Another Personal Blog

Another Brick on the Wall

The first thing that comes to my mind after I find any app with security, encryption, locked features, etc. is whether it can be tweaked to get the paid features.

For the last 1 or 2 months an app has been attracting me, but due to my laziness I hadn’t given enough time to it in the past. Tonight I decided to give it a serious try. I sat at the computer with the apk of that application in hand.

For every app my first try is to look at the app’s private directory and check whether I can find any interesting information hidden in a database or in the preferences file. But this very app has nothing of that type. That’s why this one needs a serious try.

I have the apk, which means I have the source code. All I need to do is extract the apk and then convert the .dex file to a .jar package. After this the story goes easily, because that jar package can easily be converted to a zip file full of source code.

Yahoooooo.

Then starts a slightly extensive task. I have to go through the source code and find the functions of interest. For example the API call to get the login credentials, to send and receive vital information, and so on.

On the way I found a back door in the login logic. The programmer had used a string which, when entered into the login field, will give you access without any user verification.

Ya, the first dose of excitement to raise my heart beat 😀 😀

I used a REST client in Chrome to test the API I had found. Slowly I started to find the GEMS. With a flash of excitement I found the exact information I was looking for, and it was successfully HACKED.

A few minutes thereafter were used to “lick the hand used to rip the honey” :D.

Thinking about emailing the developer about the hack that I have done…
What should I do??
OK, I will think about this later. For now let’s list the holes that I found in this app.

  • providing a back door in the login mechanism for testing purposes (it makes his/her job easy, along with mine 😀)
  • using a hard-coded user token for API calls (the only thing it can do is increase the packet size of the request, but it adds no security)
  • no cross-checking of the delivery of the product associated with a purchase (as the user has to make the purchase through an online payment gateway, the server should challenge the app to send the transactionID, and the server needs to verify it. But this dumb developer had fooled his manager by expecting it on the API call while doing no verification before delivery.)
  • obfuscate the code when your app is dealing with sensitive information like purchases
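
The third hole is the one with the clearest server-side fix, so here is an added example (my own code, not from the app or its developer) contrasting the pattern described above, where the transactionID is merely expected on the API call, with a delivery handler that verifies it before granting the product. The gateway lookup is a constructed in-memory stub standing in for the real payment gateway's transaction API; all names and values are hypothetical.

```python
# Constructed stand-in for the payment gateway's "look up transaction" API.
# A real handler would call the gateway over HTTPS with the server's own credentials.
GATEWAY_RECORDS = {
    "txn_ok":      {"status": "captured", "amount": 499, "product": "premium"},
    "txn_pending": {"status": "pending",  "amount": 499, "product": "premium"},
    "txn_cheap":   {"status": "captured", "amount": 1,   "product": "premium"},
}
PRODUCT_PRICES = {"premium": 499}  # price in cents, constructed


class Store:
    """Server-side state: which transactions were redeemed, who owns what."""
    def __init__(self):
        self.redeemed = set()
        self.entitlements = {}

    def grant(self, user, product):
        self.entitlements.setdefault(user, set()).add(product)

    def has(self, user, product):
        return product in self.entitlements.get(user, set())


def deliver_vulnerable(store, user, product, transaction_id):
    """The pattern from the post: the id is required but never verified,
    so any non-empty string unlocks the product."""
    if not transaction_id:
        return False, "missing transaction id"
    store.grant(user, product)
    return True, "delivered"


def deliver_verified(store, user, product, transaction_id, gateway=GATEWAY_RECORDS):
    """Hardened handler: the server asks the gateway about the transaction and
    checks status, product, amount and replay before delivering anything."""
    record = gateway.get(transaction_id)
    if record is None:
        return False, "unknown transaction"
    if record["status"] != "captured":
        return False, "payment not captured"
    if record["product"] != product or record["amount"] != PRODUCT_PRICES.get(product):
        return False, "transaction does not match product or price"
    if transaction_id in store.redeemed:
        return False, "transaction already redeemed"
    store.redeemed.add(transaction_id)  # one payment unlocks one delivery
    store.grant(user, product)
    return True, "delivered"
```

The replay check matters as much as the existence check: without it a single genuine receipt could be resent from any account.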

Lastly I found one interesting construct. Here the developer had used a for loop for some unusual task.
