Mobile
Static Analysis
jd-gui http://java-decompiler.github.io/
apktool https://ibotpeaches.github.io/Apktool/
dex2jar https://github.com/pxb1988/dex2jar
jadx https://github.com/skylot/jadx
Dynamic Analysis
Set a proxy, install the certificate, and you are ready to go.
System level certificate installation
Export your Burp certificate: Proxy > Options > CA Certificate > Export in DER format
Convert it to PEM
openssl x509 -inform der -in cacert.der -out burp.pem
Rename it to its subject hash (subject_hash_old) with a .0 suffix
mv burp.pem $(openssl x509 -inform PEM -subject_hash_old -in burp.pem | head -1)".0"
Remount /system as writable
adb shell "mount -o rw,remount /system"
Upload the certificate
adb push <generated.0> /system/etc/security/cacerts/
adb push 9a5ba575.0 /system/etc/security/cacerts/
Reboot the VM
adb reboot
Setting up proxy using ADB
Setting up a proxy
adb shell settings put global http_proxy <proxy ip>:<proxy port>
Flushing the proxy setting
adb shell settings delete global http_proxy
Currently focused activity
Focusing / Starting another activity
am start -n com.mailchimp.mailchimp/com.mailchimp.android.mcm.ui.upload.FileUploadActivity
List activities of an APK
Mobile Vulnerabilities & What to check
OWASP Top 10
M1 Improper Platform Usage
Misconfigurations in AndroidManifest.xml
M2 Insecure Data Storage
An app stores data on external storage insecurely: SQL databases, XML files, log files, cookie stores, binary data, etc.
M3 Insecure Communication
Clear text communication, communication without SSL
M4 Insecure Authentication
Insecure 2FA implementations, 2FA bypass.
Access to an API without authorization.
OTP bypass, client-side bypasses. For example, you can manipulate the server's response and bypass the 2FA or OTP.
M5 Insufficient Cryptography
Incorrect encryption, using encoding.
M6 Insecure Authorization
IDORs
M7 Client Code Quality
Client side sql injection, buffer overflows, XSS.
M8 Code Tampering
For example, cracking a free application into a premium one.
M9 Reverse Engineering
Sensitive information, strings, etc.
M10 Extraneous Functionality
For example, a developer forgets extraneous functionality in the app.
Leftover backdoor, debug parameter etc.
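An added example (not part of the original notes) for the M1 item "Misconfigurations in AndroidManifest.xml": a small audit of a manifest decoded with apktool that lists the activities and flags debuggable builds, enabled backups, permitted cleartext traffic (M3) and exported components with no permission. The function name audit_manifest and the com.example.demo sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

def audit_manifest(xml_text):
    """Return (activities, findings) for an apktool-decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    pkg, app = root.get("package", ""), root.find("application")
    activities, findings = [], []
    if app is None:
        return activities, ["no <application> element"]
    if app.get(ANDROID + "debuggable") == "true":
        findings.append("M1: application is debuggable")
    if app.get(ANDROID + "allowBackup") != "false":  # attribute defaults to true
        findings.append("M1: allowBackup is not disabled")
    if app.get(ANDROID + "usesCleartextTraffic") == "true":
        findings.append("M3: cleartext traffic is permitted")
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name = comp.get(ANDROID + "name", "")
        name = pkg + name if name.startswith(".") else name
        if comp.tag == "activity":
            activities.append(name)
        exported = comp.get(ANDROID + "exported")
        # Before Android 12, no attribute plus an intent filter meant exported.
        is_exported = exported == "true" or (
            exported is None and comp.find("intent-filter") is not None)
        launcher = any(c.get(ANDROID + "name") == "android.intent.category.LAUNCHER"
                       for c in comp.iter("category"))
        if is_exported and not launcher and comp.get(ANDROID + "permission") is None:
            findings.append(f"M1: exported {comp.tag} without permission: {name}")
    return activities, findings

# Constructed sample manifest, not taken from any real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ui.FileUploadActivity" android:exported="true"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

To audit a real app, pass the text of the AndroidManifest.xml that apktool writes to its output directory; the launcher activity is skipped because it has to be exported.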