About Me

  1. Creator of "VyAPI – A Modern Cloud Based Vulnerable Android App"

  2. Application Security Analyst at Appsecco​ (@appseccouk)

  3. Chapter Leader at null Bangalore​ (@nullblr)

  4. Serjeant-at-arms at Garden City Toastmasters Club, Bangalore (@Toastmasters)

The Goal

To provide Android security enthusiasts a platform to practice hacking a cloud-based vulnerable Android app

Your Takeaways

  1. What is VyAPI
  2. Technology stack in use
  3. How to setup your personal VyAPI test environment
  4. OWASP - Mobile Top 10 2016 in VyAPI
  5. Built-in features for you to explore
  6. Reference materials​​

What is VyAPI?

VyAPI

  1. VyAPI is a hybrid Android app that's vulnerable by design. We call it VyAPI, because its flaws are pervasive and it communicates not just via IPC calls but API calls, too.

  2. It's a modern cloud based vulnerable Android app

What technologies have been used?

The Building Blocks

  1. AWS Amplify CLI

  2. AWS SDK for Android 10

  3. Amazon Cognito

  4. OpenJDK 1.8.0_152-release

  5. Glide v4

  6. Room Persistence Library

  7. Gradle 5.1.1

AWS Amplify

  1. Development framework + Development services
  2. It's fast and easy
  3. Build mobile and web applications on AWS

Further Reading:

https://aws.amazon.com/amplify/faqs/

Amazon Cognito

  1. A simple user identity and data synchronization service
  2. Provides authentication, authorization and user management
  3. i.e., user sign-up, sign-in and access control

Further Reading:

  1. https://aws.amazon.com/cognito/​
  2. https://gorillalogic.com/blog/java-integration-with-amazon-cognito/

Glide v4

  • Loading images with Glide is easy and in many cases requires only a single line:

Further Reading:

https://bumptech.github.io/glide/doc/getting-started.html

Room Persistence Library

  • Provides an abstraction layer over SQLite to allow fluent database access while harnessing the full power of SQLite.

Further Reading:

https://www.slideshare.net/Reinvently/data-persistence-in-android-with-room-library

How to setup your personal VyAPI test environment

7 Steps

  1. Install Required Softwares
  2. Configure Amazon Cognito
  3. Create Android Emulator
  4. Run VyAPI
  5. Register a user
  6. Login
  7. Start Hacking

#1. Software Requirements

  1. Node.js
  2. NPM
  3. Amplify CLI
  4. AWS CLI
  5. Android Studio
  6. Android Emulator

Note -

For more details visit https://github.com/appsecco/VyAPI

#2. Amazon Cognito

$ git clone git@github.com:appsecco/VyAPI.git 

$ cd VyAPI/

#3. Android Emulator

How to create an emulator

#4. Run VyAPI

#5. Register a user

#6. Login

#7. Start Hacking

Hint: Look for data in...

  1. Internal Storage
  2. External Storage
  3. Content Provider

 

What type of storage is it?

  1. File storage
  2. SQLite database
  3. Cloud storage

 

In what form is the data stored?

  • Plaintext data
  • Encrypted data

OWASP - Mobile Top 10 2016 in VyAPI

M1-Improper Platform Usage​

A Vulnerable Activity

dz> run app.activity.start --component com.appsecco.vyapi com.appsecco.vyapi.MainActivity

A Vulnerable Service

dz> run app.service.start --component com.appsecco.vyapi com.appsecco.vyapi.service.PlayMusicService

SQL Injection Through Content Provider

dz> run app.provider.query content://com.appsecco.vyapi.ContactDBProvider/contacts/ --projection "*"

M2-Insecure Data Storage​

M3-Insecure Communication​

Can you intercept the secret SMS?

M4-Insecure Authentication​​

M5-Insufficient Cryptography​

Where is the encryption key?​​

M6-Insecure Authorization​

  1. Find a Cognito Identity Pool ID
  2. Check if access to unauthenticated identities is enabled in AWS for this identity pool?​
  3. Use Boto 3 script to fetch credentials (i.e., Access Key, Secret Key, and Session Token) for an identity pool​ ID
  4. Enumerate permissions associated with obtained AWS credentials​

Can unauthenticated users access sensitive AWS services?​

E.g., us-east-1:f0e6168e-4865-4890-97e5-489cd6106g83

Is access to unauthenticated identities enabled?​

 Use Boto 3 to fetch credentials for an identity pool​ ID

Access Key, Secret Key, and Session Token

Use enumerate-iam Python script

Which of the AWS services could be accessed by unauthorized users?

M7-Poor Code Quality

Vulnerable Broadcast Receiver

dz> run app.broadcast.send --action com.appsecco.vyapi.Broadcast --extra string new_file_name dz_file1 --extra string temp_file_path etc/hosts
dz> run app.broadcast.send --action com.appsecco.vyapi.Broadcast --extra string new_file_name ../../../../../../../../../../sdcard/Android/data/com.appsecco.vyapi/files/Pictures/dz_file2 --extra string temp_file_path etc/hosts

M8-Code Tampering​

M9-Reverse Engineering​

Sensitive File in APK Bundle

M10-Extraneous Functionality​

What's Visible

What's NOT Visible

Built-in features for you to explore

Summary

VyAPI is a cloud-based vulnerable Android app for Android security enthusisats.

 

To get started, you need to

  1. Setup Amazon Cognito login using Amplify
  2. Explore security misconfigurations in cloud setup
  3. Explore Android app specific vulnerabilities
  4. Use your favorite tools to exploit the identified vulnerabilities 

References

  • VyAPI Codebase - https://github.com/appsecco/VyAPI
  • Android Hacking in 7 Steps - https://slides.com/riddhishreechaurasia/breaking-an-android-app-in-7-steps#/
  • Android Pentesting Training - https://android-pentesting-at-appsecco.netlify.com/
  • Internet-Scale analysis of AWS Cognito Security - https://andresriancho.com/internet-scale-analysis-of-aws-cognito-security/
  • OWASP - Mobile Top 10 2016 - https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
  • Amplify CLI - https://aws-amplify.github.io/docs/cli-toolchain/quickstart

References

  • Boto 3 - https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cognito-identity.html
  • Amplify - https://aws.amazon.com/amplify/faqs/
  • Amazon Cognito - https://aws.amazon.com/cognito/
  • Glide - https://bumptech.github.io/glide/doc/getting-started.html