Hacking Android Apps : Part 2

If you are new here I recommend you to take a look at Hacking Android Apps : Part 1 where I have covered Setting Up Your Mobile Proxy, Bypassing Certificate Pinning and Anatomy of an APK. In this blog we will take a look on the tools and we will start hunting for vulnerabilities.

Tools to Use

In this section you will need to know how to process the APK file and extract the source code of the APK. You will be needing some tools to analyze the android application. This guide doesn't go into how to use these tools rather when and why to use them. For any doubts you can go through the documentation of the specific tools.

Android Debug Bridge

The Android Debug Bridge (ADB) is a command line tool that allows your computer communicate with an Android device. You can use ADB to copy files from your android device to computer and vice-versa and can easily install modified versions of the application. For more on ADB take a look on https://developer.android.com/tools/adb.

To start using ADB, connect your device to your computer with a USB and turn on USB debugging mode. To enable debugging go to Settings -> System -> Developer Options -> Debugging. This enables you to interact with your computer using ADB. Debugging is not enabled by default. To enable, go to Settings -> About Phone  -> and then tap the Build number seven times. Then you should see a window prompting you to allow the connection.

Open terminal in your computer and try experimenting and learning from the following commands
adb devices -l - This command will display all the mobile devices connected and is ready to use adb
adb install path_to_apk - This command is used to install APKs to the device from the computer
adb pull remote_path local_path - This command is used to download the files from the mobile device to the computer
adb push local_path remote_path - This command is used to copy files from the computer to your mobile device

Android Studio

Android Studio is a software used for developing Android applications and can be used to modify an existing application. It also has emulators which helps us to run the application in a virtual environment if you don't have a physical Android device. You can download and learn more about it on https://developer.android.com/studio/.

Apktool

Apktool is a famous tool used for reverse engineering APK files and is important for hacking Android. It converts APKs into source code which is readable. For more take a look at https://ibotpeaches.github.io/Apktool/.

apktool d name.apk - This command is used to decompile the APK, so that you get the source code and you can modify if required during your analysis
apktool b name - If some modifications are done to the source code, now you can compile it back to APK with this command (name here is the name of the folder)

Frida

Frida (https://frida.re/) is an amazing tool that lets you inject your script into running processes of the application. You can use it to inspect functions that are called, analyze the app's network traffic and bypass certificate pinning. Frida uses JavaScript, if you know JavaScript you can take full advantage of it. There are lots of scripts available in online as well.


Mobile Security Framework

Mobile Security Framework (https://github.com/MobSF/Mobile-Security-Framework-MobSF) is an automated tool used for mobile application testing for both Android and iOS, and can do both static and dynamic testing. It can be used to automating many techniques and will be really useful when you learn Android hacking.



Hunting for Vulnerabilities

All the setup has been ready and now you can start hunting vulnerabilities. Hacking mobile applications is similar from hacking web applications.

To start, extract the application's package and review the source code for vulnerabilities. Compare the authentication and authorization mechanisms for the mobile and web apps for the same organization. Most of the developers test the security for the web based applications and don't test the mobile applications properly as attack surface for web based application is more. Mobile apps often have issues with session management and broken authentication. These can be chained with XSS to acquire session cookies that allow attackers to gain control over accounts even after users log out or change their password. I would personally suggest to have a separate rooted mobile device for testing the vulnerabilities.

Mobile applications are an excellent place to hunt for vulnerabilities. Burp Suite can be used to monitor the http/https  requests and can be used to find the API endpoints of the mobile application. Often organizations use different API endpoints for web applications and mobile applications. Mostly API endpoints of the mobile applications are not tested like web applications as only few attackers try to exploit using the mobile application. You can sometimes discover some API endpoints which are not used in web application.

You can look for common web vulnerabilities like IDORs, SQL injections, XSS and try them with the mobile application you are analyzing. Look into AndroidManifest.xml for basic information about the application. This is a good starting point while analyzing the application. Sometimes sensitive information like API keys will be hardcoded in the source code. Do check /res/values/strings.xml for secret values. If you manage to find .db or .sqlite files, those are database files which could contain sensitive data. To end up closely look at the http/https traffic from the client to server and vice-versa. Go deep into the source code. Hardcoded strings may contain sensitive data which could lead to information leaks and last forgot to look into AndroidManifest.xml before starting.

0 Comments