hacktricks/mobile-pentesting/android-app-pentesting/README.md

883 lines
56 KiB
Markdown
Raw Normal View History

2022-04-28 23:27:22 +00:00
# Android Applications Pentesting
2022-04-28 16:01:33 +00:00
<details>
2023-04-25 18:35:28 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-09-09 11:57:02 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
2022-12-27 16:55:40 +00:00
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
2022-04-28 16:01:33 +00:00
</details>
<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
2022-10-27 23:22:18 +00:00
2023-07-14 15:03:41 +00:00
**HackenProof is home to all crypto bug bounties.**
2023-02-27 09:28:45 +00:00
2023-07-14 15:03:41 +00:00
**Get rewarded without delays**\
HackenProof bounties launch only when their customers deposit the reward budget. You'll get the reward after the bug is verified.
2023-02-27 09:28:45 +00:00
2023-07-14 15:03:41 +00:00
**Get experience in web3 pentesting**\
Blockchain protocols and smart contracts are the new Internet! Master web3 security at its rising days.
2023-02-27 09:28:45 +00:00
2023-07-14 15:03:41 +00:00
**Become the web3 hacker legend**\
Gain reputation points with each verified bug and conquer the top of the weekly leaderboard.
[**Sign up on HackenProof**](https://hackenproof.com/register) start earning from your hacks!
{% embed url="https://hackenproof.com/register" %}
2022-10-27 23:22:18 +00:00
2022-05-01 13:25:53 +00:00
## Android Applications Basics
2021-04-21 14:06:28 +00:00
It's highly recommended to start reading this page to know about the **most important parts related to Android security and the most dangerous components in an Android application**:
{% content-ref url="android-applications-basics.md" %}
[android-applications-basics.md](android-applications-basics.md)
{% endcontent-ref %}
2021-04-20 15:03:28 +00:00
2022-05-01 13:25:53 +00:00
## ADB (Android Debug Bridge)
This is the main tool you need to connect to an android device (emulated or physical).\
It allows you to control your device over **USB** or **Network** from a computer, **copy** files back and forth, **install** and uninstall apps, run **shell** commands, perform **backups**, read **logs** and more.
2022-12-27 16:55:40 +00:00
Take a look to the following list of [**ADB Commands**](adb-commands.md) to learn how to use adb.
2022-05-01 13:25:53 +00:00
## Smali
Sometimes it is interesting to **modify the application code** to access **hidden information** (maybe well obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it.\
[**In this tutorial** you can **learn how to decompile and APK, modify Smali code and recompile the APK** with the new functionality](smali-changes.md). This could be very useful as an **alternative for several tests during the dynamic analysis** that are going to presented. Then, **keep always in mid this possibility**.
2022-05-01 13:25:53 +00:00
## Other interesting tricks
* [Spoofing your location in Play Store](spoofing-your-location-in-play-store.md)
* **Download APKs**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/)
2022-03-01 00:31:19 +00:00
* Extract APK from device:
```bash
2022-03-01 00:31:19 +00:00
adb shell pm list packages
com.android.insecurebankv2
adb shell pm path com.android.insecurebankv2
package:/data/app/com.android.insecurebankv2-Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
adb pull /data/app/com.android.insecurebankv2- Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
```
2022-05-01 13:25:53 +00:00
## Static Analysis
First of all, for analysing an APK you should **take a look to the to the Java code** using a decompiler.\
Please, [**read here to find information about different available decompilers**](apk-decompilers.md).
2022-05-01 13:25:53 +00:00
### Looking for interesting Info
Just taking a look to the **strings** of the APK you can search for **passwords**, **URLs** ([https://github.com/ndelphit/apkurlgrep](https://github.com/ndelphit/apkurlgrep)), **api** keys, **encryption**, **bluetooth uuids**, **tokens** and anything interesting... look even for code execution **backdoors** or authentication backdoors (hardcoded admin credentials to the app).
2022-04-28 23:27:22 +00:00
**Firebase**
2022-05-01 13:25:53 +00:00
Pay special attention to **firebase URLs** and check if it is bad configured. [More information about whats is FIrebase and how to exploit it here.](../../network-services-pentesting/pentesting-web/buckets/firebase-database.md)
2022-05-01 13:25:53 +00:00
### Basic understanding of the application - Manifest.xml, strings.xml
Using any of the **decompilers** mentioned [**here** ](apk-decompilers.md)you will be able to read the _Manifest.xml_. You could also **rename** the **apk** file extension **to .zip** and **unzip** it.\
Reading the **manifest** you can find **vulnerabilities**:
2022-02-12 12:08:47 +00:00
* First of all, check if **the application is debuggeable**. A production APK shouldn't be (or others will be able to connect to it). You can check if an application is debbugeable looking in the manifest for the attribute `debuggable="true"` inside the tag _\<application_ Example: `<application theme="@2131296387" debuggable="true"`
* [Learn here](drozer-tutorial/#is-debuggeable) how to find debuggeable applications in a phone and exploit them
2022-02-12 12:08:47 +00:00
* **Backup**: The **`android:allowBackup`** attribute defines whether application data can be backed up and restored by a user who has enabled usb debugging. If backup flag is set to true, it allows an attacker to take the backup of the application data via adb even if the device is not rooted. Therefore applications that handle and store sensitive information such as card details, passwords etc. should have this setting explicitly set to **false** because by default it is set to **true** to prevent such risks.
* `<application android:allowBackup="false"`
2022-02-12 12:08:47 +00:00
* **NetworkSecurity:** The application network security can be overwritten the defaults values with **`android:networkSecurityConfig="@xml/network_security_config"`**. A file with that name may be put in _**res/xml.**_ This file will configure important security settings like certificate pins or if it allows HTTP traffic. You can read here more information about all the things that can be configure, but check this example about how to configure HTTP traffic for some domains:
* `<domain-config cleartextTrafficPermitted="true"> <domain includeSubdomains="true">formation-software.co.uk </domain></domain-config>`
* **Exported activities**: Check for exported activities inside the manifest as this could be dangerous. Later in the dynamic analysis it will be explained how [you can abuse this behaviour](./#exploiting-exported-activities-authorisation-bypass).
2021-06-04 10:39:12 +00:00
* **Content Providers**: If an exported provider is being exposed, you could b able to access/modify interesting information. In dynamic analysis [you will learn how to abuse them](./#exploiting-content-providers-accessing-and-manipulating-sensitive-information).
* Check for **FileProviders** configurations inside the attribute `android:name="android.support.FILE_PROVIDER_PATHS"`. [Read here to learn more about FileProviders](./#fileprovider).
* **Exposed Services**: Depending on what the service is doing internally vulnerabilities could be exploited. In dynamic analysis [you will learn how to abuse them](./#exploiting-services).
* **Broadcast Receivers**: [You will learn how you can possibly exploit them](./#exploiting-broadcast-receivers) during the dynamic analysis.
