Mayo Clinic Medical Transport App Hardcoded Password Exposure

Summary

The Mayo Clinic Medical Transport Android app contains a hard-coded password which can be easily read. That password then opens both the iOS and Android apps.

Android App

In Genymotion, in Google Play, search for and download the app shown below.

If you don't have Google Play, or you prefer to use an old version, download the APK file from the link below, and drag it onto the Genymotion Android device:

com.mayoclinicmedicaltransport-1.apk

Here's the app:

It asks for a password.

Finding ADB

On your host machine, open a Terminal window.

Execute these commands, which are correct for Ubuntu Linux machines. If you are using a Mac or Windows, you need to adjust the second command to the correct SDK path:

cd

cd Android/Sdk/platform-tools

./adb devices -l

Note that the last character is a lower case L, not the numeral one.

You should see a device listed, as shown below.

Pulling and Unpacking the APK File

From the sdk/platform-tools directory, execute these commands:

./adb shell pm list packages | grep may

./adb shell pm path com.mayoclinicmedicaltransport

./adb pull /data/app/com.mayoclinicmedicaltransport-1.apk

mv com.mayoclinicmedicaltransport-1.apk ~/Downloads

cd ~/Downloads

Decoding the APK with apktool

In a browser, go to

https://bitbucket.org/iBotPeaches/apktool/downloads

Download the latest version of apktool. When I did it on 2-1-15, it was "apktool_2.0.0rc3.jar".

Save the file in the same folder you used for the APK file, such as Downloads.

In the Terminal, from the sdk/platform-tools directory, execute these commands:

cd ~/Downloads

java -jar apktool_2.0.0rc3.jar d com.mayoclinicmedicaltransport-1.apk

Finding the Password

In the Terminal, from the sdk/platform-tools directory, execute these commands:

cd ~/Downloads

cd com.mayoclinicmedicaltransport-1

grep -ir secretpassword . | more

That password unlocks the app:

iOS App

I used an iPad.

Here's the app:

It asks for a password.

The password from the Android APK file unlocks the app:

Remediation

Passwords should not be inserted into source code in plaintext.

They should be hashed with many rounds of a hashing function and salted.
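
One way to do what this section describes, as an added example that is not the app's or the developer's code: only a salted, many-round PBKDF2 record is stored, and a typed password is checked against it. The choice of Python, the iteration count, the salt size and the record format are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters; the page only asks for "many rounds" and a salt.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "sha256"
SCHEME = "pbkdf2-" + ALGORITHM


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Build the string to store in place of the plaintext password.

    Format (assumed for this example): scheme$iterations$salt_b64$hash_b64
    """
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify(candidate: str, record: str) -> bool:
    """Check a typed password against a stored record; bad records fail closed."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
        rounds = int(iterations)
        if scheme != SCHEME or rounds < 1:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except (ValueError, TypeError):
        # Wrong field count, non-numeric rounds or invalid base64.
        return False
    actual = hashlib.pbkdf2_hmac(ALGORITHM, candidate.encode("utf-8"), salt, rounds)
    # Constant-time comparison so timing does not reveal matching prefixes.
    return hmac.compare_digest(actual, expected)
```

With this in place, a string search of the decoded package finds the record but not the password itself.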

Vendor Notification

On June 10, 2015, I notified the Mayo Clinic and the developer about this problem.

I got a form letter from the Mayo Clinic, and nothing from the developer at that time, as detailed here.

This app was updated the next day, June 11, 2015, but this problem was not fixed.

A few days later, after reporting several similar problems to that developer, he rudely told me:

"Enough with the spam already".

It seems clear that neither the Mayo Clinic nor the developer cares about this problem.


Posted 7-12-15 by Sam Bowne
Revised with local copy of app 3-29-16