Debugging in prod: Maximizing user attack surface

Note: This is a super quick write-up and probably still full of typos and stylistic errors, which you’re free to point out in the comment section.

One thing that’s really cool about the Android developer ecosystem is the massive number of tools and libraries that simplify and help during development. There is an entire subgenre of remote debugging tools, with cool tools such as Stetho or Debug Drawer. One such tool is Android-Debug-Database from Mindorks; it’s a neat little utility that allows you to view and edit your app’s preferences and dbs from a web browser during development.

Android Debug Database in action.

The key phrase here is, of course, in development, which makes sense to everyone (and is also explained in the integration guide of the library), right? Well, no. During today’s Shodan safari I randomly stumbled into a phone running this, openly available for anyone to play around with (Brazilian ISPs having all ports open per default be thanked). On closer inspection it turns out there are thousands of devices indexed on Shodan running debug db.

This is bad.

I took a look at some of these to figure out some notable apps; here are two of them:

  • Cinemark Brazil - 1M+ downloads

  • No Last Seen for WhatsApp - 50K+ downloads (yes, this allows reading all contacts and messages in the db)

    Some of these apps include logs of sensor and location data.

I downloaded Cinemark to verify this for myself, and I was indeed able to read and edit the app’s db and prefs by opening the app and going to localhost:8080. This is especially ironic considering the app also uses the ThreatMetrix SDK, which is some Enterprise Risk management (read: corporate spyware) SDK which supposedly also prevents cybersecurity threats.

The damning thing here is that we have to consider that most ISPs won’t allow access to their clients on port 8080 (at least not without UPnP), but this will always work inside networks, thus opening up another huge security threat with public WiFis. This also makes me wonder how many other apps are out there, shipping this to all their users and opening them up for attacks by literally anyone. Another terrible thing is that this library allows editing of the data in the db and the prefs, so the possible ways to exploit this reach far beyond data exfiltration.
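A build-time check that catches this before release, as an added example (not code from this post or from the library's project): it flags debug tooling declared in Gradle configurations that are packaged into release builds instead of `debugImplementation`. The artifact name substrings and the `com.example.tools` coordinates in the sample are assumptions constructed for illustration.

```python
import re

# Assumption: substrings of artifact names for debug-only tooling; extend per project.
DEBUG_ONLY_ARTIFACTS = ("debug-db", "stetho", "debugdrawer")

# Gradle configurations whose dependencies end up in the release APK.
SHIPPING_CONFIGS = {"implementation", "api", "compile",
                    "releaseImplementation", "releaseApi", "releaseCompile"}

# Matches Groovy and Kotlin DSL forms: implementation 'g:a:v' / api("g:a:v")
DEP_LINE = re.compile(r"""^\s*(\w+)\s*\(?\s*['"]([^'"]+)['"]""")


def find_shipped_debug_tools(gradle_text):
    """Return (line_no, configuration, coordinate) for debug tools that reach release builds."""
    findings = []
    for line_no, line in enumerate(gradle_text.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop line comments, including commented-out deps
        match = DEP_LINE.match(code)
        if not match:
            continue
        config, coordinate = match.groups()
        is_debug_tool = any(name in coordinate.lower() for name in DEBUG_ONLY_ARTIFACTS)
        if config in SHIPPING_CONFIGS and is_debug_tool:
            findings.append((line_no, config, coordinate))
    return findings


# Constructed sample build file; coordinates and versions are placeholders.
SAMPLE_BUILD_GRADLE = """\
dependencies {
    implementation 'androidx.appcompat:appcompat:X.Y.Z'
    implementation 'com.example.tools:debug-db:X.Y.Z'        // ships to every user
    debugImplementation 'com.example.tools:stetho:X.Y.Z'     // debug builds only
    // implementation 'com.example.tools:debugdrawer:X.Y.Z'  (commented out)
    api("com.example.tools:debugdrawer:X.Y.Z")
}
"""

if __name__ == "__main__":
    for line_no, config, coord in find_shipped_debug_tools(SAMPLE_BUILD_GRADLE):
        print(f"build.gradle:{line_no}: {coord} declared as '{config}'; "
              "move it to debugImplementation")
```

This is a text check only: dependencies pulled in through version catalogs, variables or transitively are not resolved, so the release runtime classpath reported by Gradle remains the authoritative view.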