0% found this document useful (0 votes)
1K views14 pages

AndroGoat Application Vulnerability Assessment

Sadiq Sonalkar analyzed vulnerabilities in the AndroGoat application as part of a cyber security internship. He identified 6 vulnerabilities of varying severity levels, including insecure logging, sensitive data copied to the clipboard, cryptographic storage issues, insecure hardcoding, application denial of service, and insecure protocols. For each vulnerability, he provided steps to reproduce, proof of concept, and recommendations for mitigation.

Uploaded by

Sadiq Sonalkar
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
1K views14 pages

AndroGoat Application Vulnerability Assessment

Sadiq Sonalkar analyzed vulnerabilities in the AndroGoat application as part of a cyber security internship. He identified 6 vulnerabilities of varying severity levels, including insecure logging, sensitive data copied to the clipboard, cryptographic storage issues, insecure hardcoding, application denial of service, and insecure protocols. For each vulnerability, he provided steps to reproduce, proof of concept, and recommendations for mitigation.

Uploaded by

Sadiq Sonalkar
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 14

Name: Sadiq Sonalkar

Position: Cyber Security Intern

Application Name: Androgoat


INDEX
Vulnerability No. Vulnerability Vulnerability Level
Name
1 Insecure Logging High
Security Issues
2 Sensitive Data Medium
Copied to Clipboard
3 Cryptographic Critical
Storage Issues
4 Insecure Sensitive Critical
Hardcoding Issues
5 Application-Level Low
Denial-of-Service
6 Insecure Protocols High
Vulnerability Number: 1
Vulnerability Name: Insecure Logging Security Issues
Vulnerability Critical Level: High
Vulnerable Application Name: AndroGoat
Vulnerability Description: Logging is a method that developers use
for tracing the code and watching warnings or errors. Unfortunately,
sometimes developers write sensitive data in logs. In such a situations
attacker may gain access and read logs for stealing sensitive data.
Steps to reproduce:
1. Install AndroGoat in your Android.
2. Start Appie, and in appie type ‘pidcat’. Pidcat is already
installed.
3. Pidcat is already started and it will store all the Log
4. Now go to your AndroGoat application and insert data into
insecure logging. And pidcat will capture it.
Proof of Concept:

-Sadiq S.
How to Mitigate the Vulnerability:

1. Involve Security at every phase of SDLC when implement log


function.
2. Implement a standard and centralized logging function.
3. Consistent monitoring and scan your log data.
4. Understand that data you are logging.

Vulnerability Number: 2

Vulnerability Name: Sensitive Data Copied to Clipboard


Vulnerability Critical Level: Medium
Vulnerable Application Name: AndroGoat
Vulnerability Description: Sensitive data may be stored,
recoverable, or could be modified from the clipboard in clear text,
regardless of whether the source of the data was initially encrypted. If
it is in plaintext at the moment the user copies it, it will be in plaintext
when other applications access the clipboard.
Steps to reproduce:
1. Start Appie, and in your AndroGoat application go to clipboard
copy and paste.
2. In appie, type ‘adb shell ps | grep owasp.sat.agoat’
3. We will get the UID, mine is u0_a52.
4. In Androgoat enter credit card no and generate OTP.
5. In appie, type ‘adb shell su u0_a52 service call clipboard 2 s16
owasp.sat.agoat’.
6. Now in appie, we can see the same OTP copied to clipboard.

-Sadiq S.
Proof of Concept:

How to Mitigate the Vulnerability:


1. Where appropriate, disable copy/paste for areas handling
sensitive data.
2. Eliminating the option to copy can help avoid data exposure.
3. On Android the clipboard can be accessed by any application
and so it is recommended that appropriately configured Content
Providers be used to transfer complex sensitive data.

-Sadiq S.
4. In addition, it can be interesting to clear the clipboard after
taking the contents, to avoid other apps read them and leak what
the user is doing.

Vulnerability Number: 3

Vulnerability Name: Cryptographic Storage Issues


Vulnerability Critical Level: Critical
Vulnerable Application Name: AndroGoat
Vulnerability Description: Insecure Cryptographic Storage
vulnerability occurs when an application fails to encrypt sensitive data
or encrypt data with poorly designed older cryptographic algorithms.
This flaw can lead to sensitive information disclosure to attackers.
Steps to reproduce:
Part 1:
1. In appie type ‘adb shell’
2. Then type ‘cd data/data’
3. Using ‘ls’ we will get the package name
4. Now type ‘cd owasp.sat.agoat’
5. Now type ‘ls’ and then change the directory to shared preference
using ‘cd shared_prefs’.
6. We can see users.xml. Open users.xml using ‘cat users.xml’.
7. Then we can see our username and password.
Part 2:
1. In appie type ‘adb shell’
2. Then type ‘cd data/data’
3. Using ‘ls’ we will get the package name
4. Now type ‘cd owasp.sat.agoat’
5. Now type ‘ls’ and then change the directory to shared preference
using ‘cd shared_prefs’.
6. We can see score.xml. Open score.xml using ‘cat score.xml’.
7. Then we can see our Level as well as Score.

-Sadiq S.
Proof of Concept:
Part 1:

-Sadiq S.
Part 2:

How to Mitigate the Vulnerability:


1. Make your application secure and try to patch common
vulnerabilities.
2. Store Sensitive data only when needed.
3. Only use Widely Accepted Cryptographic Algorithms.
4. Use secure way of Password encryption to avoid risks.
5. Generate keys offline and never transmit over insecure channels.
6. Ensure Offsite Backups are encrypted.

