If you've read my previous tutorials(or write-ups), you would know that I have started dabbling in the world of hacking, with my most recent write-ups focusing primarily on Android Pentesting. I've shown you how to install Genymotion & Virtualbox, JADX-GUI & ADB, and Android Studio on Parrot OS - but today we will go beyond just installing tools. Today we start hacking, kind of.
First things first, I need to make sure that we are on the same page. What is Android Pentesting? Simply put, it is a simulated cyber attack against a mobile application where we try to expose and find any vulnerabilities or security issues that are present in the application. In the following days to come, we will be Pentesting the DIVA APK, which I explain and demonstrate how to install and set up on an emulated device in this tutorial.
Before we start make sure that you have the following:
- Android Studio Installed.
- Genymotion and Virtualbox installed, with an emulated device setup and running.
- ADB is installed with DIVA APK installed onto the device.
- JADX-GUI is installed and open.
Okay, let's get hacking! When we open the DIVA application on our device, we can see that it consists of a menu or navigation that lists many sections for us to Pentest.
In this section, we will be testing the Insecure Logging and Hardcoding Issues (Part 1 & 2) sections of this application.
Insecure Logging
When we open the Insecure Logging section we are met with the following objective: find out what is being logged where/how and the vulnerable code. So, we are expected to find what is being logged, how it is logged, and the vulnerable code.
Let's try and answer these objectives one by one. From first impressions, just by looking at the activity layout (which is the page opened on our screen), we can see that it asks us for our credit card numbers. Thus, our credit card number is probably the data that is being logged (what). Let's test this by entering a number!
With our number entered, we get an error popup. Let's see if we can see how it is being logged, ie. where did our data go? The first culprit that we can look at is LogCat in Android Studio. Open up Android Studio and navigate over to the LogCat Output. We can see that it logs everything, which is bad because say we have a user that downloads a malicious APK that secretly monitors their log when they use the app - the attacker can then use this monitored log to read sensitive data, and exploit them in this way.
When we scroll down, we see that our credit card number has been logged. BAD LOGCAT! Now we know how it is being logged, via the LogCat Output in Android Studio underneath a log labeled diva-log.
Finally, we need to find the vulnerable code. Easy peasy, just load up your DIVA APK into JADX-GUI and open up the LogActivity activity.
When we look at the code, we can identify the section where it does the actual logging, thus confirming that it is logging our credit card number. Maybe logging sensitive information is not the best way to capture this information?
So, in summary, we were able to find the following:
- What: Credit Card Number
- Where: LogCat > diva-log
- How: Log.e()
Hardcoding Issues Part One
When a programmer hardcodes a value, it means that they type it into the application, making it a static value. For example:
var password = "iamnotsecure";
This is not only bad from a programming perspective since the developer will have to manually change this value every time they want to update it, but from a security perspective, it allows attackers to easily exploit or hijack firmware, devices, systems, and software.
When we open the Hardcoding Issues Part One section we are met with the following objective: find out what is hardcoded and where. So, we are expected to find what is being hardcoded and where. From the get-go, we can immediately identify what will be hardcoded: the vendor key.
On to the where. Let's head into JADX-GUI and open up the HardcodeActivity activity to see if we can find anything in the source code.
Immediately we can see that the vendor key is hardcoded, thus we can copy the "vendorsecretkey" value and pop it into our app.
Voila, we have gained access to the system! 🥳
So, in summary, we were able to find the following:
- What: Vendor Secret Key > vendorsecretkey
- Where: HardcodeActivity
Hardcoding Issues Part Two
When we open the Hardcoding Issues Part Two section we are met with the following objective: find out what is hardcoded and where. So, we are expected to find what is being hardcoded and where. Just like previously, we can immediately identify what is probably hardcoded just by looking at the activity layout: the vendor key.
Now on to the where. Let's head into our Hardcode2Activity in JADX-GUI and open it up. We can immediately identify the DivaJni class that is being referenced, as the rest of the code depends on this class to be able to validate the access key.
Without wasting further time, let's open the DivaJni class. When I first opened it, without properly assessing the code, I saw the string soName = "divajni", and initially I thought this was the hardcoded value. To my dismay, it was not. Silly me, maybe next time I should read the source code fully! 😂
We can see upon further inspection that the static function loads the native library of soName, which is a library named divajni. Since we can assume that it calls upon a Shared Library, we can go looking for a file named "divajni.so". The .so extension identifies a Shared Object library that may be dynamically loaded during Android runtime.
Mmh, so we are looking for a library containing "divajni.so" in our lib folder within our APK file. Go to where you installed your DIVA APK and extract the file (to do this easily, just replace .apk with .zip and extract like normal). Once extracted, open it up and go lib > any one of the folders > libdivajni.so.
IMPORTANT NOTE: You can also access this library file via the terminal without having to extract the file and navigate to it like this:
You can copy this library file to your Desktop or anywhere with easy access. Open up your terminal using CTRL + ALT + T and cd into Destkop. Make sure your libdivajni.so file is there by entering the ls command.
To be able to view the text inside a binary or data file such as our library file, we need to use the strings command. Enter it as such: strings libdivajni.so. We can see a list of words popping up, mainly packages and extended libraries. If you look at it, most of them have a similar format: .x, _x, __x, x.so, etc. There is one string that stood out to me, because why would it have a semi-colon? Why? None of the other strings have semi-colons!
Let's try entering it as our vendor key. Please note that this process is trial-and-error. Sometimes we might not be so lucky as to identify a clear outlier in a string list as in this scenario. If we enter it into our app, we get a popup saying we have gained access, and success!
So, in summary, we were able to find the following:
- What: Vendor Secret Key
- Where: libdivajni.so > olsdfgad;lh
Conclusion
Congrats, we have finished the first two sections of the DIVA APK! I hope this was easy enough to follow/understand. I'll see you next time with Section 3: Insecure Data Storage.😊
If you have recommendations on any cool tools, techniques, or tutorials that I too can follow feel free to leave them below and I'll check it out!
(Pull this on my GitHub for future reference)