* **URL scheme**: Read the code of the activity managing the schema and look for vulnerabilities managing the input of the user. More info about [what is an URL scheme here](./#url-schemes).
2021-04-20 15:03:28 +00:00
* **minSdkVersion**, **targetSDKVersion**, **maxSdkVersion**: They indicate the versions of Android the app will run on. It's important to keep them in mind because from a security perspective, supporting old version will allow known vulnerable versions of android to run it.
2020-10-13 11:29:54 +00:00
Reading **resources.arsc/strings.xml** you can find some **interesting info**:
* API Keys
* Custom schemas
* Other interesting info developers save in this file
2022-05-01 13:25:53 +00:00
### Tapjacking
2021-04-22 11:37:18 +00:00
**Tapjacking** is an attack where a **malicious** **application** is launched and **positions itself on top of a victim application**. Once it visibly obscures the victim app, its user interface is designed in such a way as to trick the user to interact with it, while it is passing the interaction along to the victim app.\
In effect, it is **blinding the user from knowing they are actually performing actions on the victim app**.
2021-05-29 13:27:23 +00:00
Find more information in:
{% content-ref url="tapjacking.md" %}
[tapjacking.md](tapjacking.md)
{% endcontent-ref %}
2021-04-22 11:51:49 +00:00
2022-05-01 13:25:53 +00:00
### Task Hijacking
An **activity** with the **`launchMode`** set to **`singleTask` without any `taskAffinity`** defined is vulnerable to task Hijacking. This means, that an **application** can be installed and if launched before the real application it could **hijack the task of the real application** (so the user will be interacting with the **malicious application thinking he is using the real one**).
More info in:
{% content-ref url="android-task-hijacking.md" %}
[android-task-hijacking.md](android-task-hijacking.md)
{% endcontent-ref %}
2022-05-01 13:25:53 +00:00
### Insecure data storage
2022-04-28 23:27:22 +00:00
**Internal Storage**
Files **created** on **internal** storage are **accessible** only by the **app**. This protection is implemented by Android and is sufficient for most applications. But developers often use `MODE_WORLD_READBALE` & `MODE_WORLD_WRITABLE` to give access to those files to a different application, but this doesnt limit other apps(malicious) from accessing them.\
During the **static** analysis **check** for the use of those **modes**, during the **dynamic** analysis **check** the **permissions** of the files created (maybe some of them are worldwide readable/writable).\
[More information about this vulnerability and how to fix it here.](https://manifestsecurity.com/android-application-security-part-8/)
2022-04-28 23:27:22 +00:00
**External Storage**
Files created on **external storage**, such as SD Cards, are **globally readable and writable**. Because external storage can be removed by the user and also modified by any application, you should **not store sensitive information using external storage**.\
As with data from any untrusted source, you should **perform input validation** when handling **data from external storage**. We strongly recommend that you not store executables or class files on external storage prior to dynamic loading. If your app does retrieve executable files from external storage, the files should be signed and cryptographically verified prior to dynamic loading.\
Info taken from [here](https://manifestsecurity.com/android-application-security-part-8/).
2021-04-22 10:23:13 +00:00
External storage can be **accessed** in `/storage/emulated/0` , `/sdcard` , `/mnt/sdcard`
{% hint style="info" %}
Starting with Android 4.4 (**API 17**), the SD card has a directory structure which **limits access from an app to the directory which is specifically for that app**. This prevents malicious application from gaining read or write access to another app's files.
2021-04-22 10:23:13 +00:00
{% endhint %}
2022-04-28 23:27:22 +00:00
**Sensitive data stored in clear-text**
2021-04-22 12:26:30 +00:00
* **Shared preferences**: Android allow to each application to easily save xml files in the path `/data/data/<packagename>/shared_prefs/` and sometimes it's possible to find sensitive information in clear-text in that folder.
2021-04-22 12:26:37 +00:00
* **Databases**: Android allow to each application to easily save sqlite databases in the path `/data/data/<packagename>/databases/` and sometimes it's possible to find sensitive information in clear-text in that folder.
2021-04-22 12:26:30 +00:00
2022-05-01 13:25:53 +00:00
### Broken TLS
2021-04-21 16:33:42 +00:00
2022-04-28 23:27:22 +00:00
**Accept All Certificates**
2021-04-21 16:33:42 +00:00
For some reason sometimes developers accept all the certificates even if for example the hostname does not match with lines of code like the following one:
```java
2021-04-22 09:27:31 +00:00
SSLSocketFactory sf = new cc(trustStore);
2021-04-21 16:33:42 +00:00
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
```
A good way to test this is to try to capture the traffic using some proxy like Burp without authorising Burp CA inside the device. Also, you can generate with Burp a certificate for a different hostname and use it.
2022-05-01 13:25:53 +00:00
### Broken Cryptography
2022-04-28 23:27:22 +00:00
**Poor Key Management Processes**
Some developers save sensitive data in the local storage and encrypt it with a key hardcoded/predictable in the code. This shouldn't be done as some reversing could allow attackers to extract the confidential information.
2022-04-28 23:27:22 +00:00
**Use of Insecure and/or Deprecated Algorithms**
Developers shouldn't use **deprecated algorithms** to perform authorisation **checks**, **store** or **send** data. Some of these algorithms are: RC4, MD4, MD5, SHA1... If **hashes** are used to store passwords for example, hashes brute-force **resistant** should be used with salt.
2022-05-01 13:25:53 +00:00
### Other checks
* It's recommended to **obfuscate the APK** to difficult the reverse engineer labour to attackers.
* If the app is sensitive (like bank apps), it should perform it's **own checks to see if the mobile is rooted** and act in consequence.
* If the app is sensitive (like bank apps), it should check if an **emulator** is being used.
* If the app is sensitive (like bank apps), it should **check it's own integrity before executing** it to check if it was modified.
2021-06-01 09:46:44 +00:00
* Use [**APKiD**](https://github.com/rednaga/APKiD) to check which compiler/packer/obfuscator was used to build the APK
2022-05-01 13:25:53 +00:00
### React Native Application
2021-02-01 09:24:10 +00:00
Read the following page to learn how to easily access javascript code of React applications:
{% content-ref url="react-native-application.md" %}
[react-native-application.md](react-native-application.md)
{% endcontent-ref %}
2021-02-01 09:24:10 +00:00
2022-05-01 13:25:53 +00:00
### Xamarin Applications
2021-08-11 20:47:23 +00:00
Read the following page to learn how to easily access C# code of a xamarin applications:
2021-08-11 20:47:23 +00:00
{% content-ref url="../xamarin-apps.md" %}
[xamarin-apps.md](../xamarin-apps.md)
{% endcontent-ref %}
2021-08-11 20:47:23 +00:00
### Superpacked Applications
According to this [**blog post**](https://clearbluejar.github.io/posts/desuperpacking-meta-superpacked-apks-with-github-actions/) superpacked is a Meta algorithm that compress the content of an application into a single file. The blog talks about the possibility of creating an app that decompress these kind of apps... and a faster way which involves to **execute the application and gather the decompressed files from the filesystem.**
2022-05-01 13:25:53 +00:00
### Automated Static Code Analysis
2021-11-07 16:13:04 +00:00
The tool [**mariana-trench**](https://github.com/facebook/mariana-trench) is capable of finding **vulnerabilities** by **scanning** the **code** of the application. This tool contains a series of **known sources** (that indicates to the tool the **places** where the **input** is **controlled by the user**), **sinks** (which indicates to the tool **dangerous** **places** where malicious user input could cause damages) and **rules**. These rules indicates the **combination** of **sources-sinks** that indicates a vulnerability.
