A30: Android App Plaintext Login (55 pts)

What You Need for This Project

A computer with an Android emulator and Wireshark.

Purpose

First, to prepare an Android emulator connected to ADB. Then, to observe network transmissions from an insecure app, and prove that they are not encrypted.

Responsible Disclosure

I notified the developer about serious security flaws in 2016 and got no response. Nothing was ever fixed. It's obvious that they don't care.

Installing Equity Pandit

On your Android device, in Google Play, find and install the app, as shown below.

Archived APK
This project requires the 2016 version of the app, which was the version in Google Play in April, 2019, when I wrote this project. If that version is no longer available, use this archived copy of the app:
base-eqp.apk

Preparing the App

Launch the app. Click "Create Account".

Fill in the form, as shown below, but don't click the "Sign Up" button yet.

Starting Wireshark

On your host system, launch Wireshark. If you don't have it, get it at:

https://www.wireshark.org/

In the main Wireshark window, double-click the network interface that is being used to reach the Internet. On my system, it is "Wi-Fi: en0", outlined in green in the image below.

Wirehark starts displaying packets. At the top, in the Filter bar, enter this display filter:

http

Press Enter to filter the traffic.

On your Android device, in EquityPandit, click the "Sign Up" button.

In Wireshark, two POST requests appear, as shown below.

Right-click the second POST request, the one calling "add_user.php", and click Follow, "TCP Stream".

The request appears, as shown below, containing your username and password in plaintext.

A30.1: Recording Your Success (5 pts)

The flag value is the portion of the request covered by a green rectangle in the image above.

To record your success, email that flag to us as shown at the bottom of this page.

A30.2: Find the Server (10 pts)

Uninstall the EquityPandit app and install this app instead:

A30.2.apk

Execute a login request. The flag is the domain name of the server it sends a POST request to.

A30.3: Find the Second Flag (5 pts)

Use the same app: A30.2.apk. Explore the app and find the second flag.

A30.4: Find the Server (5 pts)

Install this app

A30.4.apk

Execute a login request. The flag is the domain name of the server it attempts to connects to.

A30.5: Find the Stored Password (10 pts)

Use the original EquityPandit app. Create an account and log in.

From Kali, find your Android device with the netdiscover command.

Connect to it with adb connect.

Open a shell on the Android device with adb shell

Now you can use normal Bash commands, including these:

ls cd pwd find grep nano more date whoami

Find the locally stored copy of your password. The name of the file containing it is the flag.

A30.6: Find the Logged Password (10 pts)

Use the original EquityPandit app. Create an account, if necessary, and log in.

From Kali, find your Android device with the netdiscover command.

Connect to it with adb connect.

View the log with adb logcat

Find your password in the log, as shown below. The flag is the word covered by a green box in the image below.

A30.7: Steal My Password (10 pts)

I made an account on the EquityPandit system with this email address: topsecret@mailinator.com

Steal my password from the server. My password is the flag.

Note: I gave you permission to steal that password; don't steal other passwords without permission.

Turning in your Project

Email the flag values to to cnit.128sam@gmail.com with the subject line: Proj A30 from YOUR NAME

Posted 4-10-19