google_api_key">AIzaS****f94c3-qh4W3*****cdRrbKui*****8</string>
<string name="google_app_id">1:8873*****935:android:**5f597*****6691</string>
<string name="google_crash_reporting_api_key">AI*****Vhf94c*-q**W3WOv*****rbKui*****8</string>
<string name="google_storage_bucket">*******-e****.appspot.com</string>
Woah!! IDs and keys for everything are hardcoded in this file… It shows how seriously they take security.
Moreover, we can see that they are using Firebase Database. Let's see if they configured their database correctly. I pasted https://********e**5*.firebaseio.com/.json into Chrome.
Woah!! Again, the entire database is visible to me! This is freaking scary: their database is accessible to everyone who has the key. Now I'm able to view all the user info (name, avatar, id, device, email, phone number and some more credentials).
None of them are encrypted
#!/bin/bash
# Usage: ./fetch-avatars.sh dump.json
# Pull every double-quoted value that starts with "http" out of the database dump
# and download it with wget.
for i in $(awk -F'"' '{ for(i=1; i<=NF; i++) { if($i ~ /^http/) print $i } }' "$1"); do
    wget "$i"
done
With this simple script, I downloaded all the available avatars.
BackgroundMail.newBuilder(MailUs.this).withUsername("*******.*****@gmail.com").withPassword("******@*****347")
Oooohhh! I found an admin's email and password, which may be their Google Play Console account.
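As an added example (my code, not the author's or the app's), here is a small offline check you can run over your own APK's apktool/jadx output before shipping. It flags the two kinds of finding above: Firebase/Google project identifiers in strings.xml (these ship with every app and are not secrets by themselves, but they are the cue to verify the database rules), and credential literals such as withPassword("...") in decompiled Java. The strings.xml and Java fragments are constructed samples, not the real app's values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling the redacted res/values/strings.xml shown above.
SAMPLE_STRINGS_XML = """
<resources>
    <string name="app_name">AttendanceApp</string>
    <string name="firebase_database_url">https://example-app-12345.firebaseio.com</string>
    <string name="google_api_key">AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE</string>
    <string name="google_storage_bucket">example-app-12345.appspot.com</string>
</resources>
"""

# Constructed sample of a decompiled Java fragment like the BackgroundMail call above.
SAMPLE_JAVA = """
BackgroundMail.newBuilder(MailUs.this)
    .withUsername("admin.example@gmail.com")
    .withPassword("Example@Pass347")
    .withMailto("support.example@gmail.com");
"""

# Resource names that identify a Firebase/Google project. They are embedded in every
# client build, so the finding is "info": go and check the database/storage rules
# rather than rely on the URL being unknown.
PROJECT_ID_NAMES = {"firebase_database_url", "google_api_key", "google_app_id",
                    "google_storage_bucket", "gcm_defaultSenderId",
                    "google_crash_reporting_api_key"}

# Builder methods whose string argument is a real credential.
CREDENTIAL_CALL = re.compile(r'\.with(Password|Username|Token|Secret)\(\s*"([^"]*)"\s*\)')

def scan_strings_xml(xml_text):
    """Return (name, severity, value) for every <string> resource worth a review."""
    findings = []
    for node in ET.fromstring(xml_text).iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        if name in PROJECT_ID_NAMES:
            findings.append((name, "info", value))
        elif re.search(r"password|secret|token", name, re.I):
            findings.append((name, "high", value))
    return findings

def scan_java(java_text):
    """Return (method, severity, literal) for credential literals in decompiled code."""
    findings = []
    for m in CREDENTIAL_CALL.finditer(java_text):
        severity = "high" if m.group(1) in ("Password", "Token", "Secret") else "medium"
        findings.append(("with" + m.group(1), severity, m.group(2)))
    return findings

if __name__ == "__main__":
    for f in scan_strings_xml(SAMPLE_STRINGS_XML) + scan_java(SAMPLE_JAVA):
        print("%-6s %-30s %s" % (f[1], f[0], f[2]))
```

To use it on a real build, read the extracted res/values/strings.xml and each decompiled .java file into the two functions instead of the samples.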
Mitigations
Don’t keep the development settings for your Firebase database when you publish your app.
Don't leave your API keys, tokens and secrets where they are easily visible.
Hire good and careful developers!
If you like this article, feel free to follow me on Twitter.
Still, lots more coming to you.