A Noob's Approach to Android Pentesting: Nullcon Xtreme Android Hacking Training Experience

Trainer Introduction

Day 1

Android Architecture Diagram
Android Application Folder Structure
  • AndroidManifest.xml: Declares the package name, the app's components (activities, services, broadcast receivers, content providers) and their intent filters, the permissions the app requests and defines, and application-level flags such as android:debuggable and android:allowBackup. It is the first file to read when assessing an app.
  • java: All hand-written Java (or Kotlin) source files of the application.
  • java (generated): Source generated by the build rather than written by hand, such as the R class that maps resource IDs and BuildConfig.
  • res: The resources folder. It contains drawable, layout, mipmap, values (including strings.xml, where hardcoded secrets sometimes end up), etc.
  • build.gradle (Module): Module-specific build configuration, such as minSdk/targetSdk, dependencies and signing configs.
  • build.gradle (Project): Build configuration that applies to all modules.
  • ProGuard: An open-source command-line tool that shrinks, optimizes, and obfuscates Java bytecode. It makes decompiled code harder to read but does not prevent reverse engineering.
APK signing process

Android Application Components
  1. Activity: An Activity is a single screen with a user interface. It is the usual entry point into an app, roughly like main() in a desktop program, and each one must be declared in the manifest.
  2. Services: Components that do work in the background without a user interface, for example a music player that keeps playing while another app is in the foreground. A service runs in the app's process unless configured otherwise; it is not a separate process by itself.
  3. Broadcast Receivers: Components that react to system-wide or app-defined broadcasts, for example a receiver that listens for the connectivity-change broadcast sent by the Android system.
  4. Content Providers: Content providers manage access to structured data stored by the app and offer a way to share that data with other apps, which is why an exported provider without permissions is a classic finding.
  5. Intents: Intents are abstract descriptions of an operation to be performed. They bind components together at runtime, start activities and services, and deliver broadcasts; an intent filter in the manifest advertises which intents a component accepts.
Android Activity Lifecycle

Day 2

Useful adb shell commands covered on day 2:

adb shell pm list packages
adb shell am start -n <package>/<exported activity without proper access controls>

Re-signing a rebuilt APK with a test keystore (jarsigner produces a v1 signature, so run it before zipalign):

jarsigner -verbose -keystore [path-of-keystore] [apkfilepath] [alias]

Two ways to get Burp's CA certificate trusted on the device:
  1. The naive approach: install it through the Settings app, which places it in the user certificate store. Apps targeting API 24 or later do not trust user certificates by default, so this is often not enough.
  2. Install it directly into the system certificate store from the command line. This needs root, and the file must be named after the certificate's old-style subject hash with a .0 suffix. Refer to a dedicated guide for the exact steps.
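As an added example (not code from the training or this post), the shell script below turns an apktool-decoded AndroidManifest.xml into the am start commands used on day 2, and includes the openssl step that produces the file name the system certificate store expects. It assumes one <activity> start tag per line, which is how apktool writes the decoded manifest; the sample manifest and the package com.example.vulnapp are constructed for the demo. It goes slightly beyond the page by also catching activities that are implicitly exported through an intent-filter.

```shell
#!/bin/sh
# Added example, not from the training or the original post. The manifest is
# constructed for the demo: com.example.vulnapp and its activities are made up.
# Assumption: each <activity ...> start tag sits on one line (apktool output).

SAMPLE_MANIFEST="${TMPDIR:-/tmp}/sample_AndroidManifest.xml"
cat > "$SAMPLE_MANIFEST" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.vulnapp">
    <application android:debuggable="true" android:allowBackup="true">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name="com.example.vulnapp.AdminActivity" android:exported="true"/>
        <activity android:name=".SecretActivity" android:exported="true" android:permission="com.example.vulnapp.ADMIN"/>
        <activity android:name=".LegacyDeepLinkActivity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW"/>
                <data android:scheme="vulnapp"/>
            </intent-filter>
        </activity>
        <activity android:name=".InternalActivity"/>
        <activity android:name=".HiddenActivity" android:exported="false"/>
    </application>
</manifest>
EOF

# Package name from the <manifest> element (needed to expand ".Relative" names).
manifest_package() {
    sed -n 's/.*<manifest[^>]*package="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Prints "<package>/<fully qualified activity>" for every activity another app
# can start: android:exported="true", or no android:exported attribute but an
# <intent-filter> (implicitly exported when targetSdk < 31). Activities guarded
# by android:permission are skipped, since am start from an unprivileged app
# would be denied.
exported_activities() {
    awk -v pkg="$(manifest_package "$1")" '
        function attr(line, key,    m) {
            if (match(line, key "=\"[^\"]*\"")) {
                m = substr(line, RSTART, RLENGTH)
                sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
                return m
            }
            return ""
        }
        function emit(    full) {
            if (name == "") return
            if ((exported == "true" || (exported == "" && filter)) && perm == "") {
                full = (substr(name, 1, 1) == ".") ? (pkg name) : name
                print pkg "/" full
            }
            name = ""; exported = ""; perm = ""; filter = 0
        }
        /<activity[ >]/ {
            name = attr($0, "android:name")
            exported = attr($0, "android:exported")
            perm = attr($0, "android:permission")
            filter = 0
            if ($0 ~ /\/>/) emit()      # self-closing tag: no intent-filter possible
            next
        }
        /<intent-filter/ { filter = 1 }
        /<\/activity>/ { emit() }
    ' "$1"
}

# One "adb shell am start -n" line per reachable activity.
am_start_commands() {
    exported_activities "$1" | while read -r component; do
        printf 'adb shell am start -n %s\n' "$component"
    done
}

# File name Android's system store expects for a CA: old-style subject hash + ".0".
# Takes the DER certificate exported from Burp; needs openssl. Not run here.
burp_cert_filename() {
    openssl x509 -inform DER -in "$1" -noout -subject_hash_old | sed 's/$/.0/'
}

# Push the CA into the system store. Needs a rooted/userdebug device where
# /system can be remounted. Shown for reference, not run.
install_system_cert() {
    name="$(burp_cert_filename "$1")"
    openssl x509 -inform DER -in "$1" -out "${TMPDIR:-/tmp}/$name"   # DER -> PEM
    adb root && adb remount
    adb push "${TMPDIR:-/tmp}/$name" /system/etc/security/cacerts/
    adb shell chmod 644 "/system/etc/security/cacerts/$name"
}

echo "Exported activities reachable without a permission:"
am_start_commands "$SAMPLE_MANIFEST"
```

Run it against a real tree with exported_activities path/to/AndroidManifest.xml; the same idea applies to exported services, receivers and providers, which need am startservice, am broadcast and content query respectively. On Android 10 and later /system is usually not remountable this way even with root, so the system-store install needs a different route (for example a Magisk module).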

Day 3

  • M1: Improper Platform Usage: Misusing an Android feature or failing to use the platform's security controls. Examples are exported activities or content providers without permissions, android:debuggable="true" in a release build, and intents that leak data to any app that registers for them.
  • M2: Insecure Data Storage: Data is the new oil, and storing it securely must be a primary aim of any application. Sensitive data ends up in shared preferences, SQLite databases, log output, external storage and application memory, usually in plaintext and readable on a rooted device or through a backup.
  • M3: Insecure Communication: Most apps talk to a server, so the security of that channel matters: plaintext HTTP, weak TLS configuration, or certificate validation that accepts anything lets an attacker on the network read or modify traffic.
  • M4: Insecure Authentication: The familiar class of web issues, plus mobile-specific ones such as authentication that is only enforced on the client, weak session handling, and offline authentication that can be bypassed.
  • M5: Insufficient Cryptography: The developer uses cryptography, but an attacker can still recover the plaintext, for example because the key is hardcoded in the app (and therefore recoverable by decompiling it), a weak or homegrown algorithm is used, or a random IV is replaced with a constant.
  • M6: Insecure Authorization: The server fails to check what the authenticated user is allowed to do, which leads to privilege escalation and access to other users' data.
  • M7: Client Code Quality: Code-level bugs in the app itself, such as buffer overflows or format string bugs in native code, and logic that can be bypassed on the client.
  • M8: Code Tampering: An attacker modifies the app (patching out checks, injecting code) and redistributes or runs it. Defences are runtime integrity and signature checks in the app and, above all, a server that does not trust anything the client asserts.
  • M9: Reverse Engineering: Decompiling the app lets an attacker read its logic and find secrets and weaknesses. Obfuscation (such as ProGuard) raises the effort but does not prevent it.
  • M10: Extraneous Functionality: Debug logging, hidden test endpoints, and backdoor switches left in by developers to ease development end up in production builds and give attackers a way in.

Day 4

  1. Start by decompiling the application (apktool for the manifest, resources and smali; a Java decompiler such as jadx for readable source) and reading the source. Head straight for AndroidManifest.xml first: exported components, requested permissions, and flags such as android:debuggable and android:allowBackup.
  2. Look for hardcoded credentials, secrets, hidden paths and endpoints in the source, strings.xml and assets.
  3. Try to bypass the root check by editing the function responsible for it (in the smali, typically making it return false), rebuilding the APK with apktool, and re-signing it, since the original signature no longer matches the modified package.
  4. Understand the application flow.
  5. If you cannot proxy your traffic through Burp, install the Burp CA certificate in the system certificate store. If traffic still does not appear after that, the app is probably pinning its certificate.
  6. Understand the code responsible for encrypting and decrypting important values. Use CyberChef to decrypt and encrypt them, or create a Java class locally, replicate the function (same algorithm, key and IV) and encrypt or decrypt the data yourself.
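As an added example (not code from the training or this post), the shell script below does a first pass over an apktool-decoded APK directory along the lines of steps 1 to 3: it greps the decoded tree for hardcoded secrets and endpoints, reports risky manifest flags, and patches a root-check method in smali so it always returns false, ready for apktool b and re-signing. The decoded tree is constructed for the demo; com.example.vulnapp, RootCheck.isDeviceRooted and the key material are made up. The rebuild step uses apksigner rather than the jarsigner command from day 2, because apksigner produces v2+ signatures and runs after zipalign.

```shell
#!/bin/sh
# Added example, not from the training or the original post. Everything under
# $WORK is constructed: the package, the smali and the secrets are made up.

WORK="${TMPDIR:-/tmp}/vulnapp_decoded"
mkdir -p "$WORK/smali/com/example/vulnapp" "$WORK/res/values"

cat > "$WORK/AndroidManifest.xml" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.vulnapp">
    <application android:debuggable="true" android:allowBackup="true" android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity" android:exported="true"/>
    </application>
</manifest>
EOF

cat > "$WORK/res/values/strings.xml" <<'EOF'
<resources>
    <string name="app_name">VulnApp</string>
    <string name="api_key">sk_live_constructed_demo_key_0000</string>
    <string name="debug_endpoint">http://10.0.2.2:8080/admin/debug</string>
</resources>
EOF

cat > "$WORK/smali/com/example/vulnapp/RootCheck.smali" <<'EOF'
.class public Lcom/example/vulnapp/RootCheck;
.super Ljava/lang/Object;

.field private static final AES_KEY:Ljava/lang/String; = "0123456789abcdef"

.method public static isDeviceRooted()Z
    .locals 1

    invoke-static {}, Lcom/example/vulnapp/RootCheck;->suBinaryExists()Z
    move-result v0
    if-eqz v0, :cond_0

    const/4 v0, 0x1
    return v0

    :cond_0
    const/4 v0, 0x0
    return v0
.end method

.method private static suBinaryExists()Z
    .locals 1
    const/4 v0, 0x1
    return v0
.end method
EOF

# Grep the decoded tree for things worth a closer look. Patterns are broad on
# purpose; expect to triage false positives by hand.
find_secrets() {
    grep -rniE \
        -e '(api[_-]?key|secret|passw(or)?d|token)' \
        -e 'https?://' \
        -e '\.field .*(KEY|IV|SALT)[A-Za-z_]*:.*= "' \
        -e 'BEGIN (RSA |EC )?PRIVATE KEY' \
        "$1" | grep -v 'schemas.android.com'
}

# Application flags that make dynamic testing easier and the app weaker.
manifest_flags() {
    grep -oE 'android:(debuggable|allowBackup|usesCleartextTraffic)="true"' \
        "$1/AndroidManifest.xml" | sed 's/^android://'
}

# Rewrite the body of one boolean smali method to "return false", the usual
# way to neuter a root check before rebuilding. $1 = smali file,
# $2 = signature as it appears after the modifiers, e.g. 'isDeviceRooted()Z'.
patch_boolean_method_false() {
    awk -v sig="$2" '
        index($0, ".method ") == 1 && index($0, " " sig) {
            print; print "    .locals 1"; print "    const/4 v0, 0x0"; print "    return v0"
            skip = 1; next
        }
        skip && /^\.end method/ { skip = 0 }
        !skip { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Non-blank body lines of one method, to eyeball (or assert on) the patch.
method_body() {
    awk -v sig="$2" '
        index($0, ".method ") == 1 && index($0, " " sig) { inside = 1; next }
        inside && /^\.end method/ { exit }
        inside && NF { print }
    ' "$1"
}

# Rebuild, align and sign with a throwaway key. Needs apktool, zipalign, keytool
# and apksigner (Android build-tools) on PATH, so it is shown here but not run.
rebuild_and_sign() {
    apktool b "$1" -o unsigned.apk
    zipalign -p 4 unsigned.apk aligned.apk
    [ -f pentest.keystore ] || keytool -genkeypair -keystore pentest.keystore -alias pentest \
        -keyalg RSA -keysize 2048 -validity 365 -storepass pentest -keypass pentest -dname "CN=pentest"
    apksigner sign --ks pentest.keystore --ks-key-alias pentest \
        --ks-pass pass:pentest --key-pass pass:pentest --out "$2" aligned.apk
    apksigner verify --verbose "$2"
}

echo "== candidate secrets =="; find_secrets "$WORK"
echo "== manifest flags =="; manifest_flags "$WORK"
patch_boolean_method_false "$WORK/smali/com/example/vulnapp/RootCheck.smali" 'isDeviceRooted()Z'
echo "== patched isDeviceRooted =="
method_body "$WORK/smali/com/example/vulnapp/RootCheck.smali" 'isDeviceRooted()Z'
```

After patching, rebuild_and_sign "$WORK" patched.apk followed by adb install -r patched.apk gets the modified app onto the device. The patch keeps .locals 1 because the replaced body only needs one register; if the original method used more registers and other code in the class depends on it, the smali still verifies since the count is per method.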

References:

  1. Nullcon Xtreme Android Hacking Training
  2. https://www.appsealing.com/owasp-mobile-top-10-a-comprehensive-guide-for-mobile-developers-to-counter-risks/
  3. https://developer.android.com/guide
  4. https://owasp.org/www-project-mobile-top-10/
