
Saturday, December 31, 2016

ANDROID PT - DIVA / 3 - Insecure Data Storage 1 - Shared Preferences


INSECURE DATA STORAGE 1 - SHARED PREFERENCES

- Layout for this exercise:




- Connecting from Santoku to Nexus 5 with ADB:





- Launching the application: 





- The third challenge is based on the fact that some applications store sensitive information, for instance small name/value or key/value pairs, in local storage files such as the Shared Preferences folder (shared_prefs). Although not recommended, many developers use this method. The values are written as plaintext XML under /data/data/<package>/shared_prefs, readable by the app itself, by root (and therefore by anyone with ADB access on a rooted device), and by any other application if the file was created world-readable.


- Clicking the challenge 3 tab:




- The application prompts for credentials (username + password) to be saved:

 

- Let's introduce these simple credentials:


       username: Bob
       password: PasswordForBob


- The application reports that the credentials have been saved successfully:

 


- Going to the activity for this challenge, InsecureDataStorage1Activity.java (see how to do it here):




- Opening the file to analyze the Java source code. The saveCredentials method takes the username and password entered by the user and writes them, unencrypted, into the default Shared Preferences file:






- Going to /data/data/jakhar.aseem.diva (the package name) on the device, the shared_prefs folder is found:



 

- Checking its content:

 

- Opening the .xml file, the credentials previously entered by the user appear in plaintext:
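- As an added example (not part of the original post), the following Python script automates the last step: it parses a shared_prefs XML file and flags entries whose key name suggests a credential. The sample XML is constructed here; the file name jakhar.aseem.diva_preferences.xml and the key names "user" and "password" are assumptions about DIVA's code, only the values come from the post.

```python
"""Parse an Android shared_prefs XML file and flag plaintext credentials."""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample of what the default preferences file would contain after the
# credentials above are saved.  The file name jakhar.aseem.diva_preferences.xml and
# the key names "user"/"password" are assumptions; only the values come from the post.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user">Bob</string>
    <string name="password">PasswordForBob</string>
    <boolean name="first_run" value="false" />
    <int name="launch_count" value="3" />
</map>
"""

# Key names that usually hold credentials or session material.
SENSITIVE_KEY = re.compile(
    r"(user|login|email|pass|pwd|secret|token|key|pin|cred|auth|session)", re.I)


def parse_shared_prefs(xml_text):
    """Return {name: value} for every entry of a shared_prefs <map>.

    <string> keeps its value as element text, <set> holds nested <string>
    children, and boolean/int/long/float entries carry a value attribute.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "map":
        raise ValueError("not a shared_prefs file: root element is <%s>" % root.tag)
    entries = {}
    for child in root:
        name = child.get("name")
        if name is None:
            continue
        if child.tag == "string":
            entries[name] = child.text or ""
        elif child.tag == "set":
            entries[name] = [s.text or "" for s in child.findall("string")]
        else:
            entries[name] = child.get("value", "")
    return entries


def find_plaintext_secrets(entries):
    """Return the entries whose key name looks sensitive and whose value is a
    non-empty string.  An encrypted blob stored under such a key would also be
    reported, so every hit still deserves a manual look."""
    return {k: v for k, v in entries.items()
            if isinstance(v, str) and v and SENSITIVE_KEY.search(k)}


if __name__ == "__main__":
    # Real use: pull the file first, e.g.
    #   adb shell "run-as jakhar.aseem.diva cat shared_prefs/jakhar.aseem.diva_preferences.xml" > prefs.xml
    # (run-as only works for debuggable builds; otherwise a root shell is needed),
    # then: python3 shared_prefs_audit.py prefs.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PREFS_XML
    for key, value in find_plaintext_secrets(parse_shared_prefs(text)).items():
        print("plaintext credential in shared_prefs: %s = %r" % (key, value))
```

- Without an argument the script runs against the embedded sample; with a file argument it audits a real file pulled from the device.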






ANDROID PT - DIVA / 2 - Hardcoding Issues 1



HARDCODING ISSUES 1

- Layout for this exercise:





- Connecting from Santoku to Nexus 5 with ADB:




- Launching the application: 




- Challenge 2 is based on the fact that many Android applications hardcode sensitive information in the source code.

- This is an important vulnerability because, by reverse engineering the APK, an attacker can recover that information: access keys, passwords, API tokens, etc. Any secret shipped inside the app must be assumed known to whoever has the APK.

- Clicking the second challenge:




- The application prompts the user to enter the vendor key that grants access:



- Trying an invalid key, the application denies access, as expected:



- Once the application has been decompiled with jadx, as done in the first post of this series (see here), the source code of the activity related to challenge 2 is available:




- Opening the Java source code for the activity of challenge 2 (HardcodeActivity.java), it is very clear how the access check is implemented.

- If the key entered by the user equals the hardcoded key "vendorsecretkey", access is granted; otherwise it is denied:






- Checking that the hardcoded key "vendorsecretkey" is the right one: entering it, access is granted:
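- As an added example (not DIVA's own code nor part of the original post), the following Python script scans jadx output for the pattern just seen: string literals used in equals() comparisons, and String constants whose name suggests a secret. The Java snippet embedded as sample input is constructed to mirror the logic the post describes; only the literal "vendorsecretkey" and the class name HardcodeActivity come from the post, the rest (method names, messages, the BACKEND_TOKEN constant) is invented for the example.

```python
"""Scan jadx-decompiled Java sources for hardcoded secrets."""
import os
import re

# Constructed Java snippet mirroring the check described for HardcodeActivity.
# Only "vendorsecretkey" and the class name come from the post; the rest is invented.
SAMPLE_JAVA = r'''
package jakhar.aseem.diva;

public class HardcodeActivity extends AppCompatActivity {
    private static final String LABEL = "ok";
    public void access(View view) {
        EditText hckey = (EditText) findViewById(R.id.hcKey);
        if (hckey.getText().toString().equals("vendorsecretkey")) {
            Toast.makeText(this, "Access granted", Toast.LENGTH_SHORT).show();
        } else {
            Toast.makeText(this, "Access denied", Toast.LENGTH_SHORT).show();
        }
    }
    private static final String BACKEND_TOKEN = "t0ps3cr3t-token-value";
}
'''

JAVA_STRING = r'"((?:[^"\\]|\\.)*)"'
# x.equals("literal") / x.equalsIgnoreCase("literal")
EQUALS_LITERAL = re.compile(r'\.(?:equals|equalsIgnoreCase|contentEquals)\(\s*' + JAVA_STRING + r'\s*\)')
# "literal".equals(x)
LITERAL_EQUALS = re.compile(JAVA_STRING + r'\s*\.(?:equals|equalsIgnoreCase)\(')
# String SOMETHING_KEY = "literal"
SECRET_ASSIGN = re.compile(
    r'String\s+(\w*(?:key|secret|token|pass|pwd|api|auth)\w*)\s*=\s*' + JAVA_STRING, re.I)

MIN_LITERAL_LEN = 4  # skip .equals("") and similar noise


def find_hardcoded_secrets(java_source):
    """Return (line number, description, literal) for every suspicious literal."""
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), 1):
        for pat in (EQUALS_LITERAL, LITERAL_EQUALS):
            for m in pat.finditer(line):
                if len(m.group(1)) >= MIN_LITERAL_LEN:
                    findings.append((lineno, "literal compared with equals()", m.group(1)))
        for m in SECRET_ASSIGN.finditer(line):
            if len(m.group(2)) >= MIN_LITERAL_LEN:
                findings.append((lineno, "secret-looking constant %s" % m.group(1), m.group(2)))
    return findings


def scan_tree(root_dir):
    """Run the scan over every .java file under a jadx output directory."""
    results = []
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            if fn.endswith(".java"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, kind, literal in find_hardcoded_secrets(fh.read()):
                        results.append((path, lineno, kind, literal))
    return results


if __name__ == "__main__":
    # Real use: python3 hardcode_scan.py diva-beta   (the jadx output folder)
    import sys
    if len(sys.argv) > 1:
        for path, lineno, kind, literal in scan_tree(sys.argv[1]):
            print("%s:%d: %s: %r" % (path, lineno, kind, literal))
    else:
        for lineno, kind, literal in find_hardcoded_secrets(SAMPLE_JAVA):
            print("line %d: %s: %r" % (lineno, kind, literal))
```

- A literal in an equals() comparison is not always a secret (status strings are compared the same way), so the output is a list of candidates to review, not a verdict; the point is that the one in HardcodeActivity is an authentication check against a constant that ships in the APK.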





ANDROID PT - DIVA / 1 - Insecure Logging


INSECURE LOGGING

- Layout for this exercise:



- Connecting from Santoku to Nexus 5 with ADB:




- Launching the application:
 




- The first challenge shows how insecure logging may leak sensitive information entered by users who are unaware of the vulnerability:




- The application prompts the user to enter a credit card number:




- From Santoku, the PID of the DIVA process is obtained:





- Android has a centralized logging system. Older versions exposed it to any application holding the READ_LOGS permission; since Android 4.1 that permission is no longer granted to ordinary third-party apps, but the log remains readable over ADB (adb logcat) and by system apps, so anything written to it must be treated as exposed. The adb shell logcat output filtered (grepped) by DIVA's PID shows the application's debugging messages in real time:




- To test the vulnerability, the user enters a 16-digit credit card number. The app answers with an error message:




- However, the logcat output on Santoku shows in plaintext the credit card number entered by the user:
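- As an added example (not part of the original post), the following Python script does what the grep above does, but with a check that turns it into a detection: it keeps only the lines of a given PID from logcat's threadtime format and reports any 13 to 19 digit number in them that passes the Luhn check, which is what a real card number does and a random id usually does not. The logcat lines are constructed; the PID 2345, the tag diva-log and the message text are assumptions, only the fact that the card number is written to the log comes from the post.

```python
"""Filter logcat output by PID and flag card-number-like values that pass Luhn."""
import re
import sys

# Constructed logcat lines in "threadtime" format: date time PID TID level tag: message.
# PID 2345, the tag and the message wording are assumptions, not taken from DIVA.
SAMPLE_LOGCAT = """\
12-31 10:15:01.102  2345  2345 D diva-log: entering insecure logging activity
12-31 10:15:07.551  2345  2345 E diva-log: Error while processing transaction with credit card: 4111111111111111
12-31 10:15:07.560  1122  1130 I ActivityManager: Displayed jakhar.aseem.diva/.LogActivity
12-31 10:15:09.003  2345  2345 D diva-log: order id 1234567890123456 queued
"""

LOGCAT_LINE = re.compile(r"^(\S+ \S+)\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(.*?)\s*:\s(.*)$")
# 13 to 19 digits, optionally separated by single spaces or dashes, not glued to other digits.
CANDIDATE_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def lines_for_pid(logcat_text, pid):
    """Parse threadtime lines and keep those emitted by the given PID."""
    records = []
    for line in logcat_text.splitlines():
        m = LOGCAT_LINE.match(line)
        if m and int(m.group(2)) == pid:
            records.append({"time": m.group(1), "level": m.group(4),
                            "tag": m.group(5), "msg": m.group(6)})
    return records


def find_leaked_pans(logcat_text, pid):
    """Return (tag, digits) for every Luhn-valid card-like number logged by pid."""
    hits = []
    for rec in lines_for_pid(logcat_text, pid):
        for m in CANDIDATE_PAN.finditer(rec["msg"]):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((rec["tag"], digits))
    return hits


if __name__ == "__main__":
    # Real use: adb logcat -v threadtime | python3 logcat_pan_audit.py <pid>
    if len(sys.argv) > 1:
        text, pid = sys.stdin.read(), int(sys.argv[1])
    else:
        text, pid = SAMPLE_LOGCAT, 2345
    for tag, pan in find_leaked_pans(text, pid):
        print("card number leaked to logcat (tag %s): %s...%s" % (tag, pan[:6], pan[-4:]))
```

- The "order id" line in the sample is 16 digits too but fails Luhn, so only the real card number is reported; the script also masks the number when printing, so the audit tool does not repeat the leak in its own output.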






ANDROID PT - DIVA / 0 - Introduction


INTRODUCTION

- Layout for this exercise:




1 - What is DIVA? 

- According to its developer, Aseem Jakhar, DIVA (Damn Insecure and Vulnerable App) is an application intentionally designed to be insecure.


https://github.com/payatu/diva-android

- The goal of DIVA is to teach developers and security professionals the flaws that are commonly present in apps as a result of poor or insecure coding practices.

- DIVA covers common vulnerabilities in Android apps: insecure logging, insecure storage, input validation and access control issues, plus a few vulnerabilities in native code, which makes it more interesting since it covers both Java and C vulnerabilities.


2 - Installing DIVA from Santoku Linux to Android device

- Once the application has been downloaded and extracted on Santoku Linux, the file diva-beta.apk is available to be installed and analyzed:




- Santoku connects to the mobile device:





- Installing DIVA on Nexus, using ADB (Android Debug Bridge):







- Launching the application:




- DIVA includes 13 challenges:

3 - Decompiling, reversing and analyzing the application

- To analyze and operate with DIVA's source code it is essential to decompile the application, for instance with jadx:





- Running jadx on diva-beta.apk. Although some decompilation errors are displayed, the output is produced successfully:




- As a result of executing jadx a diva-beta folder is created:





- The folder diva-beta contains all the components of the application:

- The manifest file tells that the package of the application is jakhar.aseem.diva:

- Going down the path of the folders indicated by the package:





- Once the innermost folder, diva, is reached, it contains the Java source code of all the activities used by the application, which will be very useful for finding the solution to each of DIVA's challenges:
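- As an added example (not part of the original post), the following Python script does the manifest-to-source mapping of the last two steps automatically: it reads the decompiled AndroidManifest.xml, extracts the package name and the declared components, marks which ones are exported, and resolves each component to its .java file under the jadx output folder. The manifest embedded as sample input is constructed; HardcodeActivity and InsecureDataStorage1Activity are named in the posts above, the other component names and the assumption that jadx writes sources directly under diva-beta/ are mine.

```python
"""Map a decompiled AndroidManifest.xml to component classes and jadx source paths."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def A(attr):
    """Qualified name of an android: attribute for ElementTree."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed sample manifest.  Only the package and the two challenge activities
# named in the posts are taken from DIVA; MainActivity and LogActivity are assumptions.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="jakhar.aseem.diva">
    <application android:label="Diva">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name=".LogActivity" />
        <activity android:name=".HardcodeActivity" />
        <activity android:name=".InsecureDataStorage1Activity" android:exported="true" />
    </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def resolve_class(package, name):
    """Expand the android:name shorthand (".Foo" or "Foo") to a fully qualified class."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def parse_manifest(xml_text):
    """Return {"package": str, "components": [(tag, fqcn, exported), ...]}."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    package = root.get("package")
    components = []
    app = root.find("application")
    for comp in (list(app) if app is not None else []):
        if comp.tag not in COMPONENT_TAGS:
            continue
        fqcn = resolve_class(package, comp.get(A("name")))
        exported_attr = comp.get(A("exported"))
        if exported_attr is not None:
            exported = exported_attr == "true"
        else:
            # Default before Android 12: a component with an intent filter is exported.
            exported = comp.find("intent-filter") is not None
        components.append((comp.tag, fqcn, exported))
    return {"package": package, "components": components}


def source_path(jadx_dir, fqcn):
    """Path of the .java file jadx writes for a class (inner classes live in the outer file)."""
    outer = fqcn.split("$")[0]
    return "/".join([jadx_dir] + outer.split("."))  + ".java"


if __name__ == "__main__":
    # Real use: python3 manifest_map.py diva-beta/AndroidManifest.xml diva-beta
    import sys
    if len(sys.argv) > 2:
        text, jadx_dir = open(sys.argv[1]).read(), sys.argv[2]
    else:
        text, jadx_dir = SAMPLE_MANIFEST, "diva-beta"
    info = parse_manifest(text)
    print("package:", info["package"])
    for tag, fqcn, exported in info["components"]:
        flag = "exported" if exported else "internal"
        print("%-8s %-9s %s  ->  %s" % (tag, flag, fqcn, source_path(jadx_dir, fqcn)))
```

- The exported flag is the first thing to look at when prioritising activities for the access control challenges: an exported component can be started by any other app on the device.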