2021-11-30 16:46:07 +00:00
With this knowledge, **mariana-trench will review the code and find possible vulnerabilities on it**.
2021-11-07 16:13:04 +00:00
2022-05-19 12:02:10 +00:00
### Secrets leaked
An application may contain secrets (API keys, passwords, hidden urls, subdomains...) inside of it that you might be able to discover. You could us a tool such as [https://github.com/dwisiswant0/apkleaks](https://github.com/dwisiswant0/apkleaks)
2022-10-26 09:06:33 +00:00
### Bypass Biometric Authentication
{% content-ref url="bypass-biometric-authentication-android.md" %}
[bypass-biometric-authentication-android.md](bypass-biometric-authentication-android.md)
{% endcontent-ref %}
2022-05-01 13:25:53 +00:00
### Other interesting functions
2022-02-12 12:08:47 +00:00
* **Code execution**: `Runtime.exec(), ProcessBuilder(), native code:system()`
* **Send SMSs**: `sendTextMessage, sendMultipartTestMessage`
* **Native functions** declared as `native`: `public native, System.loadLibrary, System.load`
2021-08-22 19:19:47 +00:00
* [Read this to learn **how to reverse native functions**](reversing-native-libraries.md)
2022-05-01 13:25:53 +00:00
### **Other tricks**
2021-05-04 11:44:49 +00:00
{% content-ref url="content-protocol.md" %}
[content-protocol.md](content-protocol.md)
{% endcontent-ref %}
***
<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
2023-07-14 15:03:41 +00:00
**HackenProof is home to all crypto bug bounties.**
**Get rewarded without delays**\
HackenProof bounties launch only when their customers deposit the reward budget. You'll get the reward after the bug is verified.
2023-02-27 09:28:45 +00:00
2023-07-14 15:03:41 +00:00
**Get experience in web3 pentesting**\
Blockchain protocols and smart contracts are the new Internet! Master web3 security at its rising days.
2023-02-27 09:28:45 +00:00
2023-07-14 15:03:41 +00:00
**Become the web3 hacker legend**\
Gain reputation points with each verified bug and conquer the top of the weekly leaderboard.
2022-10-27 23:22:18 +00:00
2023-07-14 15:03:41 +00:00
[**Sign up on HackenProof**](https://hackenproof.com/register) start earning from your hacks!
2023-02-27 09:28:45 +00:00
2023-07-14 15:03:41 +00:00
{% embed url="https://hackenproof.com/register" %}
2022-10-27 23:22:18 +00:00
***
2022-05-01 13:25:53 +00:00
## Dynamic Analysis
> First of all, you need an environment where you can install the application and all the environment (Burp CA cert, Drozer and Frida mainly). Therefore, a rooted device (emulated or not) is extremely recommended.
2022-05-01 13:25:53 +00:00
### Online Dynamic analysis
You can create a **free account** in: [https://appetize.io/](https://appetize.io). This platform allows you to **upload** and **execute** APKs, so it is useful to see how an apk is behaving.
You can even **see the logs of your application** in the web and connect through **adb**.
![](<../../.gitbook/assets/image (60).png>)
Thanks to the ADB connection you can use **Drozer** and **Frida** inside the emulators.
2022-05-01 13:25:53 +00:00
### Local Dynamic Analysis
#### Using an emulator
2022-02-23 17:27:41 +00:00
* [**Android Studio**](https://developer.android.com/studio) (You can create **x86** and **arm** devices, and according to [**this** ](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**latest x86** versions **support ARM libraries** without needing an slow arm emulator).
* Learn to set it up in this page:
{% content-ref url="avd-android-virtual-device.md" %}
[avd-android-virtual-device.md](avd-android-virtual-device.md)
{% endcontent-ref %}
* [**Genymotion**](https://www.genymotion.com/fun-zone/) **(Free version:** Personal Edition, you need to create an account. _It's recommend to **download** the version **WITH**_ _**VirtualBox** to avoid potential errors._)
* [**Nox**](https://es.bignox.com) (Free, but it doesn't support Frida or Drozer).
{% hint style="info" %}
When creating a new emulator on any platform remember that the bigger the screen is, the slower the emulator will run. So select small screens if possible.
{% endhint %}
To **install google services** (like AppStore) in Genymotion you need to click on the red marked button of the following image:
2022-10-22 15:26:54 +00:00
![](<../../.gitbook/assets/image (200) (1).png>)
Also, notice that in the **configuration of the Android VM in Genymotion** you can select **Bridge Network mode** (this will be useful if you will be connecting to the Android VM from a different VM with the tools).
#### Use a physical device
You need to activate the **debugging** options and it will be cool if you can **root** it:
1. **Settings**.
2. (FromAndroid 8.0) Select **System**.
3. Select **About phone**.
4. Press **Build number** 7 times.
5. Go back and you will find the **Developer options**.
> Once you have installed the application, the first thing you should do is to try it and investigate what does it do, how does it work and get comfortable with it.\
> I will suggest to **perform this initial dynamic analysis using MobSF dynamic analysis + pidcat**, so will will be able to **learn how the application works** while MobSF **capture** a lot of **interesting** **data** you can review later on.
2022-05-01 13:25:53 +00:00
### Unintended Data Leakage
2022-04-28 23:27:22 +00:00
**Logging**
Often Developers leave debugging information publicly. So any application with `READ_LOGS` permission can **access those logs** and can gain sensitive information through that.\
While navigating through the application use [**pidcat**](https://github.com/JakeWharton/pidcat)_(Recommended, it's easier to use and read_) or [adb logcat](adb-commands.md#logcat) to read the created logs and **look for sensitive information**.
2021-04-22 13:58:44 +00:00
{% hint style="warning" %}
Note that from l**ater versions that Android 4.0**, **applications are only able to access their own logs**. So applications cannot access other apps logs.\
2021-04-22 13:58:44 +00:00
Anyway, it's still recommended to **not log sensitive information**.
{% endhint %}
**Copy/Paste Buffer Caching**
Android provides **clipboard-based** framework to provide copy-paste function in android applications. But this creates serious issue when some **other application** can **access** the **clipboard** which contain some sensitive data. **Copy/Paste** function should be **disabled** for **sensitive part** of the application. For example, disable copying credit card details.
