Security Vulnerability in third party IRCTC android applications in Google Play

About security vulnerability in third party IRCTC Android apps on Google Play

Update: If you have come here to download my IRCTC Android application, I am sorry, I have removed it from Google Play; there are many IRCTC applications on Google Play, but they come with serious security risks.

I had developed an Android application for my personal use to book IRCTC (Indian Railway Catering and Tourism Corporation) railway tickets. I found it useful, so I released it on Google Play for the benefit of others. Since then there has been an influx of IRCTC apps on Google Play with added features like storing username/password and credit/debit card details, automatic login and session management. Though these features are undoubtedly useful, they pose a serious security risk: you could lose your IRCTC login credentials, or your credit/debit card details and with them your hard-earned savings, to some malicious hacker or developer!

The reasons below state why it is not advisable to store user credentials in WebView applications that wrap third-party websites. WebView is the mechanism by which an Android application can present a website as a mobile application, and it is the method used by most of the IRCTC applications found on Google Play. You can check out the IRCTC applications on Google Play from the link below,

For this demo I am choosing the IRCTC Pro app by Shahul3D; it is the best-built IRCTC app on Google Play, but on rooted Android devices it is prone to the following vulnerability.


As you can see from the screenshots above, the application takes in user credentials, from username and password to credit/debit card details, even including the PIN! And what does it do with them?

It stores them as plain XML in Android SharedPreferences.

Google implemented SharedPreferences as a simple key/value store for application settings such as dates and options; it was never meant to hold credit card details the way the above application does. Unfortunately many developers still use preferences to store sensitive information, which is then saved as an unencrypted plain XML file.
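As an added example (not code from the original post or from any of the apps it discusses), here is a small Python check a developer can run over a shared_prefs XML file pulled from their own test device: it parses the `<map>` layout Android writes under `/data/data/<package>/shared_prefs/` and flags credential-looking keys and Luhn-valid card numbers. The sample XML and its values are constructed for illustration.

```python
"""Audit an Android shared_prefs XML file for credentials stored in the clear."""
import xml.etree.ElementTree as ET

# Substrings in a preference key that suggest a credential (matched case-insensitively).
SENSITIVE_KEY_HINTS = ("pass", "pwd", "pin", "card", "cvv", "secret", "token")

# Constructed sample in the layout Android writes under /data/data/<pkg>/shared_prefs/.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">traveller01</string>
    <string name="password">hunter2</string>
    <string name="card_number">4111 1111 1111 1111</string>
    <boolean name="auto_login" value="true" />
    <int name="login_count" value="7" />
</map>
"""


def parse_shared_prefs(xml_text):
    """Return {name: value}; <string> uses element text, other scalars a value attribute."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    prefs = {}
    for node in root:
        name = node.get("name")
        if name is None:
            continue
        prefs[name] = (node.text or "") if node.tag == "string" else node.get("value", "")
    return prefs


def luhn_valid(digits):
    """Luhn checksum: separates real-looking card numbers from arbitrary digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def audit_shared_prefs(xml_text):
    """Return (key, reason) findings for values that have no business in plain XML."""
    findings = []
    for key, value in parse_shared_prefs(xml_text).items():
        if any(hint in key.lower() for hint in SENSITIVE_KEY_HINTS):
            findings.append((key, "sensitive key name"))
        digits = value.replace(" ", "").replace("-", "")
        if 13 <= len(digits) <= 19 and digits.isdigit() and luhn_valid(digits):
            findings.append((key, "Luhn-valid payment card number"))
    return findings
```

Any finding means the value belongs in the Android Keystore, in a server-side token, or nowhere at all, not in SharedPreferences.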
How to retrieve the user data an Android application has stored in preferences:

The screen capture of my terminal above shows the basic set of commands I used to navigate a rooted Android file system and reach the sensitive information stored by the above application.
I made a video of the same for your understanding!

Any newbie could code an Android application to parse the above XML data and send it to his home server. Even worse, he could target the users of a particular application like the one shown above, using similar package signatures, and steal their data.

Update: As a few visitors like Ajay (see the comment section below) do not like me being subtle about the scope of the vulnerability mentioned above, I would like to clarify it further.
1. By design, shared_preferences cannot be accessed by another app on a non-rooted Android device, unless the developer has put in an android:sharedUserId in the hope of sharing his own preferences with his future apps. Another app that declares the same sharedUserId (Android also requires it to be signed with the same certificate) then runs in the same application context as the target app and can read its shared_preferences. And you know how to find the sharedUserId, right? See my Ultimate Android Decompilation Guide.

2. On rooted Android devices, you can just build an app that parses the .xml files under /data and displays the shared_preferences of other apps, or mails them to your server!

So for developers it is foolish to store sensitive data in preferences (unless you want the user data stolen somehow), and for users it is foolish to install any app you see on Google Play without looking through it. Think well when you see an app asking for your user credentials, and take some time to contact the developer to learn how your data is stored and what it is used for.

There are other risks in WebView applications wrapping third-party websites, through JavaScript exploits; I will keep that for the next session. Take care.
Thanks to AndrewChamp for the great Evil Android picture!

Author: indiandragon

Developer, Hacker, Researcher

6 thoughts on “Security Vulnerability in third party IRCTC android applications in Google Play”

  1. Hi. Good R&D. But it would be more valuable if you did it after understanding the sandboxing concept of Android.

    Accessing the phone physically (through ADB shell) and exposing its contents will not be considered a vulnerability. 🙂

    I also depend on shared preferences to store user data for my personal application.

    Any other application can't access the PRIVATE shared preferences of another application (unless your device is physically rooted or accessed through ADB shell).

    I'm a big fan of your Android IRCTC application; please keep updating its features (at least to something similar to IRCTC Pro).

  2. Hey Ajay thanks for your comment.

    Btw I think you read the article too fast. I am well aware of the sandbox used in Android; that's why I have mentioned 'rooted' at the start, at the end and in the video when necessary (press Ctrl+F or ⌘-F on Mac and use the find bar). So you are happy that your credit card data is stored in shared_preferences MODE_PRIVATE; then you must be aware that if he had implemented android:sharedUserId, anyone could access your data even without rooting? Lucky for you he has not done that, for now!

    As far as my IRCTC app is concerned, I update it only to fix bugs and to support later platforms, because adding features to a WebView app based on a third-party URL is useless as you have no control over the web process, and if you do so you end up injecting user data over JavaScript like in IRCTC Pro!

    I like IRCTC Pro as it is the most featured IRCTC app built on WebView, but storing sensitive user data in shared_preferences and injecting it through JavaScript is not just foolish but also against Google Play app policy. Hope you understand what I meant by vulnerability: 'It exists; it is possible to exploit'.

    The IRCTC Mobile Application by RSP is a better choice, as like mine it is just a set of links, and he has also quit storing usernames/passwords in his app.

  3. Thanks for your reply.
    Ethically, rooting is not good; that's why all devices are shipped without rooting.
    Mine is brand new and still under warranty, so I haven't rooted it yet. I hope I'm safe and protected by the default security provided by Android.
    Even if we root, we should think before giving root permissions to apps. Anyone can format the entire SD card of a rooted device once you give root permission to that app.

    Also, I never save my full card details (I used to skip the last two digits) or its password; thankfully those are not mandatory. And regarding the username, I don't think it is that sensitive. IRCTC is protecting my account by always keeping its server too busy and not accessible... ha ha. 😉

    I hope these problems can't be resolved until IRCTC exposes its service API to third-party developers like us.

    I'm using lots of IRCTC-related applications, each one specialized in some area. Looking for a single app that is good for IRCTC booking and also for enquiries. Please suggest if you know any.

  4. The irony is, rooting might also help with security. For example, the best firewall apps for Android work only on rooted devices.
    1. Are you happy with Swype sending every single word you type to their servers? (Read their TOS.) You need a firewall to block Swype from reaching their servers while still allowing it through for updates.

    2. Adblock apps need rooting in order to block the ad server IPs.

    The trick is to manage rooting and apps with a clear understanding. Also, rooted phones can be flashed again with official ROMs, and even the flash counter can be reset if needed, thereby regaining warranty (i.e. if the device is still in working condition).

    As for IRCTC, there is an API for corporate developers, used by apps like Atom (which I built!) and Ngpay, but neither will guarantee 100% satisfaction as the IRCTC web service is crappy. So for now, the WebView-based apps are better than nothing.

  5. I booked a rail ticket for myself using IRCTC vide PNR no. 2562870011 (Transaction ID: 0480387060) for the journey from DMO-LTT, booked on September 2, 2012 for travel on September 22, 2012 in Train No. 11072, the only train plying to Mumbai from the nearest station to my home town. Unfortunately, I could not travel and I had to file a TDR on 16/09/2012. I was informed by IRCTC that the refund would come within 90 days.

    After 4 months of follow-up, the status of the TDR is showing as regretted. Please hold to get the refund.

    I filed the complaint here http://www.consumercourt.in/railways/116946-irctc-tdr-regretted-despite-not-travel.html on the Consumer Court site also, but still have not got any response. Please help me to get some solution.
