Android Pentest Notes
Android Pentest Notes
Applications
Applications is the top layer of android architecture. The pre-installed applications like home, contacts, camera,
gallery etc and third party applications downloaded from the play store like chat applications, games etc. will be
installed on this layer only.
It runs within the Android run time with the help of the classes and services provided by the application framework.
Application framework
Application Framework provides several important classes which are used to create an Android application. It
provides a generic abstraction for hardware access and also helps in managing the user interface with application
resources. Generally, it provides the services with the help of which we can create a particular class and make that
class helpful for the Applications creation.
It includes different types of services activity manager, notification manager, view system, package manager etc.
which are helpful for the development of our application according to the prerequisite.
Application runtime
Android Runtime environment is one of the most important part of Android. It contains components like core libraries
and the Dalvik virtual machine(DVM). Mainly, it provides the base for the application framework and powers our
application with the help of the core libraries.
Like Java Virtual Machine (JVM), Dalvik Virtual Machine (DVM) is a register-based virtual machine and specially
designed and optimized for android to ensure that a device can run multiple instances efficiently. It depends on
the layer Linux kernel for threading and low-level memory management.
The core libraries enable us to implement android applications using the standard JAVA or Kotlin programming
languages as Kotlin is decombiled and understood by the OS as java too.
Platform libraries
The Platform Libraries (Native) includes various C/C++ core libraries and Java based libraries such as Media,
Graphics, Surface Manager, OpenGL etc. to provide a support for android development.
Media library provides support to play and record an audio and video formats.
SGL and OpenGL both cross-language, cross-platform application program interface (API) are used for 2D and
3D computer graphics.
Web-Kit This open source web browser engine provides all the functionality to display web content and to
simplify page loading.
SSL (Secure Sockets Layer) is security technology to establish an encrypted link between a web server and a
web browser.
Security: The Linux kernel handles the security between the application and the system.
Memory Management: It efficiently handles the memory management thereby providing the freedom to develop
our apps.
Process Management: It manages the process well, allocates resources to processes whenever they need them.
Driver Model: It ensures that the application works properly on the device and hardware manufacturers
responsible for building their drivers into the Linux build.
Dalvik
On Android, applications are written in Java but run on the Dalvik virtual machine.
The Java source code is compiled into a different byte format called the Dalvik executable format, optimized for
ARM architecture. This format helps conserve resources and battery life on mobile devices.
The Dalvik executable format is represented as an optimized text file format called .dex . It contains classes that
are generated from the Java source code in the Dalvik executable format. If needed, the .dex file can be
converted back to a regular java file format by jadx to be read, but to edit you need to edit smali.
One important limitation of the .dex file is that it can only contain 65,535 methods. If an application exceeds this
limit, it will result in multiple .dex files, named classes.dex, classes2.dex, and so on. Libraries, frameworks, and
the Android system itself may also lead to multiple .dex files due to the number of methods they contain.
“ghex” tool is suitable to disassemble the code sections of the “classes.dex” file, revealing
the dalvik executable code (smali code)
Smali is an assembly-like programming language used in Android app development and reverse engineering. It is the
output of the Dalvik bytecode decompilation process and represents the low-level code that runs on Android’s Dalvik
Virtual Machine (DVM), Smali can be considered analogous to assembly language, but for Android applications. Both
Smali and assembly are low-level, human-readable representations of code that target specific virtual machines or
processor architectures.
Could be used to bypass any client side validations by editing Smali code
Tests the tamper validations, as APKs shouldn't be working after editing the Smali code and patching it then
recompiling “Building” it back
Flutter applications
Also known as (Non-proxy aware applications) , they dont follow proxy routing and the traffic directed to the
server and uses special certificate in such connection
to validate if the application is Flutter or not, by jadx-gui check the io folder, should contain flutter, io maybe
obfuscated ⇒ p313 io
https://hackmd.io/@runicpl/flutter-android
Xamarin applications
💡 you can make .NET APKs using Xamarin, as well as “IOS and Desktop” application.
https://github.com/x41sec/tools/blob/master/Mobile/Xamarin/Xamarin_XALZ_decompress.py
then use ⇒ dnSpy.exe to reverse the DLL files and fetch the readable code
Security Architecture
Android Security Architecture built on Linux based for OS and android based.
Linux based
its built on the UID separation that aims to organize access ,resources and files of each app.
When an app is installed or uninstalled on the device, the Package Manager updates this file
/data/system/ packages.xml to reflect the changes in the system’s package database. The file is essential for keeping
track of the installed apps and their permissions.
the content is something like is as we see every app has its own userId that can access the data belongs to this app
only.
Android based
it depends on the permissions located on the android manifest.xml file under <permission> & <uses-permission> tags.
