Many services offer such password management Apps for Android. Bughardy targeted one of those, but has chosen not to name it until the App's publisher releases a patch fixing the vulnerability he discovered. He says in his blog post, "Hello everyone, in this post I would like to analyze an Android application whose purpose is to manage and generate passwords securely." Bughardy says the App he chose claims to offer DES encryption on its Google Play listing.

Bughardy first reverse engineered the App to get a first-hand look at the code. He says that even though the App's developer used some sort of code obfuscation software, he was able to locate the App's password decryption routine. Researching the first file further, Bughardy found that the software was using DES encryption, but in ECB mode. He says that DES in ECB mode has long been known to have security issues and should not be used for a password management service.

"We actually have two very interesting files:
com/#####/android/###/d/b.java
com/#####/android/###/bj.java"

Another point he noticed was that the App used an eight-digit PIN as the encryption key. Bughardy says that an eight-digit PIN gives a possible 100 million combinations, which may seem a lot to users but not to a fast computer. The third problem with the App was that if the PIN is shorter than eight characters, the same digits are always padded to the end to fill in the blanks. Since most people tend to use four-digit PINs, this can lower the total number of combinations to just ten thousand. Bughardy says that his Python proof of concept would take approximately 35 minutes to try all possible combinations. The figures from his post:

2^54 = 18014398509481984
10^8 = 100000000

The second file he researched showed that the App stored the passwords in plain text. Bughardy has not named the specific Android App in his blog post, but by the looks of it, it seems to be a popular one.
We reached out to him for the name of the App, as the developer is pushing out a patch, but apparently the patch is not ready yet. He adds:

"This is a very interesting function. The application, when we generate a PIN code, saves it in clear-text into an XML file located in the data folder of the app. Then, when you want to see your saved passwords, it will check if the PIN you write is correct, comparing it to the one saved in the file. Very secure."

— bughardy (@bughardy) January 19, 2015 Maybe you can identify the App in question!
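The clear-text PIN file and plain string comparison described above, shown beside a hardened form, as an added Python example that is neither Bughardy's code nor the App's real file format (the XML layout, element names and iteration count are assumptions). It also models the page's key-space figures: 10^8 for eight digits, 10^4 once a four-digit PIN is padded deterministically.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Assumption: the App keeps its PIN in an XML preferences file in its data
# directory; the element names used here are made up for the illustration.

def store_pin_cleartext(pin):
    """The pattern the post describes: the PIN is written verbatim."""
    root = ET.Element("prefs")
    ET.SubElement(root, "string", name="pin").text = pin
    return ET.tostring(root, encoding="unicode")

def check_pin_cleartext(xml_text, candidate):
    """Anyone who can read the file learns the PIN without guessing at all."""
    stored = ET.fromstring(xml_text).find("string[@name='pin']").text
    return stored == candidate

PBKDF2_ITERATIONS = 200_000   # assumed cost; raise it as far as the UI tolerates

def store_pin_hashed(pin, salt=None):
    """Hardened form: random salt + PBKDF2-HMAC-SHA256; only the hash is written."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    root = ET.Element("prefs")
    ET.SubElement(root, "string", name="pin_salt").text = salt.hex()
    ET.SubElement(root, "string", name="pin_hash").text = digest.hex()
    return ET.tostring(root, encoding="unicode")

def check_pin_hashed(xml_text, candidate):
    """Recompute the hash from the stored salt and compare in constant time."""
    root = ET.fromstring(xml_text)
    salt = bytes.fromhex(root.find("string[@name='pin_salt']").text)
    expected = bytes.fromhex(root.find("string[@name='pin_hash']").text)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, expected)

def pin_is_readable(xml_text):
    """True when the file exposes the PIN itself rather than a salted hash."""
    return ET.fromstring(xml_text).find("string[@name='pin']") is not None

def pin_keyspace(pin_len):
    """Digit-only PIN space: 10^8 for eight digits, but a four-digit PIN padded
    deterministically to eight still offers only 10^4 guesses, hashed or not."""
    return 10 ** pin_len
```

A salted hash keeps the PIN out of the file, but 10^4 offline guesses stay cheap, so a short PIN should gate access to a key held in the device keystore rather than serve as the encryption key itself.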