Saturday, December 24, 2016

ANDROID PT / Backup Vulnerability


- Layout for this exercise:

- Connecting Santoku to Nexus 5:

- Backup and restoration processes in some Android applications are vulnerable because the backup contents can be altered and later restore back without root privileges.  

- Some of these vulnerabilities were discovered and investigated by Chris John Riley and Aditya Gutpa.

- In this exercise the Android Backup Extractor (abe) will be used:

- Once downloaded to Santoku, let's unzip abe:

- On the other hand, to test the backup vulnerability, the application box.apk will be used:

- Installing box.apk to the mobile device:

- Going to Settings, a passcode is introduced:

- From now, to access the application a passcode is needed after 1 minute of timeout: 

- Detecting the name of the package used by the application:

- ADB helps to backup the application, from box.apk, creating the new file box.ab. The extension .ab means "android backup":

- The user is prompted to perform the backup at the mobile device:

- The backup process is successful:

-  hexdump shows the hexadecimal content of box.ab, checking that it is actually an Android backup:

- It is important to notice that an Android Backup (*.ab) file is actually a compressed tar file, that can be created with the Android Backup Extractor, so unpacking box.ab to box.tar:

- Extracting with tar, all the files of box.tar are displayed:

- Listing the files of box.tar to a file box.list:

- Now, the whole package is available to be analyzed:

- Going deeper into the folder's structure down to sp (shared preferences):

- Looking up into apps:

- A hardcoded encrypted pin is found at the file myPreference.xml:

- Opening myPreference.xml, the line with the encrypted pin is detected:

- With the purpose of altering the application, the line corresponding to the encrypted pin is just removed:

- Now, to rebuild the application once it has been altered, the pax command is used:

- Redirecting the list of files of box.list (altered) to a new file box1.tar:

- The Android Backup Extractor does the reverse process than before, now packing instead of unpacking, and creating a file box1.ab from the altered box1.tar:

-  hexdump shows the hexadecimal content of box1.ab, checking that it is actually an Android backup:

- Restoring the backup with ADB:

- The user is prompted to perform the restoration (notice that neither passcode nor pin is requested):

- The restoration of data is eventually successful:

- We can also verify that the alteration is effective, by checking that now the Settings configuration says Require passcode = Never, although we set previously a required passcode: