
VTech Innotab Max: it’s getting even worse! Apps run in debug mode

David Lodge 03 Dec 2015

After extracting an image from an Innotab last night using the methods we blogged about yesterday, we mounted it and had a look.

Here’s the /data directory mounted on a Linux VM:

[Image: vtechdatadir]

Looking at the system/packages.list file, things get a whole lot scarier.

The format below is:

package       UID       debugflag       path

[Image: vtechsystem]

As you can see highlighted, virtually all the com.vtech.* apps have the debugflag enabled.

This means that with an ADB connection you don’t actually need root to read their sandbox or manipulate them.

We covered the significance of this a while back here:
https://www.pentestpartners.com/blog/android-debug-mode-and-apps-a-cautionary-tale/
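
To audit a pulled image for this, the four-column package list format described above can be parsed and filtered on the debug flag. This is an added example, not code from the original post: the sample lines, package names and function names are constructed for illustration, and any columns after the fourth are assumed to be extras and are ignored.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample in the "package UID debugflag path" format.
# Package names and paths are illustrative, not taken from a real device.
SAMPLE = """\
com.vtech.example.launcher 10012 1 /data/data/com.vtech.example.launcher
com.vtech.example.camera 10034 1 /data/data/com.vtech.example.camera default 1028,1015
com.android.settings 1000 0 /data/data/com.android.settings platform 3002,3001
com.example.game 10051 0 /data/data/com.example.game

truncated.line 10060
com.vtech.example.store 10040 x /data/data/com.vtech.example.store
"""

@dataclass(frozen=True)
class PackageEntry:
    name: str
    uid: int
    debuggable: bool
    data_dir: str

def parse_packages_list(lines: Iterable[str]) -> List[PackageEntry]:
    """Parse package-list lines, skipping blank, truncated or malformed ones."""
    entries = []
    for raw in lines:
        fields = raw.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        name, uid, flag, data_dir = fields[:4]  # extra columns are ignored
        if not uid.isdigit() or flag not in ("0", "1"):
            continue  # not a well-formed entry; do not guess at its meaning
        entries.append(PackageEntry(name, int(uid), flag == "1", data_dir))
    return entries

def debuggable_packages(entries: List[PackageEntry], prefix: str = "") -> List[PackageEntry]:
    """Return entries with the debug flag set, optionally limited to a name prefix."""
    return [e for e in entries if e.debuggable and e.name.startswith(prefix)]

def debuggable_ratio(entries: List[PackageEntry], prefix: str) -> float:
    """Fraction of packages under a prefix that ship with the debug flag set."""
    scoped = [e for e in entries if e.name.startswith(prefix)]
    return sum(e.debuggable for e in scoped) / len(scoped) if scoped else 0.0

if __name__ == "__main__":
    parsed = parse_packages_list(SAMPLE.splitlines())
    for e in debuggable_packages(parsed):
        print(f"DEBUGGABLE uid={e.uid} {e.name} -> {e.data_dir}")
    print(f"com.vtech.* debuggable: {debuggable_ratio(parsed, 'com.vtech.'):.0%}")
```

Any release build that shows up in this output should be rebuilt with the debuggable attribute turned off before it ships.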

What will we find next??