Vulnerability Number: 4

Vulnerability Name: Insecure Sensitive Hardcoding Issues


Vulnerability Critical Level: Critical
Vulnerable Application Name: AndroGoat
Vulnerability Description: Hard coding sensitive information, such
as passwords, server IP addresses, and encryption keys can expose the
information to attackers. Anyone who has access to the class files can
decompile them and discover the sensitive information. Leaking data
can also have legal consequences. Consequently, programs must not
hard code sensitive information.

-Sadiq S.
Steps to reproduce:
1. Using ApkTool we will decompile the application.
2. And we can go to ‘C:\Appie\bin\adt\sdk\platform-
tools\AndroGoat\res\values’ and we can go in strings and get
hard coded information.
3. And to get the source code we will use dex2jar and jd gui.
4. We will put our apk into dex2jar folder. And open cmd in that
folder.
5. Then type: ‘d2j-dex2jar.bat AndroGoat.apk’. And we will get a
jar file.
6. And we will open the jar file in JD-gui. And we will get the
source code.
7. There we can see our package name ‘owasp.sat.agoat’. In that
folder we can see HardCodeActivity.class. Inside that class file
we can get the promocode as ‘NEW2019’.
Proof of Concept:

-Sadiq S.
How to Mitigate the Vulnerability:
1. Developer should not hardcode sensitive information.
2. Developers should prevent from leaking data in the source code.
3. If hardcoding is needed, use cryptography to encrypt that
information
Vulnerability Number: 5
Vulnerability Name: Application-Level Denial-of-Service
Vulnerability Critical Level: Low
Vulnerable Application Name: AndroGoat
Vulnerability Description: Application layer DoS attacks are
designed to attack the application itself, focusing on specific
vulnerabilities or issues, resulting in the application not being able to
deliver content to the user.
Steps to reproduce:
1. Install drozer agent in android.
2. In appie type ‘adb forward tcp:31415 tcp:31415’
3. Then type ‘drozer console connect’

-Sadiq S.
This will start a drozer console.
4. In drozer console type ‘run app.package.list -f agoat’ – This will
give us package name.
5. Type ‘run app.package.attacksurface owasp.sat.agoat’ – This
will return attacksurface.
6. We can see there are 2 Activities and 1 service exported.
7. First, we will exploit application using activity. Type ‘run
app.activity.info -a owasp.sat.agoat’- This will return the
activities name.
8. To exploit this type ‘run.app.activity.start --component
owasp.sat.agoat owasp.sat.agoat.SplashActivity’ – This will
crash the application and show splash screen.
9. Type ‘run.app.activity.start --component owasp.sat.agoat
owasp.sat.agoat.AccessControlViewActivity’ – This will crash
the application and take us to unprotected Android Component.
10. After using activity we will use the service to exploit. Type
‘run app.service.info -a owasp.sat.agoat’ - This will return the
service name.
11. To exploit this type ‘run.app.service.start --component
owasp.sat.agoat owasp.sat.agoat.DownloadInvoiceService’ –
This will crash the application and it will create a service first
then it will download an invoice.
Proof of Concept:
For activity:

-Sadiq S.
Splash Screen: Access Control View Activity:

For service:

-Sadiq S.
How to Mitigate the Vulnerability:
1. Use flow telemetry analysis supplemented with behavioral
analysis to detect abnormalities and attacks. Focus on
understanding what is normal. This will simplify the
identification of abnormalities.
2. Use an IDMS to detect abnormal behavior and application layer
attacks that require advanced and active mitigation; and using
this approach in conjunction with BGP FlowSpec Offload when
and where appropriate.

Vulnerability Number: 6
Vulnerability Name: Insecure Protocols
Vulnerability Critical Level: High
Vulnerable Application Name: AndroGoat
Vulnerability Description: A protocol, service, or port that
introduces security concerns due to the lack of controls over
confidentiality and/or integrity.
These security concerns include services, protocols, or ports that
transmit data or authentication credentials (for example,
password/passphrase) in clear-text over the Internet, or that easily
allow for exploitation by default or if misconfigured.
Examples of insecure services, protocols, or ports include but are not
limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.
Steps to reproduce:
1. Just Connect Burpsuite proxy to our android. Once connected
start the intercept. It will intercept each and every request
coming from our android.
2. Now in androgoat application go to Network intercept. And
click on http. It will send a http request using demo.testfire.net.
And we can see burpsuite have intercept it. Also if there was any
password in the request we could have seen it in clear text.

-Sadiq S.
3. Now click on https. It will send a https request using owasp.org.
And we can see burpsuite have intercept it. Also if there was any
password in the request we could have seen it in clear text.
Proof of Concept:
HTTP request:

HTTPS request:

-Sadiq S.
How to Mitigate the Vulnerability:
1. The first and most obvious is to find devices running services
like Telnet and SNMPv1/2, and to replace them with a more
secure option.
2. Locating devices like these is easy with a network operations
system that keeps track of which ports and services are
running on which devices.
3. Once you’ve identified the insecure devices, replace Telnet with
SSH-2, and upgrade installations of SNMPv1 and SNMPv2 with
SNMPv3, which is much more secure than its predecessors.

-Sadiq S.

You might also like