Security Researcher tears apart an unknown Android Password Management App to show its vulnerabilities
A security researcher, Matteo Beccaro, aka bughardy, has taken it upon himself to show exactly how secure Android password management Apps are. Nowadays we have to use passwords for each and every online activity, and more often than not a different password for each service. To keep track of these different and often complex passwords, users often turn to services providing password management.
Many services offer such password management Apps for Android. Bughardy targeted one of those; however, he has chosen not to name it until the App publisher releases a patch fixing the vulnerability he discovered. He says on his blog post, “Hello everyone, in this post I would like to analyze an Android application whose purpose is to manage and generate passwords securely.”
Bughardy says the App he chose claims to offer DES encryption on its Google Play listing. Bughardy first reverse engineered the App to get a first-hand look at the code. Bughardy says that even though the App's developer used some sort of code obfuscation software, he was able to locate the App's password decryption routine.
“I’ll try to rename some of them in order to make it easier to understand.
We actually have two very interesting files:
Further researching the first file, Bughardy found that the software was using DES encryption, but in ECB mode. He says that DES in ECB mode has long been known to have security issues and should not be used for password management services.
Another point he noticed was that the App used an eight-digit PIN as the encryption key. Bughardy says that an eight-digit PIN gives a possible 100 million combinations, which, he says, may seem a lot to users but not to a fast computer.
The third problem with the App was that if the PIN is shorter than eight digits, the same fixed digits are always padded to the end to fill in the blanks. Since most people tend to use four-digit PINs, this can lower the total number of combinations to just ten thousand.
So, if for example my PIN code is 1111, to encrypt my passwords the application will use DES/ECB with key 1111 + 0742 → 11110742, which, in my honest opinion, is not enough.
Let’s do some math: for a real random DES key we have 2^64 possible combinations (which in reality are just 2^54). But as we saw before, the application uses only digits to generate our key, which reduces the possible combinations to 10^8.
2^54 = 18014398509481984
10^8 = 100000000
Bughardy says that his Python Proof of Concept would take approximately 35 minutes to break all possible combinations.
The second file he researched showed that the App stored the passwords in plain text.
private boolean K() {
    // Compares the PIN typed into the text field (ab) with the PIN stored in
    // clear text under the key "manager_pin" in the app's SharedPreferences.
    // The preferences file name argument was not preserved in the excerpt.
    return c().getSharedPreferences(,0).getString("manager_pin", "invalid").equals(ab.getText().toString());
}
This is a very interesting function. When we generate a PIN code, the application saves it in clear text into an XML file located in the data folder of the app. Then, when you want to see your saved passwords, it will check if the PIN you write is correct by comparing it to the one saved in the file. Very secure.
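As an added illustration (not code from bughardy's post or from the app), the following Python reproduces the PIN-to-key scheme described above, works out the resulting keyspace and brute-force time from the post's own figures, and contrasts it with a salted, iterated key derivation that keeps a verifier instead of the clear-text PIN. The fixed padding digits come from the post's 1111 → 11110742 example; how the app pads other PIN lengths, the PBKDF2 parameters and the verifier layout are assumptions.

```python
import hashlib
import hmac
import os

# Fixed padding digits shown in the post (1111 -> 11110742). Applying the
# same digits to other PIN lengths is an assumption about the app.
APP_PAD_DIGITS = "0742"
DES_EFFECTIVE_KEYSPACE = 2 ** 54          # figure quoted in the post
KEYS_PER_SECOND = 10 ** 8 / (35 * 60)     # 10^8 keys in ~35 min, per the post


def app_key_from_pin(pin: str) -> str:
    """Reproduce the described scheme: the digits of a PIN shorter than
    8 characters are followed by fixed digits to make an 8-byte DES key."""
    if not pin.isdigit() or not 1 <= len(pin) <= 8:
        raise ValueError("PIN must be 1 to 8 digits")
    return pin + APP_PAD_DIGITS[: 8 - len(pin)]


def effective_keyspace(pin_len: int) -> int:
    """Only the user-chosen digits vary; the padding adds no entropy."""
    return 10 ** min(pin_len, 8)


def seconds_to_exhaust(pin_len: int) -> float:
    """Time to try every key, at the rate implied by the post's PoC."""
    return effective_keyspace(pin_len) / KEYS_PER_SECOND


# Hardened alternative (assumed design, not the app's): stretch the PIN with
# a per-user salt, split the output into an encryption key and a verifier,
# and store only salt, iteration count and verifier. The key would then be
# used with an authenticated mode such as AES-GCM, never DES/ECB.
def derive_key_material(pin: str, salt: bytes, iterations: int = 200_000):
    km = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=64)
    return km[:32], km[32:]               # (encryption key, stored verifier)


def make_pin_verifier(pin: str, iterations: int = 200_000) -> dict:
    salt = os.urandom(16)
    _, verifier = derive_key_material(pin, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def verify_pin(pin: str, record: dict) -> bool:
    """Constant-time check against the stored verifier; the PIN itself is
    never written to disk, unlike the clear-text "manager_pin" above."""
    _, candidate = derive_key_material(pin, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["verifier"])
```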
Bughardy has not named the specific Android App in his blog post, but by the looks of it, it seems to be a popular one. We reached out to him for the name of the App, as the developer is pushing out the patch, but apparently the patch is not ready yet.
@comboupdates Not before the patched version is released in the Play Store; it should be a matter of a few hours.
— bughardy (@_bughardy_) January 19, 2015
Maybe you can identify the App in question!