Life Link III App Hardcoded Password Exposure

Summary

The Life Link III Android app contains a hard-coded password that can be read straight out of the APK with standard tools. That same password unlocks both the Android and iOS apps.

Android App

I used the Genymotion Android emulator.

Here's the app:

It asks for a password.

Pulling the APK file from the Android device and unpacking it with apktool:

A simple grep for "secretpassword" reveals the password, which I have redacted in the image below:

That password unlocks the app:
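The grep above is the whole technique: once apktool has decoded the APK, a secret is just a string in a text file. The script below is an added example, not code from the original write-up or from the Life Link III app; it generalizes the single grep to the two places a constant usually lands after apktool runs, smali string literals that are stored into a credential-looking field (inlined `.field` initializers and `const-string` followed by `sput`/`iput`) and entries in `res/values/strings.xml`. The sample smali and strings.xml are constructed for the demo and stand in for real `apktool d` output; the field and resource names are this example's own.

```python
"""Scan an apktool-decoded APK tree for hard-coded credentials (added example)."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Name fragments that tend to sit next to an embedded secret.
SUSPICIOUS = re.compile(r"passw(?:or)?d|secret|api[_-]?key|token", re.I)
# Dalvik string constant:  const-string v0, "literal"
CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')
# Store into a static/instance field:  sput-object v0, Lpkg/Cls;->name:Ljava/lang/String;
FIELD_STORE = re.compile(r'^\s*[si]put-object\s+[vp]\d+,\s*(?:[vp]\d+,\s*)?L[^;]+;->(\w+):')
# Inlined constant field:  .field public static final name:Ljava/lang/String; = "literal"
FIELD_INIT = re.compile(r'^\s*\.field\s+.*?\s(\w+):Ljava/lang/String;\s*=\s*"((?:[^"\\]|\\.)*)"')


def scan_smali(path):
    """Return (line_no, field, literal) for literals that end up in a field whose
    name matches SUSPICIOUS: an inlined .field initializer, or a const-string
    followed by an sput/iput into such a field within the next 3 lines."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = fh.readlines()
    for i, line in enumerate(lines):
        init = FIELD_INIT.match(line)
        if init and SUSPICIOUS.search(init.group(1)):
            hits.append((i + 1, init.group(1), init.group(2)))
            continue
        const = CONST_STRING.match(line)
        if not const:
            continue
        for follow in lines[i + 1:i + 4]:
            store = FIELD_STORE.match(follow)
            if store and SUSPICIOUS.search(store.group(1)):
                hits.append((i + 1, store.group(1), const.group(1)))
                break
    return hits


def scan_strings_xml(path):
    """Return (name, value) for <string> resources with credential-like names."""
    root = ET.parse(path).getroot()
    return [(el.get("name", ""), (el.text or "").strip())
            for el in root.iter("string") if SUSPICIOUS.search(el.get("name", ""))]


def scan_tree(root_dir):
    """Walk an apktool output dir; return sorted (rel_path, where, literal, line_no)."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root_dir).replace(os.sep, "/")
            if fn.endswith(".smali"):
                for ln, field, lit in scan_smali(full):
                    findings.append((rel, "field " + field, lit, ln))
            elif fn == "strings.xml":
                for name, val in scan_strings_xml(full):
                    findings.append((rel, "resource " + name, val, 0))
    return sorted(findings)


# --- constructed sample input; stands in for `apktool d app.apk` output ---
SAMPLE_SMALI = """\
.class public final Lcom/example/app/Config;
.super Ljava/lang/Object;

.field public static final API_KEY:Ljava/lang/String; = "example-inlined-key"
.field public static secretpassword:Ljava/lang/String;

.method static constructor <clinit>()V
    .locals 1
    const-string v0, "example-hardcoded-pw"
    sput-object v0, Lcom/example/app/Config;->secretpassword:Ljava/lang/String;
    const-string v0, "Example App"
    sput-object v0, Lcom/example/app/Config;->appName:Ljava/lang/String;
    return-void
.end method
"""

SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Example App</string>
    <string name="unlock_password">example-resource-pw</string>
</resources>
"""


def build_sample_tree():
    """Write the constructed sample files into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="apktool-demo-")
    smali_dir = os.path.join(root, "smali", "com", "example", "app")
    values_dir = os.path.join(root, "res", "values")
    os.makedirs(smali_dir)
    os.makedirs(values_dir)
    with open(os.path.join(smali_dir, "Config.smali"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SMALI)
    with open(os.path.join(values_dir, "strings.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_STRINGS_XML)
    return root


if __name__ == "__main__":
    for rel, where, literal, ln in scan_tree(build_sample_tree()):
        print(f"{rel}:{ln or '-'}  {where} = {literal!r}")
```

Point `scan_tree()` at a real `apktool d` output directory to use it on an actual app. It only looks at where a literal is stored, not at the literal itself, so a password assigned to an innocuously named field will be missed; the plain grep from the write-up remains the right complement once you know what to search for.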

iOS App

I used an iPad.

Here's the app:

It asks for a password.

The password from the Android APK file unlocks the app:

Remediation

Passwords should not be embedded in source code or resources in plaintext; anything packaged into the APK can be read with apktool and grep, as shown above.

If a secret must be checked on the device, store only a salted hash of it produced by a slow, iterated password-hashing function (PBKDF2, bcrypt or scrypt) and compare the user's input against that hash. Note that this only raises the cost of recovering the password: a single shared password checked inside a client app can still be brute-forced offline, and the comparison itself can be patched out of a repackaged app, so real access control belongs on a server with per-user credentials.
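The following is an added example, not code from the original post or from the app. `insecure_check` is a constructed stand-in for the pattern the write-up found (a literal password compared in code); `make_verifier` and `verify_password` show the recommended replacement: generate a salted PBKDF2-HMAC-SHA256 verifier once, offline, ship only that string, and compare in constant time. The verifier format, function names and iteration count are this example's own choices.

```python
"""Salted, iterated password verifier in place of a plaintext constant (added example)."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 iteration count; tune to the device's budget
SALT_BYTES = 16
DK_LEN = 32

# --- the pattern to remove: a greppable literal and a plain comparison ---
HARDCODED_PASSWORD = "example-only-not-the-real-one"   # constructed placeholder


def insecure_check(candidate: str) -> bool:
    """What apktool + grep finds: the secret is right there in the binary."""
    return candidate == HARDCODED_PASSWORD


# --- remediation: embed a verifier string, never the password ---
def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def make_verifier(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2-sha256$<iters>$<salt>$<hash>' with a fresh random salt.
    Run once at build time; only the returned string goes into the app."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DK_LEN)
    return "$".join(("pbkdf2-sha256", str(iterations), _b64(salt), _b64(dk)))


def verify_password(candidate: str, verifier: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then compare
    in constant time so response timing does not leak how much of it matched."""
    alg, iters, salt_b64, hash_b64 = verifier.split("$")
    if alg != "pbkdf2-sha256":
        raise ValueError("unsupported verifier: " + alg)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iters), len(expected))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    v1 = make_verifier("correct-pw")
    v2 = make_verifier("correct-pw")
    print(v1)
    print("same password, different salts, different verifiers:", v1 != v2)
    print("verify correct:", verify_password("correct-pw", v1))
    print("verify wrong:  ", verify_password("wrong-pw", v1))
```

The random salt means two builds with the same password produce different verifiers, so a precomputed table for one build does not apply to another, and the iteration count makes each guess cost roughly 600,000 HMAC computations. That is the limit of what this buys: an attacker who extracts the verifier can still run those guesses offline, which is why the check should really live on a server.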

Notification

I sent this message on 6-15-15:


Posted 6-15-15 by Sam Bowne