2022-04-28 23:27:22 +00:00
**Crash Logs**
If an application **crashes** during runtime and it **saves logs** somewhere then those logs can be of help to an attacker especially in cases when android application cannot be reverse engineered. Then, avoid creating logs when applications crashes and if logs are sent over the network then ensure that they are sent over an SSL channel.\
As pentester, **try to take a look to these logs**.
2022-04-28 23:27:22 +00:00
**Analytics Data Sent To 3rd Parties**
Most of the application uses other services in their application like Google Adsense but sometimes they **leak some sensitive data** or the data which is not required to sent to that service. This may happen because of the developer not implementing feature properly. You can **look by intercepting the traffic** of the application and see whether any sensitive data is sent to 3rd parties or not.
2022-05-01 13:25:53 +00:00
### SQLite DBs
Most of the applications will use **internal SQLite databases** to save information. During the pentest take a **look** to the **databases** created, the names of **tables** and **columns** and all the **data** saved because you could find **sensitive information** (which would be a vulnerability).\
Databases should be located in `/data/data/the.package.name/databases` like `/data/data/com.mwr.example.sieve/databases`
If the database is saving confidential information and is **encrypted b**ut you can **find** the **password** inside the application it's still a **vulnerability**.
Enumerate the tables using `.tables` and enumerate the columns of the tables doing `.schema <table_name>`
2022-05-01 13:25:53 +00:00
### Drozer (Exploit Activities, Content Providers and Services)
**Drozer** allows you to **assume the role of an Android app** and interact with other apps. It can do **anything that an installed application can do**, such as make use of Androids Inter-Process Communication (IPC) mechanism and interact with the underlying operating system. From [Drozer Guide](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf).\
Drozer is s useful tool to **exploit exported activities, exported services and Content Providers** as you will learn in the following sections.
2022-05-01 13:25:53 +00:00
### Exploiting exported Activities
2021-04-22 12:26:30 +00:00
2022-04-05 22:24:52 +00:00
[**Read this if you want to remind what is an Android Activity.**](android-applications-basics.md#launcher-activity-and-other-activities)\
2022-12-27 16:55:40 +00:00
Also remember that the code of an activity starts with the `onCreate` method.
2021-04-22 12:26:30 +00:00
2022-04-28 23:27:22 +00:00
**Authorisation bypass**
When an Activity is exported you can invoke its screen from an external app. Therefore, if an activity with **sensitive information** is **exported** you could **bypass** the **authentication** mechanisms **to access it.**\
2022-04-05 22:24:52 +00:00
[**Learn how to exploit exported activities with Drozer.**](drozer-tutorial/#activities)
You can also start an exported activity from adb:
* PackageName is com.example.demo
* Exported ActivityName is com.example.test.MainActivity
```bash
adb shell am start -n com.example.demo/com.example.test.MainActivity
```
**NOTE**: MobSF will detect as malicious the use of _**singleTask/singleInstance**_ as `android:launchMode` in an activity, but due to [this](https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/750), apparently this is only dangerous on old versions (API versions < 21).
2021-04-22 12:26:30 +00:00
{% hint style="info" %}
Note that an authorisation bypass is not always a vulnerability, it would depend on how the bypass works and which information is exposed.
{% endhint %}
**Sensitive information leakage**
**Activities can also return results**. If you manage to find an exported and unprotected activity calling the **`setResult`** method and **returning sensitive information**, there is a sensitive information leakage.
#### Tapjacking
If tapjacking isn't prevented, you could abuse the exported activity to make the **user perform unexpected actions**. For more info about [**what is Tapjacking follow the link**](./#tapjacking).
2022-05-01 13:25:53 +00:00
### Exploiting Content Providers - Accessing and manipulating sensitive information
2022-04-05 22:24:52 +00:00
[**Read this if you want to remind what is a Content Provider.**](android-applications-basics.md#content-provider)\
Content providers are basically used to **share data**. If an app has available content providers you may be able to **extract sensitive** data from them. It also interesting to test possible **SQL injections** and **Path Traversals** as they could be vulnerable.\
2022-04-05 22:24:52 +00:00
[**Learn how to exploit Content Providers with Drozer.**](drozer-tutorial/#content-providers)
2022-05-01 13:25:53 +00:00
### **Exploiting Services**
[**Read this if you want to remind what is a Service.**](android-applications-basics.md#services)\
2022-12-27 16:55:40 +00:00
Remember that a the actions of a Service start in the method `onStartCommand`.
2021-04-22 12:26:30 +00:00
As service is basically something that **can receive data**, **process** it and **returns** (or not) a response. Then, if an application is exporting some services you should **check** the **code** to understand what is it doing and **test** it **dynamically** for extracting confidential info, bypassing authentication measures...\
2022-02-12 12:08:47 +00:00
[**Learn how to exploit Services with Drozer.**](drozer-tutorial/#services)
2022-05-01 13:25:53 +00:00
### **Exploiting Broadcast Receivers**
[**Read this if you want to remind what is a Broadcast Receiver.**](android-applications-basics.md#broadcast-receivers)\
2022-05-31 09:52:22 +00:00
Remember that a the actions of a Broadcast Receiver start in the method `onReceive`.
2021-04-22 12:26:30 +00:00
A broadcast receiver will be waiting for a type of message. Depending on ho the receiver handles the message it could be vulnerable.\
[**Learn how to exploit Broadcast Receivers with Drozer.**](./#exploiting-broadcast-receivers)
2022-05-01 13:25:53 +00:00
### **Exploiting Schemes / Deep links**
You can look for deep links manually, using tools like MobSF or scripts like [this one](https://github.com/ashleykinguk/FBLinkBuilder/blob/master/FBLinkBuilder.py).\
You can **open** a declared **scheme** using **adb** or a **browser**:
{% code overflow="wrap" %}
```bash
adb shell am start -a android.intent.action.VIEW -d "scheme://hostname/path?param=value" [your.package.name]
```
{% endcode %}
_Note that you can **omit the package name** and the mobile will automatically call the app that should open that link._
{% code overflow="wrap" %}
```markup
<!-- Browser regular link -->
<a href="scheme://hostname/path?param=value">Click me</a>
<!-- fallback in your url you could try the intent url -->
<a href="intent://hostname#Intent;scheme=scheme;package=your.package.name;S.browser_fallback_url=http%3A%2F%2Fwww.example.com;end">with alternative</a>
```
{% endcode %}
2022-04-28 23:27:22 +00:00
**Code executed**
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
![](<../../.gitbook/assets/image (436) (1) (1) (1).png>)
2022-04-28 23:27:22 +00:00
**Sensitive info**
2020-12-30 09:57:37 +00:00
Every time you find a deep link check that i**t's not receiving sensitive data (like passwords) via URL parameters**, because any other application could **impersonate the deep link and steal that data!**
2020-12-30 09:57:37 +00:00
2022-04-28 23:27:22 +00:00
**Parameters in path**
2020-12-30 09:57:37 +00:00
You **must check also if any deep link is using a parameter inside the path** of the URL like: `https://api.example.com/v1/users/{username}` , in that case you can force a path traversal accessing something like: `example://app/users?username=../../unwanted-endpoint%3fparam=value` .\
Note that if you find the correct endpoints inside the application you may be able to cause a **Open Redirect** (if part of the path is used as domain name), **account takeover** (if you can modify users details without CSRF token and the vuln endpoint used the correct method) and any other vuln. More [info about this here](http://dphoeniixx.com/2020/12/13-2/).
