
Saturday, December 31, 2016

ANDROID PT - DIVA / 0 - Introduction


INTRODUCTION

- Layout for this exercise:




1 - What is DIVA? 

- According to its developer, Aseem Jakhar, DIVA (Damn Insecure and Vulnerable App) is an Android application intentionally designed to be insecure.


https://github.com/payatu/diva-android

- The goal of DIVA is to teach developers and security professionals the flaws that are commonly present in apps because of poor or insecure coding practices.

- DIVA covers common vulnerabilities in Android apps: insecure logging, insecure storage, input validation, access control issues, and also a few vulnerabilities in native code, which makes it more interesting because it covers both Java and C vulnerabilities.


2 - Installing DIVA from Santoku Linux to Android device

- Once the application has been downloaded and extracted on Santoku Linux, the file diva-beta.apk is available to be installed and analyzed:




- Santoku connects to the mobile device over USB (USB debugging must be enabled and the RSA prompt accepted on the phone):





- Installing DIVA on the Nexus with ADB (Android Debug Bridge):







- Launching the application:




- DIVA includes 13 challenges:
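The install-and-launch procedure above, as an added Python example (not from the original post). It assumes adb is on the PATH and a single authorised device is attached; the launcher activity jakhar.aseem.diva.MainActivity is the one declared in the DIVA repository, the sample `adb devices` output is constructed.

```python
"""Install an APK on a USB-attached Android device with adb and launch it.

Added example (not from the original post). Assumes `adb` is on PATH and
exactly one authorised device is attached; the launcher activity name is the
one declared in the DIVA repository (jakhar.aseem.diva.MainActivity).
"""
import subprocess
from typing import List, Tuple

APK = "diva-beta.apk"
PACKAGE = "jakhar.aseem.diva"
LAUNCHER = PACKAGE + "/.MainActivity"

# Constructed sample of what `adb devices` prints with one ready device.
SAMPLE_DEVICES = "List of devices attached\n0123456789ABCDEF\tdevice\n\n"


def parse_adb_devices(output: str) -> List[Tuple[str, str]]:
    """Turn the text printed by `adb devices` into (serial, state) pairs.

    States worth knowing: 'device' (ready), 'unauthorized' (the USB-debugging
    prompt on the phone has not been accepted yet), 'offline'.
    """
    pairs = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue  # header line or daemon start-up chatter
        parts = line.split()
        if len(parts) >= 2:
            pairs.append((parts[0], parts[1]))
    return pairs


def ready_serials(output: str) -> List[str]:
    """Serials of devices that adb can actually talk to."""
    return [s for s, state in parse_adb_devices(output) if state == "device"]


def pick_ready_device(output: str) -> str:
    """Return the serial of the single usable device, or fail with a clear reason."""
    ready = ready_serials(output)
    if not ready:
        raise RuntimeError("no device in state 'device'; accept the RSA prompt on the phone")
    if len(ready) > 1:
        raise RuntimeError("several devices attached, choose one: %s" % ", ".join(ready))
    return ready[0]


def adb(serial: str, *args: str) -> str:
    """Run one adb command against a specific device and return its stdout."""
    cmd = ["adb", "-s", serial] + list(args)
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def install_and_launch(apk: str = APK) -> str:
    devices = subprocess.run(["adb", "devices"], check=True,
                             capture_output=True, text=True).stdout
    serial = pick_ready_device(devices)
    # -r reinstalls over an existing copy, -t allows a debuggable/test build.
    adb(serial, "install", "-r", "-t", apk)
    # Confirm the package really landed before trying to start it.
    listed = adb(serial, "shell", "pm", "list", "packages", PACKAGE)
    if "package:" + PACKAGE not in listed:
        raise RuntimeError("install reported success but %s is not listed" % PACKAGE)
    adb(serial, "shell", "am", "start", "-n", LAUNCHER)
    return serial


if __name__ == "__main__":
    print("DIVA launched on", install_and_launch())
```

The `pm list packages` check matters more than it looks: `adb install` can report success for a different build than the one you meant to test, so verifying the package name (and, in a real engagement, the signing certificate) before launching avoids analysing the wrong APK.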

3 - Decompiling, reversing and analyzing the application

- To analyze and work with DIVA's source code it is essential to decompile the application, for instance with jadx:





- Running jadx on diva-beta.apk. It prints some errors for code it could not decompile cleanly, but the final result is still usable:




- As a result of executing jadx a diva-beta folder is created:





- The folder diva-beta contains all the components of the application:












- The manifest file shows that the package of the application is jakhar.aseem.diva:











- Going down the folder path indicated by the package name:





- Once the innermost folder, diva, is reached, there is the Java source code of all the activities used by the application, which will be very useful for finding a solution to each of DIVA's challenges:
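The jadx workflow above (decompile, read the package from the manifest, walk down to the activity sources), as an added Python example that is not part of the original post. It assumes jadx is on the PATH and writes its output under sources/ and resources/ as current jadx versions do; the demo manifest is constructed, with DIVA's package name and activity names chosen for the example.

```python
"""Decompile an APK with jadx and locate the application's own activity sources.

Added example, not from the original post. Assumes `jadx` is on PATH. The
DEMO_MANIFEST below is constructed for the example (DIVA's package name,
activity names chosen to illustrate the relative/absolute/exported cases).
"""
import os
import subprocess
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

DEMO_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="jakhar.aseem.diva">
  <application android:label="Diva">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".LogActivity"/>
    <activity android:name="jakhar.aseem.diva.SQLInjectionActivity" android:exported="true"/>
  </application>
</manifest>
"""


def decompile(apk: str, out_dir: str) -> None:
    """Run jadx. It exits non-zero when some methods fail to decompile, which is
    common and harmless for reading, so check=True is deliberately not used."""
    subprocess.run(["jadx", "-d", out_dir, apk])


def qualify(package: str, name: str) -> str:
    """Manifest names may be relative ('.MainActivity'), bare ('MainActivity')
    or fully qualified; normalise to a fully qualified class name."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def parse_manifest(manifest_xml: str) -> Tuple[str, List[str], List[str]]:
    """Return (package, all activities, activities reachable from other apps).

    jadx writes a decoded, plain-text AndroidManifest.xml, so ElementTree reads
    it directly. An activity is exported when android:exported="true" or when
    it has an intent-filter and no explicit value (implicit export, Android 11
    and below); exported components are the first place to look for access
    control bugs.
    """
    root = ET.fromstring(manifest_xml)
    package = root.attrib["package"]
    activities, exported = [], []
    for act in root.iter("activity"):
        name = qualify(package, act.attrib[ANDROID_NS + "name"])
        activities.append(name)
        flag = act.attrib.get(ANDROID_NS + "exported")
        has_filter = act.find("intent-filter") is not None
        if flag == "true" or (flag is None and has_filter):
            exported.append(name)
    return package, activities, exported


def source_path(out_dir: str, class_name: str) -> str:
    """jakhar.aseem.diva.MainActivity -> <out>/sources/jakhar/aseem/diva/MainActivity.java"""
    return out_dir + "/sources/" + class_name.replace(".", "/") + ".java"


def activity_sources(apk: str, out_dir: str) -> Dict[str, str]:
    """Decompile and map every activity to its .java file under out_dir."""
    decompile(apk, out_dir)
    manifest = os.path.join(out_dir, "resources", "AndroidManifest.xml")
    with open(manifest, encoding="utf-8") as fh:
        _, activities, _ = parse_manifest(fh.read())
    return {name: source_path(out_dir, name) for name in activities}


if __name__ == "__main__":
    for name, path in activity_sources("diva-beta.apk", "diva-beta").items():
        print(name, "->", path, "(present)" if os.path.exists(path) else "(missing)")
```

A missing .java file for a declared activity usually means jadx gave up on that class; fall back to the smali for it rather than assuming the activity is dead code.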






Friday, December 30, 2016

ANDROID PT / Analysis with Androguard


ANALYSIS WITH ANDROGUARD

- Androguard is an open source Python framework for analyzing and reverse engineering Android applications; its interactive shell, androlyze, runs on IPython.

- Some of Androguard's functionalities include automated and scripted analysis of dex, odex, apk and binary xml files, a disassembler, a decompiler, malware dissection, ...

- It can be found here:

https://github.com/androguard/androguard





- Once downloaded, let's unzip the file:




- The tool androlyze is part of the Androguard platform and allows static analysis of .apk applications:

https://androlyze.readthedocs.io/en/latest/




- Let's take the application box.apk as example. The whole path:




- Getting permissions of the application:




- Detailing the permissions: for example, android.permission.INTERNET is reported as "dangerous" because it grants full network access, i.e. the app can open arbitrary sockets. Note that this label comes from Androguard's own permission table; on the device, INTERNET is a "normal" permission from Android 6.0 onward and is granted at install time without any prompt.




- Identifying the activities of the application:




- Services:




- Broadcast receivers:




- Signature in hexadecimal:




- The package name:






- Determining whether the application is valid or not:




- Files:






- Now, let's retrieve classes and methods from the application:






- Writing a small script for getting the classes:






- Same thing for the methods:






- The options and the scope of Androguard are immense. This has been only a small introduction to the possibilities of this very handy framework for Android analysis.
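The androlyze steps above (permissions, components, package, validity, files, classes and methods) collected into one script, as an added Python example that is not part of the original post or of Androguard. The androguard calls used are its real API (AnalyzeAPK, get_permissions, get_details_permissions, get_activities, get_services, get_receivers, get_package, is_valid_APK, get_files, get_classes, get_methods); the filtering helpers, the sample class list and the package com.example.box are this example's own constructions.

```python
"""Static triage of an APK with Androguard's Python API.

Added example, not from the original post or from Androguard. The androguard
calls are the library's real API; own_classes(), risky_permissions() and the
SAMPLE_CLASSES / SAMPLE_DETAILS data are constructed for this example.
"""
from typing import Dict, Iterable, List

# Constructed Dalvik class names as d.get_classes() would report them for an
# app in package com.example.box that bundles the support library and an ad SDK.
SAMPLE_CLASSES = [
    "Lcom/example/box/MainActivity;",
    "Lcom/example/box/net/SyncService;",
    "Lcom/example/box/Config;",
    "Landroid/support/v4/app/Fragment;",
    "Lcom/google/android/gms/ads/AdView;",
]

# Constructed excerpt in the shape of a.get_details_permissions():
# {permission: [protection level, short description, long description]}
SAMPLE_DETAILS = {
    "android.permission.INTERNET": ["dangerous", "full Internet access", "..."],
    "android.permission.VIBRATE": ["normal", "control vibrator", "..."],
}


def dalvik_prefix(package: str) -> str:
    """Java package 'com.example.box' -> Dalvik descriptor prefix 'Lcom/example/box/'."""
    return "L" + package.replace(".", "/") + "/"


def own_classes(class_names: Iterable[str], package: str) -> List[str]:
    """Keep only classes under the app's own package. Bundled libraries usually
    dwarf the app's code and are noise when hunting app-specific bugs."""
    prefix = dalvik_prefix(package)
    return sorted(c for c in class_names if c.startswith(prefix))


def risky_permissions(details: Dict[str, list]) -> List[str]:
    """Permissions Androguard's table labels 'dangerous'. This is Androguard's
    classification, not the device's (INTERNET is 'normal' since Android 6.0)."""
    return sorted(p for p, info in details.items() if info and info[0] == "dangerous")


def triage(apk_path: str) -> dict:
    """Run the same queries the androlyze session above did, in one pass."""
    # Imported here so the helpers above work without androguard installed.
    from androguard.misc import AnalyzeAPK
    a, d, dx = AnalyzeAPK(apk_path)
    dex_list = d if isinstance(d, list) else [d]  # 2.x: one object, 3.x: a list
    package = a.get_package()
    prefix = dalvik_prefix(package)
    all_classes = [c.get_name() for dv in dex_list for c in dv.get_classes()]
    return {
        "package": package,
        "valid": a.is_valid_APK(),
        "permissions": a.get_permissions(),
        "dangerous": risky_permissions(a.get_details_permissions()),
        "activities": a.get_activities(),
        "services": a.get_services(),
        "receivers": a.get_receivers(),
        "files": a.get_files(),
        "own_classes": own_classes(all_classes, package),
        # smali-style Lpkg/Class;->name(desc) for the app's own methods only
        "own_methods": [
            "%s->%s%s" % (m.get_class_name(), m.get_name(), m.get_descriptor())
            for dv in dex_list for m in dv.get_methods()
            if m.get_class_name().startswith(prefix)
        ],
    }


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(triage(sys.argv[1]), indent=2, default=str))
```

Filtering on the manifest package is a heuristic: obfuscated apps or apps whose code lives in a different package than their applicationId need the prefix adjusted by hand, which is why the helper takes the package as a parameter rather than hardcoding it.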




Tuesday, December 27, 2016

ANDROID PT / Reversing and Bypassing Authentication with d2j-dex2jar and jd-gui


REVERSING AND BYPASSING  AUTHENTICATION WITH D2J-DEX2JAR AND JD-GUI

- Layout for this exercise:



- Connecting Santoku to Nexus 5:



1 - D2J-DEX2JAR

dex2jar converts the Dalvik bytecode (classes.dex) into an equivalent .jar of JVM .class files; a Java decompiler such as JD-GUI then turns those classes into readable Java source. The resulting source is useful to read and understand the functionality of an app. However, it is important to notice that this decompiled source is not meant to be modified and repackaged: to patch an app, work on the smali (for example with apktool) rather than on the dex2jar/JD-GUI output.



2 - JAVA DECOMPILER - JD GUI

- The Java Decompiler project (JD) aims to develop tools to decompile and analyze Java 5 bytecode and later versions.


- JD-Core is a library that reconstructs Java source code from one or more .class files. JD-Core may be used to recover lost source code and to explore the source of Java runtime libraries. Java 5 features such as annotations, generics and the "enum" type are supported. JD-GUI and JD-Eclipse include the JD-Core library.

- JD-GUI is a standalone graphical utility that displays the Java source code of .class files. The reconstructed source can be browsed in JD-GUI for instant access to methods and fields.

- JD-Eclipse is a plug-in for the Eclipse platform. It displays the Java sources during debugging, even when not all of them are available.

- JD-Core, JD-GUI & JD-Eclipse are open source projects released under the GPLv3 License.


3 - BYPASSING AUTHENTICATION OF THE APPLICATION LISTLOCK 

- To illustrate the usage of d2j-dex2jar and jd-gui the application ListLock is downloaded from this link:




- Once the content has been downloaded, let's unzip it:




- Going to the ListLock APK folder, there is the .apk file com.gdssecurity.listlock.apk:




- Installing the application to the mobile device:



- Clicking the icon:



- The user is prompted to enter a password. With a wrong password, the list stays locked:




- Let's reverse the application with d2j-dex2jar:


- A new .jar file is created:




- Opening the .jar file with jd-gui:



- Looking through the classes, there is an Authenticate.class that includes the method validatePassword. This method compares the stored password (from PasswordStore.class) with the password entered by the user; if they match (equals), the list is unlocked:



- However, PasswordStore.class hardcodes the password that is compared, which is a common vulnerability in many applications: anyone who can decompile the APK recovers the secret, as shown here.



- Using the hardcoded password (C@ntSeeMyList!) the list is successfully unlocked:
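The hardcoded-password check above, next to what a hardened check looks like and a small triage helper for spotting the same pattern in decompiled sources, as an added Python example that is not part of the original post or of ListLock. The password C@ntSeeMyList! and the class names Authenticate/PasswordStore come from the post; the PBKDF2 scheme, the SAMPLE_SOURCE snippet and the scan regex are this example's own constructions.

```python
"""Hardcoded-password check as found in ListLock, its hardened form, and a scan
of decompiled Java for the same anti-pattern.

Added example, not from the original post or the app. The password and class
names come from the post; the PBKDF2 scheme, the SAMPLE_SOURCE snippet and
the regular expression are constructed for this example.
"""
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# --- vulnerable: what the decompiled PasswordStore / Authenticate amount to ---
HARDCODED = "C@ntSeeMyList!"  # recovered from the .jar in seconds, as the post shows


def validate_password_vulnerable(entered: str) -> bool:
    """String.equals() against a literal: the secret ships inside the APK."""
    return entered == HARDCODED


# --- hardened: store only a salted PBKDF2 hash and compare in constant time ---
ITERATIONS = 200000


def make_verifier(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Run once when the user sets the password; persist (salt, digest), never
    the password itself. A fixed salt may be passed for reproducible tests."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def validate_password_hardened(entered: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", entered.encode("utf-8"), salt, ITERATIONS)
    # compare_digest avoids the early-exit timing leak of == / equals()
    return hmac.compare_digest(candidate, digest)


# --- triage helper: flag string literals assigned to secret-looking names ---
SECRET_RE = re.compile(
    r'(?i)\b((?:pass(?:word|wd)?|secret|pin|api[_-]?key|token)\w*)\s*=\s*"([^"]{4,})"'
)

# Constructed snippet in the shape of JD-GUI / jadx output for the pattern.
SAMPLE_SOURCE = '''
public class PasswordStore {
  private static final String PASSWORD = "C@ntSeeMyList!";
  private static final String listName = "Groceries";
}
'''


def find_hardcoded_secrets(java_source: str) -> List[Tuple[str, str]]:
    """Return (identifier, literal) pairs for assignments such as
    String password = "..." in decompiled Java. Expect false positives; the
    point is a short list of lines worth reading by hand."""
    return [(m.group(1), m.group(2)) for m in SECRET_RE.finditer(java_source)]


if __name__ == "__main__":
    print("vulnerable check:", validate_password_vulnerable(HARDCODED))
    salt, digest = make_verifier(HARDCODED)
    print("hardened check:", validate_password_hardened(HARDCODED, salt, digest))
    print("suspicious literals:", find_hardcoded_secrets(SAMPLE_SOURCE))
```

The hardened form only removes the secret from the binary; a purely local gate can still be patched out of the smali by anyone with the APK, so a lock screen like ListLock's should protect data that is itself encrypted with a key derived from the password, not merely hide a view behind a boolean.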