Let's hack an Android app!

Hardware Ingredients

1. A rooted Android phone
2. USB cable
3. WiFi setup

Software Ingredients

1. Android Debug Bridge (adb)
2. MobSF
3. Drozer
4. SQLite Browser

Target App

It's deliberately vulnerable

Hacking in 7 Steps

1. Identify Architecture of APK
2. Identify IP Address of Android Phone
3. Connect to Android Phone
4. Install APK
5. Static Analysis
6. Dynamic Analysis
7. Storage Analysis

A Few Vulnerabilities

1. Hardcoded sensitive data
2. Launching an unprotected activity
3. SQL-Injection via content provider
4. Path-traversal via content provider
5. Invoking an unprotected service
6. Reading unencrypted data from SQLite database

#1. Identify Architecture of APK

#2. Identify IP Address of Android Phone

1. Go to Settings > Connections > Wifi
2. Long press on desired network connection
3. Select "Manage Network Settings"
4. Select "Show advanced options"
5. Scroll down to view the IP address of Android phone

#3. Connect to Android phone

1. Connect Android phone to laptop via USB cable 
2. Identify the IP address of target Android phone
3. Run following commands:
4. Unplug the USB cable

#4. Install APK

#5. Static Analysis

Start MobSF

Check 'Android Permissions'

Check 'Manifest Analysis'

Hardcoded Internal IP and port in 'SettingsActivity.java'

#6. Dynamic Analysis

Install Drozer Agent in Android

Turn on 'Embedded Server'

Connect to Drozer Agent using Drozer Console

What is an Activity?

1. Start adb logcat
2. Launch Sieve app
3. Login activity shows up
4. Enter valid Password / PIN
5. PWList activity shows up
6. You can see "Your Passwords"

Identify Vulnerable Activities

Launch a Vulnerable Activity 

Identify Vulnerable Content Providers

What is a Content Provider?

Obtain a List of Accessible Content URIs

content://content_authority/table_name

SQL-Injection Attack via Content Provider

Path Traversal via Content Provider

Identify Vulnerable Services

Let's Analyze 'AuthService.java'

What does 'getKey()' return?

It returns the Master Password!

Brute Force PIN & Retrieve Master Password

#7. Storage Analysis

How to Pull Files from Rooted Phone? 

Welcome "adb-root"!

https://github.com/Jakeler/adb-root

Pull a Database File

Open the Database File in SQLiteBrowser

Compromised Sieve App!

Why Android App Security Matters? 

According to Statistic

http://gs.statcounter.com/os-market-share/mobile/worldwide

What Makes an Android App Vulnerable?

Two Main Reasons

• Non-conformance with security best practices

• Lack of security awareness in users

As a Result ...

#1. Users Using Vulnerable App

#2. Falling Prey To Malware

An Adversary Can

1. Gain physical access to a stolen device
2. Access your device remotely via a malware

Things could go                 here

1. Hard Coded Passwords & Keys

2. Sensitive Data in Local Storage

3. Insecure interaction with the Android OS

4. Data sent over HTTP to API endpoints
5. Broken Authentication and Authorization

As a User, You Should ...

Be Aware of Where You Install Your App From!

1. Google Play

ALWAYS USE THIS.

• Use official app store
• Anything else is 3rd-party store

2. Avoid 3rd-Party App Stores

3. Check App Permissions

4. Install System Updates

Be Informed! Be Safe!

Twitter: @_riddhishree

Email: mirage@null.co.in

Further Reading

References-1

1. http://blog.startwithwhy.com/.a/6a00d834525fff69e201bb08887fa8970d-pi
2. http://fixfirmwares.com/sm-g925i-cf-auto-root-s6
3. http://gs.statcounter.com/os-market-share/mobile/worldwide
4. https://2.bp.blogspot.com/-SyYsE6lCBK4/WpbnmkKnvjI/AAAAAAAAFG4/iALBir1-WU0NzVTf-83eo3MB0kvaHZliQCLcBGAs/s1600/ad_logo_twitter_card.png
5. https://appbrain-app-market.en.uptodown.com/android
6. https://f-droid.org/en/
7. https://forum.xda-developers.com/android/apps-games/app-selinux-switch-t3656502
8. https://forum.xda-developers.com/showthread.php?p=75587044#post75587044
9. https://forum.xda-developers.com/showthread.php?t=1687590
10. https://forum.xda-developers.com/showthread.php?t=1687590&page=27
11. https://fscl01.fonpit.de/userfiles/6727621/image/2nd_YEAR/Random/Play_store_ANDROIDPIT.jpg
12. https://futurestud.io/tutorials/how-to-debug-your-android-app-over-wifi-without-root
13. https://mashable.com/article/apps-malware-google-play-store-breach/

References-2

1. https://securityaffairs.co/wordpress/80057/hacking/es-file-explorer-flaws.html
2. https://stackoverflow.com/questions/25271878/android-adbd-cannot-run-as-root-in-production-builds/28070414
3. https://threatpost.com/microsoft-outlook-android-xss/145924/
4. https://www.androidpolice.com/wp-content/uploads/2018/08/mobile-gaming-samsung.png
5. https://www.cisomag.com/critical-vulnerability-in-outlook-for-android-affects-more-than-100-million-users/
6. https://www.cisomag.com/instagram-data-breach-49-million-users-sensitive-data-exposed-online/
7. https://www.digit.in/news/internet/popular-android-apps-are-sharing-sensitive-data-with-facebook-report-45563.html
8. https://www.google.co.in/url?sa=i&source=images&cd=&ved=2ahUKEwiLqta01pjjAhVaf30KHUPjDvoQjRx6BAgBEAU&url=https%3A%2F%2Fwww.notebookcheck.net%2FOver-700-000-rogue-apps-removed-from-Google-Play-Store-in-2017.280554.0.html&psig=AOvVaw120qqqU9wIkF1h16yAtHFs&ust=1562240719967516
9. https://www.thenational.ae/business/technology/whatsapp-voice-calls-used-to-inject-israeli-spyware-ft-reports-1.861156

References-3

1. https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/
2. https://www.xda-developers.com/run-adbd-in-root-mode-with-adbd-insecure/
3. https://www.zdnet.com/article/android-malware-steals-money-from-paypal-accounts-while-users-watch-helpless/
4. https://zdnet3.cbsistatic.com/hub/i/r/2018/12/11/7339c2a1-3116-4f7b-a9cc-12127fffdce9/thumbnail/770x578/5442beca9e6190562fb773e9ec8758f6/android-paypal-steal.jpg
5. https://cdn0.iconfinder.com/data/icons/customer-service-and-feedback-part-2/64/Q_A-session-512.png
   

Troubleshooting

• https://android.stackexchange.com/questions/150120/adb-device-always-unauthorized