Android Hacking 101

In this room it's time for setting up the environment, here we're going to talk about recommended tools for interact with our applications.

Install Java Development Kit 1.7

The JDK is a development environment for building applications, applets, and components using the Java programming language.

Install Java

Java Development Kit 1.7

For windows and mac users other option is Nox emulator

Nox Emulator

Enable Developer options in your emulator or rooted phone

Is necessary active this function for use debug usb.

You can unlock the Developer options on any Android smartphone or tablet by locating the Build number in your Settings menu and tapping it multiple times. However, the exact location of the aforementioned build number may differ depending on your phone’s manufacturer.

My methodology for pentest android apps.

Information collection is the first thing we need to do, as this information will guide us to the next stage in our penetration tests.

White Box: White box penetration testing can also be called glass box penetration testing or clear box penetration testing. In any case, it's an approach to penetration testing that relies on the knowledge of the target system's internal configuration. It uses this information for the test cases.

In a real scenario the client it will give us the mobile app, users and passwords to perform the login and also a user manual of how the application works.

Important

Not use an online services for download the apk file, don't knows if we're analyzing the real app.

In this part we will extract the legitimate apk from emulator or the device and get the source code.

TOOL

Android Debug Bridge (ADB) is a development tool that facilitates communication between an Android device and a personal computer.

How to Install ADB on Windows, macOS, and Linux

Note: You need debug usb enable in your emulator or device.

How view devices?

adb devices

How extract apk?

For this you need have installed the application in your device and know package name

adb shell pm path package_name

This command print the path to the APK of the given

adb pull <remote> [<locaDestination>]

This command pulls the file remote to local. If local isn’t specified, it will pull to the current folder.

Now,how a get source code?

jadx: The jadx suite allows you to simply load an APK and look at its Java source code. What’s happening under the hood is that jADX is decompiling the APK to smali and then converting the smali back to Java.

Usage:

jadx -d [path-output-folder] [path-apk-or-dex-file]

Dex2Jar: use dex2jar to convert an APK to a JAR file.

d2j-dex2jar.sh or .bat /path/application.apk

Once you have the JAR file, simply open it with JD-GUI and you’ll see its Java code.

jadx-gui:  UI version of jadx

jadx\bin\jadx-gui

Is done without running the program, what are we going to identify in this basic room?

• Weak or improper cryptography use
• Exported Preference Activities
• Apps which enable backups
• Apps which are debuggable
• App Permissions.
• Firebase Instance(s)
• Sensitive data in the code

Weak or improper cryptography use: Incorrect uses of encryption algorithm may result in sensitive data exposure, key leakage, broken authentication, insecure session and spoofing attack.

Example: For Java implementation, the following API is related to encryption. Review the parameters of the encryption implementation.

IvParameterSpec iv = new IvParameterSpec(initVector.getBytes("UTF-8"));

SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes("UTF-8"), "AES");

How to search this when I have the source code of the application? there is a super advanced tool and wonderful  called grep.

grep -r "SecretKeySpec" *

grep -rli "aes" *

grep -rli "iv"

Open the file with you favorite editor of text. Gedit/Vim/subl, etc… use this for revolse a puzzle in my ctf "LaxCTF".

in real life:

Solution: Use a cryptography asymmetric.

Exported Preference Activities: As we know, Android's activity component is application screen(s) and the action(s) that applied on that screen(s) when we use the application. When as activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.

Okay, exploit this in dynamic analysis... How identify the activity is exported?

With your favorite editor of text. Gedit/Vim/subl, etc… open the AndroidManifest.xml or use cat and grep.

cat AndroidManifest.xml | grep "activity" --color

Apps which enable backups: This is considered a security issue because people could backup your app via ADB and then get private data of your app into their PC.

1. Shared preference.
2. directory returned by getFilesDir().
3. getDataBase(path) also includes files created by SQLiteOpenHelper.
4. files in directories created with getDir(Sring, int).
5. files on external storage returned by getExternalFilesDir (String type).

Solution: android:allowBackup="false"

Apps which are debuggable: Debugging was enabled on the app which makes it easier for reverse engineers to hook a debugger to it. This allows dumping a stack trace and accessing debugging helper classes.

