WEBVTT

00:00.640 --> 00:07.420
So in this lecture, we're going to access the credentials because of insecure data storage vulnerabilities.

00:08.480 --> 00:15.620
So after getting the encrypted data, we'll decode them and then hijack the username and password. Sound

00:15.630 --> 00:16.250
like a plan?

00:16.820 --> 00:17.570
Let's start.

00:18.870 --> 00:23.380
As always, we'll make sure that the Android emulator and application server are running.

00:24.760 --> 00:32.620
And here we're looking at the DoLogin activity class, and something must have caught your attention

00:32.620 --> 00:33.050
here.

00:33.070 --> 00:34.090
I'm going to wager.

00:35.110 --> 00:40.480
So when a user logs in, the credentials are saved using the saveCreds method.

00:41.440 --> 00:47.560
So this method creates a new file called mySharedPreferences if it doesn't already exist.

00:49.040 --> 00:57.830
The method then Base64-encodes the username and encrypts the password with AES encryption before storing

00:57.830 --> 00:59.920
them in the shared preferences file.

01:01.300 --> 01:07.660
And then this file is overwritten each time a user successfully logs in with their own credentials.

01:09.770 --> 01:12.320
So let's have a look at the LoginActivity class.

01:14.160 --> 01:17.970
As you can see, there's a method called fillData.

01:18.980 --> 01:26.930
And it enables users to autofill credentials in order to save them from having to enter in their username

01:26.930 --> 01:29.270
and password every time they wish to log in.

01:31.370 --> 01:36.530
The fillData method is opening the mySharedPreferences file.

01:37.710 --> 01:44.010
The username and password are decoded and decrypted, respectively, before being used to fill in the

01:44.010 --> 01:45.630
login input fields.

01:47.500 --> 01:52.750
Now, as you remember, the password is encrypted with AES encryption using CryptoClass.

01:54.250 --> 01:56.620
So let's also have a look at this class.

02:00.990 --> 02:05.820
And the password has been encrypted with a method called aesEncryptedString.

02:06.980 --> 02:12.920
We saw that the developer was using AES encryption with the cipher block chaining mode, but

02:13.370 --> 02:18.230
used a static initialization vector and hard-coded the encryption key.

02:20.150 --> 02:26.660
So we can decode a password using this static initialization vector and hard-coded encryption key.

02:27.610 --> 02:31.840
So first, let's get the credentials from the InsecureBank app.

02:33.260 --> 02:40.760
We can use ADB to identify where the mySharedPreferences file is stored in the InsecureBankv2

02:40.760 --> 02:42.680
app's private directory.

02:45.000 --> 02:49.350
So open up the terminal and first we'll check the devices.

02:50.710 --> 02:57.220
All right, so when you can verify that you're connected, run the ADB shell command.

02:58.970 --> 03:06.890
Now, don't forget, the mySharedPreferences file will not be created until you've logged in successfully

03:07.130 --> 03:08.210
at least once.

03:09.780 --> 03:13.050
All right, so we'll make sure that we've successfully logged into the app.

03:14.920 --> 03:17.800
And we'll log in with the default credentials.

03:23.850 --> 03:29.130
OK, so now we can go to the directory where the shared preferences file is.

03:30.730 --> 03:40.700
So it should be under the folder called /data/data/com.android.insecurebankv2/

03:40.900 --> 03:41.860
shared_prefs.

03:43.730 --> 03:45.560
And list the files.

03:46.640 --> 03:47.690
All right, so here it is.

03:48.910 --> 03:50.560
So let's copy the location.

03:54.560 --> 03:57.440
And we'll use the exit command to get out of the shell.

03:59.180 --> 04:07.460
Now, to get this file, run adb pull, location of the file, and don't forget adding the file name

04:07.460 --> 04:08.840
and the location.

04:10.470 --> 04:12.270
All right, so that pulls a file.

04:13.710 --> 04:15.990
And let's open the file with Nano.

04:18.210 --> 04:26.640
So as you can see, the password is in encrypted form, but it should not be forgotten that Base64 is

04:26.640 --> 04:32.040
not secure because base64 is not encryption, it's encoding.

04:32.460 --> 04:38.130
It's a way of representing binary data using only text characters, so we can retrieve the username

04:38.130 --> 04:38.850
quite easily.

04:40.220 --> 04:47.870
Using an online tool such as CyberChef, in fact, we can decode the username and password, so just

04:47.900 --> 04:51.530
open the web browser, search for CyberChef.

04:52.950 --> 04:54.600
And click on the first website.

04:55.950 --> 04:59.820
Select to base64 as the option from the left pane.

05:01.470 --> 05:03.240
So we can start with a username.

05:04.900 --> 05:06.100
We'll copy this.

05:08.260 --> 05:10.390
Paste it into the input field.

05:12.190 --> 05:16.870
And there you see it, there's the username quite easily gotten.

05:18.730 --> 05:21.430
So why don't we just continue with the password?

05:23.150 --> 05:28.970
And what do you think? All from the source code, we have the information needed, such as encryption

05:28.970 --> 05:35.000
key, initialization vector and ciphertext so that we can decrypt the password.

05:37.290 --> 05:38.610
So we'll just copy this part.

05:41.080 --> 05:43.110
Paste it into the input field.

05:44.260 --> 05:52.990
Now, before decoding the AES encryption, we'll need to change, decode the Base64 password and encode it

05:53.350 --> 05:54.370
to hex.

05:55.420 --> 05:59.560
So I'll just add the two option into the recipe field.

06:01.570 --> 06:03.700
And this is the hex format of the password.

06:04.860 --> 06:05.790
So we'll copy it.

06:06.630 --> 06:09.720
And now we can start the AES decryption.

06:11.310 --> 06:14.610
Open the encryption and encoding section from the left pane.

06:15.660 --> 06:17.640
Select AES Decrypt.

06:19.220 --> 06:23.600
Now we can disable these options because we'll just use the AES encryption now.

06:25.280 --> 06:27.620
So paste the hex format of the password here.

06:30.360 --> 06:35.070
Open the source code and copy the key and paste it into the tool.

06:37.400 --> 06:39.920
Now, copy the initialization vectors.

06:42.910 --> 06:49.900
So this is in an array format in the Java programming language, so that means we'll need to transform

06:49.900 --> 06:51.820
it into the hex format again.

06:52.770 --> 06:56.460
We'll just remove the commas and add one more zero for each one.

06:57.730 --> 07:04.960
The value of all the initialization vectors is zero, making it predictable and easy to decode the password.

07:06.450 --> 07:14.700
Mode is OK, as you remember from the source code, it was CBC, which, by the way, stands for cipher

07:14.700 --> 07:15.510
block chaining.

07:17.210 --> 07:20.960
Oh, and don't forget to set this mode to UTF-8.

07:22.820 --> 07:23.590
All right, great.

07:24.620 --> 07:26.360
We've also got the password.

07:28.130 --> 07:31.490
So here's the result of insecure storage of data.
