Description
Where do droids log things? Run droids0.apk in an emulator, press the button, and check the Android system log for the flag.
Setup
Download the APK file.
Install Android Studio and configure an Android Virtual Device (AVD) emulator.
wget <url>/droids0.apkSolution
Walk me through it- Step 1Install and run the APK in an Android emulatorInstall the APK using ADB, launch it in the emulator, and press the Flag button. The flag is written to the Android system log (logcat) rather than displayed on screen. Watch logcat while pressing the button.bash
adb install droids0.apkbash# Launch the emulator and open the app, then:bashadb logcat | grep picoCTFLearn more
Android's logcat is the system logging output. Apps write to it using
Log.d(tag, message),Log.i(),Log.e(), etc. Log messages are invisible to normal users but fully visible over ADB to developers (and attackers). In this challenge, instead of displaying the flag on screen, the app writes it to the log.adb logcat | grep picoCTFfilters the continuous log stream for lines containing the flag prefix. Alternatively, Android Studio's Logcat window provides a GUI filter. You can also useadb logcat -s picoCTFto show only log entries with the 'picoCTF' tag. - Step 2Read the flag from logcatThe flag appears in the logcat stream when the button is pressed. Copy the full picoCTF{...} string from the output.
Learn more
This challenge demonstrates a common Android security mistake: logging sensitive data. In production apps, log statements should be removed or disabled in release builds because logcat is accessible to any process with the READ_LOGS permission and to anyone with adb access.
To verify this statically:
jadx droids0.apk -d droids0_java/then look at MainActivity to see theLog.d()call that outputs the flag to logcat.
Flag
picoCTF{...}
The flag is logged to Android logcat when the button is pressed - run in an emulator and watch adb logcat output.