Staples Insecure Encryption

Summary

The Staples Android app stores the user's password with insecure encryption, because it uses a predictable password.

This is the #6 most important security flaw in mobile apps, according to OWASP.

Detailed Test

Here's the app I tested:

Here's the locally-stored password, which is encrypted:

The encryption uses AES in ECB (Electronic Code Book) mode, as shown by making an account with this password:

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa123A

Logging in with that account:

Shows a longer encrypted password:

The encrypted password looks like this in base64:

Ex+zjrCIlgw/kkZ0dIRfPhMfs46wiJYMP5JGdHSEXz4VWo8KfvDtbU+NuhSpui58

Decoding it from Base64 shows this pattern of byte: two identical 16-byte patterns, followed by a third, different, 16-byte pattern.

It's clear that the encrypted form of "aaaaaaaaaaaaaaaa" is

13 1f b3 8e b0 88 96 c 3f 92 46 74 74 84 5f 3e

Examining the app's Smali code revealed that the key is constructed in this manner:

A fixed salt of 3xtraS@lt
The device ID string, which in my case was genericvbox86pGoogle Galaxy Nexus - API 18 - 720x1280
A string of unknownapp.staples

This string is hashed with SHA-1, and the first 128 bits of that hash are used as the AES key:

That key now reproduces the encryption of "aaaaaaaaaaaaaaaa", as outlined in green below.

Similarly, it would be easy to deduce the key from a stolen phone and recover the password.

Recommendation

If the local password is used to log in to the device, it should be stored in a securely hashed form, using an algorithm such as bcrypt.

If the password must be used to log in to remote servers, a system such as OAuth should be used to authenticate without needing to store the password itself.

Notification

I sent this email:

I got this automated reply immediately:

On Feb. 16, I asked them when the app would be fixed.

I never got any reply. I don't think anyone at Staples actually read any of my messages, and I don't believe any fix is coming. So I decided to disclose this publicly and use it for homework.

Here's the homework assignment.

App Update

On 5-9-17, I tested the newest version of the app again, and Staples has added detection of rooted devices to the app! This may not be the highest degree of security, but it does address the precise attack I am using.

Posted 1-2-17 by Sam Bowne
Revised with public disclosure and link to homework on 4-13-17.
Revised with update about Staples fix on 5-9-17