Wednesday, 2 March 2016

Cracking Damn Insecure and Vulnerable App (DIVA) – Part 1

0 comments Posted by srini0x00 on 19:50

What is DIVA?

DIVA is a vulnerable Android Application. According to their official website, “DIVA (Damn insecure and vulnerable App) is an App intentionally designed to be insecure. The aim of the App is to teach developers/QA/security professionals, flaws that are generally present in the Apps due poor or insecure coding practices” 

Getting ready with the lab:

We are going to solve all these challenges on an emulator. So, below are the steps to follow.

Download the application and extract the APK from the compressed tar file. You can download the application from here.

$ ls
diva-beta.apk diva-beta.tar
$

Launch an emulator and install the apk file using as shown below.

$ adb install diva-beta.apk 
1863 KB/s (1502294 bytes in 0.787s)
pkg: /data/local/tmp/diva-beta.apk
Success
$

If you have done everything successfully, launch your application and you should see the following screen.

                           

We are ready with the target application now. Lets also setup some important tools to crack these challenges.

We will use both manual and automated techniques to crack these challenges. So, set up the following tools preferably on a Unix based machine. I am using Mac OSX.

Download and install (if required) the following tools.

  • Dex2jar & JD-GUI
  • APKTOOL
  • Drozer
  • Android utilities – adb, sqlite3, aapt etc.
With this, you are ready with the setup. Now, lets see how to solve the challenges provided in this application.

Reversing the target application:

One of the first steps to find vulnerabilities is static analysis by reversing the app. So, lets reverse engineer our target application to get ready to crack the challenges. 

Note: This step is must, as some of the challenges require you to look at the source code.

Getting .java files Using Dex2Jar & JD-GUI:


Getting the readable java files is always helpful during an assessment. So, lets get .java files using dex2jar and JD-GUI tools we set up earlier. As mentioned earlier, I have set up my lab on a Machine running Mac OSX. So, run the following command to convert the dex file into a jar file.

$ sh dex2jar.sh diva-beta.apk 
this cmd is deprecated, use the d2j-dex2jar if possible
dex2jar version: translator-0.0.9.15
dex2jar diva-beta.apk -> diva-beta_dex2jar.jar
Done.

Once done, you should see diva-beta_dex2jar.jar file in the same directory where you have dex2jar.

Open up this newly created diva-beta_dex2jar.jar file using JD-GUI as shown below.

                           

Nice! As we can see above, we now have .java files. 

Getting AndroidManifest.xml and smali code using apktool:

Another important thing in static analysis of Android apps is having access to Androidmanifest.xml file. This gives us great deal of information about the app and it’s internal structure. Additionally, apktool provides us the smali code. So, lets use apktool to get the AndroidManifest.xml file and smali code as shown below.

$ java -jar apktool_2.0.3.jar d diva-beta.apk -o output


Contents of AndroidManifest.xml file(truncated)

                           
List of smali files extracted

If you want to have more details on how to setup the above mentioned tools, please refer to my article on Reverse Engineering here.

Cracking the challenges

All set to crack the challenges. Lets crack some of the challenges now.

Challenge 1: “1.INSECURE LOGGING”

Steps to solve:

Click on “1.INSECURE LOGGING” in your application. The goal is to find out where the user-entered information is being logged and also the code making this vulnerable.

It is common that Android apps log sensitive information into logcat. So, lets see if this application is logging the data into logcat. 

Run the following command in your terminal.

$adb logcat

Now, enter some data into the application’s edit text field.

                               

Check your logs after clicking “CHECK OUT”. 

Output in logcat:

D/MobileDataStateTracker(  469): default: setPolicyDataEnable(enabled=true)
D/LightsService(  469): Excessive delay setting light: 86ms
D/dalvikvm( 1695): GC_CONCURRENT freed 136K, 6% free 3845K/4060K, paused 7ms+4ms, total 93ms
E/diva-log( 1695): Error while processing transaction with credit card: 0000000000
E/SoundPool(  469): error loading /system/media/audio/ui/Effect_Tick.ogg

As you can see in the above logs, the data entered by the user is being logged.

Vulnerable code:

Open up LogActivity.class file using JD-GUI and check the following piece of code.

                         
As you can see in the above figure, the following line is used log the data entered by the user into logcat.

Log.e("diva-log", "Error while processing transaction with credit card: " + localEditText.getText().toString());


Challenge 2: “2.HARDCODING ISSUES – PART 1”

                                

Steps to solve:

Click on “2.HARDCODING ISSUES - PART 1” in your application. The goal is to find out the vendor key and enter it into the application to gain access.

It is common that developers hardcode sensitive information in the application’s source code. So, open up HardcodeActivity.class file using JD-GUI once again and observe the following piece of code.

                             

The secret key has been hardcoded to match it against the user input as shown in the line below.

if (((EditText)findViewById(2131492987)).getText().toString().equals("vendorsecretkey"))

Just enter this secret key found in the source code and you are done ☺

                         
Access granted!

We will discuss “INSECURE DATA STORAGE” solutions in the next article.