Firebase Instance(s): Last year, security researchers have discovered unprotected Firebase databases of thousands of iOS and Android mobile applications that are exposing over 100 million data records, including plain text passwords, user IDs, location, and in some cases, financial financial records such as banking and cryptocurrency transactions.

Google's Firebase service is one of the most popular back-end development platforms for mobile and web applications that offers developers a cloud-based database, which stores data in JSON format and synced it in the real-time with all connected clients.

How identify this? 

FireBase Scanner, The scripts helps security analsts to identify misconfigured firebase instances.

git clone https://github.com/shivsahni/FireBaseScanner

python FireBaseScanner.py -p /path/apk

Sensitive data in the code: Users, passwords, internal IP and more ... 

With your favorite editor of text, Gedit/Vim/subl, etc…, grep or GUI decompiler back to reversing and experiment with your favorite tool.

Features:

APK Manifest Analysis

Extract Intents

Extract exported activities

Extract receivers

Extract exported receivers

Extract Services

Extract exported services

Check if apk is debuggable

Check if apk allows backups

Check if apk allows sending of secret codes

Check if apk can receive binary SMS

Security Analysis

Source code static analysis based on OWASP Top Mobile Top 10 and the OWASP Mobile Apps Checklist

MARA is capable of performing either single or mass analysis of apk, dex or jar files.

and more....

QARK

Is a static code analysis tool, designed to recognize potential security vulnerabilities and points of concern for Java-based Android applications. QARK was designed to be community based, available to everyone and free for use. QARK educates developers and information security personnel about potential risks related to Android application security, providing clear descriptions of issues and links to authoritative reference sources. QARK also attempts to provide dynamically generated ADB (Android Debug Bridge) commands to aid in the validation of potential vulnerabilities it detects. It will even dynamically create a custom-built testing application, in the form of a ready to use APK, designed specifically to demonstrate the potential issues it discovers, whenever possible.”

MobSF

My favorite tool :3 is Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

1. Information

Display data such as app icon, app name, size, package name etc.MD5 & SHA1 are also shown. They can be useful to detect known malicious applications.

2. Scan options

· Rescan the application

· Start the dynamic analysis

· Check the java code & the manifest file

3. Signer certificate

·Display certificate info

·Determine if an application has come from its original source.

4. Permissions

· Analyzes the permissions

· Determines its status concerning critically & the description of permissions.

5. Binary analysis

· It is threat assessment & vulnerability testing at the binary code level.

· It can also be used to analyze third party libraries, allowing a richer analysis & better visibility into how applications will interact with libraries.

· This is analysis of binary code to identify security issues. For complex systems using third party libraries for which source code is not available binary code analysis helps to identify issues.

6. Android API

You can view android API used in app like java reflection, location.

7. Browsable activities

That can be safely invoked from a browser.

8. Security analysis

Manifest analysis:

Find vulnerability inside one of the components in the AndroidManifest.xml file.

Code analysis:

· Analysis result of java code by a static analyzer.

· Identifies potential vulnerabilities, determines their severity & the files in which this type of vulnerability was found.CVSS :

· Common Vulnerability Scoring System

· Vulnerability is assigned a CVSS base score between 0.0 & 10.0.

0.0 → No risk

0.1–3.9 → Low risk

4.0–6.9 → Medium risk

7.0–8.9 → High risk

9.0–10.0 → Critical risk score

CWE :

· Common Weakness Enumeration

· It is a list of software architecture, design or a code weakness.

File analysis:

Shows analysis of files.

9. Malware analysis

Determine the functionality, origin & potential impact of a given malware sample such as virus.

10. Reconnaissance

URL :

Display list of URLs, IP addresses & the files in which they are stores or called. Analyzes where the android app sends the data & where it stores the info.

Emails 

Strings :

· Analyzes the text files that are in the res directory.

· May contain sensitive data.

11. Components

Display a complete list of components (activity, service, content provider & receiver), imported libraries & files without defining the extension.

