Android Applications Pentesting

Reading time: 37 minutes


Android Applications Basics

It's highly recommended to start reading this page to know about the most important parts related to Android security and the most dangerous components in an Android application:

Android Applications Basics

ADB (Android Debug Bridge)

This is the main tool you need to connect to an Android device (emulated or physical).
ADB allows controlling devices either over USB or the network from a computer. This utility enables copying files in both directions, installing and uninstalling apps, executing shell commands, backing up data, reading logs, among other functions.

Take a look at the following list of ADB Commands to learn how to use adb.

Smali

Sometimes it is interesting to modify the application code to access hidden information (maybe well obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it.
In this tutorial you can learn how to decompile an APK, modify Smali code and recompile the APK with the new functionality. This could be very useful as an alternative for several tests during the dynamic analysis that are going to be presented. So always keep this possibility in mind.

Other interesting tricks

bash
adb shell pm list packages
com.android.insecurebankv2

adb shell pm path com.android.insecurebankv2
package:/data/app/com.android.insecurebankv2-Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk

adb pull /data/app/com.android.insecurebankv2-Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
  • Merge all splits and base apks with APKEditor:
bash
mkdir splits
adb shell pm path com.android.insecurebankv2 | cut -d ':' -f 2 | xargs -n1 -i adb pull {} splits
java -jar ../APKEditor.jar m -i splits/ -o merged.apk

# after merging, you will need to align and sign the apk, personally, I like to use the uberapksigner
java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed

Case Studies & Vulnerabilities

Air Keyboard Remote Input Injection

Android Rooting Frameworks Manager Auth Bypass Syscall Hook

Static Analysis

First of all, when analysing an APK you should take a look at the Java code using a decompiler.
Please, read here to find information about the different decompilers available.

Looking for interesting Info

Just by taking a look at the strings of the APK you can search for passwords, URLs (https://github.com/ndelphit/apkurlgrep), api keys, encryption, bluetooth uuids, tokens and anything interesting... look even for code execution backdoors or authentication backdoors (hardcoded admin credentials to the app).

Firebase

Pay special attention to firebase URLs and check if they are badly configured. More information about what Firebase is and how to exploit it here.

Basic understanding of the application - Manifest.xml, strings.xml

Examining the application's Manifest.xml and strings.xml files can reveal potential security vulnerabilities. These files can be obtained with a decompiler or by renaming the APK's extension to .zip and unzipping it.

Vulnerabilities identified from Manifest.xml include:

  • Debuggable Applications: Applications set as debuggable (debuggable="true") in the Manifest.xml are risky because they allow debugger connections that can lead to exploitation. For more on how to exploit debuggable applications, refer to the tutorial on finding and exploiting debuggable applications on a device.
  • Backup Settings: The android:allowBackup="false" attribute should be set explicitly for applications handling sensitive information to prevent unauthorized data backups via adb, especially when USB debugging is enabled.
  • Network Security: A custom network security configuration (android:networkSecurityConfig="@xml/network_security_config") in res/xml/ can define security details such as certificate pins and whether cleartext HTTP traffic is allowed, for example permitting HTTP for specific domains.
  • Exported Activities and Services: Identifying exported activities and services in the manifest can highlight components that could be misused. Remember that a component with an <intent-filter> is exported by default unless android:exported="false" is set (apps targeting Android 12 / API 31 must declare the attribute explicitly). Further analysis during dynamic testing can reveal how to exploit them.
  • Content Providers and FileProviders: Exposed content providers may allow unauthorized access to or modification of data. The configuration of FileProviders should also be reviewed.
  • Broadcast Receivers and URL Schemes: These components may be leveraged for exploitation, paying special attention to how URL schemes are handled for input vulnerabilities.
  • SDK Versions: The minSdkVersion, targetSDKVersion and maxSdkVersion attributes indicate the supported Android versions; not supporting old, vulnerable releases matters for security.

From the strings.xml file, sensitive information such as API keys, custom schemas and other developer notes can be discovered, which is why these resources deserve a careful review.
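The checks above can be scripted against the manifest that apktool decodes. The following is an added example (not code from the original page or from any tool it mentions) that parses a constructed AndroidManifest.xml, reports the misconfigurations listed above, applies the implicit-export rule for components with intent filters, and emits the adb command to launch each exported activity for the dynamic phase. The package name, component names and the network security config reference in the sample are invented for the demo.

```python
"""Quick audit of a decoded AndroidManifest.xml (as produced by apktool).
Added example, not part of the original page; SAMPLE_MANIFEST is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest exercising every check below (no real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="33"/>
  <application android:debuggable="true"
               android:allowBackup="true"
               android:usesCleartextTraffic="true"
               android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name="com.example.demo.MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.demo.AdminActivity" android:exported="true"/>
    <activity android:name="com.example.demo.SecretActivity"
              android:exported="true" android:permission="com.example.demo.ADMIN"/>
    <activity android:name="com.example.demo.DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo" android:host="app"/>
      </intent-filter>
    </activity>
    <provider android:name="com.example.demo.DataProvider"
              android:authorities="com.example.demo.provider" android:exported="true"/>
    <service android:name="com.example.demo.SyncService"/>
  </application>
</manifest>
"""


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def is_exported(component):
    """Platform rule: explicit android:exported wins; otherwise a component
    with at least one <intent-filter> is implicitly exported."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return (package, [finding, ...]) for the manifest-level checks."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    app = root.find("application")
    findings = []

    if _attr(app, "debuggable", "false").lower() == "true":
        findings.append("debuggable=true: a debugger / run-as can be attached")
    if _attr(app, "allowBackup", "true").lower() != "false":
        findings.append("allowBackup not set to false: app data may be exportable via adb backup")
    if _attr(app, "usesCleartextTraffic", "false").lower() == "true":
        findings.append("usesCleartextTraffic=true: plain HTTP allowed")
    if _attr(app, "networkSecurityConfig"):
        findings.append(f"custom network security config: review {_attr(app, 'networkSecurityConfig')}")

    sdk = root.find("uses-sdk")
    if sdk is not None and int(_attr(sdk, "minSdkVersion", "1")) < 21:
        findings.append(f"minSdkVersion={_attr(sdk, 'minSdkVersion')}: supports old, unpatched Android releases")

    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        # Exported and not guarded by android:permission -> reachable by any app.
        if is_exported(comp) and _attr(comp, "permission") is None:
            findings.append(f"exported {comp.tag} without permission: {_attr(comp, 'name')}")
    return pkg, findings


def launch_commands(xml_text):
    """adb one-liners to start every exported activity during dynamic testing."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    return [f"adb shell am start -n {pkg}/{_attr(a, 'name')}"
            for a in root.find("application").findall("activity") if is_exported(a)]


if __name__ == "__main__":
    pkg, findings = audit_manifest(SAMPLE_MANIFEST)
    print(f"[{pkg}]")
    for f in findings:
        print(" -", f)
    for c in launch_commands(SAMPLE_MANIFEST):
        print(c)
```

Run it against `apktool d app.apk` output by reading the decoded manifest into `audit_manifest`; the LAUNCHER activity is always exported and is listed for completeness, so the interesting entries are the other exported components.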

Tapjacking

Tapjacking is an attack where a malicious application is launched and positions itself on top of a victim application. Once it visually obscures the victim app, its user interface is designed in such a way as to trick the user into interacting with it, while it passes the interaction along to the victim app.
In effect, it blinds the user from knowing they are actually performing actions on the victim app.

Find more information in:

Tapjacking

Task Hijacking

An activity with launchMode set to singleTask without any taskAffinity defined is vulnerable to task hijacking. This means that an application can be installed and, if launched before the real application, it could hijack the task of the real application (so the user will be interacting with the malicious application thinking he is using the real one).

More info in:

Android Task Hijacking

Insecure data storage

Internal Storage

In Android, files stored in internal storage are designed to be accessible only by the app that created them. This security measure is enforced by the Android operating system and is generally sufficient for the security needs of most applications. However, developers sometimes use modes such as MODE_WORLD_READABLE and MODE_WORLD_WRITABLE to allow files to be shared between different applications. These modes do not restrict access to those files by other applications, including potentially malicious ones. (Both modes have been deprecated since API 17 and throw a SecurityException from Android 7.0 / API 24, but apps with older targets, or files made world-accessible through native code or chmod, still turn up.)

  1. Static Analysis:
  • Ensure that any use of MODE_WORLD_READABLE and MODE_WORLD_WRITABLE is carefully reviewed. These modes can expose files to unintended or unauthorized access.
  2. Dynamic Analysis:
  • Verify the permissions set on files created by the app. Specifically, check whether any files are world-readable or world-writable. This is a serious security risk, as it lets any application installed on the device, regardless of its origin or intent, read or modify those files.
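For the dynamic check, list the app's private directory (`adb shell ls -lR /data/data/<package>`, which needs root or `run-as` on a debuggable app) and look at the "other" permission bits. The script below is an added example, not from the original page: it parses a constructed `ls -lR` listing in the format toybox `ls` prints on Android and flags every entry readable or writable by other UIDs. The package name and file names in the sample are invented.

```python
"""Flag world-readable/writable entries in an app's private data directory.
Added example, not from the original page; SAMPLE_LISTING is constructed
to look like `adb shell ls -lR /data/data/<package>` output."""
import re

SAMPLE_LISTING = """\
/data/data/com.example.demo:
drwxrwx--x 2 u0_a123 u0_a123 4096 2024-01-01 10:00 databases
drwxrwx--x 2 u0_a123 u0_a123 4096 2024-01-01 10:00 shared_prefs
-rw-rw-rw- 1 u0_a123 u0_a123  512 2024-01-01 10:00 debug.log

/data/data/com.example.demo/shared_prefs:
-rw-r--r-- 1 u0_a123 u0_a123  890 2024-01-01 10:00 session.xml
-rw------- 1 u0_a123 u0_a123  120 2024-01-01 10:00 settings.xml

/data/data/com.example.demo/databases:
-rw-rw---- 1 u0_a123 u0_a123 20480 2024-01-01 10:00 users.db
"""

# type+mode, links, owner, group, size, date, time, name
LS_LINE = re.compile(
    r"^([-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+(.+)$")


def find_world_accessible(listing):
    """Return [(path, mode, issues)] for entries with r or w set for 'other'."""
    results = []
    current_dir = ""
    for line in listing.splitlines():
        if line.endswith(":"):          # `ls -R` directory header
            current_dir = line[:-1]
            continue
        m = LS_LINE.match(line)
        if not m:
            continue
        mode, name = m.groups()
        others = mode[7:10]             # rwx triplet for everyone else
        issues = []
        if "r" in others:
            issues.append("world-readable")
        if "w" in others:
            issues.append("world-writable")
        if issues:
            results.append((f"{current_dir}/{name}", mode, ",".join(issues)))
    return results


if __name__ == "__main__":
    for path, mode, issue in find_world_accessible(SAMPLE_LISTING):
        print(f"{mode}  {path}  ({issue})")
```

Pipe a real listing into `find_world_accessible` (for example `subprocess.check_output(["adb", "shell", "ls", "-lR", "/data/data/" + pkg], text=True)`); app directories normally show `--x` for others, so only regular files with `r` or `w` in the last triplet are worth reporting.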

External Storage

When dealing with files on external storage, such as SD cards, certain precautions should be taken:

  1. Accessibility:
  • Files on external storage are globally readable and writable. This means any application or user can access these files.
  2. Security Concerns:
  • Given the ease of access, it's advised not to store sensitive information on external storage.
  • External storage can be removed or accessed by any application, making it less secure.
  3. Handling Data from External Storage:
  • Always perform input validation on data retrieved from external storage. This is crucial because the data is from an untrusted source.
  • Storing executables or class files on external storage for dynamic loading is strongly discouraged.
  • If your application must retrieve executable files from external storage, ensure these files are signed and cryptographically verified before they are dynamically loaded. This step is vital for maintaining the security integrity of your application.

External storage can be accessed in /storage/emulated/0 , /sdcard , /mnt/sdcard

tip

Starting with Android 4.4 (API 19), the SD card has a directory structure that gives each app its own app-specific directory which it can use without storage permissions. This does not isolate everything, though: any app holding READ_EXTERNAL_STORAGE could still read other apps' files on shared storage until scoped storage (introduced in Android 10, enforced from Android 11 / API 30) restricted it.

Sensitive data stored in clear-text

  • Shared preferences: Android allows each application to easily save xml files in the path /data/data/<packagename>/shared_prefs/ and sometimes it's possible to find sensitive information in clear-text in that folder.
  • Databases: Android allows each application to easily save sqlite databases in the path /data/data/<packagename>/databases/ and sometimes it's possible to find sensitive information in clear-text in that folder.

Broken TLS

Accept All Certificates

For some reason, developers sometimes accept all certificates, even when for example the hostname does not match, with lines of code like the following:

java
// Decompiled snippet: 'cc' is most likely an obfuscated SSLSocketFactory subclass.
// Apache HttpClient's ALLOW_ALL_HOSTNAME_VERIFIER disables hostname checking,
// so a valid certificate issued for any other domain is accepted (MITM).
SSLSocketFactory sf = new cc(trustStore);
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

A good way to test this is to try to capture the traffic using a proxy like Burp without authorising the Burp CA inside the device. Also, you can generate with Burp a certificate for a different hostname and use it.

Broken Cryptography

Poor Key Management Processes

Some developers save sensitive data in local storage and encrypt it with a key hardcoded in or predictable from the code. This should not be done, as reversing the app could let attackers extract the confidential information.

Use of Insecure and/or Deprecated Algorithms

Developers should not use deprecated algorithms to perform authorisation checks, store or send data. Some of these algorithms are: RC4, MD4, MD5, SHA1... If hashes are used to store passwords, for example, a fast unsalted hash is vulnerable to brute-force; use a salt together with a slow password hash such as PBKDF2, bcrypt, scrypt or Argon2.

Other checks

  • It's recommended to obfuscate the APK to make the reverse engineering work harder for attackers.
  • If the app is sensitive (like bank apps), it should perform its own checks to see if the mobile is rooted and act accordingly.
  • If the app is sensitive (like bank apps), it should check if an emulator is being used.
  • If the app is sensitive (like bank apps), it should check its own integrity before executing to see if it was modified.
  • Use APKiD to check which compiler/packer/obfuscator was used to build the APK

React Native Application

Read the following page to learn how to easily access the javascript code of React applications:

React Native Application

Xamarin Applications

Read the following page to learn how to easily access the C# code of xamarin applications:

Xamarin Apps

Superpacked Applications

According to this blog post superpacked is a Meta algorithm that compresses the content of an application into a single file. The blog talks about the possibility of creating an app that decompresses these kinds of apps... and a faster way which involves executing the application and gathering the decompressed files from the filesystem.

Automated Static Code Analysis

The tool mariana-trench is capable of finding vulnerabilities by scanning the code of the application. This tool contains a series of known sources (which indicate the places where the input is controlled by the user), sinks (which indicate dangerous places where malicious user input could cause damage) and rules. These rules indicate the combination of sources-sinks that indicates a vulnerability.

With this knowledge, mariana-trench will review the code and find possible vulnerabilities in it.

Secrets leaked

An application may contain secrets (API keys, passwords, hidden urls, subdomains...) inside of it that you might be able to discover. You could use a tool such as https://github.com/dwisiswant0/apkleaks

Bypass Biometric Authentication

Bypass Biometric Authentication (Android)

Other interesting functions

  • Code execution: Runtime.exec(), ProcessBuilder(), native code: system()
  • Send SMSs: sendTextMessage, sendMultipartTextMessage
  • Native functions declared as native: public native, System.loadLibrary, System.load
  • Read this to learn how to reverse native functions
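The static checks from the "Looking for interesting Info", "Broken TLS", "Broken Cryptography", "Secrets leaked" and "Other interesting functions" sections above come down to grepping the decompiled sources for a handful of API names. The following added example (not code from the original page or from any of the tools it mentions) runs one regex table over a jadx/apktool output tree and reports file, line and category for each hit; the three Java files in SAMPLE_FILES are constructed for the demo, including the accept-all TLS snippet shown earlier.

```python
"""Grep-style triage of decompiled Java/Smali sources for risky APIs.
Added example, not from the original page; SAMPLE_FILES is constructed."""
import os
import re

# category -> regex applied to each source line
PATTERNS = {
    "tls-accept-all":   re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|checkServerTrusted\s*\([^)]*\)\s*\{\s*\}"),
    "weak-crypto":      re.compile(r'getInstance\(\s*"[^"]*(?:MD5|MD4|SHA-?1|RC4|DES|ECB)[^"]*"'),
    "hardcoded-secret": re.compile(r'(?i)(?:api[_-]?key|secret|password|token)\s*=\s*"[^"]{8,}"|AKIA[0-9A-Z]{16}'),
    "world-accessible": re.compile(r"MODE_WORLD_(?:READABLE|WRITE?ABLE)"),
    "code-exec":        re.compile(r"Runtime\.getRuntime\(\)\.exec\(|new ProcessBuilder\("),
    "sms":              re.compile(r"sendTextMessage\(|sendMultipartTextMessage\("),
    "native":           re.compile(r"System\.load(?:Library)?\(|\bnative\s+\w+\s+\w+\s*\("),
    "webview-risky":    re.compile(r"setJavaScriptEnabled\(\s*true\s*\)|setAllowFileAccess\(\s*true\s*\)|Intent\.parseUri\("),
}

# Constructed decompiled sources (path -> text) standing in for a jadx tree.
SAMPLE_FILES = {
    "com/example/demo/NetClient.java": """\
SSLSocketFactory sf = new cc(trustStore);
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
public void checkServerTrusted(X509Certificate[] c, String a) { }
""",
    "com/example/demo/Crypto.java": """\
MessageDigest md = MessageDigest.getInstance("MD5");
Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
private static final String API_KEY = "sk_live_0123456789abcdef";
""",
    "com/example/demo/Util.java": """\
Process p = Runtime.getRuntime().exec(cmd);
SharedPreferences sp = getSharedPreferences("cfg", MODE_WORLD_READABLE);
SmsManager.getDefault().sendTextMessage(num, null, body, null, null);
public native String getKey(int idx);
System.loadLibrary("native-lib");
wv.getSettings().setJavaScriptEnabled(true);
""",
}


def scan_text(path, text):
    """Return [(path, line_no, category, stripped_line)] for every match."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for cat, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((path, lineno, cat, line.strip()))
    return hits


def scan_files(files):
    """Scan an in-memory mapping path -> source text."""
    hits = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits


def scan_tree(root_dir, exts=(".java", ".smali", ".kt", ".xml")):
    """Walk a decompiled tree on disk (e.g. `jadx -d out app.apk`)."""
    hits = []
    for dirpath, _, names in os.walk(root_dir):
        for n in names:
            if n.endswith(exts):
                p = os.path.join(dirpath, n)
                with open(p, encoding="utf-8", errors="ignore") as fh:
                    hits.extend(scan_text(p, fh.read()))
    return hits


if __name__ == "__main__":
    for path, lineno, cat, snippet in scan_files(SAMPLE_FILES):
        print(f"{cat:17} {path}:{lineno}: {snippet}")
```

The patterns are deliberately loose (for instance "DES" also catches DESede); treat the output as a worklist to open in the decompiler, not as findings. Note how `AES/GCM/NoPadding` is not reported while `MD5` is.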

Other tricks

content:// protocol



Dynamic Analysis

First of all, you need an environment where you can install the application and all the tooling (Burp CA cert, Drozer and Frida mainly). Therefore, a rooted device (emulated or not) is extremely recommended.

Online Dynamic analysis

You can create a free account at: https://appetize.io/. This platform allows you to upload and execute APKs, so it is useful to see how an apk behaves.

You can even see the logs of your application in the web and connect through adb.

Thanks to the ADB connection you can use Drozer and Frida inside the emulators.

Local Dynamic Analysis

Using an emulator

  • Android Studio (You can create x86 and arm devices, and according to this latest x86 versions support ARM libraries without needing a slow arm emulator).
  • Learn to set it up on this page:

AVD - Android Virtual Device

  • Genymotion (Free version: Personal Edition, you need to create an account. It's recommended to download the version WITH VirtualBox to avoid potential errors.)
  • Nox (Free, but it doesn't support Frida or Drozer).

tip

When creating a new emulator on any platform remember that the bigger the screen is, the slower the emulator will run. So select small screens if possible.

To install google services (like the app store) in Genymotion you need to click the button marked in red in the following image:

Also, notice that in the configuration of the Android VM in Genymotion you can select Bridge Network mode (this will be useful if you are connecting to the Android VM from a different VM with the tools).

Use a physical device

You need to activate the debugging options and it will be nice if you can root it:

  1. Settings.
  2. (From Android 8.0) Select System.
  3. Select About phone.
  4. Press Build number 7 times.
  5. Go back and you will find the Developer options.

Once you have installed the application, the first thing you should do is try it, investigate what it does, how it works and get comfortable with it.
I recommend performing this initial dynamic analysis using MobSF dynamic analysis + pidcat, so we can learn how the application works while MobSF captures a lot of interesting data you can review later.

Magisk/Zygisk quick notes (recommended on Pixel devices)

  • Patch boot.img with the Magisk app and flash via fastboot to get systemless root
  • Enable Zygisk + DenyList for root hiding; consider LSPosed/Shamiko when stronger hiding is required
  • Keep original boot.img to recover from OTA updates; re-patch after each OTA
  • For screen mirroring, use scrcpy on the host

Unintended Data Leakage

Logging

Developers should be cautious about exposing debugging information publicly, as it can lead to sensitive data leaks. The tools pidcat and adb logcat are recommended for monitoring application logs to identify and protect sensitive information. Pidcat is favored for its ease of use and readability.

warning

Note that since Android 4.1 (API 16), third-party applications can only access their own logs (the READ_LOGS permission is no longer granted to them). So an application cannot read the logs of other apps.
Anyway, it's still recommended not to log sensitive information.

Copy/Paste Buffer Caching

Android's clipboard-based framework enables copy-paste functionality in apps, yet it poses a risk as other applications can access the clipboard, potentially exposing sensitive data. It is crucial to disable copy/paste functions for sensitive sections of an application, such as credit card details, to prevent data leaks.

Crash Logs

If an application crashes and saves logs, these logs can assist attackers, particularly when the application cannot be reverse-engineered. To mitigate this risk, avoid logging on crashes, and if logs must be transmitted over the network, ensure they are sent via an SSL channel for security.

As a pentester, try to take a look at these logs.

Analytics Data Sent To 3rd Parties

Applications often integrate services like Google Adsense, which can inadvertently leak sensitive data due to improper implementation by developers. To identify potential data leaks, it's advisable to intercept the application's traffic and check for any sensitive information being sent to third-party services.

SQLite DBs

Most applications will use internal SQLite databases to save information. During the pentest take a look at the databases created, the names of tables and columns and all the data saved because you could find sensitive information (which would be a vulnerability).
Databases should be located in /data/data/the.package.name/databases like /data/data/com.mwr.example.sieve/databases

If the database is saving confidential information and is encrypted but you can find the password inside the application it's still a vulnerability.

Enumerate the tables using .tables and enumerate the columns of a table with .schema <table_name>
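The `.tables` / `.schema` walk can be automated over every database pulled from `/data/data/<pkg>/databases/`. The following added example (not from the original page) builds a constructed in-memory database that mimics a badly written app, enumerates tables and columns through `sqlite_master` and `PRAGMA table_info`, and flags suspiciously named columns as well as key/value rows whose key looks sensitive; `triage_db` applies the same checks to a file pulled with `adb pull`. Table and column names and all data are invented for the demo.

```python
"""Triage a SQLite database pulled from /data/data/<pkg>/databases/.
Added example, not from the original page; build_sample_db() is constructed."""
import re
import sqlite3

# Column/key names that usually hold secrets (loose on purpose; 'pin' also
# matches 'shipping', treat hits as a worklist).
SENSITIVE = re.compile(r"(?i)pass(word)?|pwd|pin|secret|token|ssn|card|cvv|iban|otp|session")


def build_sample_db():
    """Constructed DB with demo data only (no real credentials)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, pin TEXT);
        CREATE TABLE settings(key TEXT, value TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hunter2', '1234');
        INSERT INTO users VALUES (2, 'bob', 'P@ssw0rd', '0000');
        INSERT INTO settings VALUES ('theme', 'dark');
        INSERT INTO settings VALUES ('auth_token', 'eyJhbGciOiJIUzI1NiJ9.demo');
    """)
    return con


def schema(con):
    """{table: [column, ...]} for every user table (the .tables + .schema step)."""
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    return {t: [c[1] for c in con.execute(f'PRAGMA table_info("{t}")')] for t in tables}


def find_sensitive(con):
    """Return [(table, column_or_key, [values...])] worth a closer look."""
    hits = []
    for table, cols in schema(con).items():
        for col in cols:
            if SENSITIVE.search(col):
                values = [r[0] for r in con.execute(f'SELECT "{col}" FROM "{table}"')]
                hits.append((table, col, values))
        # key/value stores hide the secret in the data, not the column name
        if {"key", "value"} <= set(cols):
            for k, v in con.execute(f'SELECT key, value FROM "{table}"'):
                if SENSITIVE.search(str(k)):
                    hits.append((table, k, [v]))
    return hits


def triage_db(path):
    """Open a pulled .db read-only (never modify evidence) and run the checks."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return find_sensitive(con)
    finally:
        con.close()


if __name__ == "__main__":
    con = build_sample_db()
    for table, cols in schema(con).items():
        print(f"{table}: {', '.join(cols)}")
    for table, col, values in find_sensitive(con):
        print(f"[!] {table}.{col}: {values}")
```

Clear-text passwords and PINs in `users`, and a bearer token stored under a harmless-looking `settings` table, are exactly the findings the paragraph above describes; an encrypted database whose key is recoverable from the APK should be opened with that key and triaged the same way.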

Drozer (Exploit Activities, Content Providers and Services)

From the Drozer Docs: Drozer allows you to assume the role of an Android app and interact with other apps. It can do anything that an installed application can do, such as make use of Android's Inter-Process Communication (IPC) mechanism and interact with the underlying operating system.
Drozer is a useful tool to exploit exported activities, exported services and Content Providers as you will learn in the following sections.

Exploiting exported Activities

Read this if you want to refresh what is an Android Activity.
Also remember that the code of an activity starts in the onCreate method.

Authorisation bypass

When an Activity is exported you can invoke its screen from an external app. Therefore, if an activity with sensitive information is exported you could bypass the authentication mechanisms to access it.

Learn how to exploit exported activities with Drozer.

You can also start an exported activity from adb:

  • PackageName is com.example.demo
  • Exported ActivityName is com.example.test.MainActivity
bash
adb shell am start -n com.example.demo/com.example.test.MainActivity

NOTE: MobSF will flag as malicious the use of singleTask/singleInstance as android:launchMode in an activity, but according to this, apparently this is only dangerous on old versions (API versions < 21).

tip

Note that an authorisation bypass is not always a vulnerability; it depends on how the bypass works and which information is exposed.

Sensitive information leakage

Activities can also return results. If you manage to find an exported and unprotected activity calling the setResult method and returning sensitive information, there is a sensitive information leak.

Tapjacking

If tapjacking isn't prevented, you could abuse the exported activity to make the user perform unexpected actions. For more info about what Tapjacking is follow the link.

Exploiting Content Providers - Accessing and manipulating sensitive information

Read this if you want to refresh what a Content Provider is.
Content providers are basically used to share data. If an app has content providers available you may be able to extract sensitive data from them. It's also worth testing for possible SQL injections and Path Traversals as they could be vulnerable.

Learn how to exploit Content Providers with Drozer.

Exploiting Services

Read this if you want to refresh what a Service is.
Remember that the actions of a Service start in the onStartCommand method.

A service is basically something that can receive data, process it and return (or not) a response. Then, if an application is exporting services you should check the code to understand what it does and test it dynamically to extract confidential info, bypass authentication measures...
Learn how to exploit Services with Drozer.

Exploiting Broadcast Receivers

Read this if you want to refresh what a Broadcast Receiver is.
Remember that the actions of a Broadcast Receiver start in the onReceive method.

A broadcast receiver will be waiting for a type of message. Depending on how the receiver handles the message it could be vulnerable.
Learn how to exploit Broadcast Receivers with Drozer.

Exploiting Schemes / Deep links

You can look for deep links manually, using tools like MobSF or scripts like this one.
You can open a declared scheme using adb or a browser:

bash
adb shell am start -a android.intent.action.VIEW -d "scheme://hostname/path?param=value" [your.package.name]

Note that you can omit the package name and the mobile will automatically call the app that should open that link.

html
<!-- Browser regular link -->
<a href="scheme://hostname/path?param=value">Click me</a>
<!-- fallback in your url you could try the intent url -->
<a href="intent://hostname#Intent;scheme=scheme;package=your.package.name;S.browser_fallback_url=http%3A%2F%2Fwww.example.com;end">with alternative</a>

Code executed

In order to find the code that will be executed in the App, go to the activity called by the deeplink and search the function onNewIntent.

Sensitive info

Every time you find a deep link check that it's not receiving sensitive data (like passwords) via URL parameters, because any other application could impersonate the deep link and steal that data!

Parameters in path

You must check also if any deep link is using a parameter inside the path of the URL like: https://api.example.com/v1/users/{username} , in that case you can force a path traversal accessing something like: example://app/users?username=../../unwanted-endpoint%3fparam=value .
Note that if you find the correct endpoints inside the application you may be able to cause an Open Redirect (if part of the path is used as domain name), account takeover (if you can modify user details without a CSRF token and the vulnerable endpoint uses the correct method) and any other vuln. More info about this here.
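The traversal above works because the app concatenates the deep-link parameter into a URL path and the HTTP stack then collapses the `../` segments. The following added example (not from the original page) models that: it extracts `username` from a constructed deep link, shows the backend URL the vulnerable concatenation resolves to, contrasts it with an allow-list plus percent-encoding fix, and prints the adb command used to deliver the link. The `demo://app/users` scheme and the `API_BASE` endpoint are assumptions for the demo.

```python
"""Deep-link parameter reused inside a backend URL path: vulnerable vs hardened.
Added example, not from the original page; the scheme and API_BASE are assumed."""
import posixpath
import re
from urllib.parse import parse_qs, quote, urlsplit

API_BASE = "https://api.example.com/v1/users/"      # assumed backend endpoint
USERNAME_OK = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")  # allow-list for the parameter

# Constructed deep links: one benign, one carrying the traversal payload.
BENIGN_LINK = "demo://app/users?username=alice"
EVIL_LINK = "demo://app/users?username=../../unwanted-endpoint%3fparam=value"


def username_from_deeplink(link):
    """What onNewIntent() would read from getIntent().getData(); %3f is decoded here."""
    return parse_qs(urlsplit(link).query).get("username", [""])[0]


def build_url_vulnerable(username):
    # Raw concatenation: "../" segments and the decoded "?" reach the server as-is.
    return API_BASE + username


def build_url_hardened(username):
    """Reject anything outside the allow-list, then encode as one path segment."""
    if not USERNAME_OK.match(username):
        raise ValueError(f"rejected username {username!r}")
    return API_BASE + quote(username, safe="")


def resolve(url):
    """Collapse dot segments the way an HTTP client/server normalises a path."""
    p = urlsplit(url)
    return p._replace(path=posixpath.normpath(p.path)).geturl()


def adb_command(link, package=None):
    """adb one-liner to fire the deep link at the device (package optional)."""
    pkg = f" {package}" if package else ""
    return f'adb shell am start -a android.intent.action.VIEW -d "{link}"{pkg}'


if __name__ == "__main__":
    for link in (BENIGN_LINK, EVIL_LINK):
        user = username_from_deeplink(link)
        print(adb_command(link, "com.example.demo"))
        print("  vulnerable ->", resolve(build_url_vulnerable(user)))
        try:
            print("  hardened   ->", build_url_hardened(user))
        except ValueError as e:
            print("  hardened   ->", e)
```

With the payload the vulnerable build resolves to `https://api.example.com/unwanted-endpoint?param=value`, i.e. a different endpoint with attacker-chosen query parameters, while the hardened build refuses the value; even without the allow-list, `quote(..., safe="")` alone would keep the slashes and `?` encoded so the server treats them as part of the segment.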

More examples

An interesting bug bounty report about links (/.well-known/assetlinks.json).

Transport Layer Inspection and Verification Failures

  • Certificates are not always inspected properly by Android applications. It's common for these applications to overlook warnings and accept self-signed certificates or, in some instances, revert to using HTTP connections.
  • Negotiations during the SSL/TLS handshake are sometimes weak, employing insecure cipher suites. This vulnerability makes the connection susceptible to man-in-the-middle (MITM) attacks, allowing attackers to decrypt the data.
  • Leakage of private information is a risk when applications authenticate using secure channels but then communicate over non-secure channels for other transactions. This approach fails to protect sensitive data, such as session cookies or user details, from interception by malicious entities.

Certificate Verification

We will focus on certificate verification. The integrity of the server's certificate must be verified to enhance security. This is crucial because insecure TLS configurations and the transmission of sensitive data over unencrypted channels can pose significant risks. For detailed steps on verifying server certificates and addressing vulnerabilities, this resource provides comprehensive guidance.

SSL Pinning

SSL Pinning is a security measure where the application verifies the server's certificate against a known copy stored within the application itself. This method is essential for preventing MITM attacks. Implementing SSL Pinning is strongly recommended for applications handling sensitive information.

Traffic Inspection

To inspect HTTP traffic, it's necessary to install the proxy tool's certificate (e.g., Burp). Without installing this certificate, encrypted traffic might not be visible through the proxy. For a guide on installing a custom CA certificate, click here.

Applications targeting API Level 24 and above require changes to the Network Security Config to accept the proxy's CA certificate, since user-installed CAs are no longer trusted by default. This step is critical for inspecting encrypted traffic. For instructions on modifying the Network Security Config, refer to this tutorial.

If Flutter is being used you need to follow the instructions in this page. This is because just adding the certificate into the store won't work as Flutter has its own list of valid CAs.

Static detection of SSL/TLS pinning

Before attempting runtime bypasses, quickly map where pinning is enforced in the APK. Static discovery helps plan hooks/patches and focus on the right code paths.

Tool: SSLPinDetect

  • Open-source static-analysis utility that decompiles the APK to Smali (via apktool) and scans for curated regex patterns of SSL/TLS pinning implementations.
  • Reports exact file path, line number, and a code snippet for each match.
  • Covers common frameworks and custom code paths: OkHttp CertificatePinner, custom javax.net.ssl.X509TrustManager.checkServerTrusted, SSLContext.init with custom TrustManagers/KeyManagers, and Network Security Config XML pins.

Install

  • Prerequisites: Python >= 3.8, Java on PATH, apktool
bash
git clone https://github.com/aancw/SSLPinDetect
cd SSLPinDetect
pip install -r requirements.txt

Usage

bash
# Basic
python sslpindetect.py -f app.apk -a apktool.jar

# Verbose (timings + per-match path:line + snippet)
python sslpindetect.py -a apktool_2.11.0.jar -f sample/app-release.apk -v

Example pattern rules (JSON). Use or extend the signatures to detect proprietary/custom pinning styles. You can load your own JSON and scan at scale.

json
{
"OkHttp Certificate Pinning": [
"Lcom/squareup/okhttp/CertificatePinner;",
"Lokhttp3/CertificatePinner;",
"setCertificatePinner"
],
"TrustManager Override": [
"Ljavax/net/ssl/X509TrustManager;",
"checkServerTrusted"
]
}

Notes and tips

  • Fast scanning on large apps via multi-threading and memory-mapped I/O; pre-compiled regexes reduce overhead/false positives.
  • Pattern collection: https://github.com/aancw/smali-sslpin-patterns
  • Typical detection targets to inspect afterwards:
  • OkHttp: CertificatePinner usage, setCertificatePinner, okhttp3/okhttp package references
  • Custom TrustManagers: javax.net.ssl.X509TrustManager, checkServerTrusted overrides
  • Custom SSL contexts: SSLContext.getInstance + SSLContext.init with custom managers
  • Declarative pins in res/xml network security config and manifest references
  • Use the matched locations to plan Frida hooks, static patches, or config reviews before dynamic testing.

Bypassing SSL Pinning

When SSL Pinning is implemented, bypassing it becomes necessary to inspect HTTPS traffic. Various methods are available for this purpose:

Looking for common web vulnerabilities

It's important to also search for common web vulnerabilities within the application. Detailed information on identifying and mitigating these vulnerabilities is beyond the scope of this summary but is extensively covered elsewhere.

Frida

Frida is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
You can access the running application and hook methods at runtime to change the behaviour, change values, extract values, run different code...
If you want to pentest Android applications you need to know how to use Frida.

Anti-instrumentation & SSL pinning bypass workflow

Android Anti Instrumentation And Ssl Pinning Bypass

Dump Memory - Fridump

Check if the application is storing sensitive information inside memory that it shouldn't be storing, such as passwords or mnemonics.

Using Fridump3 you can dump the memory of the app with:

bash
# With PID
python3 fridump3.py -u <PID>

# With name
frida-ps -Uai
python3 fridump3.py -u "<Name>"

This will dump the memory in the ./dump folder, and in there you could grep for something like the following (this regex matches 12-word mnemonic phrases):

bash
strings * | grep -E "^[a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+$"

Sensitive data in Keystore

In Android the Keystore is the best place to store sensitive data, however, with enough privileges it's still possible to access it. As applications tend to store here sensitive data in clear text, the pentest should check for it, since a root user or someone with physical access to the device could be able to steal this data.

Even if an app stores data in the keystore, that data should itself be encrypted.

To access the data inside the keystore you could use this Frida script: https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js

bash
frida -U -f com.example.app -l frida-scripts/tracer-cipher.js

Fingerprint/Biometrics Bypass

Using the following Frida script it might be possible to bypass the fingerprint authentication Android applications may be performing in order to protect certain sensitive areas:

bash
frida --codeshare krapgras/android-biometric-bypass-update-android-11 -U -f <app.package>

Background Images

When you put an application in the background, Android stores a snapshot of the application so when it's recovered to the foreground it starts loading the image before the app so it looks like the app was loaded faster.

However, if this snapshot contains sensitive information, someone with access to the snapshot might steal that info (note that you need root to access it).

The snapshots are usually stored around: /data/system_ce/0/snapshots

Android provides a way to prevent the screenshot capture by setting the FLAG_SECURE layout parameter. By using this flag, the window contents are treated as secure, preventing them from appearing in screenshots or from being viewed on non-secure displays.

java
getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);

Android Application Analyzer

This tool could help you manage different tools during the dynamic analysis: https://github.com/NotSoSecure/android_application_analyzer

Intent Injection

Developers often create proxy components like activities, services, and broadcast receivers that handle these Intents and pass them to methods such as startActivity(...) or sendBroadcast(...), which can be risky.

The danger lies in allowing attackers to trigger non-exported app components or access sensitive content providers by misdirecting these Intents. A notable example is the WebView component converting URLs to Intent objects via Intent.parseUri(...) and then executing them, potentially leading to malicious Intent injections.

Essential Takeaways

  • Intent Injection is similar to the web's Open Redirect issue.
  • Exploits involve passing Intent objects as extras, which can be redirected to execute unsafe operations.
  • It can expose non-exported components and content providers to attackers.
  • WebView's URL-to-Intent conversion can facilitate unintended actions.

Android Client Side Injections and others

You probably know about this kind of vulnerabilities from the web. You have to be especially careful with these vulnerabilities in an Android application:

  • SQL Injection: when dealing with dynamic queries or Content Providers, make sure you are using parameterized queries.
  • JavaScript Injection (XSS): verify that JavaScript and Plugin support is disabled for any WebView (disabled by default). More info here.
  • Local File Inclusion: WebViews should have file system access disabled (it is enabled by default): webview.getSettings().setAllowFileAccess(false);. More info here.
  • Eternal cookies: in several cases, when the Android application ends the session, the cookie is not revoked or it may even be saved to disk.
  • Secure flag in cookies
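The first three items above as an added example (not from the page): a vulnerable way for a ContentProvider to build its query next to the parameterized SQLiteQueryBuilder form, and the WebView settings that close the JavaScript and file-access items. The table name, column names and helper names are assumptions.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.HashMap;
import java.util.Map;

public final class ClientSideHardening {
    // Projection map: callers of the provider may only name these columns (assumed schema).
    private static final Map<String, String> NOTE_COLUMNS = new HashMap<>();
    static {
        NOTE_COLUMNS.put("_id", "_id");
        NOTE_COLUMNS.put("title", "title");
    }

    // VULNERABLE (what a ContentProvider.query() must not do): the selection string that a
    // caller handed to ContentResolver.query() is spliced into the SQL text, so the caller
    // controls the whole WHERE clause of a query run inside this app's process.
    static Cursor queryUnsafe(SQLiteDatabase db, String callerSelection) {
        return db.rawQuery("SELECT _id, title FROM notes WHERE " + callerSelection, null);
    }

    // HARDENED: SQLiteQueryBuilder with a projection map and strict mode; values travel only
    // through selectionArgs, which SQLite binds as parameters rather than SQL text.
    static Cursor querySafe(SQLiteDatabase db, String[] projection, String selection,
                            String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");
        qb.setProjectionMap(NOTE_COLUMNS);
        qb.setStrict(true); // API 14+: rejects subqueries and unexpected tokens in selection
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    // WebView settings for the XSS and local-file-inclusion items: JavaScript is off by
    // default but is often switched on; file access is on by default before API 30.
    static void hardenWebView(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);      // deprecated, still honoured on old APIs
        s.setAllowUniversalAccessFromFileURLs(false); // deprecated, still honoured on old APIs
    }
}
```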

Automatic Analysis

MobSF

Static analysis

Vulnerability assessment of the application using a nice web frontend. You can also perform dynamic analysis (but you need to prepare the environment).

```bash
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
```

Note that MobSF can analyse Android (apk), iOS (ipa) and Windows (apx) applications (Windows applications must be analysed from a MobSF installed on a Windows host).
Also, if you create a ZIP file with the source code of an Android or iOS app (go to the root folder of the application, select everything and create a ZIP file), MobSF will be able to analyse it as well.

MobSF also lets you diff/compare analyses and integrate VirusTotal (you will need to set your API key in MobSF/settings.py and enable it: VT_ENABLED = TRUE VT_API_KEY = <Your API key> VT_UPLOAD = TRUE). You can also set VT_UPLOAD to False; then the hash will be uploaded instead of the file.

Assisted dynamic analysis with MobSF

MobSF can also be very helpful for dynamic analysis on Android, but in that case you will need to install MobSF and genymotion on your host (a VM or Docker won't work). Note: you need to start a VM in genymotion first and then MobSF.
The MobSF dynamic analyser can:

  • Dump application data (URLs, logs, clipboard, screenshots made by you, screenshots made by "Exported Activity Tester", emails, SQLite databases, XML files, and other created files). All of this is done automatically except for the screenshots: you need to press when you want a screenshot, or press "Exported Activity Tester" to obtain screenshots of all the exported activities.
  • Capture HTTPS traffic
  • Use Frida to obtain runtime information

From Android > 5, it will automatically start Frida and set the global proxy settings to capture traffic. It will only capture traffic from the tested application.

Frida

By default, it will also use some Frida scripts to bypass SSL pinning, root detection and debugger detection, and to monitor interesting APIs.
MobSF can also invoke exported activities, grab screenshots of them and save them for the report.

To start the dynamic testing press the green button: "Start Instrumentation". Press "Frida Live Logs" to see the logs generated by the Frida scripts and "Live API Monitor" to see all the invocations of hooked methods, the arguments passed and the values returned (this will appear after pressing "Start Instrumentation").
MobSF also lets you load your own Frida scripts (to send the results of your Frida scripts to MobSF use the function send()). It also has several pre-written scripts you can load (you can add more in MobSF/DynamicAnalyzer/tools/frida_scripts/others/); just select them, press "Load" and then "Start Instrumentation" (you will be able to see the logs of those scripts inside "Frida Live Logs").

Moreover, you have some auxiliary Frida functionalities:

  • Enumerate Loaded Classes: prints all the loaded classes
  • Capture Strings: prints all the strings captured while using the application (very noisy)
  • Capture String Comparisons: can be very useful. It shows the two strings being compared and whether the result was True or False.
  • Enumerate Class Methods: put the class name (like "java.io.File") and it prints all the methods of the class.
  • Search Class Pattern: search classes by pattern
  • Trace Class Methods: trace a whole class (see inputs and outputs of all the methods of the class). Remember that by default MobSF traces several interesting Android API methods.

Once you have selected the auxiliary module you want to use you need to press "Start Instrumentation" and you will see all the output in "Frida Live Logs".

Shell

MobSF also brings you a shell with some adb commands, MobSF commands and common shell commands at the bottom of the dynamic analysis page. Some interesting commands:

```bash
help
shell ls
activities
exported_activities
services
receivers
```

HTTP tools

When HTTP traffic is captured you can see an ugly view of the captured traffic under the "HTTP(S) Traffic" button, or a nicer view under the "Start HTTPTools" green button. From the second option, you can send the captured requests to proxies like Burp or OWASP ZAP.
To do so, power on Burp --> turn off Intercept --> in MobSF HTTPTools select the request --> press "Send to Fuzzer" --> select the proxy address (http://127.0.0.1:8080).

Once you finish the dynamic analysis with MobSF you can press "Start Web API Fuzzer" to fuzz the HTTP requests and look for vulnerabilities.

Tip: after performing a dynamic analysis with MobSF the proxy settings may be misconfigured and you won't be able to fix them from the GUI. You can fix the proxy settings by doing:

```bash
adb shell settings put global http_proxy :0
```

Assisted Dynamic Analysis with Inspeckage

You can get the tool from Inspeckage.
This tool will use some hooks to let you know what is happening in the application while you perform a dynamic analysis.

Yaazhini

This is a nice tool to perform static analysis with a GUI.

Qark

This tool is designed to look for several security-related Android application vulnerabilities, either in source code or packaged APKs. The tool is also capable of creating a "Proof-of-Concept" deployable APK and ADB commands to exploit some of the found vulnerabilities (exposed activities, intents, tapjacking...). As with Drozer, there is no need to root the test device.

```bash
pip3 install --user qark  # --user is only needed if not using a virtualenv
qark --apk path/to/my.apk
qark --java path/to/parent/java/folder
qark --java path/to/specific/java/file.java
```

ReverseAPK

  • Displays all extracted files for easy reference
  • Automatically decompiles APK files to Java and Smali format
  • Analyzes AndroidManifest.xml for common vulnerabilities and behaviour
  • Static source code analysis for common vulnerabilities and behaviour
  • Device info
  • and more

```bash
reverse-apk relative/path/to/APP.apk
```

SUPER Android Analyzer

SUPER is a command-line application that can be used on Windows, MacOS X and Linux and that analyses .apk files in search of vulnerabilities. It does this by decompressing the APKs and applying a series of rules to detect those vulnerabilities.

All rules are centred in a rules.json file, and each company or tester can create its own rules to analyse what they need.

Download the latest binaries from the download page

```bash
super-analyzer {apk_file}
```

StaCoAn

StaCoAn is a crossplatform tool which aids developers, bug bounty hunters and ethical hackers in performing static code analysis on mobile applications.

The concept is that you drag and drop your mobile application file (an .apk or .ipa file) onto the StaCoAn application and it will generate a visual and portable report for you. You can tweak the settings and wordlists to get a customised experience.

Download the latest release:

```bash
./stacoan
```

AndroBugs

AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications.
Windows releases

```bash
python androbugs.py -f [APK file]
androbugs.exe -f [APK file]
```

Androwarn

Androwarn is a tool whose main aim is to detect and warn the user about potentially malicious behaviours developed by an Android application.

The detection is performed with a static analysis of the application's Dalvik bytecode, represented as Smali, using the androguard library.

This tool looks for common behaviour of "bad" applications such as: telephony identifiers exfiltration, audio/video flow interception, PIM data modification, arbitrary code execution...

```bash
python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
```

MARA Framework

MARA is a Mobile Application Reverse engineering and Analysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier for mobile application developers and security professionals.

It can:

Koodous

Useful to detect malware: https://koodous.com/

Obfuscating/Deobfuscating code

Note that, depending on the service and configuration you use to obfuscate the code, secrets may or may not end up obfuscated.

ProGuard

From Wikipedia: ProGuard is an open source command-line tool that shrinks, optimizes and obfuscates Java code. It is able to optimize bytecode as well as detect and remove unused instructions. ProGuard is free software and is distributed under the GNU General Public License, version 2.

ProGuard is distributed as part of the Android SDK and runs when building the application in release mode.

DexGuard

Find a step-by-step guide to deobfuscate the apk in https://blog.lexfo.fr/dexguard.html

(From that guide) Last time we checked, the Dexguard mode of operation was:

  • load a resource as an InputStream;
  • feed the result to a class inheriting from FilterInputStream to decrypt it;
  • do some useless obfuscation to waste a few minutes of time from a reverser;
  • feed the decrypted result to a ZipInputStream to get a DEX file;
  • finally load the resulting DEX as a Resource using the loadDex method.

DeGuard

DeGuard reverses the process of obfuscation performed by Android obfuscation tools. This enables numerous security analyses, including code inspection and predicting libraries.

You can upload an obfuscated APK to their platform.

[Deobfuscate android App](https://github.com/In3tinct/deobfuscate-android-app)

This is an LLM tool to find any potential security vulnerabilities in Android apps and deobfuscate Android app code. It uses Google's Gemini public API.

Simplify

It is a generic android deobfuscator. Simplify virtually executes an app to understand its behavior and then tries to optimize the code so it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn't matter what the specific type of obfuscation is used.

APKiD

APKiD gives you information about how an APK was made. It identifies many compilers, packers, obfuscators, and other weird stuff. It's PEiD for Android.

Manual

Read this tutorial to learn some tricks on how to reverse custom obfuscation.

Labs

Androl4b

AndroL4b is an Android security virtual machine based on ubuntu-mate that includes a collection of the latest frameworks, tutorials and labs from different security geeks and researchers for reverse engineering and malware analysis.
