
Android App – Local Attack

If you have read the “Thinking about request” article, this one will be much more relevant. Previously, I made a video about an attack on a game to become the top user with the highest score in the world. That was an API validation vulnerability: the API does not check the user’s input, and it allows people to modify it and send it back to the servers.

I do not really want to repeat the same type of attack, so I am going to show you a simple vulnerability that can ruin an app maker’s business. I have also talked about this vulnerability in “Common vuls in Mobile Apps”: if developers store crucial information such as usernames/passwords, keys, and so on in plain text, the app is in trouble.

We are all “sick” of seeing apps store your credentials in plain text. That is why I have stopped writing about that issue. This post is still about “storing”, but different items are stored. Here they are “values”. I mean “value” in the computational sense, where a variable has its own value (a = 5), and it is also valuable (you have to pay to increase it).

Different things are stored, but they are still considered a vital key. We do not make games or any other apps for free. In this game, the developers make money from an item called “diamond”; to earn more diamonds, players have to pay for them (with real money).

Unfortunately, all the values of the game are stored in the application package sandbox, where rooted users can read, write, and modify them.

Similarly, in this case, I can easily bypass the diamond value to get some for free. The video below shows precisely what I did.
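Because any value kept in the app sandbox can be rewritten on a rooted device, the diamond balance has to be decided on the server, with the local copy treated as a display cache. The sketch below is an added example, not code from the original post or from the game; the backend, class names, and the `receipt_verified` flag (standing in for a real store receipt check) are all hypothetical assumptions.

```python
# Added example: server-side authoritative balance for a paid currency.
# All names are hypothetical; the game's real backend is not known.
from dataclasses import dataclass, field


@dataclass
class Account:
    # Ledger entries: positive for verified purchases, negative for spends.
    ledger: list = field(default_factory=list)
    tamper_flags: int = 0

    @property
    def balance(self) -> int:
        return sum(self.ledger)


class DiamondService:
    def __init__(self):
        self.accounts = {}          # user_id -> Account
        self.seen_receipts = set()  # receipt ids already credited

    def credit_purchase(self, user_id, receipt_id, amount, receipt_verified):
        """Credit diamonds only for a receipt the server has verified.

        receipt_verified stands in for a real store-side receipt check."""
        if not receipt_verified or amount <= 0:
            return False
        if receipt_id in self.seen_receipts:   # replayed receipt
            return False
        self.seen_receipts.add(receipt_id)
        self.accounts.setdefault(user_id, Account()).ledger.append(amount)
        return True

    def spend(self, user_id, cost, client_reported_balance):
        """Decide a spend from the server ledger, never the client value."""
        acct = self.accounts.setdefault(user_id, Account())
        if client_reported_balance != acct.balance:
            # Local copy disagrees with the ledger: record a tamper signal.
            acct.tamper_flags += 1
        if cost <= 0 or cost > acct.balance:
            return False
        acct.ledger.append(-cost)
        return True
```

With this design, editing the stored value on the device changes only what the client displays; the mismatch counter gives operations a signal to review.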