Developers are often forced to create custom encryption methods due to various reasons, such as performance and efficiency issues. Broken cryptography happens mainly due to the following three reasons:
Using a weak, custom, or known algorithm (RC4, MD4, MD5, SHA1) that has been proven to be vulnerable for the encryption and decryption process
Poorly implementing strong algorithms
The key management process being flawed
In this section, let's go ahead and explore the insecure usage of custom encryption and its implementation. Since we downloaded the app Herd Financials, let's convert the .apk
file into a .jar
file using dex2jar
, as shown in the following code snippet:
C:\Hackbox\A-Tools\dex2jar-2.0>d2j-dex2jar.bat "OWASP GoatDroid- Herd Financial Android App.apk" dex2jar OWASP GoatDroid- Herd Financial Android App.apk -> .\OWASP GoatDroid- Herd Financial Android App-dex2jar.jar
The next step is to load the .jar
file into JD-GUI and locate StatementDBHelper...