Wow! RSA conference badge-scanning app found to contain a vulnerability - Vulnerability Alert - Hackbase

ID MYHACK58:62201672201
Type myhack58
Reporter Anonymous
Modified 2016-03-04T00:00:00


Security researchers at Bluebox recently found that the badge-scanning app used at the RSA 2016 conference contains a hard-coded default password. Attendees of RSA 2016 get an unusual experience this year: the conference supplies many exhibitors with a Samsung Galaxy S4 smartphone running a dedicated Android app (published on Google Play) that lets them keep track of visitors to their booth by scanning their badges. The scanning app cannot be used for anything other than scanning badges unless an administrator unlocks it with a password; this mode of operation is called "kiosk mode". Bluebox's researchers analysed the downloaded scanning app and found that the developers had placed the default password, in plaintext, in the source code.

Bluebox's researchers told Securityweek.com: "Using that password, we are able to reach the kiosk app's settings. Once we have access to the device's system settings, we can put the device into developer mode and from there obtain every permission on the device. All of this matters because if we can do it, an attacker can do as much: they can root the device, obtain the data on it, or install malware to steal more data."

They speculate that the default password hidden in the app was meant as a fallback so that an administrator who loses the device password can still manage it. Embedding such a password in the app is nonetheless a very poor development practice, especially when it is neither encrypted nor obfuscated. In this particular case no serious risk to end users was found, but hard-coded credentials in mobile apps are very common. An attacker who uses such a hidden password to gain control of a device can spy on the victim or enrol the device in a mobile botnet.
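Added here as an illustration, not code from the article or from Bluebox: a small Python check of the kind a reviewer can run over decompiled sources and resources to flag the pattern described above, a credential-like identifier assigned a plaintext literal. The file contents are constructed samples; the names KioskUnlockActivity.java, ADMIN_PASSWORD and kiosk_unlock_pin are hypothetical.

```python
import re

# Constructed sample of decompiled app sources (hypothetical; not the real badge app).
SAMPLE_FILES = {
    "KioskUnlockActivity.java": '''
        private static final String ADMIN_PASSWORD = "changeme123";
        public boolean unlock(String input) {
            return ADMIN_PASSWORD.equals(input);
        }
    ''',
    "res/values/strings.xml": '''
        <string name="app_name">BadgeScan</string>
        <string name="kiosk_unlock_pin">4321</string>
    ''',
    "Scanner.java": '''
        private static final String SERVER_URL = "https://example.invalid/api";
    ''',
}

# An identifier or resource name that suggests a credential.
CRED_NAME = r'(?:pass(?:word|wd|code)?|pin|secret|unlock)'
# Java/Kotlin: a credential-like name assigned a string literal.
JAVA_ASSIGN = re.compile(r'(\w*' + CRED_NAME + r'\w*)\s*=\s*"([^"]+)"', re.I)
# Android resources: a credential-like <string> entry with a literal value.
XML_STRING = re.compile(r'<string\s+name="(\w*' + CRED_NAME + r'\w*)"\s*>([^<]+)</string>', re.I)


def find_hardcoded_credentials(files):
    """Return (path, line number, identifier) for every suspected hard-coded credential.

    A hit means the secret ships with every copy of the app: anyone who unpacks the
    APK can read it. The fix is not to embed it at all (e.g. provision per-device
    secrets and verify them server-side), not merely to encode or obfuscate it.
    """
    findings = []
    for path, text in files.items():
        pattern = XML_STRING if path.endswith(".xml") else JAVA_ASSIGN
        for lineno, line in enumerate(text.splitlines(), 1):
            match = pattern.search(line)
            if match:
                findings.append((path, lineno, match.group(1)))
    return findings


if __name__ == "__main__":
    for path, lineno, name in find_hardcoded_credentials(SAMPLE_FILES):
        print(f"{path}:{lineno}: hard-coded credential in {name}")
```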
Something similar happened in 2014, when IOActive researchers discovered several vulnerabilities in an RSA conference Android app, including information-disclosure issues. Designing mobile apps with security in mind is critical, but the rapid spread of mobile development tools has made releasing an app very easy, and in most cases the app's security requirements are ignored entirely. What is strange is that this problem occurred at a conference attended by the security field's top experts.