SIK-2017-034


Title:

Hard-Coded Database Credentials in „Localizador de Celular GPS“

Report ID:

SIK-2017-034

Summary:

  • Vendor: AppDroid Aplicativos Ponto Com
  • Product: Localizador de Celular GPS (App-package: com.androidaplicativos.localizadordelcelular)
  • Affected Version: 3.1
  • Severity: High
  • Short summary:
    The app contains hard-coded credentials for the backend MySQL server. Anyone who extracts them from the APK gains full read and write access to the data of all users.

Details:

The app connects directly to the backend MySQL database server, with no middleware in between. The credentials used to authenticate against the MySQL server are hard-coded into the app and can be recovered by decompiling the APK (the values below are redacted):

Host: mysql.androidaplicativos.com
Username: a**********2
Password: P**********k
Database: a**********2

As a consequence, anyone holding these credentials can connect directly to the MySQL server and read or modify the data stored by every user of the app. The database account is shared by all installations, so MySQL itself cannot tell users apart, and no further authentication or authorization is required.
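The check below is an added example, not part of the advisory or the vendor's code: a small scanner for the pattern described above, run over decompiled Java source (for instance the output of jadx). It looks for a JDBC URL, a JDBC driver class name and string constants whose names suggest credentials, and reports the secrets masked in the same style as the advisory. The source fragment it scans is constructed for the example; only the host name is taken from the advisory, and the user name, password and database name are placeholders, not the real values.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of decompiled Java source from an Android app
# that opens a JDBC connection straight to a backend MySQL server. The host is
# the one named in the advisory; the credentials and database name are made up.
SAMPLE_DECOMPILED_SOURCE = '''
package com.example.app;

import java.sql.Connection;
import java.sql.DriverManager;

public class DatabaseHelper {
    private static final String DB_URL = "jdbc:mysql://mysql.androidaplicativos.com:3306/example_db";
    private static final String DB_USER = "example_user";
    private static final String DB_PASS = "ExamplePassword1";

    public Connection open() throws Exception {
        Class.forName("com.mysql.jdbc.Driver");
        return DriverManager.getConnection(DB_URL, DB_USER, DB_PASS);
    }
}
'''

# Three indicators of direct database access from client code: a JDBC URL
# (scheme, host, port, database), a JDBC driver class name, and string
# constants whose identifiers look like credentials.
JDBC_URL_RE = re.compile(
    r'jdbc:(?P<scheme>[a-z0-9]+)://(?P<host>[^:/"\s]+)(?::(?P<port>\d+))?/(?P<db>[^"?\s]*)'
)
DRIVER_RE = re.compile(
    r'"(com\.mysql\.(?:cj\.)?jdbc\.Driver|org\.mariadb\.jdbc\.Driver|org\.postgresql\.Driver)"'
)
CRED_CONST_RE = re.compile(
    r'String\s+(?P<name>\w*(?:USER|PASS|PASSWORD|PWD|SECRET)\w*)\s*=\s*"(?P<value>[^"]*)"',
    re.IGNORECASE,
)


def mask(value: str) -> str:
    """Redact a secret the way the advisory does: keep the first and last character."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def scan_source(text: str) -> Dict[str, List]:
    """Return every JDBC URL, driver class and credential-like constant found in text."""
    findings: Dict[str, List] = {"jdbc_urls": [], "drivers": [], "credentials": []}
    for m in JDBC_URL_RE.finditer(text):
        findings["jdbc_urls"].append(
            {"scheme": m.group("scheme"), "host": m.group("host"),
             "port": m.group("port"), "database": m.group("db")}
        )
    for m in DRIVER_RE.finditer(text):
        findings["drivers"].append(m.group(1))
    for m in CRED_CONST_RE.finditer(text):
        # Never write the recovered secret itself into a report; mask it.
        findings["credentials"].append(
            {"name": m.group("name"), "value_masked": mask(m.group("value"))}
        )
    return findings


def is_direct_db_access(findings: Dict[str, List]) -> bool:
    """The advisory's condition: a database URL together with literal credentials in the client."""
    return bool(findings["jdbc_urls"]) and bool(findings["credentials"])


if __name__ == "__main__":
    result = scan_source(SAMPLE_DECOMPILED_SOURCE)
    for url in result["jdbc_urls"]:
        print("JDBC URL:", url)
    for cred in result["credentials"]:
        print("credential constant:", cred["name"], "=", cred["value_masked"])
    print("direct database access from client:", is_direct_db_access(result))
```

To use it on a real app, feed `scan_source` the contents of each `.java` file produced by the decompiler; the JDBC URL pattern also matches the raw output of `strings` on `classes.dex`, which is often enough to spot the host and database name before decompiling at all. The credential pattern is a heuristic keyed on identifier names, so it misses secrets that are assembled at runtime or stored under unrelated names and should be complemented by a manual look at every `DriverManager.getConnection` call.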

Workaround:

None available.

Suggested Mitigation:

Never place backend credentials or other sensitive data in the app; anything shipped in the APK must be assumed to be known to every user. Always put a trusted middleware system between the app and the database. The middleware holds the database credentials, authenticates each user and enforces authorization on every request, so that users can only read and modify the data they are allowed to see. The credentials already exposed should be treated as compromised and rotated, and the MySQL server should accept connections only from the middleware host rather than from the internet.
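The following is an added example of the middleware design described above, not code from the vendor or from the advisory. A SQLite in-memory database stands in for the vendor's MySQL server, and the `users` and `locations` schema, the password hashing scheme and the session handling are all assumptions made for the example. The point it demonstrates is the separation of duties: only the backend holds a database connection, the client holds nothing but a per-user session token, and every query is scoped to the authenticated user by the server, so one user cannot read another user's location records even with a valid login of their own.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3
from typing import List, Tuple

# Assumed for the example: PBKDF2-SHA256 for stored password hashes.
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class LocatorBackend:
    """The middleware the advisory recommends: it alone talks to the database,
    and every data access is scoped to the user behind the session token."""

    def __init__(self) -> None:
        # In production the MySQL DSN and credentials are read here from the
        # server environment or a secrets store; they never reach the APK.
        # sqlite3 in memory stands in for the real database in this example.
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(
            """
            CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT UNIQUE,
                               salt BLOB, pw_hash BLOB);
            CREATE TABLE locations(user_id INTEGER, lat REAL, lon REAL, ts TEXT);
            """
        )
        self.sessions = {}  # session token -> user id

    def register(self, name: str, password: str) -> int:
        salt = os.urandom(16)
        cur = self.db.execute(
            "INSERT INTO users(name, salt, pw_hash) VALUES (?, ?, ?)",
            (name, salt, _hash_password(password, salt)),
        )
        return cur.lastrowid

    def login(self, name: str, password: str) -> str:
        """Authenticate the app user; the client gets a token, not a DB credential."""
        row = self.db.execute(
            "SELECT id, salt, pw_hash FROM users WHERE name = ?", (name,)
        ).fetchone()
        if row is None or not hmac.compare_digest(_hash_password(password, row[1]), row[2]):
            raise PermissionError("invalid credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = row[0]
        return token

    def _user_for(self, token: str) -> int:
        try:
            return self.sessions[token]
        except KeyError:
            raise PermissionError("invalid or expired session") from None

    def record_location(self, token: str, lat: float, lon: float, ts: str) -> None:
        uid = self._user_for(token)
        self.db.execute("INSERT INTO locations VALUES (?, ?, ?, ?)", (uid, lat, lon, ts))

    def get_locations(self, token: str) -> List[Tuple[float, float, str]]:
        """Authorization lives in the server-side WHERE clause: the client can
        neither name another user's id nor bypass the filter."""
        uid = self._user_for(token)
        return self.db.execute(
            "SELECT lat, lon, ts FROM locations WHERE user_id = ? ORDER BY ts", (uid,)
        ).fetchall()


def demo() -> Tuple[LocatorBackend, str, str]:
    """Constructed sample data: two users, one location record each."""
    backend = LocatorBackend()
    backend.register("alice", "alice-pass")
    backend.register("bob", "bob-pass")
    alice = backend.login("alice", "alice-pass")
    bob = backend.login("bob", "bob-pass")
    backend.record_location(alice, -23.55, -46.63, "2017-08-09T10:00:00Z")
    backend.record_location(bob, -22.91, -43.17, "2017-08-09T10:05:00Z")
    return backend, alice, bob


if __name__ == "__main__":
    backend, alice, bob = demo()
    print("alice sees:", backend.get_locations(alice))
    print("bob sees:  ", backend.get_locations(bob))
```

Contrast this with the vulnerable app: there, the "session" is the MySQL account itself, shared by every installation, so the database cannot distinguish users and any holder of the credentials can issue arbitrary queries. Here the app's only secret is a short-lived token tied to one user, and the database credentials stay on a host that the MySQL server is the only thing allowed to talk to.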

Timeline:

  • 2017-08-09: Vulnerability discovered
  • 2017-08-09: Contacted developer
  • 2017-08-17: Advisory sent to developer
  • 2018-08-11: Published