2020-12-30 09:57:37 +00:00
2022-04-28 23:27:22 +00:00
**More examples**
2020-11-28 17:30:36 +00:00
An [interesting bug bounty report](https://hackerone.com/reports/855618) about links (_/.well-known/assetlinks.json_).
2020-07-29 09:22:22 +00:00
2022-05-01 13:25:53 +00:00
### Insufficient Transport Layer Protection
* **Lack of Certificate Inspection:** Android Application fails to verify the identity of the certificate presented to it. Most of the application ignore the warnings and accept any self-signed certificate presented. Some Application instead pass the traffic through an HTTP connection.
* **Weak Handshake Negotiation:** Application and server perform an SSL/TLS handshake but use an insecure cipher suite which is vulnerable to MITM attacks. So any attacker can easily decrypt that connection.
* **Privacy Information Leakage:** Most of the times it happens that Applications do authentication through a secure channel but rest all connection through non-secure channel. That doesnt add to security of application because rest sensitive data like session cookie or user data can be intercepted by an malicious user.
2022-05-01 13:25:53 +00:00
From the 3 scenarios presented we are going to discuss **how to verify the identity of the certificate**. The other 2 scenarios depends on the **TLS configuratio**n of the server and if the **application sends unencrypted data**. The pentester should check by it's own the TLS configuration of the server ([here](../../network-services-pentesting/pentesting-web/#ssl-tls-vulnerabilites)) and detect if any **confidential information is sent by an unencrypted/vulnerable** channel .\
More information about how to discover and fix these kind of vulnerabilities [**here**](https://manifestsecurity.com/android-application-security-part-10/).
2022-04-28 23:27:22 +00:00
**SSL Pinning**
By default, when making an SSL connection, the client(android app) checks that the servers certificate has a verifiable chain of trust back to a trusted (root) certificate and matches the requested hostname. This lead to problem of **Man in the Middle Attacks(MITM)**.\
In certificate Pinnning, an Android Application itself contains the certificate of server and only transmit data if the same certificate is presented.\
It's recommended to **apply SSL Pinning** for the sites where sensitive information is going to be sent.
2022-05-01 13:25:53 +00:00
### Inspecting HTTP traffic
First of all, you should (must) **install the certificate** of the **proxy** tool that you are going to use, probably Burp. If you don't install the CA certificate of the proxy tool, you probably aren't going to see the encrypted traffic in the proxy.\
2021-04-21 16:33:42 +00:00
**Please,** [**read this guide to learn how to do install a custom CA certificate**](android-burp-suite-settings.md)**.**
2021-12-22 17:43:14 +00:00
For applications targeting **API Level 24+ it isn't enough to install the Burp CA** certificate in the device. To bypass this new protection you need to modify the Network Security Config file. So, you could modify this file to authorise your CA certificate or you can [**read this page for a tutorial on how to force the application to accept again all the installed certificate sin the device**](make-apk-accept-ca-certificate.md).
2022-04-28 23:27:22 +00:00
**SSL Pinning**
We have already discuss what is SSL Pinning just 2 paragraphs before. When it's implemented in an application you will need to bypass it to inspect the HTTPS traffic or you won't see it.\
Here I'm going to present a few options I've used to bypass this protection:
* Automatically **modify** the **apk** to **bypass** SSLPinning with [**apk-mitm**](https://github.com/shroudedcode/apk-mitm). The best pro of this option, is that you won't need root to bypass the SSL Pinning, but you will need to delete the application and reinstall the new one, and this won't always work.
* You could use **Frida** (discussed below) to bypass this protection. Here you have a guide to use Burp+Frida+Genymotion: [https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/](https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/)
2020-09-09 15:42:51 +00:00
* You can also try to **automatically bypass SSL Pinning** using [**objection**](frida-tutorial/objection-tutorial.md)**:** `objection --gadget com.package.app explore --startup-command "android sslpinning disable"`
* You can also try to **automatically bypass SSL Pinning** using **MobSF dynamic analysis** (explained below)
2022-02-12 12:08:47 +00:00
* If you still think that there is some traffic that you aren't capturing you can try to **forward the traffic to burp using iptables**. Read this blog: [https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62](https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62)
2022-04-28 23:27:22 +00:00
**Common Web vulnerabilities**
Note that in this step you should look for common web vulnerabilities. A lot of information about web vulnerabilities be found in this book so I'm not going to mention them here.
2022-05-01 13:25:53 +00:00
### Frida
Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Learn more at [www.frida.re](https://www.frida.re).\
**It's amazing, you can access running application and hook methods on run time to change the behaviour, change values, extract values, run different code...**\
**If you want to pentest Android applications you need to know how to use Frida.**
**Learn how to use Frida:** [**Frida tutorial**](frida-tutorial/)\
**Some "GUI" for actions with Frida:** [**https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security**](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)\
**Some other abstractions based on Frida:** [**https://github.com/sensepost/objection**](https://github.com/sensepost/objection) **,** [**https://github.com/dpnishant/appmon**](https://github.com/dpnishant/appmon)\
2022-04-05 22:24:52 +00:00
**You can find some Awesome Frida scripts here:** [**https://codeshare.frida.re/**](https://codeshare.frida.re)
### **Dump Memory - Fridump**
Check if the application is storing sensitive information inside the memory that it shouldn't be storing like passwords or mnemonics.
Using [**Fridump3**](https://github.com/rootbsd/fridump3) you can dump the memory of the app with:
```bash
# With PID
python3 fridump3.py -u <PID>
# With name
frida-ps -Uai
python3 fridump3.py -u "<Name>"
```
This will dump the memory in ./dump folder, and in there you could grep with something like:
{% code overflow="wrap" %}
```bash
strings * | grep -E "^[a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+$"
```
{% endcode %}
### **Sensitive data in Keystore**
In Android the Keystore is the best place to store sensitive data, however, with enough privileges it's still **possible to access it**. As applications tends to store here **sensitive data in clear text** the pentests should check for it as root user or someones with physical access to the device could be able to steal this data.
Even if an app stored date in the keystore, the data should be encrypted.
