SIK-2017-034
Title:
Hard-Coded Database Credentials in „Localizador de Celular GPS“
Report ID
SIK-2017-034
Summary:
- Vendor: AppDroid Aplicativos Ponto Com
- Product: Localizador de Celular GPS (App-package: com.androidaplicativos.localizadordelcelular)
- Affected Version: 3.1
- Severity: High
- Short summary:
The app ships with the credentials of its backend MySQL server embedded in the APK. Anyone who extracts them can read and modify the data of all users of the app.
Details:
The app connects to the backend MySQL database directly, without any middleware (such as a web API) in between. The credentials used to authenticate against the MySQL server are hard-coded into the app and can be recovered by anyone who decompiles the APK (values partially masked here):
Host: mysql.androidaplicativos.com
Username: a**********2
Password: P**********k
Database: a**********2
As a consequence, anyone who connects to the MySQL server with these credentials can read, modify or delete the data stored by every user of the app. No further authentication or authorization takes place: the same database account is used by every installation, so the server cannot tell one user from another.
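As an added illustration (not part of the original advisory and not the vendor's code), the following Python script shows the kind of check a reviewer runs over decompiled output (jadx or apktool trees) to spot the pattern described above: a JDBC URL, literal credential assignments next to it, and a direct DriverManager.getConnection call. The decompiled snippet it scans is a constructed sample; the package, host and credential values in it are invented and are not those of the real app.

```python
import re
from pathlib import Path

# Constructed excerpt of decompiled Java (jadx-style output) showing the
# anti-pattern from the advisory. Sample input only, not the real app's code.
SAMPLE_DECOMPILED = r'''
package com.example.locator;

import java.sql.DriverManager;

public class DbHelper {
    private static final String URL = "jdbc:mysql://mysql.example.invalid:3306/appdb";
    private static final String USER = "appuser";
    private static final String PASS = "S3cretPassw0rd";

    public java.sql.Connection open() throws Exception {
        return DriverManager.getConnection(URL, USER, PASS);
    }
}
'''

# A JDBC connection string as a string literal (also matches smali const-string lines).
JDBC_URL_RE = re.compile(r'"(jdbc:(?:mysql|mariadb|postgresql)://[^"]+)"')
# A string literal assigned to an identifier that looks like a username or password.
CRED_ASSIGN_RE = re.compile(
    r'(?i)\b(?:String\s+)?(\w*(?:user|username|login|pass|password|passwd|pwd)\w*)'
    r'\s*=\s*"([^"]*)"')
# The app opening a database connection itself instead of calling an API.
GETCONN_RE = re.compile(r'DriverManager\.getConnection\s*\(')


def scan_source(text):
    """Scan one decompiled source file and return the findings as a dict."""
    urls = [m.group(1) for m in JDBC_URL_RE.finditer(text)]
    creds = {m.group(1): m.group(2) for m in CRED_ASSIGN_RE.finditer(text)}
    direct = bool(GETCONN_RE.search(text))
    return {"jdbc_urls": urls, "credential_literals": creds, "direct_connection": direct}


def is_high_risk(findings):
    """High risk when the code opens a direct DB connection, carries a JDBC URL
    and a non-empty literal whose name looks like a password."""
    has_secret = any(re.search(r'(?i)pass|pwd', name) and value
                     for name, value in findings["credential_literals"].items())
    return findings["direct_connection"] and bool(findings["jdbc_urls"]) and has_secret


def scan_tree(root):
    """Walk a decompiled tree (e.g. the jadx or apktool output directory) and
    return findings per file for every file that contains a JDBC URL or a
    credential-looking literal."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix in {".java", ".kt", ".smali", ".xml"}:
            findings = scan_source(path.read_text(errors="replace"))
            if findings["jdbc_urls"] or findings["credential_literals"]:
                results[str(path)] = findings
    return results


if __name__ == "__main__":
    result = scan_source(SAMPLE_DECOMPILED)
    print(result)
    print("HIGH RISK" if is_high_risk(result) else "no direct DB credentials found")
```

Run `scan_tree("path/to/jadx-output/sources")` against a real decompiled tree; the sample run reports the JDBC URL, the USER and PASS literals and the direct connection, which is exactly the combination this advisory describes. The regexes are deliberately broad (they will flag harmless strings named `username`), so treat hits as candidates to review, not as confirmed findings.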
Workaround
None available.
Suggested Mitigation
Never place backend credentials or other secrets into the app: anything in the APK can be extracted by decompilation, and obfuscation only delays this. Instead, the app should talk to a trusted middleware (for example an HTTPS API) that holds the database credentials server-side, authenticates each user and enforces authorization, so that users can only see and change the data they are allowed to. Since the credentials in this app have already been exposed, they should be treated as compromised: change them, and restrict network access to the MySQL server to the middleware hosts.
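An added example (Python, not the vendor's code) of the middleware layer the mitigation calls for. It uses an in-memory SQLite database as a stand-in for the MySQL server, with constructed sample users and location records. The point it demonstrates: the database credentials live only on the server, every request is first mapped from a session token to a user id, and every query filters on that user id, including lookups and deletes by record id, so a client cannot reach another user's rows by guessing identifiers.

```python
import hashlib
import secrets
import sqlite3

# The database connection details stay on the server and are never sent to
# the app. Constructed stand-in: an in-memory SQLite database instead of MySQL.
DB_URL_SERVER_SIDE = ":memory:"


def build_backend():
    """Create the constructed sample backend: two users with location records,
    plus a sessions table that stores only hashed tokens."""
    conn = sqlite3.connect(DB_URL_SERVER_SIDE)
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE sessions(token_hash TEXT PRIMARY KEY,
                              user_id INTEGER REFERENCES users(id));
        CREATE TABLE locations(id INTEGER PRIMARY KEY,
                               user_id INTEGER REFERENCES users(id),
                               lat REAL, lon REAL, ts TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO locations VALUES
            (10, 1, -23.55, -46.63, '2017-08-09T10:00:00Z'),
            (11, 1, -23.56, -46.64, '2017-08-09T10:05:00Z'),
            (20, 2, -22.91, -43.17, '2017-08-09T10:00:00Z');
    """)
    return conn


def _hash_token(token):
    # Tokens are stored hashed so a database leak does not hand out live sessions.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(conn, user_id):
    """Called after the user has authenticated (password verification omitted).
    Returns the bearer token the app stores; only its hash is kept server-side."""
    token = secrets.token_urlsafe(32)
    conn.execute("INSERT INTO sessions VALUES (?, ?)", (_hash_token(token), user_id))
    return token


def authenticate(conn, token):
    """Map a presented token to a user id or raise. Every handler starts here;
    the user id is never taken from the request body."""
    row = conn.execute("SELECT user_id FROM sessions WHERE token_hash = ?",
                       (_hash_token(token),)).fetchone()
    if row is None:
        raise PermissionError("invalid or expired session")
    return row[0]


def list_locations(conn, token):
    """API handler: returns only rows owned by the authenticated user."""
    user_id = authenticate(conn, token)
    return conn.execute(
        "SELECT id, lat, lon, ts FROM locations WHERE user_id = ? ORDER BY id",
        (user_id,)).fetchall()


def get_location(conn, token, location_id):
    """Object-level check: a lookup by id still filters on the owner, so a
    guessed id belonging to another user returns None instead of their data."""
    user_id = authenticate(conn, token)
    return conn.execute(
        "SELECT id, lat, lon, ts FROM locations WHERE id = ? AND user_id = ?",
        (location_id, user_id)).fetchone()


def delete_location(conn, token, location_id):
    """Writes are scoped the same way; returns the number of rows removed."""
    user_id = authenticate(conn, token)
    cur = conn.execute("DELETE FROM locations WHERE id = ? AND user_id = ?",
                       (location_id, user_id))
    return cur.rowcount


if __name__ == "__main__":
    db = build_backend()
    alice, bob = issue_session(db, 1), issue_session(db, 2)
    print("alice sees:", list_locations(db, alice))
    print("alice asking for bob's record 20:", get_location(db, alice, 20))
```

Exposed as an HTTPS API, the app would send only its session token with each request and never a database credential; the MySQL account used by the middleware can then be limited to that one host and to the tables it needs.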
Timeline
- 2017-08-09: Vulnerability discovered
- 2017-08-09: Contacted developer
- 2017-08-17: Advisory sent to developer
- 2018-08-11: Published