Client-Side Vulnerabilities

Last updated 4 years ago

  • Weak Auth / Android patching

  • Hardcoded Sensitive Information

  • Insecure Logging

  • Insecure Data Storage

Weak Auth / Android patching

  • Launch the installed InsecureBankv2 application on the Emulator. The following screenshot shows the default screen available to a normal user after login.

  • Decompile the application using apktool:

apktool d InsecureBankv2.apk
  • Navigate to the folder ~/apktool/InsecureBankv2/res/values and open the file strings.xml for editing. Modify the value of “is_admin” from “no” to “yes”.

  • Enter the below command to re-compile the application:

apktool b InsecureBankv2
  • Generate a signing key (keytool creates an RSA key pair and a self-signed certificate in a new keystore):

    keytool -genkey -v -keystore foo.keystore -alias myalias -keyalg RSA -keysize 2048 -validity 10000

    apktool writes the rebuilt APK to InsecureBankv2/dist/InsecureBankv2.apk; the command below assumes it has been copied to test.apk. Sign it using jarsigner:

    jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore foo.keystore test.apk myalias
  • Install the newly signed APK. The patched build now exposes the admin-only function (Create User) to a normal user.
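With both the original and the re-signed APK at hand, the quickest way to confirm exactly what the patch changed, and the way a defender recognises a repackaged build, is to compare the two archives entry by entry. The following script is an added example, not part of the original page or of InsecureBankv2. It constructs two miniature stand-in APKs in memory (an APK is a zip file, so real APKs go through the same code unchanged) and reports added, removed and modified entries; any difference under META-INF/ means the package was re-signed. In a real build the is_admin value is compiled into resources.arsc rather than a loose strings.xml; the path is kept here only to mirror the edit above.

```python
import io
import zipfile


def build_stub_apk(is_admin, cert_blob):
    """Build a tiny constructed zip standing in for an APK (an APK is a zip archive).

    In a real build the is_admin string is compiled into resources.arsc; the loose
    res/values/strings.xml path here mirrors the apktool edit described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.android.insecurebankv2'/>")
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
        z.writestr("res/values/strings.xml",
                   ('<resources><string name="is_admin">%s</string></resources>' % is_admin).encode())
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", cert_blob)  # signing certificate block
    return buf.getvalue()


# Constructed inputs: the vendor build, and a copy rebuilt with is_admin flipped and re-signed.
ORIGINAL_APK = build_stub_apk("no", b"constructed-vendor-certificate")
REPACKAGED_APK = build_stub_apk("yes", b"constructed-self-signed-certificate")


def index_entries(apk_bytes):
    """Map each zip entry name to its (CRC32, uncompressed size) from the central directory."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {info.filename: (info.CRC, info.file_size) for info in z.infolist()}


def diff_apks(original, candidate):
    """Report which entries differ between two APKs.

    Any difference under META-INF/ means the candidate was re-signed, which every
    repackaged build has in common; differences elsewhere show what was edited."""
    a, b = index_entries(original), index_entries(candidate)
    added = sorted(set(b) - set(a))
    removed = sorted(set(a) - set(b))
    modified = sorted(n for n in set(a) & set(b) if a[n] != b[n])
    changed = added + removed + modified
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "resigned": any(n.startswith("META-INF/") for n in changed),
        "code_or_resources_changed": any(not n.startswith("META-INF/") for n in changed),
    }


if __name__ == "__main__":
    report = diff_apks(ORIGINAL_APK, REPACKAGED_APK)
    for kind in ("added", "removed", "modified"):
        for name in report[kind]:
            print("%-9s %s" % (kind, name))
    print("re-signed:", report["resigned"])
```

To compare real files, pass the bytes of the two APKs, for example `diff_apks(open("InsecureBankv2.apk", "rb").read(), open("test.apk", "rb").read())`. The CRC comparison is only a change detector; it says nothing about who signed the candidate, which is what a signing-certificate check on the device or in the distribution pipeline is for.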

Hardcoded Sensitive Information

Developers often make the mistake of embedding sensitive information in Android apps: encryption keys, passwords, PINs, tokens, internal development details and so on. Sometimes this happens unknowingly, sometimes deliberately to ease development, but either way the secret ships inside the app.

  • Open the decompiled application folder in any text editor.

  • Search for strings such as password, secret, key, token and so on.

  • In the Java code there is a crypto class that encrypts some data, and its encryption key is hardcoded into the application.
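The manual search above scales badly once the decompiled tree has a few hundred files. The script below is an added example (not code from the page or from InsecureBankv2) that automates the same grep: it looks for string literals bound to secret-like identifiers in Java/Kotlin sources and for secret-like names in res/values/strings.xml. The two sample files are constructed for the demonstration, as are the key and token values in them; scan_tree() walks a real apktool or jadx output folder.

```python
import os
import re

# Constructed stand-ins for files in a decompiled app folder. The key and token
# values are made up for the demonstration.
SAMPLE_JAVA = '''
public class CryptoClass {
    String key = "constructed-static-aes-key-1234";
    private static final String API_TOKEN = "tok_constructed_0123456789abcdef";
    int retries = 3;
    String label = "Enter your password";
}
'''
SAMPLE_STRINGS_XML = '''<resources>
    <string name="app_name">InsecureBankv2</string>
    <string name="is_admin">no</string>
    <string name="backend_secret">constructed-shared-secret-value</string>
</resources>
'''

NAME_WORDS = r'(?:password|passwd|pwd|secret|key|token|pin|api[_-]?key)'
# Java/Kotlin: <secret-like identifier> = "<literal>"
ASSIGNMENT = re.compile(r'\b(\w*%s\w*)\s*=\s*"([^"]*)"' % NAME_WORDS, re.IGNORECASE)
# Android resources: <string name="<secret-like name>">value</string>
RESOURCE = re.compile(r'<string\s+name="(\w*%s\w*)"\s*>([^<]*)</string>' % NAME_WORDS, re.IGNORECASE)


def find_hardcoded_secrets(text, min_len=8):
    """Return (line_no, identifier, literal) for literals bound to secret-like names.

    Short literals (UI labels, empty defaults) are dropped to cut noise. Every hit still
    needs a human to confirm it is real key material rather than a placeholder."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for pattern in (ASSIGNMENT, RESOURCE):
            for m in pattern.finditer(line):
                if len(m.group(2)) >= min_len:
                    hits.append((no, m.group(1), m.group(2)))
    return hits


def scan_tree(root, exts=(".java", ".kt", ".xml", ".properties", ".json")):
    """Walk a decompiled app folder and scan every source/resource file in it."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for no, name, value in find_hardcoded_secrets(fh.read()):
                        results.append((path, no, name, value))
    return results


if __name__ == "__main__":
    for hit in find_hardcoded_secrets(SAMPLE_JAVA) + find_hardcoded_secrets(SAMPLE_STRINGS_XML):
        print("line %d: %s = %r" % hit)
```

The "Enter your password" label is deliberately in the sample: the scanner keys on the identifier being assigned, not on the word appearing anywhere, so UI strings do not drown the report. Point scan_tree() at the apktool output folder (or a jadx export for readable Java) to run it over a real app.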

Insecure Logging

Logging is how developers trace code paths and watch for warnings or errors. Unfortunately, developers sometimes write sensitive data to the logs, and in that situation other applications may be able to read the logs and steal the data.

  • Open the application.

  • Run the following command to see the device logs:

adb logcat
  • Alternatively, open the Logcat tab in Android Studio.

  • Enter login credentials

    • Dinesh / Dinesh@123$

  • The credentials appear in the log output.

  • Navigate to the “Change Password” page and enter new credentials. The following screenshot shows that the new credentials are logged to the console, which is shared between all the applications.
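Reading the whole logcat stream by eye is error-prone, so the following added example (not from the page or from InsecureBankv2) parses logcat's default threadtime format and flags any message that carries a credential value, then shows what the same line should have looked like with the value masked. The log excerpt is constructed to mirror the login and change-password steps above; the new password in it is made up. To run it on a real device, dump the buffer with `adb logcat -d > app.log` and pass the file contents to find_credential_leaks().

```python
import re

# One logcat "threadtime" line: date time PID TID level tag: message
LOGCAT_LINE = re.compile(
    r'^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+'
    r'(?P<level>[VDIWEF])\s+(?P<tag>\S.*?)\s*:\s?(?P<msg>.*)$')

# key=value or key: value where the key names a credential
SENSITIVE = re.compile(
    r'(?i)\b(?P<key>password|passwd|pwd|pin|otp|token|secret|authorization)\b'
    r'(?P<sep>\s*[:=]\s*)(?P<val>\S+)')

# Constructed logcat excerpt modelled on the login / change-password flow above.
SAMPLE_LOGCAT = """\
03-14 10:22:31.101  4321  4321 I ActivityManager: Start proc 4321:com.android.insecurebankv2/u0a62
03-14 10:22:33.240  4321  4321 D LoginActivity: username=Dinesh password=Dinesh@123$
03-14 10:22:33.241  4321  4321 D LoginActivity: Login successful
03-14 10:22:40.018  4321  4321 D ChangePassword: Updated password=NewPass#2024 for Dinesh
03-14 10:22:41.000  4321  4321 W System.err: java.io.IOException: timeout
"""


def parse_logcat(text):
    """Parse threadtime-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (LOGCAT_LINE.match(l) for l in text.splitlines()) if m]


def find_credential_leaks(text, pid=None):
    """Return (tag, key, message) for every log message carrying a credential value.

    Pass the app's PID (from `adb shell pidof <package>`) to restrict to one process."""
    leaks = []
    for entry in parse_logcat(text):
        if pid is not None and entry["pid"] != str(pid):
            continue
        m = SENSITIVE.search(entry["msg"])
        if m:
            leaks.append((entry["tag"], m.group("key").lower(), entry["msg"]))
    return leaks


def redact(message):
    """What a safe log statement should have emitted: the key kept, the value masked."""
    return SENSITIVE.sub(lambda m: m.group("key") + m.group("sep") + "***", message)


if __name__ == "__main__":
    for tag, key, msg in find_credential_leaks(SAMPLE_LOGCAT):
        print("%s leaks %s -> %s" % (tag, key, redact(msg)))
```

The fix on the application side is the redact() behaviour at the call site (or not logging the value at all) and stripping debug logging from release builds; the filter above only tells you which log statements need that treatment.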

Insecure Data Storage

Insecure data storage vulnerabilities occur when development teams assume that users or malware will not have access to a mobile device’s filesystem, and therefore to the sensitive information kept in data stores on the device. Filesystems are easily accessible, and organizations should expect a malicious user or malware to inspect sensitive data stores. Poor encryption libraries are to be avoided. Rooting or jailbreaking a mobile device circumvents any filesystem-level protection, and when data is not protected properly, specialized tools are all that is needed to view application data.

  • Navigate to the preference folder /data/data/com.android.insecurebankv2/shared_prefs/

  • Explore the mySharedPreferences.xml file and you will see the following:

  • A username and password are stored in encrypted form, but it is possible that this encryption is performed client-side, with the key inside the app, so let's dig deeper.

    • The username is base64 encoded.

  • The login activity enables users to autofill credentials in order to save them from having to enter in their username and password every time they wish to login. Looking at the “LoginActivity” source code, I can see a method called “fillData()” which performs this function.

  • The code for this method can be found here

  • The password is decrypted using a method called "CryptoClass()".

  • We can decrypt it with the online tool CyberChef or with the following Python code:

    • pip install pycryptodome

    • python2.7 decrypt.py

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import base64

# Key and IV are taken from CryptoClass in the decompiled source (placeholders here).
key = b'<KEY>'   # the AES key hardcoded in the app (16, 24 or 32 bytes)
iv = b'<IV>'     # the 16-byte IV used by the app
password = base64.b64decode("<EncryptedValue>")  # value from mySharedPreferences.xml

aes = AES.new(key, AES.MODE_CBC, iv)

# Strip the PKCS#5/PKCS#7 padding added during encryption
decrypted_password = unpad(aes.decrypt(password), AES.block_size)
print("Decrypted Password : " + decrypted_password.decode("utf-8"))
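Before reaching for the decryption script, it helps to triage the pulled preference file and see which values are plain, which are merely base64-encoded (the username case above) and which look like block-cipher output (the password case, whose decoded length is a multiple of the 16-byte AES block). The script below is an added example, not code from the page or from InsecureBankv2; the XML is a constructed stand-in for mySharedPreferences.xml, with constructed entry names, the username base64-encoded and 32 arbitrary bytes playing the role of the ciphertext. The verdicts are heuristics: they tell you where to look, and the key from CryptoClass still does the actual decrypting.

```python
import base64
import binascii
import string
import xml.etree.ElementTree as ET

# Name fragments that usually mark a credential or secret in a preference file
SENSITIVE_NAMES = ("user", "pass", "pwd", "pin", "token", "secret", "key", "session", "card")

# Constructed stand-in for a pulled shared_prefs XML. "RGluZXNo" is base64 of "Dinesh";
# FAKE_CIPHERTEXT is 32 arbitrary bytes standing in for AES-CBC output.
FAKE_CIPHERTEXT = bytes(range(32))
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="stored_user">RGluZXNo</string>
    <string name="stored_password">{}</string>
    <string name="theme">dark-mode</string>
    <boolean name="remember_me" value="true" />
    <int name="login_count" value="3" />
</map>
""".format(base64.b64encode(FAKE_CIPHERTEXT).decode())

PRINTABLE = set(string.printable)


def classify_value(value):
    """Decide what a stored string most likely is.

    Returns (kind, detail): "plaintext" when it is not base64 at all, "base64_text" when it
    decodes to readable text (encoding, not encryption), "block_cipher_sized" when the decoded
    bytes are a multiple of the 16-byte AES block, else "opaque_binary"."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, binascii.Error):
        return "plaintext", value
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        text = None
    if text is not None and all(c in PRINTABLE for c in text):
        return "base64_text", text
    if len(raw) % 16 == 0:
        return "block_cipher_sized", "%d bytes" % len(raw)
    return "opaque_binary", "%d bytes" % len(raw)


def triage_prefs(xml_text):
    """Classify every entry of a shared_prefs XML document.

    Each result records the entry name, whether the name itself looks sensitive, and the
    classify_value() verdict for string entries (primitives are reported as-is)."""
    findings = []
    for el in ET.fromstring(xml_text):
        name = el.get("name", "")
        sensitive = any(tok in name.lower() for tok in SENSITIVE_NAMES)
        if el.tag == "string":
            kind, detail = classify_value(el.text or "")
        else:
            kind, detail = "primitive", el.get("value")
        findings.append({"name": name, "sensitive_name": sensitive, "kind": kind, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in triage_prefs(SAMPLE_PREFS):
        flag = "!" if f["sensitive_name"] and f["kind"] != "primitive" else " "
        print("%s %-16s %-18s %s" % (flag, f["name"], f["kind"], f["detail"]))
```

Run it on the real file with `triage_prefs(open("mySharedPreferences.xml").read())` after pulling it with adb. A sensitive name next to a "base64_text" verdict is a finding on its own; a "block_cipher_sized" value is only as protected as the key, which in this app sits in CryptoClass inside the APK.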