<permission>
<permission> is used to define custom permissions that you create and control within your app. It does not request
access to device features or data directly; instead, it sets up access controls within your app or allows you to share
functionality with other apps while maintaining controlled access.
Value Meaning
The default value. A lower-risk permission that gives requesting applications access to
isolated application-level features with minimal risk to other applications, the system, or the
"normal" user. The system automatically grants this type of permission to a requesting application at
installation, without asking for the user's explicit approval, though the user always has the
option to review these permissions before installing.
A higher-risk permission that gives a requesting application access to private user data or
control over the device that can negatively impact the user. Because this type of permission
"dangerous"
introduces potential risk, the system might not automatically grant it to the requesting
application. For example, any dangerous permissions requested by an application might be
displayed to the user and require confirmation before proceeding, or some other approach
might be taken to avoid the user automatically granting the use of such facilities.
A permission that the system grants only if the requesting application is signed with the same
"signature"
certificate as the application that declared the permission. If the certificates match, the
system automatically grants the permission without notifying the user or asking for the user's
explicit approval.
A permission that the system grants only if the requesting application is signed with an
"knownSigner" allowed certificate. If the requester's certificate is listed, the system automatically grants the
permission without notifying the user or asking for the user's explicit approval.
<uses-permission>
<uses-permission> is used to request permissions required by your app to access device features or data. It is a
declaration that informs the Android system of your app's permission requirements and is presented to the user
during installation for their approval.
Specifies a system permission that the user must grant for the app to operate correctly. The user grants permissions
when the application installs, on devices running Android 5.1 and lower, or while the app runs, on devices running
Android 6.0 and higher.
Assume you have an app that provides some sensitive data, and you want to allow other apps to access this data
only if they have a specific permission.
<permission
android:name="com.example.providerapp.PERMISSION_ACCESS_DATA"
android:label="Access Provider App Data"
android:protectionLevel="dangerous" />
Assume you have another app that wants to access the data provided by the first app. This app needs to request
and be granted the custom permission defined in the provider app’s manifest.
<!-- Request permission to access data from the Provider App -->
<uses-permission android:name="com.example.providerapp.PERMISSION_ACCESS_DATA" />
jadx-gui apkName
2. By using vs code, it has apkLap extension that can be used in reversing. To use it press ctrl+shift+p then open apk
then choose the file
💡 APKLab vsCode extension is better than apktool in dealing with decombiling and building after editing the smali
Static analysis is typically performed during the early stages of app development or before the app is deployed.
Static analysis is effective at identifying potential security issues within the code, such as hardcoded credentials,
insecure data storage, insecure code patterns or any insecure component implementations.
Static analysis can identify issues that might not be apparent during dynamic analysis, such as hardcoded
secrets or hidden vulnerabilities in the code
AndroidManifest.xml
The AndroidManifest.xml file is a critical configuration file in an Android application. It's located in the root directory of
the app's source code and contains essential information about the app's structure, components, permissions,
and metadata.
The package attribute in the Android manifest file specifies the unique identifier for the
Android application. The package name is used to uniquely identify the app on the device
and in the Google Play Store which is here “com.mwr.example.sieve”.
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.INTERNET"/>
Review these permissions to ensure they are necessary and not overly permissive.
- These lines define custom permissions for the app. These custom permissions are related
to reading and writing keys and are marked with a protection level of “dangerous.”
- Evaluate how these custom permissions are used in the app and if they are correctly
protected and justified, custom permissions are related to the context of the app.
android:minSdkVersion : This attribute specifies the minimum Android version (API level) that your application can run
on.
android:targetSdkVersion : This attribute specifies the target Android version that your application was designed for.
If the targetSDK version is <= 17, and the stars align you could have RCE via CVE-2012–
6636.
Components
<activity> tag which contains all the activities on the app UI like buttons, headers and so on.
Exported Components
android:exported="true" This means, that activity is Explicitly Exported “can be called by other apps”.
Intents:
<intent> are messages that allow components to request actions from other components or apps.
broadcast intent ⇒ is broadcast system-wide and can be received by any component that has
registered to receive such broadcasts. like ACTION_BATTERY_LOW , ACTION_BOOT_COMPLETED
implicit intent ⇒ there’s Action defined inside it, don’t define the component it addresses , just the
action, and see which component will listen using an intent-filter ⇒ that will lead to allowing user to
choose by which activity to continue with “ex. Location”
it contains: <action> that specifies the action(s) associated with an intent filter. Each <action> element
defines a particular type of action that the component can respond to.
<service> activities run on the background “NOT SEEN by user” like music apps, battery life monitoring or app
onStartCommand Function
incoming broadcast intents and perform some action based on the content of those intents.
