Continuing from the previous post, download the Damn Insecure and Vulnerable App (DIVA). Download the tar file from the location below and extract it to obtain the .apk file:

http://www.payatu.com/storage/2016/01/diva-beta.tar.gz

Installing .apk into Emulator

adb install diva-beta.apk

The new app "Diva" is now installed on the Android device.

If the installation completed successfully, the following screen is displayed when the app "Diva" is started. Click on "1. Insecure Logging":

The screen navigates to the Insecure Logging page, where the user is expected to enter a credit card number and click Checkout. Since this vulnerability concerns logs, first check that the emulator is connected to adb:

adb devices

Now view the log with the following command. Enter the card number "123456" in the emulator and click Checkout; the log should show the value "123456", which is the credit card number just entered.

adb logcat
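
To check a logcat capture for exactly this kind of leak without reading it by eye, here is an added Python example (not part of the original article or of DIVA): it parses threadtime-format lines (`adb logcat -v threadtime`), flags 13-19 digit runs that pass the Luhn check, and, for messages that mention a card, also flags shorter digit runs such as the "123456" entered above. The sample lines, tags and package name are constructed for the example.

```python
import re

# Constructed `adb logcat` (threadtime) sample; tags and package are made up for this example
# and the 16-digit values are well-known test card numbers, not real accounts.
SAMPLE_LOGCAT = """\
01-15 10:02:11.123  1234  1234 E diva-log: Error while processing transaction with credit card: 123456
01-15 10:02:12.001  1234  1240 D diva-log: credit card 4111111111111111 accepted
01-15 10:02:12.500  1234  1240 D PaymentForm: card entered 5500-0000-0000-0004
01-15 10:02:13.000  1234  1240 D OrderService: order id 1234567890123456789
01-15 10:02:13.200   812   830 W NetworkStats: 123456 bytes over 4 seconds
"""

# One threadtime line: "date time PID TID LEVEL TAG: message".
LOGCAT_RE = re.compile(r"^\S+ \S+\s+\d+\s+\d+\s+[VDIWEF] (?P<tag>[^:]+): (?P<msg>.*)$")
# 13-19 digits, optionally separated by single spaces or hyphens, not part of a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Messages that mention a card get a lower-confidence check on any digit run.
KEYWORD_RE = re.compile(r"\b(?:card|cvv)\b", re.IGNORECASE)

def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep only the last four digits so the report does not repeat the leak."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pan_leaks(logcat_text):
    """Return (tag, masked_value, reason) for every suspicious number in the logcat text."""
    hits = []
    for line in logcat_text.splitlines():
        m = LOGCAT_RE.match(line)
        if not m:
            continue
        tag, msg = m.group("tag").strip(), m.group("msg")
        candidates = (re.sub(r"[ -]", "", c.group()) for c in PAN_RE.finditer(msg))
        luhn_hits = [(tag, mask(d), "luhn") for d in candidates if luhn_ok(d)]
        hits.extend(luhn_hits)
        # Short test inputs such as the "123456" entered in the walkthrough never pass Luhn,
        # so fall back to the keyword heuristic when nothing stronger matched on this line.
        if not luhn_hits and KEYWORD_RE.search(msg):
            hits.extend((tag, mask(r.group()), "keyword") for r in re.finditer(r"\d{4,}", msg))
    return hits
```

In practice, feed the output of `adb logcat -d -v threadtime` to `find_pan_leaks` before and after applying the remediation below; a clean release build should produce no hits from the app's own tags.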

Now walk through the source code after decompiling the app. The decompilation process:

  • Rename the .apk file to .zip and unzip it.
  • Using the dex2jar tool, convert the extracted "classes.dex" to a .jar file.
  • Open the .jar file in the Jadx tool to view the source code.

Find and navigate to LogActivity.class. The checkout method handles an exception when something goes wrong, and the error message (with the entered card number, as seen in logcat above) is written to the log. During the development stage of the lifecycle, developers normally add messages to the log for debugging purposes. There are scenarios where the app is deployed to production without these log messages being removed.

Remediation

The developer should remove Log calls from the final build. Adding the following line to the ProGuard configuration helps prevent log output in release builds; ProGuard obfuscates and optimises your code for the release version. Note that -assumenosideeffects only takes effect when ProGuard optimisation is enabled, so it has no effect in a configuration that sets -dontoptimize.

-assumenosideeffects class android.util.Log{*;}

An alternative remediation is to call Log.d only from inside a wrapper class that checks the BuildConfig.DEBUG flag, which is set from the build type, to distinguish a release build from a debug build:

import android.util.Log;

public class LogUtils {

    // Debug-only logging: BuildConfig.DEBUG is generated by the Android Gradle plugin
    // and is false for release builds, so nothing is written to logcat in production.
    public static void LOGD(final String tag, String message) {
        if (BuildConfig.DEBUG) {
            Log.d(tag, message);
        }
    }
}

Call sites then use the wrapper instead of android.util.Log directly:

LogUtils.LOGD(TAG, "MyActivity.onCreate debug message");

In the next article we’ll look at different kinds of vulnerabilities in Mobile applications.
