Database leakage caused by improper design of a trading network APP

Source: Internet
Author: User


A design flaw in this app's Android client leaks data, exposing the entire site's database. I have recently become quite interested in reverse engineering Android apps and have been running security tests on some apps found on the Internet. When I first started on this app, I found that it contained a MySQL JDBC driver, and I suspected there might be a problem. Further decompilation showed that its database configuration is written directly into a .so library file and stored in plaintext. Connecting to the database with it gave control of the full-site database. This is a serious danger! I used a tool to start the decompilation and then extracted the app's dex file.

After converting the dex file into a jar package and analyzing the code, I found the database connection but not the specific connection code. I then thought that the connection might live in a native library, and found the libservice_jni.so file:
 

.plt:00000BAC ;
.plt:00000BAC ; +-------------------------------------------------------------------------+
.plt:00000BAC ; |   This file has been generated by The Interactive Disassembler (IDA)    |
.plt:00000BAC ; |   Copyright (c) 2009 by Hex-Rays, <support@hex-rays.com>                |
.plt:00000BAC ; |   License info: FA-EC7E-28A4-A5                                         |
.plt:00000BAC ; |   Licensed User                                                         |
.plt:00000BAC ; +-------------------------------------------------------------------------+
.plt:00000BAC ;
.plt:00000BAC ; Input MD5   : 0208C7DA39BFDBBC13FD435EA49F9C78
.plt:00000BAC
.plt:00000BAC ; ---------------------------------------------------------------------------
.plt:00000BAC ; File Name   : D:\apk\apktool1.5.2\apktool1.5.2\libservice_jni.so
.plt:00000BAC ; Format      : ELF (Shared object)
.plt:00000BAC ; Needed Library 'libstdc++.so'
.plt:00000BAC ; Needed Library 'libm.so'
.plt:00000BAC ; Needed Library 'libc.so'
.plt:00000BAC ; Needed Library 'libl.so'
.plt:00000BAC ; Shared Name 'libservice_jni.so'
.plt:00000BAC ;
.plt:00000BAC ; EABI version: 5
.plt:00000BAC ;
.plt:00000BAC
.plt:00000BAC ; Processor       : ARM
.plt:00000BAC ; Target assembler: Generic assembler for ARM
.plt:00000BAC ; Byte sex        : Little endian
.plt:00000BAC
.plt:00000BAC ; ===========================================================================
.plt:00000BAC
.plt:00000BAC ; Segment type: Pure code
.plt:00000BAC                 AREA .plt, CODE, READWRITE
.plt:00000BAC                 ; ORG 0xBAC
.plt:00000BAC                 CODE32
.plt:00000BAC                 STR     LR, [SP,#-4]!
.plt:00000BB0                 LDR     LR, =(_GLOBAL_OFFSET_TABLE_-0xBBC)
.plt:00000BB4                 ADD     LR, PC, LR
.plt:00000BB8                 LDR     PC, [LR,#8]!
.plt:00000BB8 ; ---------------------------------------------------------------------------
.plt:00000BBC off_BBC         DCD _GLOBAL_OFFSET_TABLE_-0xBBC ; DATA XREF: .plt:00000BB0r
.plt:00000BC0 ; [0000000C BYTES: collapsed function __cxa_atexit. press keypad "+" to expand]
.plt:00000BCC ; [0000000C BYTES: collapsed function __cxa_finalize. press keypad "+" to expand]
.plt:00000BD8 ; [0000000C BYTES: collapsed function __gnu_Unwind_Find_exidx. press keypad "+" to expand]
.plt:00000BE4 ; [0000000C BYTES: collapsed function memcpy. press keypad "+" to expand]
.plt:00000BF0 ; [0000000C BYTES: collapsed function abort. press keypad "+" to expand]
.plt:00000BFC ; [0000000C BYTES: collapsed function __cxa_begin_cleanup. press keypad "+" to expand]
.plt:00000C08 ; [0000000C BYTES: collapsed function __cxa_type_match. press keypad "+" to expand]
.text:00000C14 ; ---------------------------------------------------------------------------
.text:00000C14 ; ===========================================================================
.text:00000C14
.text:00000C14 ; Segment type: Pure code
.text:00000C14                 AREA .text, CODE, READWRITE
.text:00000C14                 ; ORG 0xC14
.text:00000C14                 CODE32
.text:00000C14                 LDR     R2, =(unk_4000-0xC24)
.text:00000C18                 MOV     R1, #0
.text:00000C1C                 ADD     R2, PC, R2
.text:00000C20                 B       __cxa_atexit
.text:00000C20 ; ---------------------------------------------------------------------------
.text:00000C24 off_C24         DCD unk_4000-0xC24      ; DATA XREF: .text:00000C14r
.text:00000C28
.text:00000C28 ; =============== S U B R O U T I N E =======================================
.text:00000C28
.text:00000C28 sub_C28                                 ; DATA XREF: .fini_array:00003EB8o
.text:00000C28                 LDR     R0, =(unk_4000-0xC34)
.text:00000C2C                 ADD     R0, PC, R0
.text:00000C30                 B       __cxa_finalize
.text:00000C30 ; End of function sub_C28
.text:00000C30
.text:00000C30 ; ---------------------------------------------------------------------------
.text:00000C34 off_C34         DCD unk_4000-0xC34      ; DATA XREF: sub_C28r
.text:00000C38                 CODE16
.text:00000C38
.text:00000C38 ; =============== S U B R O U T I N E =======================================
.text:00000C38
.text:00000C38                 EXPORT Java_com_fly186_service_jni_JNI_getUrl
.text:00000C38 Java_com_fly186_service_jni_JNI_getUrl
.text:00000C38                 PUSH    {R3,LR}
.text:00000C3A                 LDR     R2, [R0]
.text:00000C3C                 LDR     R1, =(aJdbcMysql59_63-0xC46)
.text:00000C3E                 MOVS    R3, 0x29C
.text:00000C42                 ADD     R1, PC          ; "jdbc:mysql://do not tell you/myxdfw"
.text:00000C44                 LDR     R3, [R2,R3]
.text:00000C46                 BLX     R3
.text:00000C48                 POP     {R3,PC}
.text:00000C48 ; End of function Java_com_fly186_service_jni_JNI_getUrl
.text:00000C48
.text:00000C48 ; ---------------------------------------------------------------------------
.text:00000C4A                 ALIGN 4
.text:00000C4C off_C4C         DCD aJdbcMysql59_63-0xC46
.text:00000C4C                                         ; DATA XREF: Java_com_fly186_service_jni_JNI_getUrl+4r
.text:00000C4C                                         ; "jdbc:mysql://do not tell you/myxdfw"
.text:00000C50
.text:00000C50 ; =============== S U B R O U T I N E =======================================
.text:00000C50
.text:00000C50                 EXPORT Java_com_fly186_service_jni_JNI_getName
.text:00000C50 Java_com_fly186_service_jni_JNI_getName
.text:00000C50                 PUSH    {R3,LR}
.text:00000C52                 LDR     R2, [R0]
.text:00000C54                 LDR     R1, =(aMyxdfw-0xC5E)
.text:00000C56                 MOVS    R3, 0x29C
.text:00000C5A                 ADD     R1, PC          ; "myxdfw"
.text:00000C5C                 LDR     R3, [R2,R3]
.text:00000C5E                 BLX     R3
.text:00000C60                 POP     {R3,PC}
.text:00000C60 ; End of function Java_com_fly186_service_jni_JNI_getName
.text:00000C60
.text:00000C60 ; ---------------------------------------------------------------------------
.text:00000C62                 ALIGN 4
.text:00000C64 off_C64         DCD aMyxdfw-0xC5E       ; DATA XREF: Java_com_fly186_service_jni_JNI_getName+4r
.text:00000C64                                         ; "myxdfw"
.text:00000C68
.text:00000C68 ; =============== S U B R O U T I N E =======================================
.text:00000C68
.text:00000C68                 EXPORT Java_com_fly186_service_jni_JNI_getPassword
.text:00000C68 Java_com_fly186_service_jni_JNI_getPassword
.text:00000C68                 PUSH    {R3,LR}
.text:00000C6A                 LDR     R2, [R0]
.text:00000C6C                 LDR     R1, =(a101627xdfw-0xC76)
.text:00000C6E                 MOVS    R3, 0x29C
.text:00000C72                 ADD     R1, PC          ; "don't tell you"
.text:00000C74                 LDR     R3, [R2,R3]
.text:00000C76                 BLX     R3
.text:00000C78                 POP     {R3,PC}
.text:00000C78 ; End of function Java_com_fly186_service_jni_JNI_getPassword
.text:00000C78
.text:00000C78 ; ---------------------------------------------------------------------------
.text:00000C7A                 ALIGN 4
.text:00000C7C off_C7C         DCD a101627xdfw-0xC76   ; DATA XREF: Java_com_fly186_service_jni_JNI_getPassword+4r
.text:00000C7C                                         ; "don't tell you"
.text:00000C80                 CODE32
.text:00000C80

Once the library has been analyzed, leakage of the database is inevitable!
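An added example, not part of the original article: a release-time audit that pulls printable strings out of a package's `.so` and `.dex` members and flags JDBC URLs, JDBC driver classes and JNI getters of the kind visible in the listing above. The rule set, function names and sample bytes are constructed for illustration.

```python
import re

# Printable-ASCII runs of 6+ bytes, the same idea as the `strings` utility.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Illustrative rule set (an assumption of this example, not an exhaustive list).
RULES = {
    "jdbc-url": re.compile(r"jdbc:[a-z0-9]+://\S+", re.I),
    "jdbc-driver-class": re.compile(r"com[./]mysql[./](cj[./])?jdbc[./]Driver"),
    "jni-secret-getter": re.compile(
        r"Java_\w+_get(Url|Name|User\w*|Pass\w*|Key|Secret|Token)\b", re.I),
}

def extract_strings(blob):
    return [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]

def audit_blob(name, blob):
    findings = []  # (file, rule, matched text) for every rule hit
    for s in extract_strings(blob):
        for rule, pattern in RULES.items():
            m = pattern.search(s)
            if m:
                findings.append((name, rule, m.group()))
    return findings

def audit_package(files):
    """files maps archive member name -> bytes; only native libs and dex are scanned."""
    findings = []
    for name, blob in files.items():
        if name.endswith((".so", ".dex")):
            findings += audit_blob(name, blob)
    hit = {rule for _, rule, _ in findings}
    # A JDBC URL or driver in a client package means the app connects to the
    # database directly, so any credential it ships is recoverable: fail the build.
    return findings, bool(hit & {"jdbc-url", "jdbc-driver-class"})

# Constructed sample input: member names, host, schema and password are placeholders.
SAMPLE = {
    "lib/armeabi/libservice_jni.so": b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
        + b"Java_com_example_app_jni_JNI_getUrl\x00"
        + b"Java_com_example_app_jni_JNI_getPassword\x00"
        + b"jdbc:mysql://db.example.invalid/appdb\x00PLACEHOLDER_PASSWORD\x00",
    "classes.dex": b"dex\n035\x00" + b"Lcom/mysql/jdbc/Driver;\x00",
    "res/raw/readme.txt": b"jdbc:mysql://ignored.example.invalid/x",
}

if __name__ == "__main__":
    findings, fail = audit_package(SAMPLE)
    print(*findings, "FAIL" if fail else "PASS", sep="\n")
```

In a build pipeline, feed it the members of the built APK (for example read with `zipfile`) and fail the job when the second return value is true.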