For example when System send message “Broadcast Intent” that the battery is low.
onRecieve Function
<provider> This is for the content provider component which used to deal with data when the application want
to access the database, it talks to the content provider that deals with database and brings data for the
application.
onCreate Function
we have three files are part of the Android operating system and are related to various
aspects of the system’s configuration and permissions. Here’s a brief overview of each
file
1. /data/system/packages.xml
The packages.xml file is located in the /data/system/ directory of an Android device. This file is used by the
Android Package Manager (PackageManager) to store information about installed packages (applications) on the
device. It contains details about each installed app, such as package name, version, installation status, granted
permissions, and other package-related information.
When an app is installed or uninstalled on the device, the Package Manager updates this file to reflect the
changes in the system’s package database. The file is essential for keeping track of the installed apps and their
permissions.
the content is something like is as we see every app has its own userid that can access the data belongs to this
app only.
2. /etc/permissions/platform.xml
The platform.xml file is part of the Android operating system’s configuration and is located in the /etc/permissions/
directory. This file defines the system-wide permissions for all applications on the device. It contains a list of
permission definitions, each with a unique name and protection level.
<permissions>
<!-- Define permission groups -->
<permission-group name="android.permission-group.LOCATION" >
<item name="android.permission.ACCESS_FINE_LOCATION" />
<item name="android.permission.ACCESS_COARSE_LOCATION" />
</permission-group>
3. Android_filesystem_config.h
The Android_filesystem_config.h file is a header file in the Android source code. It defines the permissions and
attributes for various directories and files in the Android filesystem. Each entry in this file specifies the default
permissions (owner, group, others) and the SELinux context for a specific path in the Android filesystem.
When the Android system is built, this file is used to set the appropriate permissions and attributes for different
directories and files. It ensures that the correct security context and permissions are applied to system resources
during runtime.
note that these files are part of the Android operating system’s internal configuration and
are not meant to be directly modified or accessed by regular users “until you root the
device” or third-party applications. Making changes to these files without proper
understanding or authorization can lead to system instability or security issues. They are
primarily used by the Android OS itself to manage app installations, permissions, and
filesystem configurations.
Current Activity
Your device should be set in Developer mode, and the USB Debug is enabled or whatever way you will connect
Ensure that your Windows firewall allows incoming connections on port 62001.
adb shell
You can execute shell adb commands directly using ⇒ adb shell ….
Port Tunneling
WebView
We want to be able to control the input to the webView
Check for Exported activity supports Webview in manifest by searching fot webView or loadUrl
we will pass the activity by extra string value to the reg_url variable, to load our URL
loadUrl(…..) is a built-in function in java ⇒ loads the url and it also support the file scheme as long as the APK
has the Permission READ_EXTERNAL_STORAGE
By this method we can also load Files by the permission of the APP if it has access to some files
Diva example
in AndroidManifest.xml , the activity that has the above intent-filter, will execute the action
in i.putExtra(getString(R.string.chk_pin), chk_pin);
and
false is the value of the chk_pin
💡 if the WebView.setWebContentDebuggingEnabled(true)
Remote Debugging
if you click on inspect in the bottom of the image, you can directly access the web view and also you can then
execute js code from the developer tool inside the browser and it will appear on the victim’s screen and also
you can execute xhr object to read files from the system and send it to me
If you set setAllowUniversalAccessFromFileURLs(true) This setting primarily affects JavaScript's ability to access
content from local files within the WebView. While it can be used to relax the Same-Origin Policy for file
URLs
setAllowUniversalAccessFromFileURLs(true) here allow js execution from your local files using file schema URLs and
this removes any restrictions to same origin policy and permit the web view to send web requests from
local file in the system. if it’s true we can use it to make JS file that sends sensitive data to a remote
attacker server with web requests.
https://beeceptor.com/ ⇒ allow you to make Endpoint to forward your request and see its body
Web views in android allows you to use JavaScript and can be enabled through this line.
This line makes an interface between JavaScript used in web view and java source code used inside the app.
So, JavaScript can call any public method defined from WebAppInterface() objects or in this class actually.
2- the reference that will be called from the JavaScript code. in our example "Android"
This can be used to invoke native utilities from your phone like sending SMS to anyone or stealing your account
information. Here is an js example of calling function inside this class :
In the past from android 4, if you can render the java code from web view then you can control the whole app and
get to RCE from it. For example :
NOW , the android apps have protection from all reflection based attacks. by using this option :
This option permits checking to the loaded URL and make validations on it to stop the injection attacks.
Deep links
What is a IMPLICIT Deep Link? URL points to an activity
is detected in Manifest <data android:scheme="EXAMPLE" .... >
In the above image, we can see the deep link for an activity.
2. Intent-filter defines the capability of a activity component based on the type of URI.
3. <action> Specify the ACTION_VIEW intent action, so that the intent filter can be reached from Google,
DuckDuckGo or Any other Search Engine.
