SIK-2016-019


Title:

Read Private Data of My Passwords App

Report ID

SIK-2016-019

Summary:

  • Vendor: Erkan Molla
  • Product: My Passwords
  • Affected Version: 4.5.0
  • Severity: Medium
  • Short summary:
    The integrated HTMLViewer of the app can be used to read private data from the local app folder.

Details:

Android normally protects an app's private data directory by running each app under its own Linux user ID and setting the file permissions so that only the owning app, and no other app, can read the files in that directory. This also prevents a user from viewing these files, which matters in a lost or stolen device scenario. With the vulnerability described below, a person who steals or finds the device can bypass this protection and view the app's private files with nothing more than a shell on the device (for example through adb). No root privileges or system-level exploits are required.

The app contains an HTML viewer component that can be abused to display files from the app's private data directory, which are otherwise unavailable to an attacker unless the phone is rooted. This includes, for instance, the app's shared preferences file. To display this XML file, the attacker only needs to run the following command from a shell on the device (e.g. via "adb shell"):

am start -n com.er.mo.apps.mypasswords/com.er.mo.libs.htmlviewer.HTMLViewer -d file:///data/data/com.er.mo.apps.mypasswords/shared_prefs/com.er.mo.apps.mypasswords_preferences.xml

Workaround

The impact is reduced, because the HTML viewer component is no longer included in version 6.0.0. However, the older version 4.5.0 of the app is still offered on Google Play to users who are running older versions of Android and thus cannot use the new app version.

Users should make sure to choose a secure lock screen, such as a sufficiently long and complex password, to prevent an attacker from accessing any activities displayed on the phone's screen. They should deactivate USB debugging to prevent an attacker from issuing commands through the "adb" tool running on a computer. Furthermore, users should encrypt their phone to prevent data extraction directly from the storage.

Suggested Mitigation

The HTML viewer component should validate the URIs it is asked to open and refuse access to sensitive locations such as the app's private data directory. As a more general measure, if the component was only ever intended for remote documents, it could be restricted to pages loaded over http or https and reject local files altogether.
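As an added example (this is not the app's own code; the class and method names are assumptions), the following Java Activity shows how such a check can look in an Android HTML viewer: the Intent's data URI is validated before anything is loaded, only absolute http(s) URLs with a host are accepted, and the WebView is configured so that even a successfully loaded page cannot reach local files or navigate to a file:// URL afterwards.

```java
// Added example, not code from the My Passwords app: an HTML viewer Activity
// that only displays remote http(s) documents and rejects file:// and
// content:// URIs such as file:///data/data/<package>/shared_prefs/...
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Locale;

public class HtmlViewerActivity extends Activity {

    // Returns true only for absolute http or https URLs that name a host.
    // null, relative paths, file://, content://, javascript: and any other
    // scheme are rejected. Kept static so it can be unit-tested on its own.
    static boolean isAllowedUri(Uri uri) {
        if (uri == null || !uri.isAbsolute() || !uri.isHierarchical()) {
            return false;
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return false;
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        boolean webScheme = "http".equals(scheme) || "https".equals(scheme);
        String host = uri.getHost();
        return webScheme && host != null && !host.isEmpty();
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Validate the caller-supplied URI before creating the WebView at all.
        Uri target = getIntent().getData();
        if (!isAllowedUri(target)) {
            // Refuse the request instead of rendering whatever was passed in.
            finish();
            return;
        }

        WebView webView = new WebView(this);
        WebSettings settings = webView.getSettings();
        // Defence in depth: even a loaded page must not be able to read local
        // files or content providers, and we do not need script for documents.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        settings.setJavaScriptEnabled(false);

        webView.setWebViewClient(new WebViewClient() {
            // Apply the same check to navigations triggered by the page, so a
            // remote document cannot redirect the viewer to a file:// URL.
            // Returning true blocks the navigation.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowedUri(Uri.parse(url));
            }
        });

        setContentView(webView);
        webView.loadUrl(target.toString());
    }
}
```

If the viewer is only ever started from inside the app itself, it should additionally be declared with android:exported="false" in the manifest; the component is then not reachable from "adb shell" or from other apps at all, independent of the URI check.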

This component is not available in version 6.0.0.

Timeline

  • 2016-11-11 Vulnerability Reported
  • 2017-02-15 Checked back with developer
  • 2017-02-17 Fixed in Version 7.2.1