![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6637448/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6665268/pasted-from-clipboard.png)
About Me
- Creator of "VyAPI – A Modern Cloud Based Vulnerable Android App"
- Application Security Analyst at Appsecco (@appseccouk)
- Chapter Leader at null Bangalore (@nullblr)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6304851/myself.jpg)
The Goal
To provide Android security enthusiasts a platform to practice hacking a cloud-based vulnerable Android app
Your Takeaways
- What is VyAPI
- How to set up your personal VyAPI test environment
- OWASP - Mobile Top 10 2016 in VyAPI
- Built-in features for you to explore
- Reference materials
What is VyAPI?
- It's a cloud based vulnerable Android app built using modern technologies like AWS Amplify, Amazon Cognito, Glide, Room Persistence, etc.
7 steps to get started
#1: Install Required Software
- Node.js
- NPM
- Amplify CLI
- AWS CLI
- Android Studio
- Android Emulator
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/7068865/pasted-from-clipboard.png)
#2: Configure Amazon Cognito
$ git clone git@github.com:appsecco/VyAPI.git
$ cd VyAPI/
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6640455/pasted-from-clipboard.png)
#3: Create Android Emulator
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6640489/pasted-from-clipboard.png)
#4: Run VyAPI
#5: Register a user
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6640575/pasted-from-clipboard.png)
#6: Login
#7: Start Hacking
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6640875/pasted-from-clipboard.png)
OWASP Mobile Top 10 2016 in VyAPI
M1-Improper Platform Usage
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6640978/pasted-from-clipboard.png)
A Vulnerable Activity
dz> run app.activity.start --component com.appsecco.vyapi com.appsecco.vyapi.MainActivity
A Vulnerable Service
dz> run app.service.start --component com.appsecco.vyapi com.appsecco.vyapi.service.PlayMusicService
SQL Injection Through Content Provider
dz> run app.provider.query content://com.appsecco.vyapi.ContactDBProvider/contacts/ --projection "*"
M2-Insecure Data Storage
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641106/pasted-from-clipboard.png)
M3-Insecure Communication
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641135/pasted-from-clipboard.png)
Can you intercept the secret SMS?
M4-Insecure Authentication
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641364/pasted-from-clipboard.png)
M5-Insufficient Cryptography
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641373/pasted-from-clipboard.png)
Where is the encryption key?
M6-Insecure Authorization
Can unauthenticated users access sensitive AWS services?
First, find a Cognito Identity Pool ID
E.g., us-east-1:f0e6168e-4865-4890-97e5-489cd6106g83
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641395/pasted-from-clipboard.png)
Is access to unauthenticated identities enabled?
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641405/pasted-from-clipboard.png)
Use Boto 3 to fetch credentials for an identity pool ID
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641409/pasted-from-clipboard.png)
Access Key, Secret Key, and Session Token
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641417/pasted-from-clipboard.png)
Use enumerate-iam Python script
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641423/pasted-from-clipboard.png)
Which of the AWS services could be accessed by unauthorized users?
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641427/pasted-from-clipboard.png)
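A defender-side version of the check this section walks through, as an added example (not code from the VyAPI project or the original slides): given the `describe_identity_pool` and `get_identity_pool_roles` responses for a pool you own, plus the guest role's IAM policy documents, it reports which allowed actions go beyond a guest baseline. The baseline set, the role name and all sample IDs are assumptions constructed for illustration.

```python
import fnmatch

# Assumption: the only actions a guest (unauthenticated) role should need.
GUEST_BASELINE = {"mobileanalytics:putevents", "cognito-sync:*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def excess_guest_actions(policy_doc, baseline=GUEST_BASELINE):
    """Return Allow-ed actions in an IAM policy document beyond the baseline."""
    excess = set()
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            excess.add("NotAction")
        for action in _as_list(stmt.get("Action", [])):
            # Acceptable only if a baseline pattern covers the whole action.
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in baseline):
                excess.add(action)
    return sorted(excess)


def audit_pool(pool, roles, role_policies):
    """pool / roles: describe_identity_pool and get_identity_pool_roles
    responses; role_policies: {role ARN: [policy documents]} read from IAM."""
    finding = {"pool": pool["IdentityPoolId"], "guest_enabled": False,
               "guest_role": None, "excess_actions": []}
    if not pool.get("AllowUnauthenticatedIdentities", False):
        return finding
    arn = roles.get("Roles", {}).get("unauthenticated")
    found = set()
    for doc in role_policies.get(arn, []):
        found.update(excess_guest_actions(doc))
    finding.update(guest_enabled=True, guest_role=arn, excess_actions=sorted(found))
    return finding


# Constructed sample data (placeholder IDs, not taken from any real account).
POOL = {"IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
        "AllowUnauthenticatedIdentities": True}
ROLES = {"Roles": {"unauthenticated": "arn:aws:iam::111111111111:role/ExampleUnauthRole"}}
POLICIES = {"arn:aws:iam::111111111111:role/ExampleUnauthRole": [
    {"Statement": [{"Effect": "Allow", "Resource": "*",
                    "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"]}]},
    {"Statement": {"Effect": "Allow", "Action": ["s3:*", "dynamodb:Scan"],
                   "Resource": "*"}}]}

if __name__ == "__main__":
    print(audit_pool(POOL, ROLES, POLICIES))
```

Any non-empty `excess_actions` on a pool with `guest_enabled` set is the misconfiguration this section asks about: either disable unauthenticated identities or trim the guest role to the baseline.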
M7-Poor Code Quality
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641359/pasted-from-clipboard.png)
Vulnerable Broadcast Receiver
dz> run app.broadcast.send --action com.appsecco.vyapi.Broadcast --extra string new_file_name dz_file1 --extra string temp_file_path etc/hosts
dz> run app.broadcast.send --action com.appsecco.vyapi.Broadcast --extra string new_file_name ../../../../../../../../../../sdcard/Android/data/com.appsecco.vyapi/files/Pictures/dz_file2 --extra string temp_file_path etc/hosts
M8-Code Tampering
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641187/pasted-from-clipboard.png)
M9-Reverse Engineering
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641145/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641355/pasted-from-clipboard.png)
Sensitive File in APK Bundle
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641126/pasted-from-clipboard.png)
M10-Extraneous Functionality
What's Visible
What's NOT Visible
Hands-On Training Material
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/7146748/pasted-from-clipboard.png)
Built-in features for you to explore
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641429/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641457/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641442/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641443/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641445/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/6641459/pasted-from-clipboard.png)
Summary
VyAPI is a cloud-based vulnerable Android app for Android security enthusiasts.
To get started, you need to
- Set up Amazon Cognito login using Amplify
- Explore security misconfigurations in cloud setup
- Explore Android app specific vulnerabilities
- Use your favorite tools to exploit the identified vulnerabilities
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/7068893/pasted-from-clipboard.png)
nullcon.net
@Winja_CTF
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/7068903/pasted-from-clipboard.png)
References
- VyAPI Codebase - https://github.com/appsecco/VyAPI
- Android Hacking in 7 Steps - https://slides.com/riddhishreechaurasia/breaking-an-android-app-in-7-steps#/
- Android Pentesting Training - https://android-pentesting-at-appsecco.netlify.com/
- Internet-Scale analysis of AWS Cognito Security - https://andresriancho.com/internet-scale-analysis-of-aws-cognito-security/
- OWASP - Mobile Top 10 2016 - https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
- Amplify CLI - https://aws-amplify.github.io/docs/cli-toolchain/quickstart
- Boto 3 - https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cognito-identity.html
- Amplify - https://aws.amazon.com/amplify/faqs/
- Amazon Cognito - https://aws.amazon.com/cognito/
- Glide - https://bumptech.github.io/glide/doc/getting-started.html
VyAPI - A Modern Cloud Based Vulnerable Android App
By Riddhi Shree Chaurasia
null Bangalore