Poor Authorization and Authentication¶
This weakness occurs when the application performs an activity that the current user is not allowed to perform: an attacker forces the application to do something that authorization checks should have blocked for that user.
Case-1: DIVA Access Control 1
In this case the application lets the user view credentials by clicking a button. The attack scenario is that the attacker starts the corresponding activity directly from adb, using `adb shell am` (the activity manager command), so the credentials are shown without clicking the button: no authorization is required and the activity is triggered without authentication. The same method can be used to bypass authentication and go directly to a home screen.

The activity defines an intent filter with the action name `jakhar.aseem.diva.action.VIEW_CREDS`, so it can be started with:

```
adb shell am start -a jakhar.aseem.diva.action.VIEW_CREDS
```
Mobile applications may need to perform local authentication or authorization checks, but the recommendation and best practice is that all such processing is done on the server side and only the result is loaded onto the mobile device. If the application uses a hardcoded password, even in hashed form, an attacker can reverse engineer the application and take advantage of the weak cryptography.
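The root cause in Case-1 is a component that any caller (including `adb shell am start`) can start, with no permission gate. A defender can catch this early by checking the manifest: a component is reachable from outside the app when it sets `android:exported="true"`, or when it declares an intent filter without setting `android:exported` at all. The script below is an added example, not DIVA's code or manifest; the manifest it parses is constructed for the example, and the component names (`.ViewCredsActivity`, `.ViewCredsActivityFixed`, `.SyncService`) are made up. Only the action name `jakhar.aseem.diva.action.VIEW_CREDS` comes from the page.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this namespace inside AndroidManifest.xml
ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_launcher(component):
    """The app's launcher activity must be exported; it is not a finding."""
    for flt in component.findall("intent-filter"):
        for cat in flt.findall("category"):
            if attr(cat, "name") == LAUNCHER_CATEGORY:
                return True
    return False


def find_unprotected_exported_components(manifest_xml):
    """Return (component name, reason) for every component that another
    process can start and that is not guarded by android:permission."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported is None:
            # No explicit value: a component with an intent-filter is exported by default
            is_exported = has_filter
            reason = "implicitly exported by intent-filter"
        else:
            is_exported = exported.strip().lower() == "true"
            reason = 'android:exported="true"'
        if not is_exported or is_launcher(comp):
            continue
        if attr(comp, "permission"):
            continue  # callers must hold a permission, so the gate exists
        findings.append((attr(comp, "name"), reason))
    return findings


# Constructed manifest for the example (not DIVA's real manifest).
CONSTRUCTED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="jakhar.aseem.diva">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- vulnerable: intent-filter present, android:exported not set -->
    <activity android:name=".ViewCredsActivity">
      <intent-filter>
        <action android:name="jakhar.aseem.diva.action.VIEW_CREDS"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <!-- fixed: same filter, but only the app itself can start it -->
    <activity android:name=".ViewCredsActivityFixed" android:exported="false">
      <intent-filter>
        <action android:name="jakhar.aseem.diva.action.VIEW_CREDS"/>
      </intent-filter>
    </activity>
    <!-- exported, but callers must hold a permission -->
    <service android:name=".SyncService" android:exported="true"
             android:permission="jakhar.aseem.diva.permission.SYNC"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, reason in find_unprotected_exported_components(CONSTRUCTED_MANIFEST):
        print("unprotected exported component: %s (%s)" % (name, reason))
```

Run it against a decoded manifest (for example the `AndroidManifest.xml` produced by `apktool d`) by reading the file into `find_unprotected_exported_components`. The `.ViewCredsActivityFixed` entry shows the simplest fix for Case-1: keep the intent filter for in-app use but set `android:exported="false"`, or, if other apps legitimately need it, require a permission.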
Hardcoding Issue¶
When the application stores a credential as a string in a source code file, this is known as a hardcoded credential vulnerability.
How to test:
- Reverse engineer the application
- Check the files (`ls -la`), open the `.java` files and look for password or credential strings
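Reading every `.java` file by hand does not scale, so the check above is usually scripted. The scanner below is an added example (not DIVA's code or part of the page) that runs over decompiled source and flags three patterns: a string literal assigned to a variable whose name suggests a secret, a string literal passed to `equals()`-style comparisons (the shape of an on-device password check), and bare hex digests of MD5/SHA-1/SHA-256 length (the "hardcoded password in hash form" case). The Java snippet it scans is constructed for the example; the class name, field names and values are made up, and the reported values are masked so the report itself does not leak the secret.

```python
import os
import re

# Identifier fragments that commonly carry secrets (matched case-insensitively)
SECRET_NAME = r"(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|auth[_-]?token|token|private[_-]?key)"
# <name containing a secret word> = "literal of at least 4 chars"
ASSIGN_RE = re.compile(r'\b(?P<name>\w*' + SECRET_NAME + r'\w*)\s*=\s*"(?P<value>[^"]{4,})"', re.IGNORECASE)
# .equals("literal"): a comparison against a literal baked into the app
COMPARE_RE = re.compile(r'\.(?P<method>equals|equalsIgnoreCase|contentEquals)\(\s*"(?P<value>[^"]{4,})"\s*\)')
# Bare hex digests: 32 (MD5), 40 (SHA-1) or 64 (SHA-256) hex characters
HASH_RE = re.compile(r'"(?P<value>[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})"')
SOURCE_EXTENSIONS = (".java", ".kt", ".smali")


def mask(value):
    """Keep only the first and last two characters so the report is safe to share."""
    if len(value) <= 6:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_source(text):
    """Return (line number, kind, detail, masked value) for each suspicious literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGN_RE.finditer(line):
            findings.append((lineno, "assignment", m.group("name"), mask(m.group("value"))))
        for m in COMPARE_RE.finditer(line):
            findings.append((lineno, "literal-compare", m.group("method"), mask(m.group("value"))))
        for m in HASH_RE.finditer(line):
            bits = "%d-bit" % (len(m.group("value")) * 4)
            findings.append((lineno, "hex-digest", bits, mask(m.group("value"))))
    return findings


def scan_tree(root_dir):
    """Walk a decompiled source tree and scan every Java/Kotlin/smali file."""
    results = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if fname.endswith(SOURCE_EXTENSIONS):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    results[path] = hits
    return results


# Constructed Java source for the example (not real DIVA code).
CONSTRUCTED_JAVA = """\
package jakhar.aseem.diva;

public class LoginActivity {
    private static final String TAG = "LoginActivity";
    private static final String ADMIN_PASSWORD = "s3cr3t-p4ss";
    String apiKey = "AKIAEXAMPLEKEY1234567890";

    public boolean check(String input) {
        // expected MD5 kept on-device so the check never reaches a server
        String expectedHash = "5f4dcc3b5aa765d61d8327deb882cf99";
        return md5(input).equals(expectedHash) || input.equals("diva-demo");
    }
}
"""

if __name__ == "__main__":
    for lineno, kind, detail, masked in scan_source(CONSTRUCTED_JAVA):
        print("line %d: %s (%s) -> %s" % (lineno, kind, detail, masked))
```

Point `scan_tree` at the directory produced by a decompiler to get a per-file report. Every hit is a candidate, not a confirmed finding: `TAG = "LoginActivity"` is correctly ignored, but a hex digest may be a harmless checksum, so each result still needs a look at the surrounding code to confirm it is used as a credential.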