Obfuscate Code:

is the process of modifying an executable so that it is no longer useful to a hacker but remains fully functional. While the process may modify actual method instructions or metadata, it does not alter the output of the program. To be clear, with enough time and effort, almost all code can be reverse engineered. However, on some platforms (such as Java, Android, iOS and .NET) free decompilers can easily reverse-engineer source code from an executable or library in virtually no time and with no effort. Automated code obfuscation makes reverse-engineering a program difficult and economically unfeasible. 

Proguard:

To obfuscate the code, use the Proguard utility, which makes these actions:

    Removes unused variables, classes, methods, and attributes;

    Eliminates unnecessary instructions;

    Removes Tutorial information: obfuscate Androiddepuración code;

    Renames classes, fields, and methods with unlegible names.

DEXGUARD

The enhanced commercial version of Proguard. This tool is capable of implementing the text encryption technique and renaming classes and methods with non-ASCII symbols.

Static analysis – Deobfuscation

Deguard: 

It is based on powerful probabilistic graphical models learned from thousands of open source programs. Using these models, Deguard retrieves important information in Android APK, including method and class names, as well as third-party libraries. Deguard can reveal string decoders and classes that handle sensitive data in Android malware.

is done running the program, 

How install applications with adb?

adb install apkfilename.apk

okay, now how intercept traffic of the application?

Burp Suite: Is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Configure the Burp Proxy listener

PID Cat

Tool for shows log entries for a specific application package when debug=true is enable in the app.

Drozer

drozer helps to provide confidence that Android apps and devices being developed by, or deployed across, your organisation do not pose an unacceptable level of risk. By allowing you to interact with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.

drozer provides tools to help you use and share public exploits for Android. For remote exploits, it can generate shellcode to help you to deploy the drozer Agent as a remote administrator tool, with maximum leverage on the device.

drozer is a comprehensive security audit and attack framework for Android.

Basic example, Abusing unprotected activities:

The requirement for this is you have install drozer in your computer and drozer agent in your emulator or devices. Click in the title, for the tutorial of how install...

Commands:

adb forward tcp:31415 tcp:31415

drozer console connect

Now download and install apk for this example

Retrieving package information:

run app.package.list -> see all the packages installed

run app.package.info -a -> view package information.

Identifying the attack surface -> activities unprotected and more....

run app.package.attacksurface package_name

view what activities can be exploited.

run app.activity.info -f package_name

start activities unprotected !

run app.activity.start --component package name component_name

Basic Cheatsheet of Drozer

Exploiting Content Provider

run app.provider.info -a package_name

run scanner.provider.finduris -a package_name

run app.provider.query uri

run app.provider.update uri --selection conditions selection_arg column data

run scanner.provider.sqltables -a package_name

run scanner.provider.injection -a package_name

run scanner.provider.traversal -a package_name

Exploiting Service

run app.service.info -a package_name

run app.service.start --action action --component package_name component_name

run app.service.send package_name component_name --msg what arg1 arg2 --extra type key value --bundle-as-obj

Inspeckage - Android Package Inspector

My favorite tool, Inspeckage is a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime. Inspeckage will let you interact with some elements of the app, such as activities and providers (even unexported ones), and apply some settings on Android.

Since dynamic analysis of Android applications (usually through hooks) is a core part of several mobile application security tests, the need of a tool that can help us do said tests is real. Even though there are other tools that promise to help you do that, I’ve run across some limitations when testing them:

• Lack of interaction with the user doing the tests;
• Only work in emulators;
• Plenty of time to update the tool after an Android update;
• Very poor output;
• Very costly setup.

Android Package Inspector Features

With Inspeckage, we can get a good amount of information about the application’s behavior:

Information gathering

• Requested Permissions;
• App Permissions;
• Shared Libraries;
• Exported and Non-exported Activities, Content Providers,Broadcast Receivers and Services;
• Check if the app is debuggable or not;
• Version, UID and GIDs;
• etc.

Hooks

With the hooks, we can see what the application is doing in real time:

• Shared Preferences (log and file);
• Serialization;
• Crypto;
• Hashes;
• SQLite;
• HTTP (an HTTP proxy tool is still the best alternative);
• File System;
• Miscellaneous (Clipboard, URL.Parse());
• WebView;
• IPC.

