droids0 picoCTF 2019 Solution

Published: April 2, 2026

Description

Where do droids log things? Run droids0.apk in an emulator, press the button, and check the Android system log for the flag.

Download the APK file.

Install Android Studio and configure an Android Virtual Device (AVD) emulator.

bash
wget <url>/droids0.apk

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Install and run the APK in an Android emulator
    Observation
    I noticed the challenge description said to 'check the Android system log,' which indicated the flag is not displayed on screen but instead written via a log call accessible through adb logcat.
    Install the APK using ADB, launch it in the emulator, and press the Flag button. The flag is written to the Android system log (logcat) rather than displayed on screen. Watch logcat while pressing the button.
    bash
    adb install droids0.apk
    bash
    # Launch the emulator and open the app, then:
    bash
    adb logcat | grep picoCTF

    Expected output

    D/PICO_FLAG( 1234): picoCTF{a.moose.once.bit.my.sister}
    What didn't work first

    Tried: Run 'strings droids0.apk | grep picoCTF' to extract the flag without an emulator

    strings on the APK itself returns nothing useful because the flag is assembled and emitted at runtime via Log.d(), not stored as a literal string in the binary. The flag only exists as logcat output after the button is pressed, so static extraction tools will come up empty.

    Tried: Use 'adb logcat -s PICO_FLAG' expecting to filter by tag name

    The -s flag filters by tag, which works, but only if you know the exact tag name in advance. Using 'grep picoCTF' on the raw stream is more reliable when the tag is unknown; guessing a wrong tag (e.g. 'picoCTF' or 'FLAG') silently produces no output and appears as if the flag was never logged.

    Learn more

    Android's logcat is the system logging output. Apps write to it using Log.d(tag, message), Log.i(), Log.e(), etc. Log messages are invisible to normal users but fully visible over ADB to developers (and attackers). In this challenge, instead of displaying the flag on screen, the app writes it to the log.

    adb logcat | grep picoCTF filters the continuous log stream for lines containing the flag prefix. Alternatively, Android Studio's Logcat window provides a GUI filter. You can also use adb logcat -s PICO_FLAG to show only log entries with the 'PICO_FLAG' tag.

  2. Step 2
    Read the flag from logcat
    Observation
    I noticed the logcat stream produced a line tagged PICO_FLAG after pressing the button, which confirmed the flag value was fully assembled at runtime and just needed to be copied from that output.
    The flag appears in the logcat stream when the button is pressed. Copy the full picoCTF{...} string from the output.
    Learn more

    This challenge demonstrates a common Android security mistake: logging sensitive data. In production apps, log statements should be removed or disabled in release builds because logcat is accessible to any process with the READ_LOGS permission and to anyone with adb access.

    To verify this statically: jadx droids0.apk -d droids0_java/ then look at MainActivity to see the Log.d() call that outputs the flag to logcat.

Flag

Reveal flag

picoCTF{a.moose.once.bit.my.sister}

The flag is logged to Android logcat when the button is pressed - run in an emulator and watch adb logcat output.

Key takeaway

Android logcat is a broadcast channel, not a private one. Any app with READ_LOGS permission, any connected ADB session, and any developer tool can read every log message produced by every app on the device. Logging credentials, tokens, flags, or other sensitive values is a CWE-532 (Insertion of Sensitive Information into Log File) finding and appears routinely in mobile app penetration test reports. ProGuard and R8 can strip log calls from release builds, but the safer practice is to never log sensitive data in the first place.

Related reading

Want more picoCTF 2019 writeups?

Useful tools for Reverse Engineering

What to try next