To access the data inside the keystore you could use this Frida script: [https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js](https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js)
```bash
frida -U -f com.example.app -l frida-scripts/tracer-cipher.js
```
### **Fingerprint/Biometrics Bypass**
Using the following Frida script it could be possible to **bypass fingerprint authentication** Android applications might be performing in order to **protect certain sensitive areas:**
{% code overflow="wrap" %}
```bash
frida --codeshare krapgras/android-biometric-bypass-update-android-11 -U -f <app.package>
```
{% endcode %}
### **Background Images**
When you put an application in background, Android stores a **snapshot of the application** so when it's recovered to foreground it starts loading the image before the app so ot looks like the app was loaded faster.
However, if this snapshot contains **sensitive information**, someone with access to the snapshot might **steal that info** (note that you need root to access it).
The snapshots are usually stored around: **`/data/system_ce/0/snapshots`**
Android provides a way to **prevent the screenshot capture by setting the FLAG\_SECURE** layout parameter. By using this flag, the window contents are treated as secure, preventing it from appearing in screenshots or from being viewed on non-secure displays.
```bash
getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);
```
2022-05-01 13:25:53 +00:00
### **Android Application Analyzer**
2021-10-19 00:01:07 +00:00
This tool could help you managing different tools during the dynamic analysis: [https://github.com/NotSoSecure/android\_application\_analyzer](https://github.com/NotSoSecure/android\_application\_analyzer)
2022-05-01 13:25:53 +00:00
### Intent Injection
2021-07-19 19:50:23 +00:00
This vulnerability resembles **Open Redirect in web security**. Since class `Intent` is `Parcelable`, **objects belonging to this class** can be **passed** as **extra** **data** in another `Intent` object.\
Many developers make **use** of this **feature** and create **proxy** **components** (activities, broadcast receivers and services) that **take an embedded Intent and pass it to dangerous methods** like `startActivity(...)`, `sendBroadcast(...)`, etc.\
This is dangerous because **an attacker can force the app to launch a non-exported component that cannot be launched directly from another app**, or to grant the attacker access to its content providers. **`WebView`** also sometimes changes a **URL from a string to an `Intent`** object, using the `Intent.parseUri(...)` method, and passes it to `startActivity(...)`.
2021-07-19 19:50:23 +00:00
2022-05-01 13:25:53 +00:00
### Android Client Side Injections and others
Probably you know about this kind of vulnerabilities from the Web. You have to be specially careful with this vulnerabilities in an Android application:
* **SQL Injection:** When dealing with dynamic queries or Content-Providers ensure you are using parameterized queries.
* **JavaScript Injection (XSS):** Verify that JavaScript and Plugin support is disabled for any WebViews (disabled by default). [More info here](webview-attacks.md#javascript-enabled).
* **Local File Inclusion:** Verify that File System Access is disabled for any WebViews (enabled by default) `(webview.getSettings().setAllowFileAccess(false);)`. [More info here](webview-attacks.md#javascript-enabled).
* **Eternal cookies**: In several cases when the android application finish the session the cookie isn't revoked or it could be even saved to disk
2022-04-05 22:24:52 +00:00
* [**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/#cookies-flags)
***
<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
2023-03-05 19:54:13 +00:00
2023-07-14 15:03:41 +00:00
**HackenProof is home to all crypto bug bounties.**
2023-02-27 09:28:45 +00:00
2023-07-14 15:03:41 +00:00
**Get rewarded without delays**\
HackenProof bounties launch only when their customers deposit the reward budget. You'll get the reward after the bug is verified.
2023-02-27 09:28:45 +00:00
2023-07-14 15:03:41 +00:00
**Get experience in web3 pentesting**\
Blockchain protocols and smart contracts are the new Internet! Master web3 security at its rising days.
2023-02-27 09:28:45 +00:00
2023-07-14 15:03:41 +00:00
**Become the web3 hacker legend**\
Gain reputation points with each verified bug and conquer the top of the weekly leaderboard.
[**Sign up on HackenProof**](https://hackenproof.com/register) start earning from your hacks!
{% embed url="https://hackenproof.com/register" %}
2022-10-27 23:22:18 +00:00
2022-05-01 13:25:53 +00:00
## Automatic Analysis
2022-05-01 13:25:53 +00:00
### [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)
2022-04-28 23:27:22 +00:00
**Static analysis**
2022-09-30 10:43:59 +00:00
![](<../../.gitbook/assets/image (61).png>)
**Vulnerability assessment of the application** using a nice web-based frontend. You can also perform dynamic analysis (but you need to prepare the environment).
```bash
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
```
Notice that MobSF can analyse **Android**(apk)**, IOS**(ipa) **and Windows**(apx) applications (_Windows applications must be analyzed from a MobSF installed in a Windows host_).\
Also, if you create a **ZIP** file with the source code if an **Android** or an **IOS** app (go to the root folder of the application, select everything and create a ZIPfile), it will be able to analyse it also.
MobSF also allows you to **diff/Compare** analysis and to integrate **VirusTotal** (you will need to set your API key in _MobSF/settings.py_ and enable it: `VT_ENABLED = TRUE` `VT_API_KEY = <Your API key>` `VT_UPLOAD = TRUE`). You can also set `VT_UPLOAD` to `False`, then the **hash** will be **upload** instead of the file.
2022-05-01 13:25:53 +00:00
### Assisted Dynamic analysis with MobSF
**MobSF** can also be very helpful for **dynamic analysis** in **Android**, but in that case you will need to install MobSF and **genymotion** in your host (a VM or Docker won't work). _Note: You need to **start first a VM in genymotion** and **then MobSF.**_\
The **MobSF dynamic analyser** can:
* **Dump application data** (URLs, logs, clipboard, screenshots made by you, screenshots made by "**Exported Activity Tester**", emails, SQLite databases, XML files, and other created files). All of this is done automatically except for the screenshots, you need to press when you want a screenshot or you need to press "**Exported Activity Tester**" to obtain screenshots of all the exported activities.
* Capture **HTTPS traffic**
* Use **Frida** to obtain **runtime** **information**
From android **versions > 5**, it will **automatically start Frida** and will set global **proxy** settings to **capture** traffic. It will only capture traffic from the tested application.
**Frida**
By default, it will also use some Frida Scripts to **bypass SSL pinning**, **root detection** and **debugger detection** and to **monitor interesting APIs**.\
MobSF can also **invoke exported activities**, grab **screenshots** of them and **save** them for the report.
To **start** the dynamic testing press the green bottom: "**Start Instrumentation**". Press the "**Frida Live Logs**" to see the logs generated by the Frida scripts and "**Live API Monitor**" to see all the invocation to hooked methods, arguments passed and returned values (this will appear after pressing "Start Instrumentation").\
2022-12-27 16:55:40 +00:00
MobSF also allows you to load your own **Frida scripts** (to send the results of your Friday scripts to MobSF use the function `send()`). It also has **several pre-written scripts** you can load (you can add more in `MobSF/DynamicAnalyzer/tools/frida_scripts/others/`), just **select them**, press "**Load**" and press "**Start Instrumentation**" (you will be able to see the logs of that scripts inside "**Frida Live Logs**").
