Skip to main content

Damn Vulnerable Android Application by Security Compass - Lab 6 Advanced Encryption

Lab 6 Advanced Encryption


 Today we are going to see the solution of basic encryption post in that no encryption was used for sensitive info. The solution is implementing the encryption and that we will try to bypass the encryption implementation as some times the developers store the hardcoded encryption key in the app itself.

For this you need to install the BasicEncryptionSolution.apk.

Now start this app and configure the credentials.

 





Now app is configured and credentials are also stored as per design in preferences.xml but I am expecting some sort of encryption now as we have installed solution for this flaw.

Browse to the

/data/data/com.securitycompass.androidlabs.basicencryptionsolution/shared_prefs


as you can see that all the credentials are encrypted.

So now we go and disassemble the app and try to figure out is there any key hardcoded key in the app.

You can disassemble the app by using EasyApkDisassembler tool as i did


or else you can use apktool for disassembling the apk file by using below commands

apktool d BasicEncryptionSolution.apk export

for more information on apktool click here.

 I am interested in smali files which will be in the disassembled app folder.


I browsed through the smali files and found something relevant to encryption, its CryptoTool.smali file

I opened it in notepad


and found this hardcoded encryption key.

Solution:

Developers should not keep the encryption keys in the app binary, it should be on server side.

Comments

  1. Unknown24 March 2015 at 03:04

    Where can i download all these apk files?

    ReplyDelete
  2. shanewarner22 April 2020 at 04:30

    The post is written in very a good manner and it contains many useful information for me.


    gexton cctv monitiring

    ReplyDelete
    Replies
    1. Miawilliams17 June 2025 at 05:31

      Sunrise Techs is a leading mobile app development company in Australia, specializing in custom iOS and Android applications. Our expert team delivers scalable, secure, and user-friendly apps tailored to your business needs. From startups to enterprises, we transform ideas into high-performing digital solutions. Discover more at Mobile app development company in australia.

      Delete
  3. Zoe Martin20 June 2025 at 05:11

    Working with app developers in Perth has been a game-changer. They bring professionalism, creativity, and technical expertise to every project. Highly recommend for digital transformation.

    Best App Developers Perth

    ReplyDelete
  4. asknoahbrown20 June 2025 at 05:19

    top AI companies Australia
    ​Explore the top AI companies in Australia​ known for delivering cutting-edge artificial intelligence solutions across industries. This list features leading AI development firms specializing in machine learning, automation, and data-driven innovations.

    ReplyDelete
  5. asknoahbrown21 June 2025 at 03:24

    ChatGPT app development cost
    Discover the real ChatGPT app development cost in this in-depth guide that outlines the essential components involved in building a high-functioning AI chatbot. From NLP integration and cloud infrastructure to UI/UX and post-launch support, understand how these factors influence overall AI chatbot app pricing.

    ReplyDelete
  6. Zoe Martin21 June 2025 at 04:17

    Your work in AI app development is shaping the future of intelligent solutions. Great to see companies delivering both technical excellence and user-focused design—well deserved recognition!
    Best AI Application Development Company

    ReplyDelete
  7. Miawilliams23 June 2025 at 09:35

    This comprehensive breakdown of 2025 software development costs is a game-changer for tech budgeting! Essential reading for any business planning digital projects. Explore more with the A Complete Guide to the Software Development Cost 2025

    ReplyDelete
  8. Miawilliams30 June 2025 at 06:07

    Build a seamless banking app with Brisbane’s top developers. Features include mobile wallets, P2P transfers, bill splitting, and FDIC/APRA compliance. Ideal for banks, credit unions, and neobanks. Start your project now!
    App Developers Brisbane

    ReplyDelete
  9. ethanmitchell1 July 2025 at 02:23

    Build sleek, scalable, and high-performing iOS apps with Sunrise Technologies. Our Sydney-based team delivers custom iPhone and iPad app solutions tailored to your business goals—combining innovative design with powerful functionality.iOS Mobile App Development Company Sydney

    ReplyDelete

Post a Comment

Popular posts from this blog

Android Damn Vulnerable App by Security Compass

Tutorial of Android Damn Vulnerable App by Security Compass Introduction: Hi folks, today I am gonna show you some hands on or tutorial of the android app testing which I done during my R&D of android app security testing. Here I will show you from scratch setting up of Lab Server to testing of application. In this you will learn on below topics: 1)Insecure Connection (Traffic over HTTP) 2)Server Side Authorization Issue 3)Insecure File Storage 4)Insecure Logging 5)Encryption of data on device 6)Memory Protection Setting-up of lab (App & Server) First of all you have to download the base app which is damn vulnerable from here . After downloading zip and extracting it you have to build it in .apk format using Eclipse IDE. Now you have to install the app in the emulator before that you have to make sure that you installed SDK and its packages. To install the app you have to start emulator using AVD and clicking on "Start" or by command line emul...
25 comments
Read more

Drozer Commands - A Security & Attack Framework for Android

What is Drozer? Drozer is a Security & Attack Framework for Android Application Testing. Drozer is a tool that can be used for Mobile device review , Secure development of applications, BYOD approval and Mobile application testing. There are 2 Versions of Drozer an Open Source and other one Pro version having following features Gathering the information about the application Find the attack surface Test your Exposure to Public Exploits Execute dynamic code on a device, to avoid the need to compile and install small test scripts. Start Android emulators, provisioned with the drozer Agent and the app you want to investigate. Simulate sensor input, such as GPS, to emulators to test the full attack surface. View the attack surface as a graph. this will be helpful for the risk assessment reporting. Drozer is having agent & server architecture so to start with assessment we have to install the agent in the emulator or connected device. Command to install the Dr...
6 comments
Read more