About Me
- Creator of "VyAPI – A Modern Cloud Based Vulnerable Android App"
- Application Security Analyst at Appsecco (@appseccouk)
- Chapter Leader at null Bangalore (@nullblr)
- Serjeant-at-arms at Garden City Toastmasters Club, Bangalore (@Toastmasters)
The Goal
To provide Android security enthusiasts a platform to practice hacking a cloud-based vulnerable Android app
Your Takeaways
- What is VyAPI
- Technology stack in use
- How to setup your personal VyAPI test environment
- OWASP - Mobile Top 10 2016 in VyAPI
- Built-in features for you to explore
- Reference materials
What is VyAPI?
VyAPI
- VyAPI is a hybrid Android app that's vulnerable by design. We call it VyAPI because its flaws are pervasive and it communicates not just via IPC calls but via API calls, too.
- It's a modern cloud-based vulnerable Android app
What technologies have been used?
The Building Blocks
- AWS Amplify CLI
- AWS SDK for Android 10
- Amazon Cognito
- OpenJDK 1.8.0_152-release
- Glide v4
- Room Persistence Library
- Gradle 5.1.1
AWS Amplify
- Development framework + Development services
- It's fast and easy
- Build mobile and web applications on AWS
Further Reading:
Amazon Cognito
- A simple user identity and data synchronization service
- Provides authentication, authorization and user management
- i.e., user sign-up, sign-in and access control
Further Reading:
- https://aws.amazon.com/cognito/
- https://gorillalogic.com/blog/java-integration-with-amazon-cognito/
Glide v4
- Loading images with Glide is easy and in many cases requires only a single line:
Further Reading:
Room Persistence Library
- Provides an abstraction layer over SQLite to allow fluent database access while harnessing the full power of SQLite.
How to setup your personal VyAPI test environment
7 Steps
- Install required software
- Configure Amazon Cognito
- Create Android Emulator
- Run VyAPI
- Register a user
- Login
- Start Hacking
#1. Software Requirements
- Node.js
- NPM
- Amplify CLI
- AWS CLI
- Android Studio
- Android Emulator
Note - For more details visit https://github.com/appsecco/VyAPI
#2. Amazon Cognito
$ git clone git@github.com:appsecco/VyAPI.git
$ cd VyAPI/
#3. Android Emulator
How to create an emulator
#4. Run VyAPI
#5. Register a user
#6. Login
#7. Start Hacking
Hint: Look for data in...
- Internal Storage
- External Storage
- Content Provider
What type of storage is it?
- File storage
- SQLite database
- Cloud storage
In what form is the data stored?
- Plaintext data
- Encrypted data
OWASP - Mobile Top 10 2016 in VyAPI
M1-Improper Platform Usage
A Vulnerable Activity
dz> run app.activity.start --component com.appsecco.vyapi com.appsecco.vyapi.MainActivity
A Vulnerable Service
dz> run app.service.start --component com.appsecco.vyapi com.appsecco.vyapi.service.PlayMusicService
SQL Injection Through Content Provider
dz> run app.provider.query content://com.appsecco.vyapi.ContactDBProvider/contacts/ --projection "*"
M2-Insecure Data Storage
M3-Insecure Communication
Can you intercept the secret SMS?
M4-Insecure Authentication
M5-Insufficient Cryptography
Where is the encryption key?
M6-Insecure Authorization
- Find a Cognito Identity Pool ID
- Check whether access to unauthenticated identities is enabled in AWS for this identity pool
- Use a Boto 3 script to fetch credentials (i.e., Access Key, Secret Key, and Session Token) for the identity pool ID
- Enumerate permissions associated with obtained AWS credentials
Can unauthenticated users access sensitive AWS services?
E.g., us-east-1:f0e6168e-4865-4890-97e5-489cd6106g83
Is access to unauthenticated identities enabled?
Use Boto 3 to fetch credentials for an identity pool ID
Access Key, Secret Key, and Session Token
Use enumerate-iam Python script
Which of the AWS services could be accessed by unauthorized users?
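The M6 checklist above, turned into a defender-side audit as an added example (not VyAPI's own code): it uses the same boto3 cognito-identity API the slides point to, but instead of minting unauthenticated credentials it asks the pool owner's account whether AllowUnauthenticatedIdentities is on and which IAM policies the unauthenticated role carries. Assumes boto3 and credentials for the owning account; the pool ID is a placeholder and the PoolAudit/collect names are mine.

```python
# Added example, not VyAPI's code: defender-side audit of a Cognito identity pool.
# Needs AWS credentials for the account that owns the pool; the pool ID below is a placeholder.
from dataclasses import dataclass, field

@dataclass
class PoolAudit:
    pool_id: str
    allow_unauthenticated: bool
    unauth_role_name: str = None
    attached_policies: list = field(default_factory=list)  # managed policy ARNs
    inline_policies: list = field(default_factory=list)    # inline policy names
    def findings(self) -> list:
        out = []
        if self.allow_unauthenticated:
            out.append("unauthenticated identities are enabled for " + self.pool_id)
            if (n := len(self.attached_policies) + len(self.inline_policies)):
                out.append("unauthenticated role %s carries %d policies; review each" % (self.unauth_role_name, n))
        return out

def role_name_from_arn(arn: str) -> str:
    # arn:aws:iam::123456789012:role/path/Name -> Name (IAM list calls take the role name)
    return arn.rsplit("/", 1)[-1]

def collect(call, key, **kw) -> list:
    # Follow the Marker/IsTruncated pagination used by IAM list_* calls.
    items, marker = [], None
    while True:
        resp = call(**kw) if marker is None else call(Marker=marker, **kw)
        items.extend(resp.get(key, []))
        if not resp.get("IsTruncated"):
            return items
        marker = resp["Marker"]

def audit_identity_pool(pool_id: str, cognito_identity, iam) -> PoolAudit:
    # cognito_identity / iam: boto3 clients, or any objects exposing the same methods.
    pool = cognito_identity.describe_identity_pool(IdentityPoolId=pool_id)
    audit = PoolAudit(pool_id, bool(pool.get("AllowUnauthenticatedIdentities", False)))
    roles = cognito_identity.get_identity_pool_roles(IdentityPoolId=pool_id).get("Roles", {})
    if roles.get("unauthenticated"):
        name = role_name_from_arn(roles["unauthenticated"])
        audit.unauth_role_name = name
        pols = collect(iam.list_attached_role_policies, "AttachedPolicies", RoleName=name)
        audit.attached_policies = [p["PolicyArn"] for p in pols]
        audit.inline_policies = collect(iam.list_role_policies, "PolicyNames", RoleName=name)
    return audit

if __name__ == "__main__":
    import sys, boto3  # boto3 is only needed for a live run against your own account
    pool = sys.argv[1] if len(sys.argv) > 1 else "us-east-1:00000000-0000-0000-0000-000000000000"
    cog, iam = boto3.client("cognito-identity", region_name=pool.split(":")[0]), boto3.client("iam")
    print("\n".join(audit_identity_pool(pool, cog, iam).findings()) or "unauthenticated access is off")
```

Run it as `python audit.py <identity-pool-id>`; an empty findings list means the pool does not hand out unauthenticated credentials, which is the state you want unless the unauthenticated role is deliberately scoped to harmless actions.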
M7-Poor Code Quality
Vulnerable Broadcast Receiver
dz> run app.broadcast.send --action com.appsecco.vyapi.Broadcast --extra string new_file_name dz_file1 --extra string temp_file_path etc/hosts
dz> run app.broadcast.send --action com.appsecco.vyapi.Broadcast --extra string new_file_name ../../../../../../../../../../sdcard/Android/data/com.appsecco.vyapi/files/Pictures/dz_file2 --extra string temp_file_path etc/hosts
M8-Code Tampering
M9-Reverse Engineering
Sensitive File in APK Bundle
M10-Extraneous Functionality
What's Visible
What's NOT Visible
Built-in features for you to explore
Summary
VyAPI is a cloud-based vulnerable Android app for Android security enthusiasts.
To get started, you need to
- Setup Amazon Cognito login using Amplify
- Explore security misconfigurations in cloud setup
- Explore Android app specific vulnerabilities
- Use your favorite tools to exploit the identified vulnerabilities
References
- VyAPI Codebase - https://github.com/appsecco/VyAPI
- Android Hacking in 7 Steps - https://slides.com/riddhishreechaurasia/breaking-an-android-app-in-7-steps#/
- Android Pentesting Training - https://android-pentesting-at-appsecco.netlify.com/
- Internet-Scale analysis of AWS Cognito Security - https://andresriancho.com/internet-scale-analysis-of-aws-cognito-security/
- OWASP - Mobile Top 10 2016 - https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
- Amplify CLI - https://aws-amplify.github.io/docs/cli-toolchain/quickstart
- Boto 3 - https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cognito-identity.html
- Amplify - https://aws.amazon.com/amplify/faqs/
- Amazon Cognito - https://aws.amazon.com/cognito/
- Glide - https://bumptech.github.io/glide/doc/getting-started.html
VyAPI - A Modern Cloud Based Vulnerable Android App
By Riddhi Shree Chaurasia