4. <category> Include the BROWSABLE category. It is required in order for the intent filter to be accessible from a web
browser. Without it, clicking a link in a browser cannot resolve to your app.
Also include the DEFAULT category. This allows your app to respond to implicit intents. Without this, the activity can
be started only if the intent specifies your app component name.
5. Add one or more <data> tags, each of which represents a URI format that resolves to the activity. At minimum,
the tag must include the android:scheme attribute.
You can add more attributes to further refine the type of URI that the activity accepts. For example, you might
have multiple activities that accept similar URIs, but which differ simply based on the path name. In this case, use
the android:path attribute or its pathPattern or pathPrefix variants to differentiate which activity the system should
open for different URI paths.
Types of Deep links in Android
Explicit Deep Link
An explicit deep link is a single instance of a deep link that uses a PendingIntent to take users to a specific
location within your app.
is typically associated with a specific URI (Uniform Resource Identifier) that directly maps to a particular
activity or content within the app. It's explicit because the URI directly specifies what content or activity
should be opened when the link is triggered.
An Implicit deep link is a deep link in the form of URL when clicked, takes you to t
he content directly within the respected application.
An implicit deep link is often associated with deep linking based on URL patterns or content metadata. In
this case, the app is configured to handle URLs that match a certain pattern, and the system automatically
opens the relevant activity or content based on the URL structure. Implicit deep linking allows for a more
flexible approach where various URLs can lead to different parts of the app without explicitly specifying
each one in advance.
Ex: when a user clicks a link, Android can then open your app to the corresponding destination (Play store
link).
2. Now head to onCreate function to check if there’re extras to be handeled as URL parameter
Insecure Shop
1. <data> tags to collect the URL
DeepLink ⇒ insecureshop://com.insecureshop
2. head to onCreate
1. onCreate() is a life cycle event in Android. There are 6 core set of life cycle events in Android’s activity
lifecycle onCreate() , onStart() , onResume() , onPause() , onStop() , and onDestroy() which are self-explanatory.
2. webview settings for the defined webview activity. ⇒ WebViews are effectively web browsers embedded
into Android Apps.
4. intent.getData() fetches the uri and stores in uri object and checks if uri is empty.
uri format
1. checks for path if it has /web in it and execute the respective code.
2. checks for path if it has /webview in it and execute the respective code.
3. finish the checks, if both check fails and webview will not be loaded.
if 1 or 2 passes, it will fetch the uri and extract the value from the url query and store it on data variable and
will be loaded via webview.
From the above image, we will try to complete the uri to load the arbitrary web page in the webview.
insecureshop://com.insecureshop/web?url=https://3kal.medium.com (or)
insecureshop://com.insecureshop/webview?url=https://3kal.medium.com
we will use ADB to initiate the webview with our uri and we need to be logged into the insecureshop application.
if you are not able to find the credentials, then here it is shopuser:!ns3csh0p , once we login the screen looks like
below.
https://8ksec.io/android-deeplink-and-webview-exploitation-8ksec-blogs/
Native function
If you find a native functions , that means its code is inside native library not in java code, you will find it in the
lib Directory inside the APK after decomposing its components using APKtool
IDA tool to reverse non java code to see the assembly code
Broadcast Receivers
Broadcast receivers are components in an Android app that enable the app to respond to system-wide events or
custom events. These events, known as broadcasts, can originate from the system itself, other apps, or even the
app's own code. Broadcast receivers can be categorized into static and dynamic based on how they are registered.
1. Static Receivers:
Static receivers refer to
broadcast receivers that are declared in the AndroidManifest.xml file of the application. They are set up to listen
for specific broadcast events, such as device booting, network connectivity changes, or custom events. Static
receivers are registered automatically when the application is installed and do not require the app to be running
actively.
2. Dynamic Receivers:
Dynamic receivers, on the other hand,
are not declared in the AndroidManifest.xml file. Instead, they are registered and unregistered programmatically
within the app's code using registerReceiver function. This allows the app to control when the receiver is active
and listening for specific broadcast events. Dynamic receivers can enhance security to some extent, as they are
not exposed for potential exploitation via static declaration in the manifest.
Its Not a must to be exported ⇒ it may be used to respond to broadcast within the app
2. Jump to onRecieve Function in both static and dynamic ⇒ to check for extras needed
3. search by the action name to check any functions call the receiver action to check for example
In our example here’s the Function that required a Receiver , receives 3 strings as extras
we can use Medusa to sniff all exported intents and broadcast receivers
Firebase Database
Firebase Realtime Database is a cloud-hosted NoSQL database provided by Google as part of the Firebase suite of
mobile application development tools. It is designed to store and synchronize data in real-time between clients,
making it particularly well-suited for building real-time and collaborative applications such as chat apps, online
games, collaborative document editing, and more.