More Links:


Wednesday, 16 December 2015

Android Tamer – A walk through

0 comments Posted by srini0x00 on 17:02

Introduction

Are you a Backtrack/kali freak? Ever thought of having a similar distribution in your arsenal dedicated for Android Security? “Android Tamer” is the solution to fulfill your needs.

What is Android Tamer?

Android Tamer is a Linux based distribution developed for Android Security Professionals. This distribution is based on Ubuntu 10.04LTS which includes various popular tools available for Android Development, Penetration Testing, Malware Analysis, ROM Analysis and Modification, Android Forensics etc.
This article walks you through various tools available in “Android Tamer” and how they fulfill our real life android Security needs.

Prerequisites:

Machine with Virtual Box installed.
RAM: 512Mb (minimum)

Bringing it UP:

We can download the latest version of android tamer from its official website (http://www.androidtamer.com). Currently there are two versions available. Once after downloading, extract the zip file which gives a VMDK file which can be opened with virtual machines like VMware Workstation or VirtualBox. It is suggested to use this VMDK file in virtual box rather than VMware since it is optimized for Virtual Box. To know more about VMDK files, please visit  http://en.wikipedia.org/wiki/VMDK.

Now, open up Virtual Box and create a new virtual machine instance and boot the VMDK file to start running “Android Tamer”. It greets us with a brand new window which needs a username and password to login. 

The default username:password is tamer:android.

Description of Available Tools:

“Android Tamer” has several popular tools preinstalled with the following as its main sections.
ROM Modding
Reverse Engineering
Pen Testing
Malware Analysis
Forensics
Development
Vulnerable Lab
Tools
Rooting
Let’s now explore each section and see the existing tool set and how they can be useful.

Reverse Engineering:

This section contains the most popular Android Reverse Engineering tools which include dex2jar, JD-GUI, APKTOOL etc.
APK Analyser is another important tool available in Reverse Engineering Section. APK Analyser is a powerful framework which allows us to disassemble byte codes, analyze application architecture, performing byte code injections in Android Apps and the list goes on. This is one of the best tools available to analyze android apps and comes preinstalled with Android Tamer.

Malware Analysis:

This is one of the finest sections which includes some great automated tools for Android Malware Analysis.
DroidBox is one among them. We can simply, go and use droidbox from its command line by navigating to the directory /Arsenal/Droidbox. In general you may find it difficult to set up droidbox in your local machine as it has some dependencies to be installed to run the tool. Android Tamer sets everything ready for you.
AndroGuard is another great set of python tools preinstalled for malware analysis. This is one of the best tools I have seen on internet for Android Malware Analysis.After its release, there are a lot of other tools built based on AndroGuard.You can go ahead and see the documentation available at their official link (https://code.google.com/p/androguard/).

Pen Testing

Pen testing Section is the right place for you, if you are looking for a strong set of tools to audit the security of your Android Apps or Smart Phone.
This contains tools required to audit both “browser based apps” and “native apps”.
Tools for testing browser based apps include, BurpSuite, w3af, Firefox with all the required plugins, OWASP ZAP etc.
It comes preinstalled with Mercury Framework which is one of the best ones available for auditing android apps. It basically looks for vulnerabilities in IPC end points of an application.
Android Tamer also contains Smart Phone Pentest Framework by Bulb Security. Smart Phone Pentest Framework has metasploit kind of functionality to audit the security of your smartphone.

Development

Development section is one my favorite sections which allows you to write your POC apps during your pentest. Let’s assume, you have identified content provider leakage vulnerability in an application and want to write a malicious app as a Proof of Concept to exploit the identified vulnerability. Tools available in development section come handy to fulfill your needs.
It is not recommend for users to use this section for fulltime development as it eats a lot of memory and system goes slow.
Eclipse + ADT: Android Tamer contains Eclipse IDE integrated with ADT bundle which enables us to write Android Apps.
DDMS:Dalvik Debug Monitor Service is an excellent solution to do things such as interacting with the file system, controlling the emulator, pulling and pushing files from/to the device or emulator, debugging applications etc.
Android NDK: Android Native Development Kit enables us to write low level applications in C/C++.

Forensics:

Android Tamer consists of some preinstalled digital forensic tools.
AFLogical Open Source Edition:
AFLogical is another popular logical data extraction tool made for Android Platform. It pulls all available MMS, SMS, Contacts, and Call Logs from an Android device and presents the data to the examiner.
Sleuthkit is another command line tool integrated to perform in depth analysis of file systems. This tool also has a Graphical User Interface version named AutoSpy.

Rooting and ROM Modding:

If during your pentest or forensics / device assessment you come across a device which is non rooted and you need to root in order to get gain more insight then the default installation also comes packages with android version specific rootkits. such as Gingerbreak, ZergRush, psnneuter etc.
At times it might be required to check for or modify existing ROM's or analyze content on existing rom backup in such scenario's dsixda kitchen is provided which works adds rom modding capabilities to the system.
In order to flash these customized packages back into the device we need flashing utilities like fastboot, Flashtools, heimadal etc as flashing tools.
It is also combined with some common tools like QT-ADB which acts as a filemanager kind of utility for devices utilizing the ADB interface.

Final Words:

If you are looking for a framework for your all your android security needs, Android Tamer could be one of the best tools that you can look into.


 

Recent posts

Recent Comments

Bookmark & Share