M 113: Password in Log (15 pts + 45 extra)

What You Need for This Project

Summary

The Wellness Coach - MyHealth Android app exposes login credentials in the device log.

Monitoring the Log

With your emulator running, on the host machine, open a Terminal and navigate to the folder where adb is.

Then execute these commands:

adb logcat | grep SECRET

Installing the Wellness Coach - MyHealth Android App

Open Google Play and search for Wellness Coach - MyHealth.

Install the app, as shown below.

Archived App

In case they ever fix the app, here's the old version from 9-18-25.

base.apk

Logging In

On your Android emulator, launch the Wellness Coach - MyHealth app.

At the bottom of the first screen, click "I have already an account".

Log in with these credentials:

Your login will be rejected.

The credentials appear in the log, as shown below.

M 113.1: Function Name (15 pts)

Find the text covered by a green box in the image above. That's the flag.

Live Psychic Chat (FIXED) (15 extra)

I tested the app below, but don't install it from the Play Store because it was patched! Possibly as a result of my disclosure, when we tested it on approximately Oct 1, 2025, it no longer logged the password.

Archived App

Since the app was fixed, follow these steps to install the old version from 9-24-25.

Work from your host system, or any machine that can connect to your Android emulator with adb.

Download these files:

Then execute this command to install the app. 
adb install-multiple -r ./base.apk ./split_config.en.apk ./split_config.xxhdpi.apk ./split_config.arm64_v8a.apk

Observing the Log

Launch the app and create an account. Then log in.

Monitor the log as before.

You see your password, as shown below.

M 113.2: First Parameter (15 pts)

Find the text covered by a green box in the image above. That's the flag.

My Psychic Reading (15 extra)

Install this app:

Archived App

In case they ever fix the app, here's how to install the old version from 9-24-25.

Work from your host system, or any machine that can connect to your Android emulator with adb.

Download these files:

Then execute this command to install the app. 
adb install-multiple -r ./base.apk ./split_config.en.apk ./split_config.xxhdpi.apk ./split_config.arm64_v8a.apk

Observing the Log

Launch the app and create an account. Then log in.

Monitor the log as before.

You see your password, as shown below.

M 113.3: Library Name (15 pts)

Find the text covered by a green box in the image above. That's the flag.

Psychics 24/7 (15 extra)

Install this app:

Archived App

In case they ever fix the app, here's how to install the old version from 9-24-25.

Work from your host system, or any machine that can connect to your Android emulator with adb.

Download these files:

Then execute this command to install the app. 
adb install-multiple -r ./base.apk ./split_config.es.apk ./split_config.xxhdpi.apk ./split_config.arm64_v8a.apk

Observing the Log

Launch the app and create an account. Then log in.

Monitor the log as before.

You see your password, as shown below.

M 113.4: Library Name (15 pts)

Find the text covered by a green box in the image above. That's the flag.

Responsible Disclosure

I notified the companies:
Posted privately 9-22-25 by Sam Bowne
Updated with Live Psychic Chat, My Psychic Reading, and Psychics 24/7 on 9-24-25
"Live Psychic Chat" updated message added 10-4-25