How to Hack & Protect Flutter Apps — Steal Firebase Auth token and attack the API. (Pt. 3/3)
JWT Token, MiTM Attacks and API Protection. Keep them properly protected and don’t put your enterprise at risk.
Part 1 (link) ↓
- Disassemble app.
- Extract its secrets.
Part 2 (link) ↓
- Make a fake clone.
- Check every transmitted JSON.
- Inject code.
Part 3 (this article) ↓
- Steal authentication tokens.
- and attack the API.
First things first. JSON web tokens.
A token is a piece of data that represents a specific identity or authorization. There are different types of tokens, including authentication tokens, which are used to authenticate a user’s identity, and bearer tokens, which grant access to a protected resource.
JWT, or JSON web tokens, are types of tokens used for authenticating and authorizing users. These tokens are encoded and signed, allowing the server to verify their authenticity. However, JWT tokens can be vulnerable to certain attacks, such as weak token signing and token tampering.
Weak tokens are tokens that have been compromised or are otherwise insecure. This can include tokens with weak or easily guessable signing keys, or tokens that have been stolen or otherwise obtained by an attacker. These weak tokens can be used to gain unauthorized access to a system or a protected resource.
The JWT standard allows the non-use of an algorithm (”alg”:”none”) to sign the token. This is of course a very bad practice. A user could change his rights on the fly (from “role”: “user” to “role”: “admin”), without any control by the server. In the same way, if the configuration carried out at the server level accepts different algorithms and the “none” variable, which consists of not having cryptographic functions, it will be possible for an attacker to bypass the integrity verification function to access the data of other users or even of the admin. This can be mitigated by choosing a reliable algorithm (SHA256) and force server to always check algorithm, and therefore reject the “none” variable.
Firebase Authentication
Firebase Authentication is Flutter Apps’ most favorable authentication service. It allows developers to easily integrate user authentication into their applications using a variety of authentication methods, such as email and password, phone number, or social media accounts like Google, Facebook, and Twitter.
When a user signs up for an account using Firebase Authentication, the service generates an authentication token that is associated with the user’s account. This token is then stored on the user’s device and is used to verify their identity whenever they access the application.
When the user attempts to log in to the application, the authentication token is sent to the Firebase Authentication server, where it is verified and then passed back to the application. If the token is valid, the user is granted access to the application.
How to steal Firebase authentication token
Now, if you’ve read the previous section carefully, you already know what we are after:
This token is then stored on the user’s device…
I want to emphasize that storing this token is a completely appropriate solution assuming the device’s sandbox and other security measures are intact.
Step 1: Demo app
This hello-world Flutter app is connected to Firebase Authentication. A few widgets, some copy-pasting from the Firebase tutorial, and it was up and running:
Once I registered my new account, I checked the account exists as well in Authentication Dashboard:
Everything works well, I am signed in:
Step 2: Extraction of JWT
Sorry, I won’t show you any zero-day vulnerability. I assume there is a vulnerable system at play or a malicious 3rd party library (yes, 3rd party dependencies can interfere with app’s data and more), which will steal data from within your application.
Locate the app’s data directory /shared_prefs, which contains a file named com.google.firebase.auth(…) .
The file has the following content:
I moved the content to my computer for easier manipulation. The highlighted text is Firebase Authentication JWT:
TIP: You can use fancy JWT viewer — jwt.io:
And here is the data:
An attacker could misuse this token for an impersonation attack. But to be able to make such an attack, it’s necessary to know the API. Let’s explore the API of the Flutter app.
Attack the API
How to do API attacks in a nutshell
An API attack is a type of cyberattack in which an attacker exploits vulnerabilities in an API in order to gain unauthorized access to sensitive data or systems.
Here are some examples of how a reverse engineer might carry out an API attack:
- Sniffing: The attacker captures network traffic containing API requests and responses in order to extract sensitive information such as passwords or access tokens. This can be done using tools like Wireshark or Burp Suite.
- Injection: The attacker modifies the API request in order to inject malicious code into the system. This can be done using techniques like SQL injection or cross-site scripting (XSS).
