Today we will start here:
To create my Small Android Lab I used:
- apktool (on Kali Linux)
- Android Studio (for Windows)
- jd-gui
As a quick warm-up I decided to check an application called DIVA. To install it I prepared 3 different Android (AVD) images (API versions)*:
*If your APK is not working (or cannot be installed), try preparing an older API level (that's why I'm using version 19 as well as 29). Install it with:
cmd> adb install diva.apk
We should be somewhere here:
Checking first challenge:
You can check this using:
# logcat | grep PID-of-apk
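The logging challenge above comes down to reading the app's own logcat lines. As an added example (not from the original post), the script below filters captured logcat output down to one PID and flags lines that look like leaked credentials. The log lines are constructed in logcat's threadtime format; the tag `diva-log` and PID values are assumptions, not real output from DIVA.

```shell
#!/bin/sh
# Added example (not from the original post): filter captured logcat output
# for one app's PID and flag lines that look like leaked credentials.
# The sample lines are constructed in `adb logcat -v threadtime` format
# (date time PID TID level tag: message). In practice you would pipe real
# logcat output in and take the PID from `adb shell pidof <package>`.

SAMPLE_LOG='04-01 12:00:01.100  1234  1234 D diva-log: User has logged in
04-01 12:00:01.101  1234  1234 E diva-log: An error occured while processing the transaction with credit card: 4111111111111111
04-01 12:00:01.102  5678  5678 I ActivityManager: Displayed com.example/.Main
04-01 12:00:01.103  1234  1240 I diva-log: password=s3cret sent to server
04-01 12:00:01.104  1234  1234 V diva-log: heartbeat ok'

# log_lines_for_pid PID : keep only lines whose third field (the PID) matches
log_lines_for_pid() {
    awk -v pid="$1" '$3 == pid'
}

# flag_sensitive : keep lines mentioning credential-like material or a
# 13-16 digit number (card-number shaped)
flag_sensitive() {
    grep -iE 'password|passwd|pwd|token|secret|credit card|[0-9]{13,16}'
}

# count_leaks PID : number of suspicious lines logged by PID in the sample
count_leaks() {
    printf '%s\n' "$SAMPLE_LOG" | log_lines_for_pid "$1" | flag_sensitive | wc -l | tr -d ' '
}

# Stand-alone run: show the flagged lines for the constructed app PID
printf '%s\n' "$SAMPLE_LOG" | log_lines_for_pid 1234 | flag_sensitive
```

With a real device the first pipeline becomes `adb logcat -v threadtime | log_lines_for_pid "$(adb shell pidof <package>)" | flag_sensitive`; the point for the developer is that anything written with `Log.*` is readable by every other app on older API levels and by anyone with adb access, so such lines should never reach a release build.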
The next challenge I tried was 3. Insecure Data Storage - Part 1:
Verifying with the source, we are here:
We will get back to that case later ;)
Next challenge - 5. Insecure Data Storage - Part 3:
According to the source, we should see stored (in cleartext) passwords here:
Verifying:
Checking Part 4:
Proof in the adb shell:
The next challenge, related to input validation, was pretty quick and cool:
More results:
Verifying with the source (jd-gui):
Challenge 8 - another input validation case:
(I wish there were bugs like this during (future) pentest project(s) ;))
At this stage I decided to install drozer agent:
After a while we should have a working agent installed on our emulated Android phone:
If you are not familiar with drozer, I suggest you read the funky manual first ;)
So... after a while with my new lab I decided to check some 'real' APK files. My first guess was to check HackerOne and the app called MobiSystems. Now - remember the case with 'stored credentials'? ;)
Let's add a new file (Select file) and add a new server location:
It's saved (and now on the phone we should see the created g.xml file):
When you read the (g.xml) file:
You will see the saved password.
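Both the DIVA "Insecure Data Storage" challenges and the g.xml case above are the same finding: a SharedPreferences XML file with a credential stored in cleartext. As an added example (not from the original post or from either app), the script below audits such a file for credential-looking keys with non-empty values. The XML content, the key names and the file name are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit a SharedPreferences XML
# file (the kind found under /data/data/<package>/shared_prefs/ on the
# emulator) for credential-looking keys stored with cleartext values.
# The XML below is constructed; the key names are assumptions.

SAMPLE_PREFS='<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<map>
    <string name="user">tester</string>
    <string name="password">p@ssw0rd</string>
    <string name="server">files.example.test</string>
    <string name="token"></string>
</map>'

# prefs_entries FILE : print each <string> entry as name=value, one per line
prefs_entries() {
    sed -n 's/.*<string name="\([^"]*\)">\([^<]*\)<\/string>.*/\1=\2/p' "$1"
}

# cleartext_secrets FILE : entries whose key looks like a credential and
# whose value is non-empty (an empty value is not a leak, so it is skipped)
cleartext_secrets() {
    prefs_entries "$1" | grep -iE '^[^=]*(pass|pwd|token|secret|key)[^=]*=.+$'
}

# audit_sample : write the constructed XML to a temp file and return the
# number of cleartext secrets found in it
audit_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PREFS" > "$tmp"
    n=$(cleartext_secrets "$tmp" | wc -l | tr -d ' ')
    rm -f "$tmp"
    echo "$n"
}

# Stand-alone run: report how many cleartext secrets the sample contains
echo "cleartext secrets in sample: $(audit_sample)"
```

On the emulator the file would be obtained with `adb shell cat /data/data/<package>/shared_prefs/<file>.xml` (root, as on the AVD) or `adb shell run-as <package> cat shared_prefs/<file>.xml` for a debuggable build, and then passed to `cleartext_secrets`. The fix on the app side is not to store the password at all, or to keep it in the Android Keystore-backed encrypted storage rather than a plain XML file.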
And now bonus info: TL;DR: if you're pentesting APK apps from a rooted device, HackerOne will not accept this bug. ;)
Anyway...
See you next time! ;)
Cheers