Boozt Fashion AB: Application code is not obfuscated -- OWASP M9 (2016)

2017-02-13T10:21:40
ID H1:205925
Type hackerone
Reporter dineshdinz
Modified 2017-02-24T17:55:20

Description

Description :

The Boozt Android app is not obfuscated, which allows viewing the source code of the app.

Impact :

Attackers can steal the code and reuse it or sell it to create a new application, or create a malicious fake application based on the original one.

POC :

Step 1 :

First, I did basic reverse engineering, such as unzipping the APK file by changing the file extension from .apk to .zip.

Step 2 :

Once I had unzipped the APK, I noticed that it had two classes.dex files. I planned to convert the .dex files into .jar files to view the source code.

Step 3 :

To convert the .dex file into a .jar file I used the dex2jar tool in the macOS terminal. In the terminal I used the following command:

MacBook-Pro:dex2jar-0.0.9.15 dinesh$ sh d2j-dex2jar.sh classes.dex
dex2jar classes2.dex -> classes-dex2jar.jar
MacBook-Pro:dex2jar-0.0.9.15 dinesh$

Step 4 :

Once the conversion was done, I got the .jar file. To view the .jar file I used the jd-gui tool.

Step 5 :

Open the .jar file with the jd-gui tool. Now you can view the Java files. That's all.

Step 6 :

I did the same process from step 3 to step 5 for the second .dex file as well.

Mitigation :

Obfuscate the Java code with tools like ProGuard or DexGuard in your application.

Reference to Fix the problem

https://developer.android.com/studio/build/shrink-code.html
https://books.nowsecure.com/secure-mobile-development/en/coding-practices/code-complexity-and-obfuscation.html
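The mitigation above is a build configuration change. The following app/build.gradle fragment is an added example written for this page; it is not code from the report, from Boozt, or from the linked Android documentation. It shows the weak release setting that leaves class and method names readable (the state the report describes) next to the hardened setting that turns on R8/ProGuard shrinking and obfuscation. The package name com.example.app and the keep rule for its model classes are assumptions for illustration.

```groovy
// app/build.gradle (Groovy DSL) -- added example, not the Boozt project's own build file.
android {
    buildTypes {
        release {
            // Weak setting (what this report describes): no shrinking or renaming,
            // so the release APK's classes.dex carries the original class, method
            // and field names and decompiles back to near-original Java.
            // minifyEnabled false

            // Hardened setting: R8 (the AGP default, or ProGuard on older plugins)
            // removes unused code and renames the rest to short meaningless
            // identifiers. Uses the -optimize variant of the default rule set.
            minifyEnabled true
            shrinkResources true
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'),
                          'proguard-rules.pro'
        }
    }
}

/*
 * Contents of the referenced app/proguard-rules.pro (assumed example rules):
 *
 *   # Keep file/line attributes so crash stack traces stay resolvable via mapping.txt,
 *   # while replacing the real source file name with a constant.
 *   -keepattributes SourceFile,LineNumberTable
 *   -renamesourcefileattribute SourceFile
 *
 *   # Flatten all obfuscated classes into the root package.
 *   -repackageclasses ''
 *
 *   # Classes accessed by reflection or (de)serialized by name must keep
 *   # their names, or the app breaks at runtime (package is an assumption).
 *   -keep class com.example.app.model.** { *; }
 */
```

After a release build, R8 writes the rename map to app/build/outputs/mapping/release/mapping.txt; its presence and a listing of renamed classes is the quick check that obfuscation actually ran, and the file must be archived per release so crash reports can be de-obfuscated. Obfuscation only raises the effort needed to read the code: strings, endpoints and any embedded credentials remain recoverable from the APK, so secrets should never be shipped in the app regardless of this setting.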