How to use:

END OF Dynamic Analysis.

IMPORTANT:

Insecure Data Storage

We've totally interacted with our app now it's time to see the files created locally.

Many developers assume that storing data on client-side will restrict other users from having access to this data. Interestingly, most of the top mobile application security breaches have been caused by insecure or unnecessary client-side data storage. File systems on devices are no longer a sandboxed environment and rooting or jailbreaking usually circumvents any protections.

One needs to understand what different types of data are there and how are these stored insecurely.

Data - Usernames, Authentication tokens or passwords, Cookies, Location data, Stored application logs or Debug information, Cached application messages or transaction history, UDID or EMEI, Personal Information (DoB, Address, Social, etc), Device Name, Network Connection Name, private API calls for high user roles, Credit Card Data or Account Data, etc.

All apps (root or not) have a default data directory, which is /data/data/<package_name>. By default, the apps databases, settings, and all other data go here.

• databases/: here go the app's databases
• lib/: libraries and helpers for the app
• files/: other related files
• shared_prefs/: preferences and settings
• cache/: well, caches

For interact with device or emulator 

adb shell

Sqlite database file

Once you are able to access the SQLite database file on an emulator, rooted device or via adb shell / run as [package name], there are a few options to inspect the schema and your SQLite database on device.

Inspect SQLite db via a GUI tool

Pull the file from device first, then use a GUI software to look the schema and content. I use SQLite browser which allows you to see the database schema, table content, as well as executing some simple SQL scripts.

adb pull /data/data/package-name/databases/sqlitedatabse

Inspect SQLite db via sqlite3 command line tool

For me the easier option is to use sqlite3 command line tool to inspect the database from adb shell.

cd data/data/package-name/databases/

sqlite3 db-name

.tables

.schema table-name

Example in the real life:

Shared Preferences Files

The SharedPreferences API is commonly used to permanently save small collections of key-value pairs. Data stored in a SharedPreferences object is written to a plain-text XML file. The SharedPreferences object can be declared world-readable (accessible to all apps) or private. Misuse of the SharedPreferences API can often lead to exposure of sensitive data. Consider the following example:

SharedPreferences sharedPref = getSharedPreferences("key", MODE_WORLD_READABLE);
SharedPreferences.Editor editor = sharedPref.edit();
editor.putString("username", "administrator");
editor.putString("password", "supersecret");
editor.commit();

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
  <string name="username">administrator</string>
  <string name="password">supersecret</string>
</map>

Root Detection in Android device:

My explanation for this is:

if(device && emulator = rooted):

    print "app going to the shit!"

else:

    print "app found"  

So it is the best way to check in your application whether the device is rooted or not to avoid data theft but there’s no 100% way to check for root.

Hooking applications:

Techniques used to alter the behaviour of applications. 

Frida

In short, it is a dynamic instrumentation framework, which enables function hooking and allows to provide a definition to it during runtime. Basically, it injects JavaScript code into a process. Suppose, there is a function called “foo” in a program with a specific body/implementation. Using “Frida”, one can change the body/implementation of the “foo” function during runtime. “Frida” supports a variety of platforms like Windows, macOS, GNU/Linux, iOS, Android, and QNX. More information on “Frida” can be found here.

for install 

pip install frida-tools

Now check version and download the server, in my case is 12.6.8

frida --version

unzip file and push the server in the local system /data/local/tmp

adb push /path/serverfrida /data/local/tmp

Permissions

adb shell chmod 777 /data/local/tmp/frida-server

run frida server

adb shell /data/local/tmp/frida-servername&

now execute in your command line frida-ps -U

Bypass SSL pinning tutorial

More hooks :v is your mision :33 

This is a basic introduction to what is android hacking. Applications in CTFs are much more difficult than a real-life application.

Questions? 

In discord: stuxnet, in twitter: _stuxnet, telelegram: stuxnet

You want to know more? 

Check this

Owasp Mobile Top 10 

Mobile Security Testing Guide (MSTG)

Mobile Security Twitter

See you in other occasion! good luck hacker 

Try Harder!