Godfrey Nolan
$ adb shell pm path com.united.mobile.android
package:/data/app/com.united.mobile.android-1/base.apk
$ adb pull /data/app/com.united.mobile.android-1/base.apk
4349 KB/s (51855610 bytes in 11.642s)
$ jadx-gui base.apk
$ adb backup com.united.mobile.android
Now unlock your device and confirm the backup operation.
$ java -jar abe.jar unpack backup.ab backup.tar
$ tar -xvf backup.tar
$ sqlite3 apps/com.united.mobile.android/db/united.db
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
GET http://herdfinancial.com/api/v1/balances/1234567899/
{"success":"true","checkingBalance":"0.0","savingsBalance":"0.0"}
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
GET http://herdfinancial.com/api/v1/balances/1234567890/
{"success":"true","checkingBalance":"947.3","savingsBalance":"0.0"}
"actor": {"first_name": "Rita","last_name": "D.","title": "Rita D.","gender": "F",
"is_mvp": false,
"preferred_brand": 32,
"_links": {"self": [{"href": "\/v7.0\/user\/3273986\/","id": "3273986"}]},
"type": "user",
"friendship": null,
"id": 3273986
},"id": "1-3273986-9-1440092847",
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<!-- SharedPreferences file as pulled from the device: the login credentials are
     stored in clear text. This XML lives in the app's private directory, which is
     readable by a root user and is included in an `adb backup` of any app that
     has allowBackup enabled (see the backup/extract steps earlier on this page).
     Secrets should not be persisted here in the clear; if a credential must be
     kept at all, protect it with the platform keystore rather than this file. -->
<map>
<boolean name="remember" value="true" />
<string name="password">goatdroid</string>
<string name="username">goatdroid</string>
</map>
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
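/**
 * Hex encoding of the server public key this client pins to.
 *
 * It is compared case-insensitively against the key extracted from the
 * certificate the server presents, and a mismatch aborts the TLS handshake
 * with a {@code CertificateException}. Declared {@code final} so the pin is a
 * true constant and cannot be reassigned at runtime; it is still baked into
 * the APK, so rotating the server key requires shipping a new build (pinning
 * a second, backup key alongside this one avoids locking users out).
 * NOTE(review): the leading bytes look like a DER SubjectPublicKeyInfo header
 * for an RSA key — confirm it is encoded the same way as the value being
 * compared against it.
 */
private static final String PUB_KEY = "30820122300d06092a864886f70d0101" +
"0105000382010f003082010a0282010100b35ea8adaf4cb6db86068a836f3c85" +
"5a545b1f0cc8afb19e38213bac4d55c3f2f19df6dee82ead67f70a990131b6bc" +
"ac1a9116acc883862f00593199df19ce027c8eaaae8e3121f7f329219464e657" +
"2cbf66e8e229eac2992dd795c4f23df0fe72b6ceef457eba0b9029619e0395b8" +
"609851849dd6214589a2ceba4f7a7dcceb7ab2a6b60c27c69317bd7ab2135f50" +
"c6317e5dbfb9d1e55936e4109b7b911450c746fe0d5d07165b6b23ada7700b00" +
"33238c858ad179a82459c4718019c111b4ef7be53e5972e06ca68a112406da38" +
"cf60d2f4fda4d1cd52f1da9fd6104d91a34455cd7b328b02525320a35253147b" +
"e0b7a5bc860966dc84f10d723ce7eed5430203010001";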
// Pin it!
final boolean expected = PUB_KEY.equalsIgnoreCase(encoded);
if (!expected) {
throw new CertificateException("checkServerTrusted: Expected public key: "
+ PUB_KEY + ", got public key:" + encoded);
}
}
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
/**
 * Seeds the "obfuscated" character tables consumed by
 * {@link #createTheHalfBloodPrince()}.
 *
 * Every value is an ASCII code point (49..55 are the digits '1'..'7', 97 is
 * 'a', 102 is 'f'); the consumer casts each one to {@code char}. Because all
 * of this is compile-time constant data, the string it spells out can be read
 * directly from the decompiled class: renaming fields and splitting a literal
 * into int arrays does not hide anything from jadx.
 */
public ActivityLaunchAppLoad() {
this.WAY_WAY_TOO_LOW = 49; // '1'
this.A_LITTLE_LESS_WAY_TOO_LOW = 50; // '2'
this.LESSER_WAY_TOO_LOW = 51; // '3'
this.BIT_TOO_LOW = 52; // '4'
this.TOO_LOW = 53; // '5'
this.MORE = 54; // '6'
this.A_LITTLE_MORE = 55; // '7'
this.WAY_TOO_MORE = 97; // 'a'
this.BIG_DADDY = 102; // 'f'
// Each table is read back to front (index 3 down to 0) by the consumer, and
// the tables are visited in the order Trois, Quatre, Un, Deux.
this.orderOfTheThronesTrois = new int[]{this.BIG_DADDY, this.MORE, this.WAY_TOO_MORE, this.MORE};
this.orderOfTheThronesQuatre = new int[]{this.LESSER_WAY_TOO_LOW, this.MORE, this.LESSER_WAY_TOO_LOW, this.TOO_LOW};
this.orderOfTheThronesUn = new int[]{this.BIT_TOO_LOW, this.BIT_TOO_LOW, this.WAY_WAY_TOO_LOW, this.BIT_TOO_LOW};
this.orderOfTheThronesDeux = new int[]{this.MORE, this.A_LITTLE_MORE, this.A_LITTLE_LESS_WAY_TOO_LOW, this.BIT_TOO_LOW};
}
/**
 * Rebuilds a fixed 16-character string from the four code-point tables set
 * up in the constructor.
 *
 * Tables are visited in the order Trois, Quatre, Un, Deux and each one is
 * read back to front (index 3 down to 0), with every int cast to a
 * {@code char}. The output depends on nothing but constants, so it offers
 * no secrecy once the APK is decompiled — a reviewer can evaluate it by hand.
 *
 * @return the assembled string
 */
String createTheHalfBloodPrince() {
    int[][] tables = {
        this.orderOfTheThronesTrois,
        this.orderOfTheThronesQuatre,
        this.orderOfTheThronesUn,
        this.orderOfTheThronesDeux
    };
    StringBuilder out = new StringBuilder();
    for (int[] table : tables) {
        for (int i = 3; i >= 0; i--) {
            out.append((char) table[i]);
        }
    }
    return out.toString();
}
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<!-- Shared-preferences dump from a production app: the account password
     (TM_MEMBER_PASSWORD) is stored in clear text next to the member's e-mail,
     name and postcode. Anything in this file is recoverable from an `adb backup`
     when allowBackup is enabled, or from a rooted device. NOTE(review):
     TM_MEMBER_TAP_ID looks like a 128-bit hex identifier — confirm whether it
     also grants access on its own before treating it as non-sensitive. -->
<map>
<string name="TM_MEMBER_EMAIL">godfrey@riis.com</string>
<int name="TM_MEMBER_MARKET_ID" value="7" />
<string name="TM_MEMBER_TAP_ID">77ef62159ad9c32913dfdbee0e58aea3</string>
<string name="TM_MEMBER_LNAME"></string>
<string name="TM_MEMBER_LANGUAGE">en-us</string>
<int name="TM_BILLING_COUNTRY_CODE" value="-1" />
<string name="TM_MEMBER_POSTCODE">48070</string>
<string name="TM_LAST_BILLING_ID"></string>
<int name="TM_MEMBER_COUNTRY" value="840" />
<string name="TM_MEMBER_PASSWORD">2secret4me</string>
<string name="TM_MEMBER_FNAME">Godfrey</string>
</map>
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
/**
 * Decrypts an encoded ciphertext string with the application's built-in key.
 *
 * The key material is a string literal in this method, so it ships in every
 * copy of the APK and is readable after decompilation (as this listing
 * shows); anything "protected" by it should be treated as recoverable by
 * anyone who has the app. Both the key bytes and the resulting text use the
 * platform default charset.
 *
 * @param paramString encoded ciphertext (decoded by {@code toByte}), or null
 * @return the decrypted text, or null when {@code paramString} is null
 * @throws Exception on any key-derivation, decoding or cipher failure
 */
public static String decrypt(String paramString)
throws Exception
{
    if (paramString == null) {
        return null;
    }
    byte[] rawKey = getRawKey("3lIoM_d0idrn4|4TleD".getBytes());
    byte[] cipherText = toByte(paramString);
    byte[] plain = decrypt(rawKey, cipherText);
    return new String(plain);
}
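/**
 * AES-decrypts {@code paramArrayOfByte2} with the raw key {@code paramArrayOfByte1}.
 *
 * The transformation is just {@code "AES"}, which leaves mode and padding to
 * the provider — on the common JDK and Android providers that resolves to
 * ECB/PKCS5Padding: there is no IV, equal plaintext blocks produce equal
 * ciphertext blocks, and nothing authenticates the data before it is
 * decrypted. The transformation is kept as-is so existing ciphertexts still
 * decrypt; new data should use an authenticated mode such as
 * {@code "AES/GCM/NoPadding"} with a fresh nonce per message.
 *
 * @param paramArrayOfByte1 raw AES key (16, 24 or 32 bytes)
 * @param paramArrayOfByte2 ciphertext to decrypt
 * @return the decrypted bytes
 * @throws Exception if the key length is invalid, the padding does not
 *         verify, or no provider offers AES
 */
private static byte[] decrypt(byte[] paramArrayOfByte1, byte[] paramArrayOfByte2)
throws Exception
{
    SecretKeySpec localSecretKeySpec = new SecretKeySpec(paramArrayOfByte1, "AES");
    Cipher localCipher = Cipher.getInstance("AES");
    // The decompiler emitted the literal 2; it is Cipher.DECRYPT_MODE.
    localCipher.init(Cipher.DECRYPT_MODE, localSecretKeySpec);
    return localCipher.doFinal(paramArrayOfByte2);
}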
// NDK code - still see the code in disassembler
/*
 * JNI entry point behind the Java-side getPassword() (the mangled name points
 * at com.riis.decompilingandroid). Returns the password as a new Java string.
 * The value is a plain string literal in the shared object, so pushing it into
 * native code does not hide it: it appears verbatim in `strings` output or in
 * any disassembler, exactly as the Java constant would.
 */
jstring Java_com_riis_decompilingandroid_getPassword(JNIEnv* env, jobject thiz)
{
    static const char kPassword[] = "xeHnwfiy4uzefrabruebeb";
    (void) thiz; /* the result does not depend on the receiver */
    return (*env)->NewStringUTF(env, kPassword);
}
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
select * from login where USERNAME = '' OR 1=1 --'
and PASSWORD = 'test'
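/**
 * Returns true when a row in {@code login} matches the supplied credentials.
 *
 * Both arguments are untrusted user input, so they are bound as query
 * parameters instead of being spliced into the SQL text. The concatenated
 * form this replaces let a username of {@code ' OR 1=1 --} (shown above)
 * turn the statement into "match every row" and comment out the password
 * check entirely. The cursor is closed in {@code finally} so it cannot leak
 * if the read throws. NOTE(review): the query compares the PASSWORD column
 * directly — if that column holds clear text, that is a separate storage
 * problem to fix (store a salted hash and compare against that).
 *
 * @param param1 username as entered by the user
 * @param param2 password as entered by the user
 * @return true if at least one row matches, false otherwise (including when
 *         the query yields no cursor)
 */
public boolean checkLogin(String param1, String param2)
{
    Cursor cursor = db.rawQuery(
            "select * from login where USERNAME = ? and PASSWORD = ?",
            new String[]{param1, param2});
    if (cursor == null) {
        return false;
    }
    try {
        return cursor.moveToFirst();
    } finally {
        cursor.close();
    }
}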
select * from login where USERNAME = '' OR 1=1 --' and PASSWORD = 'test'
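/**
 * Returns true when a row in {@code login} matches the supplied credentials.
 *
 * The username and password are bound as query parameters, so a value such
 * as {@code ' OR 1=1 --} is compared literally rather than altering the SQL.
 * The cursor is now closed in {@code finally}: in the previous form an
 * exception from {@code moveToFirst()} skipped {@code close()} and leaked
 * the cursor. NOTE(review): the query compares the PASSWORD column
 * directly — if that column holds clear text, that is a separate storage
 * problem (store a salted hash and compare against that).
 *
 * @param param1 username as entered by the user
 * @param param2 password as entered by the user
 * @return true if at least one row matches, false otherwise (including when
 *         the query yields no cursor)
 */
public boolean checkLogin(String param1, String param2)
{
    Cursor cursor = db.rawQuery("select * from login where " +
            "USERNAME = ? and PASSWORD = ?", new String[]{param1, param2});
    if (cursor == null) {
        return false;
    }
    try {
        return cursor.moveToFirst();
    } finally {
        cursor.close();
    }
}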
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
// Bind the WebView declared in the layout and enable JavaScript on it.
WebView myWebView = (WebView) findViewById(R.id.webview);
WebSettings webSettings = myWebView.getSettings();
// With JavaScript on, any page or HTML string loaded into this view can run
// script — content assembled from untrusted input (the alert() payload below)
// executes with the view's privileges. Leave this off unless the loaded
// content is fully under the app's control. NOTE(review): what is loaded into
// myWebView is outside this excerpt — confirm its source and whether any
// addJavascriptInterface objects are exposed to it.
webSettings.setJavaScriptEnabled(true);
<script>alert("xss");</script>
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
<?xml version="1.0" encoding="utf-8"?>
<!-- Manifest of the app that owns IntentReceiverActivity (com.riis.login). -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.riis.login"
android:versionCode="1"
android:versionName="1.0" >
<uses-sdk
android:minSdkVersion="8" />
<!-- allowBackup="true" lets `adb backup` (shown at the top of this page) pull
     the app's private files, shared preferences and databases off an unrooted
     device, with only a tap of confirmation on the handset. -->
<application
android:allowBackup="true"
android:icon="@drawable/ic_launcher"
android:label="@string/app_name"
android:theme="@style/AppTheme" >
<activity
android:name="com.riis.login.LoginActivity"
android:label="@string/app_name" >
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<!-- This activity declares an intent-filter but no android:exported attribute,
     so it is exported by default: any app on the device can start it with an
     intent carrying this action. If it is only meant for in-app use, set
     android:exported="false" (targetSdk 31+ requires the attribute to be
     explicit anyway) or protect it with a permission. -->
<activity
android:name="com.riis.login.IntentReceiverActivity"
android:label="@string/app_name" >
<intent-filter>
<action android:name="com.riis.login.IntentReceiverActivity" />
<category android:name="android.intent.category.DEFAULT" />
</intent-filter>
</activity>
</application>
</manifest>
<?xml version="1.0" encoding="utf-8"?>
<!-- Manifest of a second, unrelated app (com.riis.hellointent). -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.riis.hellointent"
android:versionCode="1"
android:versionName="1.0" >
<uses-sdk
android:minSdkVersion="8"
android:targetSdkVersion="18" />
<application
android:allowBackup="true"
android:icon="@drawable/ic_launcher"
android:label="@string/app_name"
android:theme="@style/AppTheme" >
<activity
android:name="com.riis.hellointent.MainActivity"
android:label="@string/app_name" >
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
<!-- This second filter claims the same action and DEFAULT category that
     com.riis.login's IntentReceiverActivity registers above. An implicit
     Intent for that action sent by the login app can therefore be resolved to
     this app instead, together with whatever extras it carries. The sender
     avoids this by using an explicit Intent naming its own component (see the
     Intent examples below). -->
<intent-filter>
<action android:name="com.riis.login.IntentReceiverActivity" />
<category android:name="android.intent.category.DEFAULT" />
</intent-filter>
</activity>
</application>
</manifest>
// implicit: no target component is named, so Android picks the receiver by
// action/category at delivery time — any installed app whose manifest declares
// a matching <intent-filter> (see the second manifest above) can be chosen,
// and any extras go with it.
Intent intent = new Intent();
// explicit: the receiving class is fixed, so the intent cannot be resolved to
// another app's component. Use this form for intents that stay inside the app.
Intent intent = new Intent(this, IntentReceiverActivity.class);
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
// "Remember this device" login path: if the device id is on the permanently
// authorized list, mint a fresh auth token, persist it for that device, and
// fill the login response from it. The device id is the only thing checked
// here — nothing in this excerpt ties the request to a user credential, so a
// device id that can be guessed, read off another device, or replayed is as
// good as a password. NOTE(review): confirm the caller has already
// authenticated the request, and that generateAutToken() draws from a
// cryptographically strong random source.
if (dao.isDevicePermanentlyAuthorized(deviceID)) {
String newAuthToken = Utils.generateAutToken();
// NOTE(review): `doa` vs `dao` — presumably the same object; verify it is not a typo.
doa.updateAuthrizedDeviceAuth(deviceID, newAuthToken);
login.setAuthToken(newAuthToken);
// user name and account number are looked up by the token just stored
login.setUserName(dao.getUserName(newAuthToken));
login.setAccountNumber(dao.getAccountNumber(newAuthToken));
login.setSuccess(true);
}
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
/**
* Logs you into your SIP provider, registering this device as the location to
* send SIP calls to for your SIP address.
*/
public void initializeLocalProfile() {
if (manager == null) {
return;
}
if (me != null) {
closeLocalProfile();
}
SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(getBaseContext());
String username = prefs.getString("namePref", "");
String domain = prefs.getString("domainPref", "");
String password = prefs.getString("passPref", "");
Weak Server Side Controls
Insecure Data Storage
Insufficient Transport Layer Protection
Unintended Data Leakage
Poor Authorization and Authentication
Broken Cryptography
Client Side Injection
Security Decision via Untrusted Input
Improper Session Handling
Lack of Binary Protections
java -jar apktool.jar d -d test.apk -o out
<activity android:label="@string/app_name" android:name="com.riis.helloworld.MainActivity">
a=0;// # virtual methods
a=0;// .method protected onCreate(Landroid/os/Bundle;)V
a=0;// invoke-static {}, Landroid/os/Debug;->waitForDebugger()V
a=0;//
a=0;// .locals 1
a=0;// .param p1, "savedInstanceState" # Landroid/os/Bundle;
java -jar apktool.jar b -d out -o debug.apk
http://www.decompilingandroid.com
http://www.owasp.org
https://github.com/nelenkov/android-backup-extractor
http://www.charlesproxy.com
http://www.programering.com/a/MjM5UTMwATg.html
http://www.cs.ru.nl/~joeri/papers/spsm14.pdf
https://www.mwrinfosecurity.com/products/drozer
https://github.com/skylot/jadx
http://keyczar.org
https://www.nccgroup.trust/us/about-us/resources/intent-sniffer/
http://www.saikoa.com
http://sqlitebrowser.org
http://bit.ly/1JlPoiY - How to hide your android API key
http://bit.ly/1hIeNNi - Where to store your password
https://github.com/google/nogotofail
https://codio.com/godfreynolan/AnDevCon-Bulletproof
godfrey@riis.com
@godfreynolan
slideshare.com/godfreynolan