The document discusses challenges for assessing the security of the Damn Insecure and Vulnerable App (DIVA) Android application. It outlines 13 challenges involving insecure logging, hardcoding issues, insecure data storage, input validation vulnerabilities, and access control issues. The challenges provide hands-on examples for learning about Android security exploitation and penetration testing. Solutions to the challenges are available in an online Android security course.
Android Security & Exploitation

Aditya Gupta (@adi1391)
Founder, Attify (http://attify.com)
[email protected]
Certifications: http://securitytube-training.com
Pentester Academy: http://PentesterAcademy.com
Check the complete course

• Tons more exercises, techniques, hands-on examples and exploitation.
• Check out the complete training at:
  • http://securitytube-training.com/online-courses/android-security-for-pentesters/index.html
  • pentesteracademy.com

Full course available at securitytube-training.com and pentesteracademy.com


Damn Insecure and Vulnerable App

• DIVA - Vulnerable Android application
• Created by Aseem Jakhar (@aseemjakhar) of Payatu Technologies
• Good starting point to explore Android Security
• Other vulnerable apps include GoatDroid, InsecureBank, Intrepidus Learner


Damn Insecure and Vulnerable App

• Download binary from http://goo.gl/sPvimd
• Download source from https://github.com/payatu/diva-android
Challenges in DIVA

1. Insecure Logging
2. Hardcoding Issues
3. Insecure Data Storage
4. Input Validation vulnerabilities
5. Access Control Issues


Challenge 1 : Insecure Logging

• Video 9 of “Android Security for Pentesters” at SecurityTube-Training and PentesterAcademy
• Android maintains a centralised logcat
• Typically used by developers for debugging purposes
• Accessible via ADB or to other applications (<4.1)
• adb shell ps | grep -i 'diva'
• adb shell logcat | grep [pid]
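The logging pattern behind this challenge, shown beside a guarded form, as an added example (not the slides' or DIVA's own code); the tag, class name and the `com.example.BuildConfig` import are assumptions for illustration:

```java
import android.util.Log;
import com.example.BuildConfig; // assumption: the app's generated BuildConfig class

public final class PaymentLog {
    private static final String TAG = "diva-log";

    // Insecure: the full card number is written to the shared logcat buffer,
    // readable with "adb logcat" and, before Android 4.1, by other apps on
    // the device.
    public static void logFailureUnsafe(String cardNumber) {
        Log.e(TAG, "Transaction failed for credit card: " + cardNumber);
    }

    // Hardened: nothing sensitive is written. Release builds log nothing at
    // all; debug builds only get a masked value, never the raw number.
    public static void logFailureSafe(String cardNumber) {
        if (!BuildConfig.DEBUG) {
            return;
        }
        Log.e(TAG, "Transaction failed for card " + mask(cardNumber));
    }

    // Keep only the last four digits, which is all a support log needs.
    static String mask(String cardNumber) {
        if (cardNumber == null) {
            return "****";
        }
        String digits = cardNumber.replaceAll("[^0-9]", "");
        if (digits.length() <= 4) {
            return "****";
        }
        return "**** " + digits.substring(digits.length() - 4);
    }
}
```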


Challenge 2 : Hardcoding Issues - 1

• Video 10 of “Android Security for Pentesters” at SecurityTube-Training and PentesterAcademy
• Reverse the Android application using jadx or dex2jar
• Analyse the application source code
• Find the “Secret key”


Challenge 3 : Insecure Data Storage I

• Video 8 of “Android Security for Pentesters” at SecurityTube-Training and PentesterAcademy
• Check the application local data storage
• Uses Shared Preferences for data storage
• Used by a lot of developers to store “sensitive data”
• /data/data/[package-name]/shared_prefs
• Check the xml file to see if you can find the sensitive information


Challenge 4 : Insecure Data Storage II

• Video 8 of “Android Security for Pentesters” at SecurityTube-Training and PentesterAcademy
• Check the application local data storage
• Uses a database for data storage
• /data/data/[package-name]/databases
• Database with the name ids2


Challenge 5 : Insecure Data Storage III

• Video 8 of “Android Security for Pentesters” at SecurityTube-Training and PentesterAcademy
• Check the application local data storage
• Uses temporary files for data storage
• /data/data/[package-name]/
• New file created with the name uinfo-*tmp


Challenge 6 : Insecure Data Storage IV

• Video 8 of “Android Security for Pentesters” at SecurityTube-Training and PentesterAcademy
• Uses external data storage
• /mnt/sdcard
• New file created with the name .uinfo.txt


Challenge 7 : Input Validation Issues 1

• Classical case of SQL Injection vulnerability
• Lack of input validation
• Taking user input and executing the SQL query
• 1' or '1'='1'-- makes it always true
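The query-building mistake this challenge exercises, beside the parameterized form that closes it, as an added example (not the slides' or DIVA's own code); the class and table names are assumptions for illustration:

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

public class UserLookup {
    private final SQLiteDatabase db;

    public UserLookup(SQLiteDatabase db) {
        this.db = db;
    }

    // Vulnerable: the input is spliced into the SQL text, so it becomes part
    // of the grammar. An input of  1' or '1'='1'--  closes the string early,
    // appends a tautology, and comments out the trailing quote, so every row
    // of the table is returned regardless of the user name.
    public Cursor findUserUnsafe(String user) {
        String sql = "SELECT * FROM sqliuser WHERE user = '" + user + "'";
        return db.rawQuery(sql, null);
    }

    // Hardened: the value travels as a bound parameter. SQLite receives the
    // statement and the value separately, so quotes and "--" in the input are
    // compared literally against the column and can never alter the query.
    public Cursor findUserSafe(String user) {
        return db.rawQuery("SELECT * FROM sqliuser WHERE user = ?",
                           new String[] { user });
    }
}
```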


Challenge 8 : Input Validation Issues 2

• Uses the user input to show the browser content
• Does it allow file:// ?
• If yes, can you read local data storage using this ?
• How about external storage ?
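A WebView that loads whatever URL the user enters, with the unsafe form beside one that rejects non-http(s) schemes and disables the WebView's own file access, as an added example (not the slides' or DIVA's own code); the class and method names are assumptions:

```java
import android.net.Uri;
import android.webkit.WebSettings;
import android.webkit.WebView;

public class UrlViewer {
    // Unsafe: the typed string is loaded as-is, so a file:// URL pointing at
    // /data/data/<package>/ or /mnt/sdcard renders the file in the WebView.
    public static void loadUnsafe(WebView view, String userInput) {
        view.loadUrl(userInput);
    }

    // Hardened: allow-list the scheme first, then switch off every
    // file-related capability so a bypass of the check still reads nothing.
    public static boolean loadSafe(WebView view, String userInput) {
        if (!isAllowedUrl(userInput)) {
            return false; // caller shows an error instead of loading
        }
        WebSettings s = view.getSettings();
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setJavaScriptEnabled(false);
        view.loadUrl(userInput);
        return true;
    }

    // Scheme check kept separate so it can be unit-tested without a WebView.
    static boolean isAllowedUrl(String input) {
        if (input == null) {
            return false;
        }
        Uri uri = Uri.parse(input.trim());
        String scheme = uri.getScheme();
        String host = uri.getHost();
        return scheme != null
            && (scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))
            && host != null && !host.isEmpty();
    }
}
```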


Challenge 9 : Access Control Issues 1

• API creds are accessible to the user
• We want to access them from outside the application
• Check out the AndroidManifest.xml file
• Defines an intent filter with the name jakhar.aseem.diva.action.VIEW_CREDS
• Can use am to invoke this intent filter:
• adb shell am start -a jakhar.aseem.diva.action.VIEW_CREDS


Challenge 10 : Access Control Issues 2

• Previous way does not work - brings us to a passcode screen
• Takes another argument chk_pin of the type boolean
• Using Drozer:
• run app.activity.info -a jakhar.aseem.diva
• run app.activity.start --component jakhar.aseem.diva jakhar.aseem.diva.APICreds2Activity --extra boolean chk_pin false


Challenge 11 : Access Control Issues 3

• Asks us to set a pin for the notes
• Pretty similar to what we did with the “Catch Notes” application in the Android Security for Pentesters course
• Uses a content provider
• Will use Drozer to exploit this vulnerability


Challenge 12 : Hardcoding Issues - 2

• JNI is used to perform validation in this case
• Look inside the lib folder
• Pull out the .so file
• Run objdump and readelf in order to understand more about it
• Check out the .rodata section (segment to store constant data)
• Read more about the ELF structure here - http://wiki.osdev.org/ELF
• objdump -s -j .rodata *.so
  • -s : show the full content
  • -j : specifying the segment name
• readelf -x .rodata *.so
  • -x : specifying the section name


Challenge 13 : Input Validation Issues - 3

• Left as a challenge :)

• Check out the complete training at:
  • securitytube-training.net
  • pentesteracademy.com
• Reach out to me at [email protected] or @adi1391