Proj 8: Menards Plaintext Password Storage (15 pts)
What You Need for This Project
- An Android emulator or device to test the app on
- Android Debug Bridge to observe the log
- You should have that already set up from previous projects
Windows Users
Use the Nox emulator for this project. Don't use BlueStacks, unless you've rooted it first.
Summary
The Menards Android app stores the user's password locally without encryption.
Responsible Disclosure
I notified the developer of the Android flaws in 2017 but the app was not fixed.
Start VMware
Always launch your Kali virtual machine before you start Genymotion, to avoid VirtualBox networking errors.
Installing the App
Install the app shown below from the Google Play store.
Registering an Account
On your Android device, launch the app and click CREATE ACCOUNT.
Register an account with the password
YOURNAME-PASSWORD
as shown below.
Replace "YOURNAME" with a version of your name that doesn't contain any spaces.
Connecting to your Android Device with ADB
On Kali, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion Android device:
adb connect 172.16.123.154
adb devices -l
You should see your Genymotion device in the "List of devices attached", as shown below.
Exploring the Android File System
On Kali, in a Terminal, execute this command:
adb shell
You get a root shell on the Android device, as shown below.
On Kali, in the Terminal, execute these commands:
cd /data/data
cd com.menards.mobile
cd shared_prefs
ls
You see the files the app saved, including one named User_Information.xml, as shown below.
On Kali, in the Terminal, execute this command:
cat User_Information.xml
You see the password, containing your name, as shown below.
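An added example, not part of the original lab or the app's own code: a small Python audit that parses a SharedPreferences file such as User_Information.xml and reports credential-like entries whose values are stored in readable form. The sample XML and its key names are constructed for illustration, and the base64 test for "opaque" values is a rough heuristic.

```python
import base64
import binascii
import re
import sys
import xml.etree.ElementTree as ET

# Key names that suggest a stored credential (assumed list; extend as needed).
SENSITIVE = re.compile(r"passw(or)?d|passcode|pwd|secret|token", re.I)

# Constructed sample in Android's SharedPreferences XML layout.
# The key names are hypothetical, not copied from the Menards app.
SAMPLE = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="email">student@example.com</string>
    <string name="password">YOURNAME-PASSWORD</string>
    <string name="session_token">k3JvZ0x5cVBhN2RtUTl6V2JYc0Y4ZUtu</string>
    <boolean name="remember_me" value="true" />
</map>
"""


def looks_opaque(value):
    """Heuristic: True if value is strict base64 for at least 16 bytes,
    as ciphertext or a random token usually is."""
    try:
        return len(base64.b64decode(value, validate=True)) >= 16
    except (binascii.Error, ValueError):
        return False


def audit_prefs(xml_text):
    """Return (key, readable) for every credential-like <string> entry."""
    findings = []
    for node in ET.fromstring(xml_text).iter("string"):
        key = node.get("name", "")
        if SENSITIVE.search(key):
            findings.append((key, not looks_opaque(node.text or "")))
    return findings


if __name__ == "__main__":
    # Pass the path of a prefs file copied from your own test device,
    # or run with no arguments to audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for key, readable in audit_prefs(text):
        print(f"{key}: {'READABLE, stored in the clear' if readable else 'opaque value'}")
```

An entry reported as readable is the condition this project demonstrates: anyone with access to the app's data directory can read the password without any further step.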
Saving a Screen Image
Make sure YOURNAME is visible, as shown above.
Capture a full-screen image.
YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!
Save the image with the filename "YOUR NAME Proj 8", replacing "YOUR NAME" with your real name.
Turning in your Project
Email the image to cnit.128sam@gmail.com with the subject line:
Proj 8 from YOUR NAME
Posted 1-14-19 by Sam Bowne
Dash removed from password 1-23-19
Changed slightly to work on Windows also 2-13-19