- Tampering: The attacker modifies the API request in order to alter the data being transmitted, such as changing the value of a transaction or account balance.
- Replay: The attacker captures a valid API request and then replays it multiple times in order to cause a denial of service (DoS) attack or gain unauthorized access to the system.
These are just a few examples of API attacks that a reverse engineer might carry out.
To attack the API of a mobile app, a reverse engineer would need to first identify the API and its associated vulnerabilities. This can typically be done by using a tool to intercept network traffic from the mobile app and analyzing the requests and responses to and from the API.
Once the API has been identified, the reverse engineer can attempt to exploit any vulnerabilities that are found. For example, if the API is not properly validated or sanitized, the reverse engineer could try injecting malicious code into the request in order to gain unauthorized access to the system or steal sensitive data.
Other tactics that might be used in an API attack on a mobile app include tampering with requests in order to alter data, capturing and replaying requests in order to cause a denial of service (DoS) attack, and sniffing network traffic to extract sensitive information.
Discover API architecture from Flutter app
- strings — You can use
stringscommand available in many Linux distros to gather string resources from any Flutter app:
$ strings my-flutter-app.apk | grep http to gather URLs
- GraphQL architecture — You can find GraphQL queries in the app’s binary
query {
user(id: "123") {
name
email
posts {
title
content
}
}
}- REST architecture — You can use
stringsor Burp Proxy (MITM) again. Common APIs can be found here. The web service may also have it’s OpenAPI (Swagger) documentation available.
/api/v1/account/user/verify
/api/v1/analytics/events
/api/v1/articles.json
/api/v1/asset/asset
/api/v1/asset/assets
/api/v1/authI decided to end this article here as there is a plethora of API hacking tutorials: https://duckduckgo.com/?q=api+hacking+burp+postman
Actionable steps for app owners
- Check of your Firebase is properly configured: https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit
- Glance over the Resources section of this article and check out one of the provided cheatsheets (the most relevant to your app)
- IMPORTANT: Majority of network attacks (impersonation, malicious scripts, botnets, JWT stealing, etc.) can be defeated by Talsec’s unique technology AppiCrypt. Check it out!
Thank you for reading the third part of this guide. I hope the information I’ve provided has been useful and informative! Thank you again for joining me on this journey.
written by Tomáš Soukal, Security Consultant at Talsec
https://talsec.app | info@talsec.app | Read also 5 Things John Learned Fighting Hackers of His App — A must-read for PM’s and CISO’s | Mobile API Anti-abuse Protection: AppiCrypt® Is a New SafetyNet and DeviceCheck Attestation Alternative
Enterprise Services Promotion
Talsec RASP is courtesy of Talsec. If you are looking for a solution tailored to your specific needs, contact us at https://talsec.app. We provide enhanced RASP protection with malware detection and detailed configurable threat reactions, immediate alerts, and penetration testing of your product to our commercial customers with a self-hosted cloud platform. To get the most advanced protection compliant with PSD2 RT and eIDAS and support from our experts, contact us via https://talsec.app/contact
Resources
It would be impossible to provide tutorial for every possible mobile app + web service architecture. Hence, I compiled useful list of OWASP and other resources about web application security. Use the list below to find quickly technologies and guides related to your use-case.
Latest ASVS
Pinning
Injection
Transaction authorization
Credential Stuffing Prevention
REST Security Cheat Sheet
Authentication Cheat Sheet
Forgot Password Cheat Sheet
Session Management Cheat Sheet
Weak Token
SSRF
File Upload Security
Input Validation Cheat Sheet
GraphQL Cheat Sheet
Query Parametrization
AWS Security
AWS Misconfigurations
Firebase security checklist
https://firebase.google.com/support/guides/security-checklist
Misconfiguration of Firebase — world readable https://xyz.firebaseio.com/.json
Exploit tool for this vulnerability:
A simple Python Exploit to Write Data to Insecure/vulnerable firebase databases! Commonly found inside Mobile Apps. If the owner of the app have set the security rules as true for both “read” & “write” an attacker can probably dump database and write his own data to firebase db.
