Client-Side Vulnerabilities
Weak Auth / Android Patching
Hardcoded Information
Insecure Logging
Insecure Data Storage
Weak Auth / Android Patching
Launch the installed InsecureBankv2 application on the emulator. The following screenshot shows the default screen available to a normal user after login.
Decompile the application using apktool.
Navigate to the folder ~/apktool/InsecureBankv2/res/values and open the file strings.xml for editing. Change the value of "is_admin" from "no" to "yes".
Enter the command below to re-compile the application:
Generate a private key.
Sign the rebuilt APK using jarsigner.
Then install the newly signed APK. Below we can see the additional function (Create User) that is now exposed to a normal user.
Hardcoded Information
Developers often make the mistake of adding sensitive information to Android apps: encryption keys, passwords, PINs, tokens, internal development information, and so on. Sometimes unknowingly, and sometimes knowingly to ease development, they store sensitive information within the app itself.
Open the decompiled application folder in any text editor.
Search for strings like password, secret, key, token and so on.
In the Java code we can see a crypto class that encrypts some data, and the key it uses is hardcoded into the application.
Insecure Logging
Logging is a method developers use to trace code and watch for warnings or errors. Unfortunately, developers sometimes write sensitive data to the logs. In such situations other applications may gain access to the logs and read them to steal sensitive data.
Open the application.
Run the following command to see the device logs:
Alternatively, open Android Studio and use the Logcat tab.
Enter the login credentials:
Dinesh / Dinesh@123$
You will see the information logged to the console.
Navigate to the "Change Password" page and enter new credentials. The following screenshot shows that the new credentials are logged to the console, which is shared between all applications on the device.
Insecure Data Storage
Insecure data storage vulnerabilities occur when development teams assume that users or malware will not have access to a mobile device's filesystem, and therefore to the sensitive information kept in data stores on the device. Filesystems are easily accessible. Organizations should expect a malicious user or malware to inspect sensitive data stores. Weak encryption libraries are to be avoided, and rooting or jailbreaking a mobile device circumvents any protection the platform offers. When data is not protected properly, specialized tools are all that is needed to view application data.
Navigate to the preferences folder /data/data/com.android.insecurebankv2/shared_prefs/
Open the mySharedPreferences.xml file and you will see the following:
We can see a username and password stored in encrypted form, but this encryption most likely happens on the client side, so let's dig deeper.
The username is only base64 encoded.
The login activity lets users autofill their credentials so that they do not have to enter their username and password every time they log in. Looking at the "LoginActivity" source code, we can see a method called "fillData()" which performs this function.
The code for this method can be found here
We can see the password is decrypted using a method in "CryptoClass()", so whatever the key is, it is available inside the APK.
We can use the online tool CyberChef, or the following Python code:
pip install pycryptodome
python2.7 decrypt.py