Row: 0 id=1, user=admin, note=I can not believe that Jill is still using 123456 as her pa
sswor
Row: 1 id=2, user=elliot.alderson, note=A bug is never just a mistake. It represents
Row: 2 id=3, user=darlene.alderson, note=That’s the trick about money.
Row: 3 id=4, user=gideon.goddard, note=You’re never sure about anything unl
by using another exported activity that can receive whole intent and redirerct it to this activity
Dynamic analysis
Definition
Known as "black-box" analysis, is the execution of the APK in a controlled environment (e.g., emulator or physical
device). During execution, the tester monitors the app's behavior, network traffic, and interactions with the
device's resources to identify vulnerabilities and security weaknesses.
Dynamic analysis is usually conducted after the app has been deployed or during the testing phase. It assesses
how the app behaves in a real-world scenario, including its interaction with external servers and services.
Dynamic analysis focuses on runtime vulnerabilities, including improper data handling, sensitive data leakage,
insecure communication, and runtime behavior anomalies.
While dynamic analysis can involve automation for certain tasks (e.g., automated testing scripts), it often requires
manual interaction to explore the app thoroughly.
Common dynamic analysis tools for Android include mobile app penetration testing frameworks like Frida ,
Drozer, Burp Suite, and various mobile security testing platforms.
Logs
logcat is a tool to monitor all logs from the device, to specify a pid we use --pid arg
#In case of Diva ⇒ Dynamic allocation to the PID , now we can monitor Diva logs
adb logcat --pid=$(adb shell pidof -s jakhar.aseem.diva)
as shown above the error is because of the Log.e part as it dumps the cc.txt as a string in the logs
Jadx can search in the entire App with keywords or Regex , so we can specify a Regex ⇒ ^Log.. to search for all
types of logs , remove ^ if u didn’t find outputs
Also, its recommended checking for Hardcoded creds or crypto keys as well as checking in Strings.xml
Check for Insecure Data storage, as it may be stored locally in shared_prefs directory in preferences.xml file
in ⇒ /data/data/YOUR_PACKAGE_NAME/shared_prefs/YOUR_PREFS_NAME.xml
https://www.notion.so/02aae17ad648406bb91477d99704c0fc?pvs=25#8d1d1e1d14254e299a2836e74eeadee3
If data is stored in a local database, we can examine it using sqlite3 and navigate through tables to dump creds
Task Hijacking (StrandHogg) “2 versions”
Version1
A task is a collection of activities that users interact with when performing a certain job.
The activities are arranged in a stack—the back stack)—in the order in which each activity is opened.
The activity that is displayed on the screen is called a foreground activity and its task is called the foreground
task. At a time, only one foreground task is visible on the screen.
Activities are stack structured, every activity u do in app is put on a stack, when u apply moveToBack it makes it go
back down to the stack which makes it not the current active activity.
excludeFromRecent: This attribute hides the app from both foreground and background while it's loaded and
running in memory.
Task Affinity: Task affinity is an attribute defined in each <activity> tag in the AndroidManifest.xml file. It's a way of
saying, "These activities belong together.”. By default, every activity has the same affinity as the package name.
Developers can use this tag to group activities that work together. By default, activities in an app share the same
task affinity.
Launch Modes: Launch modes tell Android how to handle new instances of an activity.
Standard
Single Top
Single Instant
Single Task
When an activity is set to "singleTask," Android checks if there's already an instance of that activity. If yes,
it brings it to the front; if not, it creates a new one.
The [launchMode] attribute specifies set of instructions for Android on how to open an activity.
Different activities in an app might need to be opened in different ways. This attribute helps developers tell
Android the preferred way.
For simplicity
Imagine you have a book open on a table. If you want to read it again, you don't go find a new copy; you
just pick up where you left off. Similarly, if an activity is already open, Android brings it to the front instead
of creating a new one.
Now, let's say you want to read a different book, one that's not open. Android needs to decide where to
put this new book. It looks at all the bookshelves (tasks) it has and finds one that matches (same task
affinity). If there's a match, it puts the new book on that shelf. This is why specifying the same task affinity
in our malicious app helps it launch in the same "bookshelf" as the vulnerable app.
If you bring in a brand new book that doesn't match any existing bookshelf (task), Android creates a new
shelf just for that book. It becomes the first book on a new shelf. This is what happens if no existing task
matches the new activity.
Attack
The victim needs to have the malicious app installed in his device.
Then, when the vulnerable application is opened, the malicious application will be opened instead.
If this malicious application presents the same login as the vulnerable application the user won't have any means to
know that he is putting his credentials in a malicious application.
Conclusion:
Task Hijacking (StrandHogg) is a security vulnerability that can allow malicious apps to exploit certain attributes
and behaviors of Android activities. By using task affinity, launch modes, and other mechanisms, attackers can
inject a malicious app into an affinity, make it hidden, and exclude it from recent tasks. This can deceive users and
lead them to interact with the malicious app, thinking it's part of a legitimate app.
