Friday, 27 December 2019

Testing Android apps - mini lab

The last time we talked about Android apps on the blog we tried to play "Assassin's Creed". Today I decided to build a small lab and have it ready for future projects. Below you'll find a few notes about it. Here we go...

Today we will start here:



To create my Small Android Lab I used:
- apktool (on Kali Linux)
- Android Studio (for Windows)
- jd-gui

As a quick warm-up I decided to check an application called DIVA. To install it I prepared 3 different Android (AVD) images (API versions)*:


*If your APK does not work (or cannot be installed), try an older API level as well (that is why I am using API 19 as well as 29). Install it with:

cmd> adb install diva.apk


We should be somewhere here:


Checking the first challenge:


You can check this from an adb shell on the emulator (the # prompt means root), grepping logcat for the PID of the app process:
# logcat | grep <PID-of-app>
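Grepping a PID still leaves you reading every line by eye. The script below, an added example that is not code from the original post or from DIVA, does the same check offline: it parses logcat in threadtime format (`adb logcat -v threadtime`), keeps only the lines written by the app's PID and flags messages containing a Luhn-valid card number, so random numeric IDs are not reported. The log lines, tag, PID and card number are constructed for the example; on a real device you would feed it the output of `adb logcat -v threadtime` and take the PID from `adb shell pidof <package>`.

```python
"""Filter logcat output for one PID and flag lines that leak card numbers.

Added example for the insecure-logging challenge; not code from the
original post or from DIVA. SAMPLE_LOGCAT is constructed to resemble
`adb logcat -v threadtime` output; tag, PID and card number are made up.
"""
import re

# threadtime format: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]+):\s?(?P<msg>.*)$"
)
# 13-19 digit runs, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: PID 4521 is the app under test, PID 1337 is another app.
SAMPLE_LOGCAT = """\
12-27 10:15:31.004  4521  4521 D AppUnderTest: button clicked
12-27 10:15:32.123  4521  4521 E AppUnderTest: Error while processing transaction with credit card: 4111111111111111
12-27 10:15:32.200  1337  1337 I OtherApp: order id 4111111111111111
12-27 10:15:33.001  4521  4533 D AppUnderTest: request id 1234567890123456
"""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops numeric IDs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_logcat(text: str):
    """Yield one dict per threadtime-format line; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LOGCAT_RE.match(line)
        if m:
            yield m.groupdict()


def find_card_leaks(text: str, pid: int):
    """Return (tag, card) pairs for lines logged by `pid` that contain a Luhn-valid number."""
    leaks = []
    for rec in parse_logcat(text):
        if int(rec["pid"]) != pid:
            continue
        for cand in CARD_RE.findall(rec["msg"]):
            digits = re.sub(r"[ -]", "", cand)
            if luhn_ok(digits):
                leaks.append((rec["tag"], digits))
    return leaks


if __name__ == "__main__":
    for tag, pan in find_card_leaks(SAMPLE_LOGCAT, 4521):
        print(f"PID 4521, tag {tag}: logged card number {pan}")
```

Only the second sample line is reported for PID 4521: the third belongs to another process and the fourth fails the Luhn check. Extend CARD_RE with other patterns (tokens, e-mail addresses) for the data your target handles.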


The next challenge I tried - 3. Insecure Data Storage - Part 1:


Verifying against the source, we are here:


We will get back to that case later ;)

Next challenge - 5. Insecure Data Storage - Part 3:


According to the source, we should see the stored (cleartext) passwords here:


Verifying:


Checking Part 4:


Proof in the adb shell:

The next challenge - related to input validation - was pretty quick and cool:


More results:


Verifying with the source (jd-gui):


Challenge 8 - another input validation case:


(I wish for this kind of bug during future pentest projects ;))

At this stage I decided to install drozer agent:


After a while we should have a working agent installed on our emulated Android phone:


If you are not familiar with drozer, I suggest you read the funky manual first ;)

So... after a while with my new lab I decided to check some 'real' APK files. My first guess was to check HackerOne and an app called MobiSystems. Now - remember the case with 'stored credentials'? ;)

Let's add a new file (Select file) and add a new server location:


It's saved (and now on the phone we should see the created g.xml file):


When you read the (g.xml) file:


You will see the saved password.
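The DIVA data-storage challenges above and this g.xml case are the same check: pull the app's preferences file and look for credential-like keys whose values are stored as-is. The script below is an added example, not code from the original post, from DIVA or from the app discussed, and the XML it scans is constructed (the key names are made up and do not claim to reproduce g.xml). It parses a SharedPreferences-style `<map>` file, reports string entries whose key name looks like a credential, and distinguishes plain cleartext from values that are merely base64-encoded, a common "obfuscation" that still counts as cleartext storage. To get the real file from an emulator use `adb shell cat /data/data/<package>/shared_prefs/<file>.xml` as root, or `adb shell run-as <package> cat shared_prefs/<file>.xml` when the build is debuggable.

```python
"""Scan a pulled SharedPreferences XML file for credentials stored in cleartext.

Added example for the insecure data storage challenges and the g.xml case;
not code from the original post, from DIVA or from the app under test.
SAMPLE_PREFS is constructed; the key names are made up.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Key names that usually hold a secret. Extend for the target's vocabulary.
SECRET_KEY_RE = re.compile(r"pass|pwd|secret|token|api[_-]?key|credential", re.I)

SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user">alice</string>
    <string name="password">Winter2019!</string>
    <string name="server_url">ftp://files.example.test</string>
    <string name="server_pwd">V2ludGVyMjAxOSE=</string>
    <boolean name="remember_password" value="true" />
    <int name="login_count" value="3" />
</map>
"""


def _looks_base64(value: str) -> bool:
    """True if value is valid base64 that decodes to printable ASCII (encoded, not encrypted)."""
    if len(value) < 8 or len(value) % 4:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return raw.isascii() and raw.decode("ascii").isprintable()


def find_cleartext_secrets(xml_text: str):
    """Return (key, value, note) for entries whose key name suggests a credential.

    Non-string entries (boolean/int/long/float) are reported with their type so a
    flag such as remember_password is visible but not mistaken for the secret itself.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError(f"not a SharedPreferences file (root element is {root.tag!r})")
    findings = []
    for el in root:
        key = el.get("name", "")
        if not SECRET_KEY_RE.search(key):
            continue
        if el.tag == "string":
            value = (el.text or "").strip()
            if _looks_base64(value):
                note = "base64-encoded, decodes to printable text"
            else:
                note = "cleartext"
            findings.append((key, value, note))
        else:
            findings.append((key, el.get("value", ""), f"{el.tag} flag"))
    return findings


if __name__ == "__main__":
    for key, value, note in find_cleartext_secrets(SAMPLE_PREFS):
        print(f"{key} = {value!r}  [{note}]")
```

On the sample file this reports `password` as cleartext, `server_pwd` as base64 that decodes to the same string, and `remember_password` as a boolean flag; `user` and `server_url` are left alone. The base64 check matters in practice: a value that does not read as a password at first glance is still recoverable by anyone who can read the file.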

And now some bonus info: TL;DR if you are pentesting APKs from a rooted device, HackerOne will not accept this bug. ;) (Reading another app's private storage needs root or a debuggable build, so the precondition is an already-compromised device.)

Anyway...


See you next time! ;)

Cheers