![](<../../.gitbook/assets/image (215).png>)
Moreover, you have some Auxiliary Frida functionalities:
* **Enumerate Loaded Classes**: It will print all the loaded classes
* **Capture Strings**: It will print all the capture strings while using the application (super noisy)
* **Capture String Comparisons**: Could be very useful. It will **show the 2 strings being compared** and if the result was True or False.
* **Enumerate Class Methods**: Put the class name (like "java.io.File") and it will print all the methods of the class.
2022-02-12 12:08:47 +00:00
* **Search Class Pattern**: Search classes by pattern
* **Trace Class Methods**: **Trace** a **whole class** (see inputs and outputs of all methods of th class). Remember that by default MobSF traces several interesting Android Api methods.
Once you have selected the auxiliary module you want to use you need to press "**Start Intrumentation**" and you will see all the outputs in "**Frida Live Logs**".
**Shell**
Mobsf also brings you a shell with some **adb** commands, **MobSF commands**, and common **shell** **commands** at the bottom of the dynamic analysis page. Some interesting commands:
```bash
help
shell ls
activities
exported_activities
services
receivers
```
**HTTP tools**
When http traffic is capture you can see an ugly view of the captured traffic on "**HTTP(S) Traffic**" bottom or a nicer view in "**Start HTTPTools**" green bottom. From the second option, you can **send** the **captured requests** to **proxies** like Burp or Owasp ZAP.\
To do so, _power on Burp -->_ _turn off Intercept --> in MobSB HTTPTools select the request_ --> press "**Send to Fuzzer**" --> _select the proxy address_ ([http://127.0.0.1:8080\\](http://127.0.0.1:8080)).
Once you finish the dynamic analysis with MobSF you can press on "**Start Web API Fuzzer**" to **fuzz http requests** an look for vulnerabilities.
{% hint style="info" %}
After performing a dynamic analysis with MobSF the proxy settings me be misconfigured and you won't be able to fix them from the GUI. You can fix the proxy settings by doing:
```
adb shell settings put global http_proxy :0
```
{% endhint %}
2022-05-01 13:25:53 +00:00
### Assisted Dynamic Analysis with Inspeckage
2021-07-20 10:40:58 +00:00
You can get the tool from [**Inspeckage**](https://github.com/ac-pm/Inspeckage).\
2021-07-20 10:41:39 +00:00
This tool with use some **Hooks** to let you know **what is happening in the application** while you perform a **dynamic analysis**.
{% content-ref url="inspeckage-tutorial.md" %}
[inspeckage-tutorial.md](inspeckage-tutorial.md)
{% endcontent-ref %}
2021-07-20 10:40:58 +00:00
2022-05-01 13:25:53 +00:00
### [Yaazhini](https://www.vegabird.com/yaazhini/)
This is a **great tool to perform static analysis with a GUI**
![](<../../.gitbook/assets/image (527).png>)
2022-05-01 13:25:53 +00:00
### [Qark](https://github.com/linkedin/qark)
This tool is designed to look for several **security related Android application vulnerabilities**, either in **source code** or **packaged APKs**. The tool is also **capable of creating a "Proof-of-Concept" deployable APK** and **ADB commands**, to exploit some of the found vulnerabilities (Exposed activities, intents, tapjacking...). As with Drozer, there is no need to root the test device.
```bash
pip3 install --user qark # --user is only needed if not using a virtualenv
2021-07-31 09:02:13 +00:00
qark --apk path/to/my.apk
qark --java path/to/parent/java/folder
qark --java path/to/specific/java/file.java
```
2022-05-01 13:25:53 +00:00
### [**ReverseAPK**](https://github.com/1N3/ReverseAPK.git)
* Displays all extracted files for easy reference
* Automatically decompile APK files to Java and Smali format
* Analyze AndroidManifest.xml for common vulnerabilities and behavior
* Static source code analysis for common vulnerabilities and behavior
* Device info
* Intents
* Command execution
* SQLite references
* Logging references
* Content providers
* Broadcast recievers
* Service references
* File references
* Crypto references
* Hardcoded secrets
* URL's
* Network connections
* SSL references
* WebView references
```
reverse-apk relative/path/to/APP.apk
```
2022-05-01 13:25:53 +00:00
### [SUPER Android Analyzer](https://github.com/SUPERAndroidAnalyzer/super)
SUPER is a command-line application that can be used in Windows, MacOS X and Linux, that analyzes _.apk_ files in search for vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities.
All rules are centered in a `rules.json` file, and each company or tester could create its own rules to analyze what they need.
Download the latest binaries from in the [download page](https://superanalyzer.rocks/download.html)
```
super-analyzer {apk_file}
```
2022-05-01 13:25:53 +00:00
### [StaCoAn](https://github.com/vincentcox/StaCoAn)
2022-09-30 10:43:59 +00:00
![](<../../.gitbook/assets/image (62).png>)
2021-10-19 00:01:07 +00:00
StaCoAn is a **crossplatform** tool which aids developers, bugbounty hunters and ethical hackers performing [static code analysis](https://en.wikipedia.org/wiki/Static\_program\_analysis) on mobile applications\*.
The concept is that you drag and drop your mobile application file (an .apk or .ipa file) on the StaCoAn application and it will generate a visual and portable report for you. You can tweak the settings and wordlists to get a customized experience.
Download[ latest release](https://github.com/vincentcox/StaCoAn/releases):
```
./stacoan
```
2022-05-01 13:25:53 +00:00
### [AndroBugs](https://github.com/AndroBugs/AndroBugs\_Framework)
AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications.\
2021-10-19 00:01:07 +00:00
[Windows releases](https://github.com/AndroBugs/AndroBugs\_Framework/releases)
```
python androbugs.py -f [APK file]
androbugs.exe -f [APK file]
```
2022-05-01 13:25:53 +00:00
### [Androwarn](https://github.com/maaaaz/androwarn)
**Androwarn** is a tool whose main aim is to detect and warn the user about potential malicious behaviours developped by an Android application.
The detection is performed with the **static analysis** of the application's Dalvik bytecode, represented as **Smali**, with the [`androguard`](https://github.com/androguard/androguard) library.
This tool looks for **common behavior of "bad" applications** like: Telephony identifiers exfiltration, Audio/video flow interception, PIM data modification, Arbitrary code execution...
```
python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
```
2022-05-01 13:25:53 +00:00
### [MARA Framework](https://github.com/xtiankisutsa/MARA\_Framework)
2022-09-01 22:02:18 +00:00
![](<../../.gitbook/assets/image (81).png>)
**MARA** is a **M**obile **A**pplication **R**everse engineering and **A**nalysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier to mobile application developers and security professionals.
