About Me

  1. Creator of "VyAPI – A Modern Cloud Based Vulnerable Android App"

  2. Application Security Analyst at Appsecco​ (@appseccouk)

  3. Chapter Leader at null Bangalore​ (@nullblr)

The Goal

To provide Android security enthusiasts a platform to practice hacking a cloud-based vulnerable Android app

Your Takeaways

  1. What is VyAPI​
  2. How to setup your personal VyAPI test environment​
  3. OWASP - Mobile Top 10 2016 in VyAPI​​
  4. Built-in features for you to explore ​
  5. Reference materials​​

What is VyAPI?

  • It's a cloud based vulnerable Android app built using modern technologies like ​AWS Amplify, Amazon Cognito, Glide, Room Persistence, etc.

7 steps to get started

#1: Install Required Softwares

  1. Node.js
  2. NPM
  3. Amplify CLI
  4. AWS CLI
  5. Android Studio
  6. Android Emulator

#2: Configure Amazon Cognito

$ git clone git@github.com:appsecco/VyAPI.git ​​

$ cd VyAPI/

#3: Create Android Emulator

#4: Run VyAPI

#5: Register a user

#6: Login

#7: Start Hacking

OWASP Mobile Top 10 2016 in VyAPI

M1-Improper Platform Usage​

A Vulnerable Activity

dz> run app.activity.start --component com.appsecco.vyapi com.appsecco.vyapi.MainActivity

A Vulnerable Service

dz> run app.service.start --component com.appsecco.vyapi com.appsecco.vyapi.service.PlayMusicService

SQL Injection Through Content Provider

dz> run app.provider.query content://com.appsecco.vyapi.ContactDBProvider/contacts/ --projection "*"

M2-Insecure Data Storage​

M3-Insecure Communication​

Can you intercept the secret SMS?

M4-Insecure Authentication​​

M5-Insufficient Cryptography​

Where is the encryption key?​​

M6-Insecure Authorization​

First, find a Cognito Identity Pool ID

Can unauthenticated users access sensitive AWS services?​
E.g., us-east-1:f0e6168e-4865-4890-97e5-489cd6106g83

Is access to unauthenticated identities enabled?​

 Use Boto 3 to fetch credentials for an identity pool​ ID

Access Key, Secret Key, and Session Token

Use enumerate-iam Python script

Which of the AWS services could be accessed by unauthorized users?

M7-Poor Code Quality

Vulnerable Broadcast Receiver

dz> run app.broadcast.send --action com.appsecco.vyapi.Broadcast --extra string new_file_name dz_file1 --extra string temp_file_path etc/hosts
dz> run app.broadcast.send --action com.appsecco.vyapi.Broadcast --extra string new_file_name ../../../../../../../../../../sdcard/Android/data/com.appsecco.vyapi/files/Pictures/dz_file2 --extra string temp_file_path etc/hosts

M8-Code Tampering​

M9-Reverse Engineering​

Sensitive File in APK Bundle

M10-Extraneous Functionality​

What's Visible

What's NOT Visible

Hands-On Training Material

Built-in features for you to explore

Summary

VyAPI is a cloud-based vulnerable Android app for Android security enthusisats.

 

To get started, you need to

  1. Setup Amazon Cognito login using Amplify
  2. Explore security misconfigurations in cloud setup
  3. Explore Android app specific vulnerabilities
  4. Use your favorite tools to exploit the identified vulnerabilities 

nullcon.net

@Winja_CTF

References

  • VyAPI Codebase - https://github.com/appsecco/VyAPI
  • Android Hacking in 7 Steps - https://slides.com/riddhishreechaurasia/breaking-an-android-app-in-7-steps#/
  • Android Pentesting Training - https://android-pentesting-at-appsecco.netlify.com/
  • Internet-Scale analysis of AWS Cognito Security - https://andresriancho.com/internet-scale-analysis-of-aws-cognito-security/
  • OWASP - Mobile Top 10 2016 - https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
  • Amplify CLI - https://aws-amplify.github.io/docs/cli-toolchain/quickstart

References

  • Boto 3 - https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cognito-identity.html
  • Amplify - https://aws.amazon.com/amplify/faqs/
  • Amazon Cognito - https://aws.amazon.com/cognito/
  • Glide - https://bumptech.github.io/glide/doc/getting-started.html