12. Hard Coding Issues — Part 2

Galilei
Mobile Penetration Testing
5 min read · Apr 15, 2019

Hard-coding sensitive data means welcoming hackers with a conveniently implanted backdoor. To find such a vulnerability, we need to reverse engineer the application in depth. We already discussed hard-coding issues in the previous part, so this time we go beyond simply finding the hard-coded password. The additional steps will be:

  • Introduction to Android native libraries
  • The Radare2 reverse engineering tool and its GUI, Cutter
  • Reverse engineering Android applications in opcode view

Android Native Library

Google develops the Android Native Development Kit (NDK) alongside the Android SDK. The purpose of the NDK is to help developers build libraries in C or C++. Some of the benefits of using native libraries are:

  • Using native activities
  • Access to physical device components such as sensors
  • Reusing existing C or C++ code in an Android application
  • Building very fast applications when you need heavy computation

Once the native library is built, the Java Native Interface (JNI) handles the communication between the native library and the Java-based code.

Radare2

Radare2 is a very powerful reverse engineering tool that supports almost every architecture. Getting started with r2 is a little hard, but I really recommend learning it.

When you install Radare2, some other tools are installed alongside it, such as:

  • Rabin2: extracts information from binary files
  • Rax2: base conversion utility
  • Rasm2: assembler/disassembler utility
  • Rahash2: hashing utility

My goal is not to teach you how to use r2, because we will use its GUI, but if you want to become an exploit developer, especially for mobile devices, learning it will be very helpful.

Cutter

As mentioned, Radare2 is a very powerful tool, but it is hard to use from the console: you need to learn its commands, which is painful for most people. To solve this problem, a GUI application called Cutter has been built for radare2. Some of its features are documented here.

Cutter has release builds on GitHub, but I recommend downloading the source code and building Cutter yourself.

Second Hard Coding Issue

Now we are back to our DIVA application with new tools. Let's make use of them to find the password for the challenge.

First, we need to extract the APK file.

unzip diva-beeta.apk

We will see several extracted files; classes.dex is what we are looking for. Let's see what Rabin2 can tell us about it:

The information looks correct: this is a Dalvik executable, the file format that Android runs. We need to find the class and method names.

  • To list classes and their methods we use the -c parameter.
  • For output in JSON format, we use -j.

rabin2 -c -j classes.dex > methods.json

Because the output is large, we write it to a file for further analysis.

Now let's open the file in Visual Studio Code and press CTRL + SHIFT + I to pretty-print the JSON.

After searching and studying the JSON file, you'll find the following class:
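Searching a large methods.json by hand is slow and error-prone. The script below is an added example, not code from the original post: it loads the rabin2 JSON and lists every class that declares native methods (the JNI boundary where Java hands control to a .so), finds classes whose name contains a keyword such as "hardcode", and derives the exported C symbol you should expect for a native method. It assumes rabin2's JSON shape (a top-level `classes` array whose entries carry `classname` and a `methods` list with `name` and `flags`); check those keys against your rabin2 version. The sample dump is constructed, and the second native method name is a placeholder.

```python
"""Triage a `rabin2 -c -j classes.dex` dump for the JNI boundary.

Added example, not part of the original post. Assumes the rabin2 JSON
shape described in the lead-in; adjust the keys if your version differs.
"""
import json
import sys

# Constructed sample in the assumed rabin2 shape (not real rabin2 output).
# "otherNative" is a placeholder for the second native method the post mentions.
SAMPLE_JSON = json.dumps({
    "classes": [
        {"classname": "Ljakhar/aseem/diva/Hardcode2Activity;",
         "methods": [{"name": "onCreate", "flags": "public"},
                     {"name": "access", "flags": "public"}]},
        {"classname": "Ljakhar/aseem/diva/DivaJni;",
         "methods": [{"name": "<clinit>", "flags": "static constructor"},
                     {"name": "access", "flags": "public native"},
                     {"name": "otherNative", "flags": "public native"}]},
        {"classname": "Landroid/support/v4/app/Fragment;",
         "methods": [{"name": "onAttach", "flags": "public"}]},
    ]
})


def load_classes(text):
    """Accept either {"classes": [...]} or a bare list of class records."""
    data = json.loads(text)
    if isinstance(data, dict):
        return data.get("classes", [])
    return data


def native_methods(text):
    """Return {classname: [method names]} for every method flagged native."""
    out = {}
    for cls in load_classes(text):
        names = [m["name"] for m in cls.get("methods", [])
                 if "native" in m.get("flags", "").split()]
        if names:
            out[cls["classname"]] = names
    return out


def find_classes(text, keyword):
    """Case-insensitive substring search over class names."""
    kw = keyword.lower()
    return [c["classname"] for c in load_classes(text)
            if kw in c["classname"].lower()]


def jni_symbol(classname, method):
    """Expected exported symbol for a JNI method: Java_<pkg>_<Class>_<method>.

    Accepts the Dalvik descriptor form 'Lpkg/Class;'. Per the JNI naming
    rules an underscore in a name becomes '_1' before dots turn into '_'
    (the rarer ';', '[' and non-ASCII escapes are not handled here).
    """
    name = classname
    if name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    name = name.replace("/", ".")
    mangle = lambda s: s.replace("_", "_1")
    return "Java_" + mangle(name).replace(".", "_") + "_" + mangle(method)


if __name__ == "__main__":
    # Usage: python triage.py methods.json   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    for cls, methods in native_methods(text).items():
        for m in methods:
            print(f"{cls} {m} -> {jni_symbol(cls, m)}")
    print("keyword hits:", find_classes(text, "hardcode"))
```

The symbol names it prints are what to look for next in the shared library's export table, which is how the Java-side method name links to the function you then open in Cutter.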

Now we have found our target class. Open the classes.dex file in Cutter and search for Hardcode2 (as in the following picture):

The code is in Dalvik VM opcodes and is very simple to analyze:

  • Load some objects and a string
  • Get the string value from the EditBox
  • Call jakhar/aseem/diva/DivaJni.access with the EditBox string value
  • If the method returns a specific value, access is granted; otherwise it is not.

The return value of the jakhar/aseem/diva/DivaJni.access method controls the flow of the application, so we need to reverse engineer that method.

We go back to the Rabin2 JSON output. The DivaJni class has two native methods; one of them is called access.

These two methods are not visible in Cutter, but in the DivaJni class we'll find something interesting:

The class calls the System.loadLibrary() method. If you look at the documentation, this function loads a native library so that its functions can be called through JNI.

Note: all of this could be done with JADX, as in the earlier tasks, but you cannot reverse engineer the native library with JADX. This is why we focus on radare2 in this challenge.

(Figure: Hardcode2Activity, native method access)

In the extracted files there is a lib directory with several sub-directories; each one holds the native libraries for a specific processor architecture. Since we use radare2, we can reverse engineer any of them. Open the x86_64 folder and you'll find the libdivajni.so file. Open it in Cutter for reverse engineering.

The access function in libdivajni.so is very simple:

  • Load a string (olsdfgad;lh).
  • Compare the input argument with the loaded string.
  • If they match, al = 1; otherwise al = 0.
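Because the password sits in the .so as a plain string, no disassembly is even needed to spot it, which is exactly the check a reviewer should run on a release build before it ships. The script below is an added example, not code from the post or from DIVA: it implements a minimal `strings`-style scan (what `rabin2 -z` does on a real binary) over an in-memory blob constructed to resemble libdivajni.so, filters out the symbol and file names you expect in such a library, and adds a denylist check that a CI job could run against every native library in the build.

```python
"""Find printable strings in a native library and flag credential leaks.

Added example, not from the original post or from DIVA. FAKE_SO is a
constructed stand-in for libdivajni.so; in practice read the real file.
"""
import re
import sys

# Constructed blob: an ELF-like header, filler bytes, and the strings a JNI
# library of this kind carries. The symbol follows the JNI naming convention
# Java_<package>_<Class>_<method>; the password is the one recovered above.
FAKE_SO = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"\x00\x03" + b"\xcc" * 40
    + b"Java_jakhar_aseem_diva_DivaJni_access\x00"
    + b"\x48\x89\xe5\x00"          # a few opcode-like bytes, not a string
    + b"olsdfgad;lh\x00"
    + b"libdivajni.so\x00"
    + b"\x00\x01\x02"
)


def extract_strings(blob, min_len=4):
    """Every run of at least min_len printable ASCII bytes, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def looks_like_symbol(s):
    """C identifiers, JNI export names and file names are expected content."""
    return re.fullmatch(r"[A-Za-z_][A-Za-z0-9_.]*", s) is not None


def suspicious_strings(blob, min_len=6):
    """Strings that are neither symbols nor file names: review these by hand."""
    return [s for s in extract_strings(blob, min_len) if not looks_like_symbol(s)]


def find_denylisted(blob, denylist):
    """Build-time gate: which known credentials are embedded in the binary?"""
    return [secret for secret in denylist if secret.encode("ascii") in blob]


if __name__ == "__main__":
    # Usage: python scan_so.py lib/x86_64/libdivajni.so   (falls back to FAKE_SO)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FAKE_SO
    print("all strings:", extract_strings(blob))
    print("needs review:", suspicious_strings(blob))
    # The denylist would hold the team's known test/dev credentials.
    leaked = find_denylisted(blob, ["olsdfgad;lh"])
    if leaked:
        print("FAIL: credential shipped in binary:", leaked)
        sys.exit(1)
```

The symbol filter is a heuristic to shrink the review list, not a guarantee: a secret made of only letters and digits would pass it, so the denylist check (which knows the actual credentials that must never ship) is the gate that fails the build.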

Finally, we have found the password. Let's see whether it works!

How To Secure

  • Never use hard-coded passwords.
  • Use encryption and the Android Keystore.

Final words

We have prepared a step-by-step Android penetration testing guide based on our own experience here. Check back for new posts from time to time.

Feel free to add comments to help us improve our posts. By the way, security belongs to everyone.
