How I “found” the database of the college App

25 Oct 2018

How I “found” the database of the college App

1 minute read

It’s Thursday afternoon, there is nothing interesting on YouTube. And hacked my application called Gitote on my text editor!

Suddenly an idea came, what if I can increase my attendance percentage in my college? LOL!

Recognition

I just open the XXXXXXX(I Don’t wanna reveal the appname) App which is installed in my android device and peeked my old attendance

Nothing really surprising, this is just my regular checkup!

Static Analysis

  • From my phone, I exported the APK to my computer. I used the app called APK Export

Play Store Link

  • I used apktool to get the resources of the app.

  • I used jadx to obtain the decompiled source code from the extracted DEX file.

  • Now, I have everything I need.

Time to analyze what we have. By looking at AndroidManifest.xml, we can see that:

  • The app is using Firebase

  • This is Java Application which is confirmed by the fact that the com/XXXXXXX folder has tons of .java files

  • This app asked some permissions which looks not dangerous!

Next, I looked at the res/values/strings.xml file.

    <string name="firebase_database_url">https://******-e****.firebaseio.com</string>
    <string name="gcm_defaultSenderId">8***3163***5</string>
    <string name="google_api_key">AIzaS****f94c3-qh4W3*****cdRrbKui*****8</string>
    <string name="google_app_id">1:8873*****935:android:**5f597*****6691</string>
    <string name="google_crash_reporting_api_key">AI*****Vhf94c*-q**W3WOv*****rbKui*****8</string>
    <string name="google_storage_bucket">*******-e****.appspot.com</string>

Woah!! IDs and Keys of everything are hardcoded in this file… It’s showing how serious they are regarding security.

Moreover, we can see that they are using Firebase Database. Let see if they correctly configured their database. I pasted https://********e**5*.firebaseio.com/.json in Chrome.

Woah!! Again the entire database is visible to me! This is freeking their database is accessible by everyone who has the key, Now, I’m able to view all the user info (name, avatar, id, device, email, phone number and some more credentials)

None of them are encrypted

#!/bin/bash

for i in $(awk -F'"' '{ for(i=1; i<=NF; i++) { if($i ~ /^http/) print $i } }' $1); do
    wget "$i"
done

with this simple script, I downloaded all the available avatars.

BackgroundMail.newBuilder(MailUs.this).withUsername("*******.*****@gmail.com").withPassword("******@*****347")

Oooohhh! I found an email of an admin and password of their Google Play Console account(it may)

Mitigations

  • Don’t use the development settings for Firebase database when you publish your app

  • Don’t put your API keys, Tokens and Secrets visible easily

  • Hire Good and cool developers!

If you like this article, feel free to follow me on Twitter

Still, lot coming to you

Tags:

Updated:

Leave a Comment