Saturday, December 31, 2016

ANDROID PT - DIVA / 2 - Hardcoding Issues 1


- Layout for this exercise:

- Connecting from Santoku to Nexus 5 with ADB:

- Launching the application: 

- Challenge 2 is based on the fact that many Android applications hardcode sensitive information in their source code.

- This is an important vulnerability because, by reverse engineering the application, anyone can recover that sensitive information. Examples could be access keys, passwords, etc.

- Clicking the second challenge:

- The application prompts the user to enter the vendor key in order to be granted access:

- Testing an invalid key, the application denies access, as expected:

- Once the application is decompiled with jadx, as done in the first post of this series (see here), the source code of the activity for challenge 2 becomes available:

- Opening the Java source code for the activity of challenge 2, it is very clear how the access check is implemented.

- If the hardcoded key "vendorsecretkey" matches (via equals) the key entered by the user, access is granted; otherwise it is denied:

- Entering the hardcoded key "vendorsecretkey" confirms that it is the right one: access is granted:
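As an added example (my own code, not DIVA's or the post's), a small Python scanner for the jadx output that flags string literals used as an operand of equals(), which is exactly the pattern behind this challenge. The Java snippet inside is constructed to mirror the check described above, not copied from DIVA; the scan_jadx_output helper and the 4-character minimum literal length are my own choices.

```python
import re
from pathlib import Path

# Constructed Java snippet mirroring the check described above (not DIVA's own
# source): the key typed by the user is compared with a string literal via equals().
SAMPLE_JAVA = """
public class HardcodeActivity {
    public void access(View view) {
        String key = ((EditText) findViewById(R.id.hckey)).getText().toString();
        if ("vendorsecretkey".equals(key)) {
            Toast.makeText(this, "Access granted", 0).show();
        } else if (key.equals("")) {
            Toast.makeText(this, "Please enter a key", 0).show();
        } else {
            Toast.makeText(this, "Access denied", 0).show();
        }
    }
}
"""

# Both operand orders are covered: "literal".equals(x) and x.equals("literal").
LITERAL = r'"((?:[^"\\]|\\.){4,})"'   # 4+ chars: ignores "" and tiny UI strings (heuristic)
METHOD = r'\.\s*(?:equals|equalsIgnoreCase|contentEquals)\s*\('
PATTERNS = [re.compile(LITERAL + r'\s*' + METHOD),
            re.compile(METHOD + r'\s*' + LITERAL + r'\s*\)')]


def find_hardcoded_comparisons(java_source):
    """Return [(line_number, literal)] for each string literal used as an equals() operand."""
    hits = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        for pat in PATTERNS:
            hits.extend((lineno, m.group(1)) for m in pat.finditer(line))
    return hits


def scan_jadx_output(root):
    """Walk a jadx output tree (such as the diva-beta folder) and return {file: hits}."""
    results = {}
    for path in Path(root).rglob("*.java"):
        hits = find_hardcoded_comparisons(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    for lineno, lit in find_hardcoded_comparisons(SAMPLE_JAVA):
        # Mask the literal so the report itself does not spread the secret around.
        print(f"sample.java:{lineno}: equals() against literal {lit[:3]}{'*' * (len(lit) - 3)}")
```

Running scan_jadx_output("diva-beta") applies the same check to every .java file of a real jadx tree.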

ANDROID PT - DIVA / 1 - Insecure Logging


- Layout for this exercise:

- Connecting from Santoku to Nexus 5 with ADB:

- Launching the application:

- The first challenge is about how insecure logging may leak sensitive information introduced by users unaware of the vulnerability:

- The application prompts the user to enter a credit card number:

- From Santoku, the PID of the process is discovered:

- Android holds a centralized logging system that is accessible to all applications on the device. The adb shell logcat command, filtered with grep by DIVA's PID, outputs debugging information about the application in real time:

- To test the vulnerability, the user enters a 16-digit credit card number. The app responds with an error message:

- However, the logcat output on Santoku shows, in plain text, the credit card number entered by the user of the application:
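As an added example (not part of the post), a Python detector that applies the same PID filter as the logcat command above and then looks for Luhn-valid 16-digit numbers in the messages, so a leaked card number is caught even when the log tag gives no hint. The logcat lines and the PID 1234 are constructed for the example.

```python
import re

# Constructed logcat lines in "threadtime" format (date time PID TID level tag: message).
# They are shaped like DIVA's output but are not real; DIVA's PID is assumed to be 1234.
SAMPLE_LOGCAT = """\
12-31 10:15:01.120  1234  1234 E diva-log: Error while processing transaction with credit card: 4111111111111111
12-31 10:15:01.121   987   987 I ActivityManager: Displayed some.other.app/.MainActivity
12-31 10:15:02.300  1234  1250 D Sensors: timestamp 1483179302300123456
12-31 10:15:03.010  1234  1234 I diva-log: user typed 1234567812345678
"""

LINE = re.compile(r"^\S+\s+\S+\s+(?P<pid>\d+)\s+\d+\s+(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s*(?P<msg>.*)$")
PAN = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")   # exactly 16 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum, the structural check every real card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_leaked_pans(logcat_text, pid):
    """Return [(tag, masked_pan)] for lines of `pid` whose message carries a Luhn-valid 16-digit number."""
    hits = []
    for line in logcat_text.splitlines():
        m = LINE.match(line)
        if not m or int(m.group("pid")) != pid:
            continue  # same filtering as "logcat | grep <PID>", but on the PID field only
        for cand in PAN.finditer(m.group("msg")):
            digits = re.sub(r"\D", "", cand.group())
            if luhn_ok(digits):  # the Luhn check drops random digit runs such as timestamps
                hits.append((m.group("tag"), digits[:6] + "*" * 6 + digits[-4:]))
    return hits


if __name__ == "__main__":
    for tag, masked in find_leaked_pans(SAMPLE_LOGCAT, 1234):
        print(f"card number leaked in logcat by tag {tag}: {masked}")
```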

ANDROID PT - DIVA / 0 - Introduction


- Layout for this exercise:

1 - What is DIVA? 

- According to its developer, Aseem Jakhar, DIVA (Damn Insecure and Vulnerable App) is an application intentionally designed to be insecure.

- The goal of DIVA is to teach developers and security professionals the flaws that are commonly present in apps due to poor or insecure coding practices.

- DIVA covers common vulnerabilities in Android apps: insecure logging, insecure storage, input validation and access control issues, plus a few vulnerabilities in native code, which makes it more interesting because it covers both Java and C vulnerabilities.

2 - Installing DIVA from Santoku Linux to Android device

- Once the application has been downloaded and extracted on Santoku Linux, the file diva-beta.apk is available to be installed and analyzed:

- Santoku connects to the mobile device:

- Installing DIVA on Nexus, using ADB (Android Debug Bridge):

- Launching the application:

- DIVA includes 13 challenges:

3 - Decompiling, reversing and analyzing the application

- To analyze and work with DIVA's source code it is essential to decompile the application, for instance with jadx:

- Running jadx on diva-beta.apk. Although some errors are displayed, the final result is successful:

- Running jadx creates a diva-beta folder:

- The folder diva-beta contains all the components of the application:

- The manifest file shows that the application's package is jakhar.aseem.diva:

- Following the folder path indicated by the package name:

- In the innermost folder, diva, is the Java source code of all the activities used by the application, which will be very useful for solving each of DIVA's challenges:

Friday, December 30, 2016

ANDROID PT / Analysis with Androguard


- Androguard is an open source Python framework (with an IPython-based shell) designed for analyzing and reverse engineering Android applications.

- Some of Androguard's features include automated and scripted analysis of DEX, ODEX, APK and binary XML files, a disassembler, a decompiler, malware dissection, and more.

- It can be found here:

- Once downloaded, let's unzip the file:

- The tool androlyze is part of the Androguard platform and allows static analysis of .apk applications:

- Let's take the application box.apk as an example. Its full path:

- Getting the application's permissions:

- Detailing the permissions: for example, .INTERNET is considered "dangerous" because it allows full access to the network, for instance creating sockets:

- Identifying the activities of the application:

- Services:

- Broadcast receivers:

- Signature in hexadecimal:

- The package name:

- Determining whether the application is valid or not:

- Files:

- Now, let's retrieve classes and methods from the application:

- Writing a small script to get the classes:

- Same thing for the methods:
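As an added example (my own code, not part of Androguard or the post), the manifest-level queries made above with androlyze (package, permissions, activities, services, receivers) answered with the standard library over a decoded text AndroidManifest.xml, such as the one jadx or apktool writes, plus a check for exported components. The manifest and the REVIEW shortlist are constructed for the example; Androguard itself reads the binary manifest straight from the APK.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest in decoded text form (as jadx/apktool write it); not box.apk's real manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.box">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Box">
    <activity android:name="com.example.box.MainActivity"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
  </application>
</manifest>
"""

# Permissions worth a second look (my own shortlist, not Android's protection levels).
REVIEW = {"android.permission.INTERNET": "full network access (sockets)",
          "android.permission.READ_CONTACTS": "reads the address book",
          "android.permission.READ_SMS": "reads SMS messages"}


def parse_manifest(xml_text):
    """Return the facts androlyze was queried for above, plus the exported components."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")

    def full(name):  # ".Foo" is shorthand for "<package>.Foo", the form Androguard prints
        return pkg + name if name.startswith(".") else name

    def names(tag):
        return [full(el.get(ANDROID_NS + "name")) for el in root.iter(tag)]

    return {"package": pkg,
            "permissions": names("uses-permission"),
            "activities": names("activity"),
            "services": names("service"),
            "receivers": names("receiver"),
            # exported components are reachable by other apps: the first thing to review
            "exported": [full(el.get(ANDROID_NS + "name")) for el in root.iter()
                         if el.get(ANDROID_NS + "exported") == "true"]}


def review_permissions(info):
    """Return [(permission, reason)] for the requested permissions on the shortlist."""
    return [(p, REVIEW[p]) for p in info["permissions"] if p in REVIEW]


if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    for key, value in info.items():
        print(f"{key}: {value}")
    for perm, why in review_permissions(info):
        print(f"review: {perm}: {why}")
```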

- The options and scope of Androguard are immense; this has been just a brief introduction to the possibilities of this very handy framework for Android analysis.