Project 3: Observing the TD Ameritrade Log (10 pts.)

What You Need for This Project

An Android emulator or device to test the app on
Android Debug Bridge to observe the log

Purpose

We'll download a ridiculously insecure app and watch it throw passwords into the log. This is the real unmodified TD Ameritrade app, but it's an old version. The last time I tested their app, this defect was corrected.

This is a veryunsafe practice, because the log is visible to all applications on the device, so any malicious app could steal your credentials from it.

Installing the Vulnerable App

TD Ameritrade patched this error, so you'll need to download this old version.

Download and save this APK file:

com.tdameritrade.mobile3-1.apk

Make sure your Genymotion Android emulator is running and logged in.

Drag the APK file and drop it on your Genymotion emulated device.

Approve the software installation.

When the app launches, close the "What's New" page.

A popup box asks "Do you want to see the New Features popup again?" Click No.

You see a home screen, with an inviting green "Log In" button, as shown below.

Finding ADB

On your host machine, open a Terminal or Command Prompt window.

Use the "cd" command to move to the directory containing adb. Here are examples for various operating sytems, for a user named "student":

Windows: cd C:\Users\student\AppData\Local\Android\sdk\platform-tools
Mac OS: cd /Users/student/Library/Android/sdk/platform-tools
Ubuntu: cd /home/student/Android/Sdk/platform-tools

Viewing Connected Devices

If you are using Windows, execute this command. Note that the last character is a lower case L, not the numeral one.

adb devices -l

If you are using a Mac or Linux, execute this command. Note that the last character is a lower case L, not the numeral one.

./adb devices -l

You should see a device listed, as shown below.

Troubleshooting
If the Genymotion device does not appear, try these troubleshooting steps.

Make sure the Genymotion device is running and connected to the Internet. Open the Web browser and see if you can view Web pages.

Try issuing these commands (omit the "./" if you are using Windows):
./adb kill-server
./adb start-server

Find the device's IP adress in Settings, Wi-Fi and connect to it with this command, replacing the IP address with the correct address in Genymotion
./adb connect 192.168.1.101

Monitoring the Log

From the sdk/platform-tools directory, execute this command (omit the "./" if you are using Windows):

./adb logcat

A lot of messages scroll by.

Logging in to the App

Enter test credentials including YOUR-NAME into the app, as shown below. Don't use the literal text "YOUR-NAME", use your own name instead. such as

YOUR-NAME

YOUR-NAME-PASSWORD

Click the "Log in" button.

Your credentials appear in the log, as shown below.

Saving a Screen Image

Make sure you can see YOUR NAME in the log, as shown above.

Save a full-desktop image. On a Mac, press Shift+Commmand+3. On a PC, press Shift+PrntScrn and paste into Paint.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 3", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the image to to cnit.128sam@gmail.com with the subject line: Proj 3 from YOUR NAME

Posted 6-13-15 by Sam Bowne
Revised 12-20-16
Tested and verified 11-10-18