Mitigation:
To mitigate the risk of Task Hijacking and similar attacks:
consider changing the launch mode of your activities from "single task" to "single instance" if the app does
not want other activities to join tasks belonging to it.
StrandHogg v2 :
StrandHogg 2.0 allows for broader attacks and is much more difficult to detect, making it, in effect, its predecessor’s
‘evil twin’. StrandHogg 2.0 doesn’t require a declaration in an Android manifest file, any special permissions, or
root access.
Drozer
drozer agent and drozer in lab is used together as a C2 to make Enumeration, drozer don’t have any permissions
except Internet perms. that means if it catch any data that means a vulnerability in the third party app not a
permission given to drozer
it can aslo enumerate all exported components in the APK then you have to go check manually, since the manifest
file in real life is very large so it would be much easier to start with drozer
Provide some basic information about the package using the app.package.info command
Launching Activities
Package: com.mwr.example.sieve
com.mwr.example.sieve.FileSelectActivity
com.mwr.example.sieve.MainLoginActivity
com.mwr.example.sieve.PWList
Drozer provides a scanner module that brings together various ways to guess paths and divine a list of
accessible content URIs:
Scanning com.mwr.example.sieve...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/ ...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/Keys
Accessible content URIs:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
We can now use other drozer modules to retrieve information from those content URIs, or even modify the
data in the database:
id: 1
service: Email
username: incognitoguy50
password: PSFjqXIMVa5NJFudgDuuLVgJYFD+8w== (Base64-encoded) email: incognitoguy50@gmai
Android returns a very verbose error message, showing the entire query that it tried to execute.
We can fully exploit this vulnerability to list all tables in the database:
to test LFI OR file path travesals Or reading local files via vulnerble content providers in the app
to read
$ pidcat com.mwr.example.sieve
Attacking Services
Attacking Activities
The components listed in the AndroidManifest.xml file
dz> org.owasp.goatdroid.fourgoats -u
Package: org.owasp.goatdroid.fourgoats
Exported Activities:
org.owasp.goatdroid.fourgoats.activities.Main
If you would see in the AndroidManifest.xml file of FourGoats application then you will find action name is
org.owasp.goatdroid.fourgoats.SOCIAL_SMS and component name as
org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver . So we have to set these
parameters in drozer accordingly.
adb kill-server
adb -a nodaemon server start
Frida
Intro
Is a powerful open-source dynamic instrumentation toolkit that is used for a variety of security-related tasks,
including analyzing and testing Android applications.
Allows to inject code into running processes, including Android apps, to monitor their behavior, manipulate
their runtime execution, and analyze their security vulnerabilities.
Frida provides
1. Code Injection: into the target application's runtime. This can be used to intercept function calls, modify
behavior, or gather information for analysis.
2. Runtime Analysis: to monitor the runtime behavior of an application, including tracking API calls, data flows,
and interactions with the system.
3. Dynamic Hooking: into specific functions or methods within an app to intercept and modify their behavior,
which is useful for security analysis and testing.
4. SSL Pinning Bypass: bypass SSL certificate pinning, which is a security mechanism used by apps to ensure
that they communicate with trusted servers. This is often done to analyze app-server communications for
vulnerabilities.
5. Reverse Engineering: by providing insights into code execution, memory manipulation, and more.
6. Behavior Monitoring: By injecting Frida scripts, you can observe an app's runtime behavior and interactions,
helping you identify potential security flaws or vulnerabilities.
Frida Moods
1- Injected mood → we put Frida server on the device in order to spawn or attach Frida script on a running
process in an app. In this mood, the device should be rooted.
2- Embedded mood → use a component called Frida-gadget instead of Frida server. We use it when we want
to run the app on a non-rooted device.
To use Frida for Android penetration testing, you typically write Frida scripts in JavaScript that define the
injections and hooks you want to apply to the target application. Frida works with both rooted and non-rooted
devices and supports various modes of interaction.
hooking
#Pending trial:
💡 To compose the .js file we can use jadx-gui ⇒ right clicking the class and select Copy as Frida
snippet(f):
Here’s an example to intercept activity in APK and over write a function named fun
Now lets deal with the function that is not called in the entire APK ⇒ secret()
Use Frida to hook PID of any service in Kali, for example to monitor any Deep-links coming out from the APK
For monitoring deep links across the system here we will use frida framework. To install the frida server and
agent we can refer to the frida documentation here https://frida.re/docs/android/, or take a look at using
FridaLoader (https://github.com/dineshshetty/FridaLoader) that automates the process for us.
After setting up the necessary components, we can utilize the enhanced version of a publicly available version
– modified to handle intensive operations.
This script will to monitor the deep links across the system.
