When you are planning a new project, you might be tempted to get a leg up on the long road ahead by downloading and/or purchasing the source code to an app which does some of what you want and then modify it to get you the rest of the way.
That is a perfectly fine (and smart) way to go.
However, if you get your source code from an unknown source, you do have to beware of hidden traps.
Sounds scary and alarmist? That’s what I generally thought too 😃 My reasoning was, if it’s open source software, then it probably is scrutinized by a lot of people, so why would anybody put any harmful code in there when they would be discovered fairly quickly? And if the person was selling their source code, why would they put any malicious code in there since that would harm their reputation and impede their ability to make money?
But I was proven wrong yesterday, and I wanted to detail what happened in case this might be happening to you as well.
I like going through source code 😃 It helps me see how someone else tackled a problem. It also helps me envision how I might do things differently. So, I was going through some third-party source code which was for sale online when I found a bit of code which puzzled me 😕
The code simply connected to a remote site, downloaded a JSON payload — payload is basically techno jargon for some data which was downloaded, in this case a particular format named JSON, in case you’re wondering — and then wrote the information from the JSON to the device’s preferences. This would ensure that the data was there at least for as long as the app was installed on the device.
My question was, why was this being done?
At first, I thought that this was perhaps a copy protection mechanism. Perhaps they wanted to find out how many apps used their source code and to detect unauthorized — say pirated — uses of their source.
But that didn’t make sense since then there should have been data flowing the other way too. When they made the request to the remote server to get the JSON data, the app should also have sent some data from the device which would identify that particular user or the app. That wasn’t happening.
The data written to the preferences was saved under keys such as “ba” and “ia” — so my next step was to see where these stored values were used. But a search for “ba” or “ia” did not turn up anything.
Hmm … I decided to dig a little deeper since there had to be a reason for those values to have been saved on device. After some digging, I discovered that instead of reading values directly as “ba”, there was code which read back the values as “b” + “a” — so a search for the term “ba” would fail — sneaky 😀
What was this code doing?
It appeared to be a customized version of Google’s AdMob code which would randomly (50% of the time) replace the ad ID for any ads displayed by the app with one of the values downloaded via the JSON code. So I guess that the values in the JSON code were probably ad IDs belonging to whoever crafted this sneaky exploit.
In case you’re interested in the code, this is an example of what the modified version of the code looked like:
And this is the original code from the actual Google Ad Mob plugin:
As you’ll notice, the Google code is a single method call, but the exploit code does its own thing — which is to sometimes replace the ad unit ID with a different value — before calling the original code.
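As an added example (not code from this post or from the source that was for sale), here is a small Python scanner for the “b” + “a” trick described above: it resolves runs of string literals joined with + and reports short results that a plain text search for the quoted key would never find. The sample lines are constructed to mimic the pattern.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the pattern described in the post: the
# preference keys "ba" and "ia" are assembled from single-character literals,
# so grepping the tree for "ba" turns up nothing.
SAMPLE_SOURCE = "\n".join([
    'String unit  = prefs.getString("b" + "a", null);',
    'String other = prefs.getString("i" + "a", null);',
    'String theme = prefs.getString("theme", "light");',
    'String greet = "Hello, " + userName;',
])

# One Java/Kotlin-style double-quoted literal, escapes allowed.
_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Two or more such literals joined only by "+" and whitespace.
_CONCAT_RUN = re.compile(r'"(?:[^"\\]|\\.)*"(?:\s*\+\s*"(?:[^"\\]|\\.)*")+')


def find_split_literals(source: str, max_len: int = 8) -> List[Tuple[int, str, str]]:
    """Return (line_no, original_text, resolved_value) for each run of string
    literals glued together with '+'.

    Only runs whose resolved value is short (max_len chars or fewer) are
    reported: short keys are the ones worth hiding this way, and the ones a
    search for the whole key would miss. This is a regex heuristic, not a
    parser, so it ignores concatenation with variables ("Hello, " + name).
    """
    hits = []
    for m in _CONCAT_RUN.finditer(source):
        parts = _LITERAL.findall(m.group(0))
        resolved = "".join(parts)
        if len(resolved) <= max_len:
            line_no = source.count("\n", 0, m.start()) + 1
            hits.append((line_no, m.group(0), resolved))
    return hits


def keys_hidden_from_grep(source: str) -> List[str]:
    """Resolved keys that never appear as a single quoted literal in the
    source, i.e. the ones a plain search for "ba" would not find."""
    return [r for _, _, r in find_split_literals(source) if f'"{r}"' not in source]


if __name__ == "__main__":
    for line_no, text, resolved in find_split_literals(SAMPLE_SOURCE):
        print(f"line {line_no}: {text}  ->  {resolved!r}")
    print("hidden keys:", keys_hidden_from_grep(SAMPLE_SOURCE))
```

Run it over every source file in a purchased tree (Java, Kotlin, Objective-C and Swift all use the same double-quoted literal syntax) and then check where each reported key is written and read.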
So there are a few lessons to be learnt here:
- Do not implicitly trust any code you get from an unknown source — even if you buy it. Go through the code yourself.
- If the code includes third-party libraries from Google (or Apple or Amazon or whatever) do not implicitly trust that the library is safe because it comes from a known source — the library code could have been meddled with. Generally, it’s best to replace any third-party library code bundled like this with the latest version from the original source.
If you’ve bought any source online, you might want to check if you are affected by this (or similar) exploit. The details I provided above should help you figure out if you are affected.
If you don’t know what to do, or would like some help auditing your source code, feel free to reach out to me 😄 I like diving into code and I also like uncovering this kind of nefarious activity … After all, why should you help somebody else enrich themselves at your cost?