QuickBooks Internals | Security | Apps and LGB files
External applications "Apps" are a standard way to extend QuickBooks functionality and exchange data with external services. Intuit Sync Manager is a notable example configured in many company files.
There are two operational modes: interactive - user action or presence is required in order to start any data exchange; and unattended - application can start QuickBooks, login and perform necessary actions independently. LGB files are created to support unattended mode.
QuickBooks Forensics loads list of applications authorized to interact with QB from company file and associated lgb file. QB Apps verification is based on name reported by application and its digital signature (Authenticode) serial number. This is not a bad way except for special class of applications based on VBA code in MS Access.
Quite a few popular Apps are created in MS Access (e.g. compiled VBA macros in MDE or ACCDE database) and actual verification is based on MS Access digital signature! Any other MS Access database can report the same name to QB SDK to bypass QB verification (App name can be extracted from LGB file for example), thus it is good idea to limit access rights for this type of applications. App with MS Access signature is shown on the following QuickBooks Forensics screenshot.
As we mentioned before LGB files are created to support unattended mode operations and unfortunately they are easy to decode (information is simply base64 encoded including user credentials) and that is one more hole in QB security.
The typical LGB file have the following format:
xx xx 00 00 - length of data string to follow.
AQAB777K - algorithm used, RSA signature is this case
xxxx...xxx= - base64 encoded RSA signature (172 chars).
xxxx...xxx= - the rest is base64 encoded plain text data including user's internal password hash used in sensitive data keys encryption for example.
Decoded data starts like this: "appname=Intuit%20Sync%20Manager&appsrc=0&certexpire=03%2F17%2F2013&certname=VeriSign ..."
In unattended mode user credentials are decoded from LGB and used to auto-login into company file.
All trademarks are the property of their respective holders.