With this script, we can monitor deep links across systems and gain a comprehensive understanding of
application functioning, and how we as attackers can exploit it
Medusa.py for Frida scripts
https://github.com/Ch0pin/medusa.git
reset
show all # to show all modules in Medusa
the above example starts monitoring the APK if it stored anything in shared prefrences
Objection
Similar to Medusa, also based on Frida and communicate through Frida server.
# android [[Choose]]
Memory Dumping
https://github.com/Nightbringer21/fridump
Root detection
to bypass this function Boolean validition:
rootCls.a.implementation = function () {
console.log("Check A bypassed");
return false;}
rootCls.b.implementation = function () {
console.log("Check B bypassed");
return false;}
rootCls.c.implementation = function () {
console.log("Check C bypassed");
return false;}
});
Frida CodeShare
"If I have seen further, it is by standing on the shoulders of giants." -Sir Issac Newton
https://codeshare.frida.re/
Project: fridantiroot
💡 There are two types of keys in android, its related to how android kernel signed while its compiling at the
beginning
1. test keys → means its signed by android AOSP keys (Android Open Source Project), its public keys
and known to anyone so the installed apps signed with this test keys. so this means that you can
change or hijack system applications without detection. So finding a test keys may be an indication
that this kernel has been hijacked.
2. release keys → its preferable that the kernel should sign with special release key with the access of
the developer or manufacturer only
Magisk
Its System less root way. Its an easy way to install and uninstall root on devices. Its specially made to bypass
safety net (its the official implementation from google in root detection).
Safety net
When you call this API, SafetyNet downloads a binary package containing the device validation code
provided from Google, and the code is then dynamically executed via reflection. An analysis by John
Kozyrakis showed that SafetyNet also attempts to detect whether the device is rooted, but exactly how
that's determined is unclear.
To use the API, an app may call the SafetyNetApi.attest method (which returns a JWS message with
the Attestation Result) and then check the following fields:
ctsProfileMatch : If 'true', the device profile matches one of Google's listed devices.
basicIntegrity : If 'true', the device running the app likely hasn't been tampered with.
timestampMs : To check how much time has passed since you made the request and you got the
response. A delayed response may suggest suspicious activity.
https://github.com/OWASP/owasp-mastg/blob/master/Document/0x05j-Testing-Resiliency-Against-
Reverse-Engineering.md
💡 Any application installed from google play store can call the safety net API and check for ctsProfile
Recently, Magisk has a new version called Zygisk and this injects the Magisk app inside the zygot process (this
process is responsible for spawning the applications in android) of the android directly. This makes the
bypassing of root detection more efficient and stealthy.
💡 Magisk app has a feature called hide Magisk app and this allows you to make the appears as another
one.
Magisk ⇒ safe Root batching and the ability of returning back is easy by just un installing it through the app
SaftyNet API is for google play installed app, check is the device is rooted
after Android 10, Root detection is harder since its based now more on hardware
Zygisk : is what the Magisk developers call running Magisk in the Zygote Process of Android.
The Zygote Process is the first process that the OS starts when it boots up, similar to PID 1 on other Linux-based
operating systems.
Since zygote starts first after system, it can hide root without sending data to apps.
Also it can bypass root detection to given Apps though Deny-List , you check app then restart
In Android, the Trust Manager is responsible for managing certificates and deciding which certificates should be
trusted when establishing secure connections using SSL/TLS. If a trust manager is compromised or not properly
implemented, it can lead to security vulnerabilities.
It can be used to intercept function calls, including those related to SSL/TLS connections. If an application is not
using certificate pinning and relies solely on the default trust manager, a Frida script could potentially intercept and
modify SSL/TLS traffic.
but Frida script won’t run on a Majisk or jygisk rooted device as they intercept traffic to bypass root detection:
this above won’t run in old Majisk ⇒ therefore to run Frida scripts while Majsik we use Frida on an already running
process
this script is a solution but it wont always go well from the first trial, You need to retry until u catch the right time
before initialization of the Trust manager
SSL Pinning
In dealing with APKs, Burp would cause issues, since the APK dont see the Burp as a valid Certificate pinned to it
form the server, and cause the connection not to be established correctly
2- apktool decompile
https://github.com/patrickfav/uber-apk-signer.git
finally adb install it and replace it with the real indeed apk
You Can bypass SSL Pinning using Frida Code Share , Medusa , Objection
Frida use the universal SSl pinning Code share
Objection:
MOBSF, or the Mobile Security Framework, is an open-source mobile application (Android and iOS) automated testing
framework that facilitates mobile app security assessment. It provides a set of tools and features to identify security
vulnerabilities and weaknesses in mobile applications. Here are some key activities you can perform with the help of
MOBSF:
1. Static Analysis:
Source Code Review: MOBSF allows you to perform static analysis on the source code of Android applications.
