[Cryptography] Need Debunking help

Tom Ritter tom at ritter.vg
Fri May 2 16:56:42 EDT 2014 

Never heard of it.  What the heck is it supposed to do?  They post the
APK, which is polite of them.  Yanking the source code out of it
yields the following:

Tiny Manifest File. [0]  Low permisisons, which is good, but only one
activity.  App doesn't seem very large...

Working on SDCard, which is a no-no
        fileoutputstream = new FileOutputStream((new
StringBuilder("/sdcard/")).append(MainActivity.decodeURIComponent(s)).toString());

They embed a webview, which has some dangerous options, but I didn't
see any of the scary addJavascriptInterface calls.  Although there is
this:
        public void onReceivedSslError(WebView webview,
SslErrorHandler sslerrorhandler, SslError sslerror)
        {
            sslerrorhandler.proceed();
        }
Looking like they're overriding certificate validation. Yay. ;)

Posting username and password over HTTP in the URL?
                String s1 = (new
StringBuilder("username=")).append(ManagerFragment.szUserName).append("&password=").append(ManagerFragment.szUserPassword).append("&usbid=").append(ManagerFragment.serial).append("&magicnumber=89uz6391&os=android&model=").append(ManagerFragment.hwtype).toString();

ManagerFragment.mWebView.postUrl("http://simpozia.info/impv_man/memloginfromman.php",
EncodingUtils.getBytes(s1, "base64"));

Oh come on.  At this point, I stopped looking.  I still have no idea
what this app _does_ and if any of these are legitimate bugs.  Maybe
'username' and 'password' in this context are completely harmless?
Doubt it though....

Anyway, I just wanted to remind folks that 'closed source'
applications, especially on Android, are often easily picked apart and
analyzed.  You don't always have to speculate about how something
works, you can go dig in.[1]

-tom




[0]    <application android:theme="@style/AppTheme"
android:label="@string/app_name" android:icon="@drawable/ic_launcher"
android:allowBackup="true">
        <activity android:label="@string/app_name"
android:name="com.impervio.imperviorm.MainActivity"
android:screenOrientation="landscape"
android:configChanges="keyboard|keyboardHidden|orientation">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />

[1] Or hire a security firm to review a piece of software you are
considering purchasing. ;)

More information about the cryptography mailing list