This write-up covers the basics of Android, how to set up an Android pentesting lab, and two vulnerabilities that are common in Android applications.
Android is an open-source mobile operating system. Because it is open source, Android is the first choice for developers as well as consumers.
The Android Operating System is divided into 4 layers.
As shown above, the first layer is the application layer, in which all the applications installed on the phone live. They run within the Android runtime with the help of the classes and services provided by the application framework.
The Application Framework layer provides many higher-level services to applications in the form of Java classes. Application developers are allowed to make use of these services in their applications. Content providers and activity managers are examples.
Dalvik Virtual Machine | Android Run Time
These are external libraries that are used for additional features or functions.
This layer is responsible for allocating hardware to the applications, and it contains all the drivers. It provides Android with several key security features, like
Android security architecture consists of two models. They are:
Linux Security Model
In the Linux security model, each app runs as a unique Linux user ID. Linux uses this to isolate applications from each other.
Here you can see that we are inside the package folder of the application diva, which is installed on the virtual device. The system has assigned a user ID (u0_a74) to every resource inside the package, so if there is a malicious application on the device it cannot access or affect other applications.
Android Security Model
In the Android security model, the user's privacy is protected by means of permissions. We are all familiar with the dialog shown above, where we grant some of the permissions an application asks for. The permissions an application requires are declared in its AndroidManifest.xml file.
So, what is AndroidManifest.xml?
What is an APK?
The AndroidManifest.xml file is the control file that tells the system what to do with all the top-level components (specifically activities, services, broadcast receivers, and content providers) in an application. It also specifies which permissions are required. This file may be in Android binary XML, which can be converted into human-readable plaintext XML with tools such as apktool.
classes.dex: the application classes compiled into the dex file format understood by the Dalvik virtual machine.
lib/: the directory containing compiled native code specific to a processor architecture; it is split into one subdirectory per architecture.
res/: the directory containing resources that are not compiled into resources.arsc.
assets/: a directory containing the application's assets, which can be retrieved through AssetManager.
resources.arsc: a file containing precompiled resources, such as binary XML.
Setting up a lab
If you have already installed VirtualBox on your PC, download Genymotion using the second option; if you have not installed VirtualBox, download Genymotion bundled with VirtualBox.
After completing the installation, you have to download a virtual device. We chose the Google Nexus 6. After that, click the install button.
Now it's time to customize your device. You can set the network mode and other settings as you wish, or follow the settings shown in the image above. When you are done, click install and wait for the installation to complete.
We have almost finished setting up the virtual device. The next step is to install the Google Play Store on it: click the "OpenGapps" icon and the download will start. After the installation completes, reboot the device.
Configuring virtual device with Burp suite
First, you have to configure the proxy settings of the virtual device.
Now you have completed the configuration in Burp Suite.
The last step is to add the Burp CA certificate to the virtual device.
Perfect! We successfully captured the requests from the virtual device.
Practical Time 🙂
Let’s discuss two vulnerabilities that have a high chance to be found in real world applications.
1. Hardcoding Issues
Hard-coding issues arise when developers hard-code sensitive strings inside the source code. Hardcoded data might be a password, an access token, etc.
Now we are going to connect to the device using adb.
adb connect [ip address]:[port]
You have now successfully connected to the device. The next step is to get a shell on the device. To do that, run the following command:
We are going to practice the testing on the application named DIVA (Damn Insecure and Vulnerable Application).
As you can see, diva is already installed in my device.
You can install apk using adb, for that use the following command:
adb install diva.apk
Now open diva app and click on the challenge named Hardcoding Issue Part 1.
So it asks the user for a key to gain access. When you type any value and click Access, it shows Access Denied.
So now you have to inspect the source code of the activity.
First, you need to unzip the apk.
Next, you have to read the contents of the file "classes.dex", but it is not in a human-readable format. So the next step is to convert the dex file to jar format; to do that you can use the d2j-dex2jar tool.
After executing this command there will be a new file in .jar format.
Here you can find the source code of every activity that is in the application. You are here to inspect the source code of the Hardcoded Issue, so open the corresponding file:
Here you can see that the developer hardcoded a sensitive string in the source code. Whatever the user enters in the box is compared against this key.
Now let’s enter this key in the box and see what happens.
These types of security vulnerabilities are known as Hard-coding Issues. That's all about Hard-coding issues. Now let's move on to another vulnerability.
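As an added example (not code from the write-up or from DIVA), the check below scans decompiled Java source for the two patterns that produced the finding above: a string literal passed straight to equals(), and a constant whose name suggests a credential. The sample source is constructed to mimic such an activity and is not DIVA's code.

```python
import re

# Constructed sample standing in for one decompiled activity (hypothetical, not DIVA's code).
SAMPLE_SOURCE = '''
package com.example.app;

public class HardcodeActivity extends Activity {
    private static final String API_TOKEN = "constructed-token-0000";
    public void access(View view) {
        EditText et = (EditText) findViewById(R.id.hcKey);
        if (et.getText().toString().equals("vendor_secret_key_123")) {
            Toast.makeText(this, "Access granted!", 0).show();
        } else {
            Toast.makeText(this, "Access denied!", 0).show();
        }
    }
}
'''

# Patterns that usually point at a hardcoded secret in decompiled Java:
#  - a literal compared with equals()/equalsIgnoreCase(), as in the DIVA check above
#  - a String constant whose name contains KEY/TOKEN/SECRET/PASSWORD/PWD
PATTERNS = [
    ("equals-literal", re.compile(r'\.equals(?:IgnoreCase)?\(\s*"([^"]+)"\s*\)')),
    ("secret-constant", re.compile(
        r'String\s+(\w*(?:KEY|TOKEN|SECRET|PASS(?:WORD)?|PWD)\w*)\s*=\s*"([^"]+)"', re.I)),
]


def find_hardcoded_secrets(source: str):
    """Return (line_no, kind, literal) for each suspicious string literal in source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(line):
                # the last capture group is always the literal value itself
                findings.append((lineno, kind, m.group(m.lastindex)))
    return findings


if __name__ == "__main__":
    for lineno, kind, literal in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {literal!r}")
```

Run it over every .java file that jd-gui exports from the .jar to triage an application before reading activities by hand.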
2. Insecure Data Storage
Insecure data storage means that developers sometimes store sensitive information without encryption. The issue here is that storing user data such as passwords and tokens in plain text allows any other application to read that sensitive data.
Let’s practice this on the diva.
We have opened the Insecure Data Storage challenge in diva.
Now we can save our credentials. For that, we enter a username and password and click Save.
It says that the credentials were saved successfully. Now let's inspect the source code of the activity. To do that, repeat the process from the last challenge, that is, open the .jar file using jd-gui.
We can see that the credentials are stored in the SharedPreferences folder.
So let’s navigate to that folder.
Now we are inside the package folder of the application diva. Inside it is the folder we are looking for, "SharedPreferences"; the source code of this application says the credentials are stored there.
The next step is inspecting the contents of this folder.
We can see that there is one XML file. Let's read the contents of this file.
Here we can see that the credentials that are entered are stored in plain text and also in insecure locations.
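As an added example (not from the write-up or DIVA), the audit below parses a SharedPreferences XML file of the kind pulled from the device above and flags entries whose key name looks credential-like. The sample file is constructed in the format Android writes (a <map> of typed entries); Android does not encrypt this file, so every flagged value is stored exactly as shown.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a SharedPreferences XML file (same format Android writes, not DIVA's real file).
SAMPLE_PREFS = '''<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user">alice</string>
    <string name="password">hunter2</string>
    <boolean name="remember_me" value="true" />
    <int name="launch_count" value="3" />
</map>
'''

# Key-name fragments that usually mean the entry holds a credential or session secret.
SENSITIVE_KEYS = ("user", "pass", "pwd", "token", "secret", "key", "session", "cred")


def audit_shared_prefs(xml_text: str):
    """Return {name: value} for entries whose key name looks credential-like.

    SharedPreferences files are plain XML, so any value returned here is
    readable as-is by anyone who can read the file.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "map":
        raise ValueError("not a SharedPreferences file")
    flagged = {}
    for entry in root:
        name = entry.get("name", "")
        if not any(k in name.lower() for k in SENSITIVE_KEYS):
            continue
        # <string> keeps the value as element text; boolean/int/long/float use a value attribute
        value = entry.text if entry.tag == "string" else entry.get("value")
        flagged[name] = value
    return flagged


if __name__ == "__main__":
    for name, value in audit_shared_prefs(SAMPLE_PREFS).items():
        print(f"plaintext credential in prefs: {name} = {value!r}")
```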