It can identify potential vulnerabilities and security issues by analyzing the codebase.
Binary Analysis: MOBSF can analyze the binary (APK) of an Android application without access to the source
code, providing insights into potential security risks.
2. Dynamic Analysis:
Dynamic Analysis with Emulation: You can use MOBSF to dynamically analyze the behavior of mobile
applications by emulating their execution in a controlled environment. This helps identify runtime vulnerabilities
and behaviors.
Network Traffic Analysis: MOBSF captures and analyzes network traffic generated by the mobile application.
This is crucial for identifying potential security risks related to data transmission.
3. Vulnerability Scanning:
MOBSF incorporates various tools and scanners (e.g., OWASP ZAP, MobSF API, and QARK) to scan for common
vulnerabilities such as insecure data storage, insecure network communication, and code vulnerabilities.
MOBSF assists in testing the security of APIs that mobile applications interact with. It helps identify
vulnerabilities such as improper authentication, insecure data transmission, and other API-related security
issues.
MOBSF provides comprehensive reports summarizing the findings of the analysis. These reports include details
on identified vulnerabilities, their severity, and recommendations for remediation.
MOBSF is customizable and extensible, allowing security professionals to add their custom rules, plugins, or
modules for tailored security assessments.
8. Compliance Checks:
MOBSF includes checks for compliance with mobile application security standards and best practices, including
the OWASP Mobile Security Testing Guide.
9. Reverse Engineering:
While not a primary feature, MOBSF can assist in basic reverse engineering tasks by providing insights into the
structure and behavior of an application.
MOBSF is designed to cover the OWASP Mobile Top 10, a list of the most critical security risks to mobile
applications.
Sayed Abdelhafiz Session and Blog
https://dphoeniixx.medium.com/exploiting-request-forgery-on-mobile-applications-e1d196d187b3
Request Forgery
CSRF or SSRF is the most popular web vulnerabilities, both depending on the same concept.
Forgery a part of an authenticated request to perform an unwanted action or access sensitive data.
In the mobile application, the same vulnerability class exists. There might be some differences from a web
application, but it leads to the same thing. It came from the most common attack surface in a mobile application,
which is deep links.
It’s simple, the application will try to match the deep link path to get target activity, or its configure then parse the
inputs to pass it to the next stage. The above case will retrieve username parameter value from the deep link then pass
it to the profile activity.
Profile Activity will send a request to the server to retrieve the user’s profile. Some APIs use parameters only for their
inputs; some may use parameter and path segments. let’s imagine the
following: https://api.example.com/v1/users/{username} is the endpoint that the application will send a request to it to
retrieve the user’s profile
Here is the problem come, in this case, the attacker can forgery the request path using path traversal,
e.g.: example://app/users?username=../../unwanted-endpoint%3fparam=value will request -> https://api.example.com/unwated-endpoint?
param=value
Some deep links don’t parse their inputs from parameters, maybe path segments! e.g. : example://app/users/dphoeniixx .
It’s still vulnerable; the attacker can encode the path traversal payload like that: example://app/users/..%2f..%2funwanted-
endpoint%3fparam=value , don’t worry about the encoded input, Uri.getPathSegments Method will decode every path
segment:
Sometimes developers don’t use getPathSegments method to retrieve the URI’s path segments, but anyway, almost
all web-server will decode the path and redirect to the canonicalized path, e.g.:
GET /v1/users/..%2f..%2funwated-endpoint%3fparam=value HTTP/1.1 -> HTTP/1.1 302..\nLocation: /unwanted-endpoint?param=value
We can exploit it and forgery the request path to any endpoint that can do harmful things to the user,
e.g.: example://app/promo?code=../users/me%[email protected] -> POST /v1/users/[email protected] (Account
Takeover)
Please notice most of the time. You can put the POST body on the query string:
password=123456
Same as
4- if the app has storage permission access then he can access /sdcard
https://github.com/AleDiBen/APLBreaker
https://github.com/sch3m4/androidpatternlock
this tools are for applications but for the device pattern itself, you can use another tools.
💡 IF you have kali-hunter on your mobile you can install this tool
physically to another one and crack its password.
Android-PIN-BruteForce and connect the device
Good Resources
https://book.hacktricks.xyz/mobile-pentesting/android-app-pentesting
https://github.com/OWASP/owasp-mastg/tree/master/Document
CTFs:
GitHub - xtiankisutsa/awesome-mobile-CTF: This is a curated list of mobile based CTFs, write-ups and vulnerable apps. Most of them are an
This is a curated list of mobile based CTFs, write-ups and vulnerable apps. Most of them are android based due to the popularity of the platform. - GitHub - xt
https://github.com/xtiankisutsa/awesome-mobile-CTF#mobile-ctf-challenges