It is able to:
* Extract Java and Smali code using different tools
2021-10-19 00:01:07 +00:00
* Analyze APKs using: [smalisca](https://github.com/dorneanu/smalisca), [ClassyShark](https://github.com/google/android-classyshark), [androbugs](https://github.com/AndroBugs/AndroBugs\_Framework), [androwarn](https://github.com/maaaaz/androwarn), [APKiD](https://github.com/rednaga/APKiD)
* Extract private information from the APK using regexps.
* Analyze the Manifest.
* Analyze found domains using: [pyssltest](https://github.com/moheshmohan/pyssltest), [testssl](https://github.com/drwetter/testssl.sh) and [whatweb](https://github.com/urbanadventurer/WhatWeb)
* Deobfuscate APK via [apk-deguard.com](http://www.apk-deguard.com)
2022-05-01 13:25:53 +00:00
### Koodous
Useful to detect malware: [https://koodous.com/](https://koodous.com)
2022-05-01 13:25:53 +00:00
## Obfuscating/Deobfuscating code
Note that depending the service and configuration you use to obfuscate the code. Secrets may or may not ended obfuscated.
2021-04-20 15:03:28 +00:00
2022-05-01 13:25:53 +00:00
### [ProGuard](https://en.wikipedia.org/wiki/ProGuard\_\(software\))
**ProGuard** is an open source command-line tool that shrinks, optimizes and obfuscates Java code. It is able to optimize bytecode as well as detect and remove unused instructions. ProGuard is free software and is distributed under the GNU General Public License, version 2.
ProGuard is distributed as part of the Android SDK and runs when building the application in release mode.
2021-10-19 00:01:07 +00:00
From: [https://en.wikipedia.org/wiki/ProGuard\_(software)](https://en.wikipedia.org/wiki/ProGuard\_\(software\))
2022-05-03 09:20:29 +00:00
### [DexGuard](https://www.guardsquare.com/dexguard)
Find a step-by-step guide to deobfuscate the apk in [https://blog.lexfo.fr/dexguard.html](https://blog.lexfo.fr/dexguard.html)
(From that guide) Last time we checked, the Dexguard mode of operation was:
* load a resource as an InputStream;
* feed the result to a class inheriting from FilterInputStream to decrypt it;
* do some useless obfuscation to waste a few minutes of time from a reverser;
* feed the decrypted result to a ZipInputStream to get a DEX file;
* finally load the resulting DEX as a Resource using the `loadDex` method.
2022-05-01 13:25:53 +00:00
### [DeGuard](http://apk-deguard.com)
2022-04-28 23:27:22 +00:00
**DeGuard reverses the process of obfuscation performed by Android obfuscation tools. This enables numerous security analyses, including code inspection and predicting libraries.**
You can upload an obfuscated APK to their platform.
2022-05-01 13:25:53 +00:00
### [Simplify](https://github.com/CalebFenton/simplify)
It is a **generic android deobfuscator.** Simplify **virtually executes an app** to understand its behavior and then **tries to optimize the code** so it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn't matter what the specific type of obfuscation is used.
2022-05-01 13:25:53 +00:00
### [APKiD](https://github.com/rednaga/APKiD)
APKiD gives you information about **how an APK was made**. It identifies many **compilers**, **packers**, **obfuscators**, and other weird stuff. It's [_PEiD_](https://www.aldeid.com/wiki/PEiD) for Android.
2022-05-01 13:25:53 +00:00
### Manual
2022-04-05 22:24:52 +00:00
[Read this tutorial to learn some tricks on **how to reverse custom obfuscation**](manual-deobfuscation.md)
2022-05-01 13:25:53 +00:00
## Labs
2022-05-01 13:25:53 +00:00
### [Androl4b](https://github.com/sh4hin/Androl4b)
AndroL4b is an Android security virtual machine based on ubuntu-mate includes the collection of latest framework, tutorials and labs from different security geeks and researchers for reverse engineering and malware analysis.
2022-05-01 13:25:53 +00:00
### OWASP
{% embed url="https://github.com/OWASP/owasp-mstg%0Ahttps://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication" %}
2022-05-01 13:25:53 +00:00
### Git Repos
[https://github.com/riddhi-shree/nullCommunity/tree/master/Android](https://github.com/riddhi-shree/nullCommunity/tree/master/Android)\
2021-10-19 00:01:07 +00:00
[https://www.youtube.com/watch?v=PMKnPaGWxtg\&feature=youtu.be\&ab\_channel=B3nacSec](https://www.youtube.com/watch?v=PMKnPaGWxtg\&feature=youtu.be\&ab\_channel=B3nacSec)
2022-05-01 13:25:53 +00:00
## References
For more information visit:
* [https://appsecwiki.com/#/](https://appsecwiki.com/#/) It is a great list of resources
* [https://maddiestone.github.io/AndroidAppRE/](https://maddiestone.github.io/AndroidAppRE/) Android quick course
* [https://manifestsecurity.com/android-application-security/](https://manifestsecurity.com/android-application-security/)
2021-08-19 09:17:14 +00:00
* [https://github.com/Ralireza/Android-Security-Teryaagh](https://github.com/Ralireza/Android-Security-Teryaagh)
2022-05-01 13:25:53 +00:00
## To Test
2020-09-26 09:34:54 +00:00
* [https://www.vegabird.com/yaazhini/](https://www.vegabird.com/yaazhini/)
2020-09-26 10:35:08 +00:00
* [https://github.com/abhi-r3v0/Adhrit](https://github.com/abhi-r3v0/Adhrit)
2022-04-28 16:01:33 +00:00
<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
2023-07-14 15:03:41 +00:00
**HackenProof is home to all crypto bug bounties.**
**Get rewarded without delays**\
HackenProof bounties launch only when their customers deposit the reward budget. You'll get the reward after the bug is verified.
2023-03-05 19:54:13 +00:00
2023-07-14 15:03:41 +00:00
**Get experience in web3 pentesting**\
Blockchain protocols and smart contracts are the new Internet! Master web3 security at its rising days.
2023-02-27 09:28:45 +00:00
2023-07-14 15:03:41 +00:00
**Become the web3 hacker legend**\
Gain reputation points with each verified bug and conquer the top of the weekly leaderboard.
2023-02-27 09:28:45 +00:00
2023-07-14 15:03:41 +00:00
[**Sign up on HackenProof**](https://hackenproof.com/register) start earning from your hacks!
2023-02-27 09:28:45 +00:00
2023-07-14 15:03:41 +00:00
{% embed url="https://hackenproof.com/register" %}
2022-10-27 23:22:18 +00:00
2022-04-28 16:01:33 +00:00
<details>
2023-04-25 18:35:28 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-09-09 11:57:02 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
2022-12-27 16:55:40 +00:00
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
2022-04-28 16:01:33 +00:00
</details>