8. Kaiser Permanente
• I found their Cisco password this way
• Disclosure was difficult, but I managed it privately
• A journalist's consultant told me it didn't matter, because "that password is not a security boundary"
19. Mayo Clinic Medical Transport
• Pull app from phone with adb
• Unpack with apktool
20. Mayo Clinic Medical Transport
• grep for secretpassword
• Disclosure
• I notified the developer about this in June of 2015. He told me to get lost.
34. Locally Stored Password
• Right away this shows a problem
• WHY store the password?
<string name="encryptedPassword">CT9SVzhhRaufBzCvmwENWQ==</string>
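The procedure on slides 19, 20 and 34 (pull the APK, unpack it with apktool, grep the decoded resources for stored credentials) is the same check a developer should run on their own build before release. The following is an added example, not code from the talk or from any of the apps named: it audits a decoded res/values/strings.xml for resource names that suggest a shipped credential and, for base64 values such as the one on slide 34, reports the decoded length, since a 16-byte blob is exactly one AES block and tells you the decryption key must be on the device as well. The sample XML is constructed for the example; only the encryptedPassword value mirrors the slide.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed sample of an apktool-decoded res/values/strings.xml.
# The encryptedPassword entry mirrors the value shown on the slide;
# the other entries are made up for this example.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Transport Demo</string>
    <string name="encryptedPassword">CT9SVzhhRaufBzCvmwENWQ==</string>
    <string name="api_base_url">https://api.example.invalid/</string>
    <string name="secretpassword">hunter2</string>
</resources>
"""

# Resource names that usually mean a credential is shipped inside the APK.
SUSPECT_NAME = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key)", re.I
)


def decoded_base64_length(value):
    """Return the byte length if value is well-formed base64, else None."""
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value) or len(value) % 4:
        return None
    try:
        return len(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return None


def audit_strings_xml(xml_text):
    """Return (name, value, note) for every suspect <string> resource."""
    findings = []
    root = ET.fromstring(xml_text)
    for node in root.iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        if not SUSPECT_NAME.search(name):
            continue
        n = decoded_base64_length(value)
        if n is not None and n % 16 == 0:
            # Whole number of 16-byte blocks: looks like block-cipher output,
            # so the key that decrypts it has to be on the phone too.
            note = f"base64 of {n} bytes, block-cipher sized; where is the key?"
        elif n is not None:
            note = f"base64 of {n} bytes"
        else:
            note = "plaintext"
        findings.append((name, value, note))
    return findings


if __name__ == "__main__":
    for name, value, note in audit_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{name}: {value!r} ({note})")
```

Run it over the strings.xml files under an apktool output directory to answer the first three questions of the management review on slide 111 (is the data there, is it encrypted, and with what) before anyone outside the team asks them.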
35. 1. Best way: Don't. Use a cookie
2. Use Android KeyChain
3. Encrypt with a public key
   • Private key is kept secret on a server
4. Encrypt with a private key
   • Private key is "hidden" on the phone (under the mat)
5. Store data unencrypted on the phone
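Option 1 on the slide is the only one where a copy of the phone's storage yields nothing that is itself a password. The following is an added example, not code from the talk, written as a language-neutral model in Python rather than the Java or Kotlin an Android client would use: the server (a hypothetical Server class) verifies the password once against a salted PBKDF2 hash and issues a random opaque session token, and the phone (a hypothetical DeviceStorage class standing in for SharedPreferences) keeps only that token, which the server can revoke. The user name and password in the usage block are constructed.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000  # assumption for the example; tune to your hardware


class Server:
    """Holds salted password hashes and hands out opaque session tokens."""

    def __init__(self):
        self._users = {}     # username -> (salt, pbkdf2 digest)
        self._sessions = {}  # token -> username

    def register(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def login(self, username, password):
        """Check the password once; on success return a fresh random token."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def whoami(self, token):
        return self._sessions.get(token)

    def revoke(self, token):
        """Invalidate a token, e.g. after a device is reported lost."""
        self._sessions.pop(token, None)


class DeviceStorage:
    """Stand-in for the phone's key/value preferences file."""

    def __init__(self):
        self.prefs = {}


def login_storing_only_token(server, storage, username, password):
    """Option 1 from the slide: the phone keeps a revocable token, never the password."""
    token = server.login(username, password)
    if token is None:
        return False
    storage.prefs["session_token"] = token
    return True


def storage_contains_password(storage, password):
    """True if a dump of the device storage would hand over the password itself."""
    return any(password in str(v) for v in storage.prefs.values())


if __name__ == "__main__":
    server = Server()
    server.register("alice", "correct horse battery staple")  # constructed credentials
    phone = DeviceStorage()
    print(login_storing_only_token(server, phone, "alice", "correct horse battery staple"))
    print(phone.prefs)  # only the token is on the device
    print(server.whoami(phone.prefs["session_token"]))
    server.revoke(phone.prefs["session_token"])
    print(server.whoami(phone.prefs["session_token"]))  # None: the leaked token is now useless
```

Contrast this with option 4: whatever is "hidden" in the APK to decrypt a stored password ships to every user who installs the app, so a copy of the preferences plus the app is the password, and nothing on the server side can revoke it.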
42. Notification
• Notified Jan 2, 2017
• Automated response said it would be fixed
• No response to follow-up email
• April 13 -- Staples became homework
111. Management Review
• Do you need this data?
• Is it encrypted?
• What algorithm?
• Where is the key?
All materials freely available at samsclass.info