Hey! It’s June 12, 2021, 02:48 AM at the time of writing … na mean?
… sipping on milk…
Few weeks ago I submitted a bug to NALA Inc, using which, one with malicious intention was able to bypass PIN authentication set by any user of the application. Affects versions below & including v2.0.2.
First, here’s a brief background about this specific application. NALA Pesa Money Manager with 100,000+ downloads in Android Play Store, is an android application maintained by NALA Inc, that was earlier designed to manage money transactions via USSD automation but later the company behind pulled out money transactions from USSD automation leaving it be only a money manager.
How did I achieve Authentication Bypass?¶
As usual, it started with static code analysis - specifically examining the AndroidManifest.xml file. Just to find a bunch of Activity components were exposed, most of which were very interesting to me.
Every Android application has an AndroidManifest.xml file, where you would find vital information about the application such as application ID, package name, permissions, components among others.
After thoroughly examining AndroidManifest.xml file, I decided to switch to dynamic application analysis. I went on straight to test the NALA PIN authentication feature. Created a PIN of my choice and began hacking my way through PIN authentication. The restriction here was that after some number of attempts you were remained with 3 attempts after which your NALA data would be reset in the device - this really dropped any chances of success if one would decide to choose bruteforce to hack the authentication.
So, it took me a little while before I was able to achieve an Authentication bypass by simply invoking the exposed Activity component of the NALA application. The invoked exposed Activity component was money.nala.pay/money.nala.pay.ui.auth.pin.PinCreateActivity. What actually happened behind the scene was that, when I invoked the activity component, the application redirected me to the MainActivity, overriding PIN authentication step.
adb shell am start -n money.nala.pay/money.nala.pay.ui.auth.pin.PinCreateActivity
CWE-284: Improper Access Control¶
With this kind of weakness among others (including ability to reset NALA data without authenticating yourself), NALA Pesa Money Manager, is at great risk of breaching their users’ security and privacy altogether. Going against the vow they made about how much serious they consider privacy and security towards their users’ data.
Their response:¶
As stated earlier, this issue was reported to NALA Inc. To my surprise, below was how they responded.
They don’t consider this to be a potential bug. Really?? Okay.
Recommendations:¶
- Developers, really, should only export components that need to be exposed to other applications. This would limit what Activities are exposed in the AndroidManifest.xml.
- Properly validate all data received in Intents.
- Consider to apply permissions to restrict which applications are allowed to pass data to your application.
- Developers can disable external exposure of any components by specifying android:exported=”false” in the AndroidManifest.xml file.
Thank you for reading!
Timeline:¶
[May 12, 2021] - Bug reported.
[May 13, 2021] - Received response from NALA Inc.
Contact me through Twitter “@bl4ckbo7”