Android Hacking & Securing “Insecure Shop” — Hidden Credentials
This is the first in a series of articles in which we’re going to look at how to hack and then secure this app:
Attacking
The first challenge is getting through the login screen:

So let’s have a look at the code behind the login screen. We can see this:
    fun verifyUserNamePassword(username: String, password: String): Boolean {
        if (getUserCreds().containsKey(username)) {
            val passwordValue = getUserCreds()[username]
            return passwordValue.equals(password)
        } else {
            return false
        }
    }

    private fun getUserCreds(): HashMap<String,String> {
        val userCreds = HashMap<String, String>()
        userCreds["shopuser"] = "!ns3csh0p"
        return userCreds
    }
So, the answer on this one is fairly clear — the username is ‘shopuser’ and the password ‘!ns3csh0p’.
Securing
This example is very convoluted — but the overall lesson we can take away is clear:
Don’t store usernames and passwords in your binary
Note that here I’m saying ‘binary’, and not ‘source code’. There are many articles about ‘securing secrets in apps’, and a lot of otherwise very clever people will note in code reviews that you shouldn’t store secrets in source code, but should instead store them in private environment variables and compile them in at build time. This is wrong. If secrets (whether passwords or API keys) are stored in the binary in any way, they can be trivially extracted. I leave you with a slide with the most common vulnerabilities for bug bounties in Android.
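On the build-time point above, here is a release-gate check as an added example (not code from the original article or from the InsecureShop project): it decompresses every entry of a built APK and fails if the value of any build-time secret is present. The function names, the `SHOP_PASSWORD` variable name and the sample APK bytes are constructed for illustration.

```python
import io
import zipfile


def find_embedded_secrets(apk_bytes: bytes, secrets: dict) -> list:
    """Return (secret_name, apk_entry) for every secret value found in the APK.

    Entries are decompressed first, then each value is searched as UTF-8
    (ASCII strings in classes.dex are stored byte-for-byte) and as UTF-16LE
    (used by some resources.arsc string pools).
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            data = apk.read(entry)  # inflates the entry; raw APK bytes are not searchable
            for name, value in secrets.items():
                if not value:
                    continue  # an unset secret would match every file
                needles = (value.encode("utf-8"), value.encode("utf-16-le"))
                if any(needle in data for needle in needles):
                    hits.append((name, entry))
    return hits


def build_sample_apk(dex_payload: bytes) -> bytes:
    """Constructed stand-in for a release APK: a zip with a deflated classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("classes.dex", dex_payload)
    return buf.getvalue()


# Constructed data: the article's password, as if injected from a CI environment
# variable (hypothetical name SHOP_PASSWORD) and compiled in at build time.
SECRETS = {"SHOP_PASSWORD": "!ns3csh0p"}
LEAKY_APK = build_sample_apk(b"dex\n035\x00" + b"\x09!ns3csh0p\x00" + b"\x00" * 64)
CLEAN_APK = build_sample_apk(b"dex\n035\x00" + b"\x00" * 64)

if __name__ == "__main__":
    for name, entry in find_embedded_secrets(LEAKY_APK, SECRETS):
        print(f"FAIL: {name} is embedded in {entry}")
```

In CI the `secrets` mapping would be filled from the same environment variables the build reads, so anything compiled into the artifact fails the release.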

Thanks for reading!