Android Applications Pentesting

Android Applications Basics

It is highly recommended to start by reading this page to learn about the most important parts related to Android security and the most dangerous components in an Android application:

Android Applications Basics

ADB (Android Debug Bridge)

This is the main tool you need to connect to an Android device (emulated or physical).
ADB allows controlling devices either over USB or over the network from a computer. This utility enables copying files in both directions, installing and uninstalling apps, executing shell commands, backing up data, reading logs, among other functions.

Take a look at the following list of ADB Commands to learn how to use adb.

Smali

Sometimes it is interesting to modify the application code to access hidden information (maybe well-obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it.
In this tutorial you can learn how to decompile an APK, modify Smali code and recompile the APK with the new functionality. This could be very useful as an alternative to several tests during the dynamic analysis that is going to be presented. So, always keep this possibility in mind.

Other interesting tricks

  • Extract the APK from the device:
adb shell pm list packages
com.android.insecurebankv2

adb shell pm path com.android.insecurebankv2
package:/data/app/com.android.insecurebankv2-Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk

adb pull /data/app/com.android.insecurebankv2-Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
  • Merge all splits and base apks with APKEditor:
mkdir splits
adb shell pm path com.android.insecurebankv2 | cut -d ':' -f 2 | xargs -n1 -i adb pull {} splits
java -jar ../APKEditor.jar m -i splits/ -o merged.apk

# after merging, you will need to align and sign the apk, personally, I like to use the uberapksigner
java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed

Android Enterprise & Work Profile Attacks

Android Enterprise Work Profile Bypass

Case Studies & Vulnerabilities

Air Keyboard Remote Input Injection

Android Rooting Frameworks Manager Auth Bypass Syscall Hook

Abusing Android Media Pipelines Image Parsers

Arm64 Static Linear Map Kaslr Bypass

Static Analysis

First of all, when analysing an APK you should take a look at the Java code using a decompiler.
Please, read here to find information about different available decompilers.

Looking for interesting Info

Just by taking a look at the strings of the APK you can search for passwords, URLs (https://github.com/ndelphit/apkurlgrep), api keys, encryption, bluetooth uuids, tokens and anything interesting... even check for code execution backdoors or authentication backdoors (hardcoded admin credentials to the app).

Firebase

Pay special attention to firebase URLs and check if they are badly configured. More information about what Firebase is and how to exploit it here.

Basic understanding of the application - Manifest.xml, strings.xml

Examining an application's Manifest.xml and strings.xml files can reveal potential security vulnerabilities. These files can be accessed using decompilers or by renaming the APK file extension to .zip and then unzipping it.

Vulnerabilities identified from the Manifest.xml include:

  • Debuggable Applications: Applications set as debuggable (debuggable="true") in the Manifest.xml file pose a risk as they allow connections that can lead to exploitation. For further understanding of how to exploit debuggable applications, refer to a tutorial on finding and exploiting debuggable applications on a device.
  • Backup Settings: The android:allowBackup="false" attribute should be explicitly set for applications dealing with sensitive information to prevent unauthorized data backups via adb, especially when usb debugging is enabled.
  • Network Security: Custom network security configurations (android:networkSecurityConfig="@xml/network_security_config") in res/xml/ can specify security details like certificate pins and HTTP traffic settings. An example is allowing HTTP traffic for specific domains.
  • Exported Activities and Services: Identifying exported activities and services in the manifest can highlight components that might be misused. Further analysis during dynamic testing can reveal how to exploit these components.
  • Content Providers and FileProviders: Exposed content providers could allow unauthorized access or modification of data. The configuration of FileProviders should also be scrutinized.
  • Broadcast Receivers and URL Schemes: These components could be leveraged for exploitation, with particular attention to how URL schemes are managed for input vulnerabilities.
  • SDK Versions: The minSdkVersion, targetSDKVersion, and maxSdkVersion attributes indicate the supported Android versions, highlighting the importance of not supporting outdated, vulnerable Android versions for security reasons.

From the strings.xml file, sensitive information such as API keys, custom schemas, and other developer notes can be discovered, underscoring the need for careful review of these resources.
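As an added example (not part of the original page): the following Python helper parses a decoded AndroidManifest.xml, such as the one apktool or jadx produces, and reports the manifest findings listed above (debuggable, allowBackup, networkSecurityConfig, exported components, old minSdkVersion, plus singleTask without taskAffinity as discussed under Task Hijacking). The manifest it scans is a constructed sample and the severity labels are my own.

```python
# Added example (not from the original page): static checks over a decoded
# AndroidManifest.xml. The SAMPLE_MANIFEST below is CONSTRUCTED for the demo.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree spelling of the android: attribute prefix

# Constructed manifest that contains several of the weak settings described above.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="33"/>
  <application android:debuggable="true" android:allowBackup="true"
      android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".MainActivity" android:exported="true"
        android:launchMode="singleTask"/>
    <activity android:name=".SecretActivity" android:exported="true"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.provider"
        android:exported="true"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def is_exported(elem):
    """Approximation of Android's rule: an explicit android:exported wins;
    otherwise a component that declares an <intent-filter> is implicitly exported."""
    explicit = elem.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def analyse_manifest(xml_text):
    """Return a list of (severity, message) findings for the manifest."""
    findings = []
    root = ET.fromstring(xml_text)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    if app is None:
        return [("ERROR", "no <application> element")]

    if app.get(A + "debuggable", "false").lower() == "true":
        findings.append(("HIGH", 'android:debuggable="true" (a debugger can be attached to the app)'))
    # allowBackup defaults to true, so only an explicit "false" is safe
    if app.get(A + "allowBackup", "true").lower() != "false":
        findings.append(("MEDIUM", "android:allowBackup not set to false (adb backup of app data possible)"))
    nsc = app.get(A + "networkSecurityConfig")
    if nsc:
        findings.append(("INFO", "custom network security config %s (review res/xml for cleartext/pins)" % nsc))

    if sdk is not None:
        min_sdk = int(sdk.get(A + "minSdkVersion", "1"))
        if min_sdk < 21:
            findings.append(("LOW", "minSdkVersion=%d supports old, vulnerable Android versions" % min_sdk))

    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            name = comp.get(A + "name")
            if is_exported(comp):
                findings.append(("MEDIUM", "exported %s: %s" % (tag, name)))
            mode = comp.get(A + "launchMode")
            if tag == "activity" and mode in ("singleTask", "singleInstance") \
                    and comp.get(A + "taskAffinity") is None:
                findings.append(("LOW", "activity %s uses %s without taskAffinity "
                                        "(task hijacking risk on old API levels)" % (name, mode)))
    return findings


def exported_components(xml_text):
    """Sorted names of every component the rule above considers exported."""
    app = ET.fromstring(xml_text).find("application")
    return sorted(c.get(A + "name") for tag in COMPONENT_TAGS
                  for c in app.findall(tag) if is_exported(c))


if __name__ == "__main__":
    for sev, msg in analyse_manifest(SAMPLE_MANIFEST):
        print("[%s] %s" % (sev, msg))
```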

Tapjacking

Tapjacking is an attack where a malicious application is launched and positions itself on top of a victim application. Once it visibly obscures the victim app, its user interface is designed in such a way as to trick the user into interacting with it, while it passes the interaction along to the victim app.
In effect, it blinds the user from knowing they are actually performing actions on the victim app.

Find more information in:

Tapjacking

Task Hijacking

An activity with the launchMode set to singleTask without any taskAffinity defined is vulnerable to task Hijacking. This means that an application can be installed and, if launched before the real application, it could hijack the task of the real application (so the user will be interacting with the malicious application thinking they are using the real one).

More info in:

Android Task Hijacking

Insecure data storage

Internal Storage

In Android, files stored in internal storage are designed to be accessible exclusively by the app that created them. This security measure is enforced by the Android operating system and is generally adequate for the security needs of most applications. However, developers sometimes use modes such as MODE_WORLD_READABLE and MODE_WORLD_WRITABLE to allow files to be shared between different applications. Yet, these modes do not restrict access to these files by other applications, including potentially malicious ones.

  1. Static Analysis:
  • Ensure that the use of MODE_WORLD_READABLE and MODE_WORLD_WRITABLE is carefully scrutinized. These modes can potentially expose files to unintended or unauthorized access.
  2. Dynamic Analysis:
  • Verify the permissions set on files created by the app. Specifically, check if any files are set to be readable or writable worldwide. This can pose a significant security risk, as it would allow any application installed on the device, regardless of its origin or intent, to read or modify these files.
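The dynamic check in step 2, as an added example that is not from the original page: it parses the output of adb shell ls -l for an app's private directory (toybox format, as printed on current Android builds) and flags entries whose "other" permission bits grant read or write, which is exactly what MODE_WORLD_READABLE / MODE_WORLD_WRITABLE produce. The listing below is constructed.

```python
# Added example (not from the original page): find world-readable / world-writable
# files in an app's private directory from a captured `adb shell ls -l` listing.
import re

# CONSTRUCTED sample of `adb shell ls -l /data/data/com.example.demo/files` (rooted device).
SAMPLE_LISTING = """\
total 24
-rw-rw---- 1 u0_a123 u0_a123   512 2024-01-10 12:00 session.json
-rw-rw-r-- 1 u0_a123 u0_a123  2048 2024-01-10 12:01 config.xml
-rw-rw-rw- 1 u0_a123 u0_a123   128 2024-01-10 12:02 token.txt
drwxrwx--x 2 u0_a123 u0_a123  4096 2024-01-10 12:03 cache
lrwxrwxrwx 1 root    root        21 2024-01-10 12:04 link -> /system/etc/hosts
"""

# toybox `ls -l`: mode, link count, owner, group, size, date, time, name [-> target]
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"\d+\s+\S+\s+\S+\s+(?P<name>.+?)(?: -> .*)?$"
)


def parse_listing(text):
    """Return one dict per parsable entry; the 'total N' line and junk are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        entries.append({"mode": m.group("mode"), "owner": m.group("owner"),
                        "group": m.group("group"), "name": m.group("name")})
    return entries


def world_bits(mode):
    """(readable, writable) for 'other', i.e. every other app on the device."""
    other = mode[7:10]
    return other[0] == "r", other[1] == "w"


def find_world_accessible(text):
    """Return (name, 'r' | 'w' | 'rw') for each non-symlink entry any app can read or write."""
    hits = []
    for e in parse_listing(text):
        if e["mode"][0] == "l":
            continue  # a symlink's own mode is always rwxrwxrwx; judge its target instead
        r, w = world_bits(e["mode"])
        if r or w:
            hits.append((e["name"], ("r" if r else "") + ("w" if w else "")))
    return hits


if __name__ == "__main__":
    for name, bits in find_world_accessible(SAMPLE_LISTING):
        print("world-%s: %s" % (bits, name))
```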

External Storage

When dealing with files on external storage, like SD Cards, certain precautions should be taken:

  1. Accessibility:
  • Files on external storage are globally readable and writable. This means any application or user can access these files.
  2. Security Concerns:
  • Given the ease of access, it is advised not to store sensitive information on external storage.
  • External storage can be removed or accessed by any application, making it less secure.
  3. Handling Data from External Storage:
  • Always perform input validation on data retrieved from external storage. This is crucial because the data is from an untrusted source.
  • Storing executables or class files on external storage for dynamic loading is strongly discouraged.
  • If your application must retrieve executable files from external storage, ensure these files are signed and cryptographically verified before they are dynamically loaded. This step is vital for maintaining the security integrity of your application.

External storage can be accessed in /storage/emulated/0 , /sdcard , /mnt/sdcard

Tip

Starting with Android 4.4 (API 17), the SD card has a directory structure which limits access from an app to the directory which is specifically for that app. This prevents malicious applications from gaining read or write access to another app's files.

Sensitive data stored in clear-text

  • Shared preferences: Android allows each application to easily save xml files in the path /data/data/<packagename>/shared_prefs/ and sometimes it is possible to find sensitive information in clear-text in that folder.
  • Databases: Android allows each application to easily save sqlite databases in the path /data/data/<packagename>/databases/ and sometimes it is possible to find sensitive information in clear-text in that folder.

Broken TLS

Accept All Certificates

For some reason sometimes developers accept all the certificates even if for example the hostname does not match, with lines of code like the following one:

// Vulnerable: accepting every hostname disables the check that the certificate
// was issued for the server being contacted, so any valid certificate passes.
SSLSocketFactory sf = new cc(trustStore);
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

A good way to test this is to try to capture the traffic using a proxy like Burp without authorizing the Burp CA inside the device. Also, you can generate with Burp a certificate for a different hostname and use it.

Broken Cryptography

Poor Key Management Processes

Some developers save sensitive data in the local storage and encrypt it with a key hardcoded/predictable in the code. This should not be done as some reversing could allow attackers to extract the confidential information.

Use of Insecure and/or Deprecated Algorithms

Developers should not use deprecated algorithms to perform authorisation checks, store or send data. Some of these algorithms are: RC4, MD4, MD5, SHA1... If hashes are used to store passwords for example, brute-force resistant hashes should be used together with a salt.

Other checks

  • It is recommended to obfuscate the APK to make the reverse engineering work harder for attackers.
  • If the app is sensitive (like bank apps), it should perform its own checks to see if the mobile is rooted and act accordingly.
  • If the app is sensitive (like bank apps), it should check if an emulator is being used.
  • If the app is sensitive (like bank apps), it should check its own integrity before executing to detect if it was modified.
  • Use APKiD to check which compiler/packer/obfuscator was used to build the APK

React Native Application

Read the following page to learn how to easily access the javascript code of React applications:

React Native Application

Xamarin Applications

Read the following page to learn how to easily access the C# code of Xamarin applications:

Xamarin Apps

Superpacked Applications

According to this blog post, superpacked is a Meta algorithm that compresses the content of an application into a single file. The blog talks about the possibility of creating an app that decompresses these kinds of apps... and a faster way which involves executing the application and gathering the decompressed files from the filesystem.

Automated Static Code Analysis

The tool mariana-trench is capable of finding vulnerabilities by scanning the code of the application. This tool contains a series of known sources (that indicate to the tool the places where the input is controlled by the user), sinks (that indicate to the tool dangerous places where malicious user input could cause damage) and rules. These rules indicate the combination of sources-sinks that indicates a vulnerability.

With this knowledge, mariana-trench will review the code and find possible vulnerabilities in it.

Secrets leaked

An application may contain secrets (API keys, passwords, hidden urls, subdomains...) inside of it that you might be able to discover. You could use a tool such as https://github.com/dwisiswant0/apkleaks

Bypass Biometric Authentication

Bypass Biometric Authentication (Android)

Other interesting functions

  • Code execution: Runtime.exec(), ProcessBuilder(), native code:system()
  • Send SMSs: sendTextMessage, sendMultipartTextMessage
  • Native functions declared as native: public native, System.loadLibrary, System.load
  • Read this to learn how to reverse native functions
  • In-memory native code execution via JNI (downloaded shellcode → mmap/mprotect → call):

In Memory Jni Shellcode Execution

Other tricks

content:// protocol



Dynamic Analysis

First of all, you need an environment where you can install the application and all the environment (Burp CA cert, Drozer and Frida mainly). Therefore, a rooted device (emulated or not) is extremely recommended.

Online Dynamic analysis

You can create a free account in: https://appetize.io/. This platform allows you to upload and execute APKs, so it is useful to see how an apk is behaving.

You can even see the logs of your application in the web and connect through adb.

Thanks to the ADB connection you can use Drozer and Frida inside the emulators.

Local Dynamic Analysis

Using an emulator

  • Android Studio (You can create x86 and arm devices, and according to this the latest x86 versions support ARM libraries without needing a slow arm emulator).
  • Learn to set it up in this page:

AVD - Android Virtual Device

  • Genymotion (Free version: Personal Edition, you need to create an account. It is recommended to download the version WITH VirtualBox to avoid potential errors.)
  • Nox (Free, but it doesn't support Frida or Drozer).

Tip

When creating a new emulator on any platform remember that the bigger the screen is, the slower the emulator will run. So select small screens if possible.

To install google services (like AppStore) in Genymotion you need to click on the red marked button of the following image:

Also, notice that in the configuration of the Android VM in Genymotion you can select Bridge Network mode (this will be useful if you will be connecting to the Android VM from a different VM with the tools).

Use a physical device

You need to activate the debugging options and it will be cool if you can root it:

  1. Settings.
  2. (From Android 8.0) Select System.
  3. Select About phone.
  4. Press Build number 7 times.
  5. Go back and you will find the Developer options.

Once you have installed the application, the first thing you should do is to try it and investigate what it does, how it works and get comfortable with it. I suggest performing this initial dynamic analysis using MobSF dynamic analysis + pidcat, so we will be able to learn how the application works while MobSF captures a lot of interesting data you can review later on.

Magisk/Zygisk quick notes (recommended on Pixel devices)

  • Patch boot.img with the Magisk app and flash via fastboot to get systemless root
  • Enable Zygisk + DenyList for root hiding; consider LSPosed/Shamiko when stronger hiding is required
  • Keep original boot.img to recover from OTA updates; re-patch after each OTA
  • For screen mirroring, use scrcpy on the host

Unintended Data Leakage

Logging

Developers should be cautious of exposing debugging information publicly, as it can lead to sensitive data leaks. The tools pidcat and adb logcat are recommended for monitoring application logs to identify and protect sensitive information. Pidcat is favored for its ease of use and readability.

Warning

Note that from later versions than Android 4.0, applications are only able to access their own logs. So applications cannot access other apps' logs.
Anyway, it is still recommended not to log sensitive information.

Copy/Paste Buffer Caching

Android's clipboard-based framework enables copy-paste functionality in apps, yet poses a risk as other applications can access the clipboard, potentially exposing sensitive data. It is crucial to disable copy/paste functions for sensitive sections of an application, like credit card details, to prevent data leaks.

Crash Logs

If an application crashes and saves logs, these logs can assist attackers, particularly when the application cannot be reverse-engineered. To mitigate this risk, avoid logging on crashes, and if logs must be transmitted over the network, ensure they are sent via an SSL channel for security.

As pentester, try to take a look at these logs.

Analytics Data Sent To 3rd Parties

Applications often integrate services like Google Adsense, which can inadvertently leak sensitive data due to improper implementation by developers. To identify potential data leaks, it is advisable to intercept the application's traffic and check for any sensitive information being sent to third-party services.

SQLite DBs

Most of the applications will use internal SQLite databases to save information. During the pentest take a look at the databases created, the names of tables and columns and all the data saved because you could find sensitive information (which would be a vulnerability).
Databases should be located in /data/data/the.package.name/databases like /data/data/com.mwr.example.sieve/databases

If the database is saving confidential information and is encrypted but you can find the password inside the application it is still a vulnerability.

Enumerate the tables using .tables and enumerate the columns of a table using .schema <table_name>

Drozer (Exploit Activities, Content Providers and Services)

From Drozer Docs: Drozer allows you to assume the role of an Android app and interact with other apps. It can do anything that an installed application can do, such as make use of Android's Inter-Process Communication (IPC) mechanism and interact with the underlying operating system.
Drozer is a useful tool to exploit exported activities, exported services and Content Providers as you will learn in the following sections.

Exploiting exported Activities

Read this if you want to refresh what is an Android Activity.
Also remember that the code of an activity starts in the onCreate method.

Authorisation bypass

When an Activity is exported you can invoke its screen from an external app. Therefore, if an activity with sensitive information is exported you could bypass the authentication mechanisms to access it.

Learn how to exploit exported activities with Drozer.

You can also start an exported activity from adb:

  • PackageName is com.example.demo
  • Exported ActivityName is com.example.test.MainActivity
adb shell am start -n com.example.demo/com.example.test.MainActivity

NOTE: MobSF will flag as malicious the use of singleTask/singleInstance as android:launchMode in an activity, but due to this, apparently this is only dangerous on old versions (API versions < 21).

Tip

Note that an authorisation bypass is not always a vulnerability; it will depend on how the bypass works and which information is exposed.

Sensitive information leakage

Activities can also return results. If you manage to find an exported and unprotected activity calling the setResult method and returning sensitive information, there is a sensitive information leakage.

Tapjacking

If tapjacking isn't prevented, you could abuse the exported activity to make the user perform unexpected actions. For more info about what is Tapjacking follow the link.

Exploiting Content Providers - Accessing and manipulating sensitive information

Read this if you want to refresh what is a Content Provider.
Content providers are basically used to share data. If an app has available content providers you may be able to extract sensitive data from them. It is also interesting to test possible SQL injections and Path Traversals as they could be vulnerable.

Learn how to exploit Content Providers with Drozer.

Exploiting Services

Read this if you want to refresh what is a Service.
Remember that the actions of a Service start in the method onStartCommand.

A service is basically something that can receive data, process it and return (or not) a response. Then, if an application is exporting some services you should check the code to understand what it is doing and test it dynamically for extracting confidential info, bypassing authentication measures...
Learn how to exploit Services with Drozer.

Exploiting Broadcast Receivers

Read this if you want to refresh what is a Broadcast Receiver.
Remember that the actions of a Broadcast Receiver start in the method onReceive.

A broadcast receiver will be waiting for a type of message. Depending on how the receiver handles the message it could be vulnerable.
Learn how to exploit Broadcast Receivers with Drozer.

Exploiting Schemes / Deep links

You can look for deep links manually, using tools like MobSF or scripts like this one.
You can open a declared scheme using adb or a browser:

adb shell am start -a android.intent.action.VIEW -d "scheme://hostname/path?param=value" [your.package.name]

Note that you can omit the package name and the mobile will automatically call the app that should open that link.

<!-- Browser regular link -->
<a href="scheme://hostname/path?param=value">Click me</a>
<!-- fallback in your url you could try the intent url -->
<a href="intent://hostname#Intent;scheme=scheme;package=your.package.name;S.browser_fallback_url=http%3A%2F%2Fwww.example.com;end">with alternative</a>

Code executed

In order to find the code that will be executed in the App, go to the activity called by the deeplink and search the function onNewIntent.

Sensitive info

Every time you find a deep link check that it's not receiving sensitive data (like passwords) via URL parameters, because any other application could impersonate the deep link and steal that data!

Parameters in path

You must also check if any deep link is using a parameter inside the path of the URL like: https://api.example.com/v1/users/{username} , in that case you can force a path traversal accessing something like: example://app/users?username=../../unwanted-endpoint%3fparam=value .
Note that if you find the correct endpoints inside the application you may be able to cause an Open Redirect (if part of the path is used as domain name), account takeover (if you can modify users details without CSRF token and the vuln endpoint used the correct method) and any other vuln. More info about this here.
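The path-parameter case above, as an added example that is not part of the original page: it extracts the username from the deep link quoted above, shows how inserting it verbatim into the https://api.example.com/v1/users/{username} template resolves to a different endpoint once the path is normalised, and contrasts this with a builder that allow-lists and percent-encodes the value (the allow-list pattern is my assumption).

```python
# Added example (not from the original page): deep-link path parameter traversal,
# vulnerable URL construction beside a hardened one. Template and link are taken
# from the text above; USERNAME_RE is an assumed allow-list.
import posixpath
import re
from urllib.parse import urlsplit, urlunsplit, quote, parse_qs

API_TEMPLATE = "https://api.example.com/v1/users/{username}"
# Deep link as the activity would receive it in the incoming Intent data.
DEEPLINK = "example://app/users?username=../../unwanted-endpoint%3fparam=value"


def username_from_deeplink(link):
    """Read the username query parameter, percent-decoded as Uri.getQueryParameter does."""
    qs = parse_qs(urlsplit(link).query)
    return qs.get("username", [""])[0]


def resolve(url):
    """Normalise the path the way HTTP clients/servers do ('..' segments collapse)."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, posixpath.normpath(parts.path),
                       parts.query, parts.fragment))


def build_url_vulnerable(username):
    # Raw insertion: '../' climbs out of /v1/users/ and the decoded '?' starts a new query.
    return resolve(API_TEMPLATE.format(username=username))


USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")  # assumed username policy


def build_url_hardened(username):
    """Allow-list the value, then encode it as one path segment so no '/' or '?' survives."""
    if not USERNAME_RE.match(username) or username in (".", ".."):
        raise ValueError("invalid username in deep link")
    return API_TEMPLATE.format(username=quote(username, safe=""))


if __name__ == "__main__":
    u = username_from_deeplink(DEEPLINK)
    print("decoded parameter :", u)
    print("vulnerable request:", build_url_vulnerable(u))
    try:
        build_url_hardened(u)
    except ValueError as e:
        print("hardened builder  :", e)
```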

An interesting bug bounty report about links (/.well-known/assetlinks.json).

Transport Layer Inspection and Verification Failures

  • Certificates are not always inspected properly by Android applications. It's common for these applications to overlook warnings and accept self-signed certificates or, in some instances, revert to using HTTP connections.
  • Negotiations during the SSL/TLS handshake are sometimes weak, employing insecure cipher suites. This vulnerability makes the connection susceptible to man-in-the-middle (MITM) attacks, allowing attackers to decrypt the data.
  • Leakage of private information is a risk when applications authenticate using secure channels but then communicate over non-secure channels for other transactions. This approach fails to protect sensitive data, such as session cookies or user details, from interception by malicious entities.

Certificate Verification

We will focus on certificate verification. The integrity of the server's certificate must be verified to enhance security. This is crucial because insecure TLS configurations and the transmission of sensitive data over unencrypted channels can pose significant risks. For detailed steps on verifying server certificates and addressing vulnerabilities, this resource provides comprehensive guidance.

SSL Pinning

SSL Pinning is a security measure where the application verifies the server's certificate against a known copy stored within the application itself. This method is essential for preventing MITM attacks. Implementing SSL Pinning is strongly recommended for applications handling sensitive information.

Traffic Inspection

To inspect HTTP traffic, it's necessary to install the proxy tool's certificate (e.g., Burp). Without installing this certificate, encrypted traffic might not be visible through the proxy. For a guide on installing a custom CA certificate, click here.

Applications targeting API Level 24 and above require modifications to the Network Security Config to accept the proxy's CA certificate. This step is critical for inspecting encrypted traffic. For instructions on modifying the Network Security Config, refer to this tutorial.

If Flutter is being used you need to follow the instructions in this page. This is because just adding the certificate to the store won't work, as Flutter has its own list of valid CAs.

Static detection of SSL/TLS pinning

Before attempting runtime bypasses, quickly map where pinning is implemented in the APK. A static sweep helps you plan hooks/patches and focus on the right code paths.

Tool: SSLPinDetect

  • Open-source static-analysis utility that decompiles the APK to Smali (via apktool) and scans for curated regex patterns of SSL/TLS pinning implementations.
  • Reports exact file path, line number, and a code snippet for each match.
  • Covers common frameworks and custom code paths: OkHttp CertificatePinner, custom javax.net.ssl.X509TrustManager.checkServerTrusted, SSLContext.init with custom TrustManagers/KeyManagers, and Network Security Config XML pins.

Install

  • Prereqs: Python >= 3.8, Java on PATH, apktool
git clone https://github.com/aancw/SSLPinDetect
cd SSLPinDetect
pip install -r requirements.txt

Usage

# Basic
python sslpindetect.py -f app.apk -a apktool.jar

# Verbose (timings + per-match path:line + snippet)
python sslpindetect.py -a apktool_2.11.0.jar -f sample/app-release.apk -v

Example pattern rules (JSON)

Use or extend signatures to detect proprietary/custom pinning styles. You can load your own JSON and scan at scale.

{
"OkHttp Certificate Pinning": [
"Lcom/squareup/okhttp/CertificatePinner;",
"Lokhttp3/CertificatePinner;",
"setCertificatePinner"
],
"TrustManager Override": [
"Ljavax/net/ssl/X509TrustManager;",
"checkServerTrusted"
]
}

Notes and tips

  • Fast scanning on large apps via multi-threading and memory-mapped I/O; pre-compiled regex reduces overhead/false positives.
  • Pattern set: https://github.com/aancw/smali-sslpin-patterns
  • Typical detection targets to check:
    • OkHttp: CertificatePinner usage, setCertificatePinner, okhttp3/okhttp package references
    • Custom TrustManagers: javax.net.ssl.X509TrustManager, checkServerTrusted overrides
    • Custom SSL contexts: SSLContext.getInstance + SSLContext.init with custom managers
    • Declarative pins in res/xml network security config and manifest references
  • Use matched locations to plan Frida hooks, static patches, or config reviews before dynamic testing.

Bypassing SSL Pinning

When SSL Pinning is implemented, bypassing it becomes necessary to inspect HTTPS traffic. Various methods are available for this purpose:

Looking for Common Web Vulnerabilities

It's important to also search for common web vulnerabilities within the application. Detailed information on identifying and mitigating these vulnerabilities is beyond the scope of this summary but is extensively covered elsewhere.

Frida

Frida is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
You can access the running application and hook methods at runtime to change the behaviour, change values, extract values, run different code...
If you want to pentest Android applications you need to know how to use Frida.

Anti-instrumentation & SSL pinning bypass workflow

Android Anti Instrumentation And Ssl Pinning Bypass

Dump Memory - Fridump

Check if the application is storing sensitive information inside the memory that it shouldn't be storing, like passwords or mnemonics.

Using Fridump3 you can dump the memory of the app with:

# With PID
python3 fridump3.py -u <PID>

# With name
frida-ps -Uai
python3 fridump3.py -u "<Name>"

This will dump the memory in the ./dump folder, and in there you could grep with something like:

strings * | grep -E "^[a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+$"

Sensitive data in Keystore

In Android the Keystore is the best place to store sensitive data; however, with enough privileges it's still possible to access it.

As applications tend to store sensitive data in clear text here, pentests should check for it as root user, since someone with physical access to the device could steal this data.

Even if an app stored data in the Keystore, the data should be encrypted.

To access the data inside the Keystore you could use this Frida script: https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js

frida -U -f com.example.app -l frida-scripts/tracer-cipher.js

Fingerprint/Biometrics Bypass

Using the following Frida script it could be possible to bypass the fingerprint authentication that Android applications might be performing in order to protect certain sensitive areas:

frida --codeshare krapgras/android-biometric-bypass-update-android-11 -U -f <app.package>

Background Images

When you put an application in the background, Android stores a snapshot of the application so that when it's recovered to the foreground it starts loading the image before the app, making it look like the app was loaded faster.

However, if this snapshot contains sensitive information, someone with access to the snapshot might steal that info (note that you need root to access it).

The snapshots are usually stored around: /data/system_ce/0/snapshots

Android provides a way to prevent the screenshot capture by setting the FLAG_SECURE layout parameter. By using this flag, the window contents are treated as secure, preventing them from appearing in screenshots or from being viewed on non-secure displays.

getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);

Android Application Analyzer

This tool could help you manage different tools during the dynamic analysis: https://github.com/NotSoSecure/android_application_analyzer

Intent Injection

Waendelezaji mara nyingi huunda proxy components kama activities, services, na broadcast receivers ambazo zinashughulikia Intents hizi na kuzipitisha kwa methods kama startActivity(...) au sendBroadcast(...), jambo ambalo linaweza kuwa hatari.

Hatari ipo katika kuruhusu attackers kuamsha non-exported app components au kupata access kwa sensitive content providers kwa kupangisha Intents hizi kwa makosa. Mfano muhimu ni component ya WebView kubadilisha URLs kuwa vitu vya Intent kupitia Intent.parseUri(...) na kisha kuvitenda, jambo ambalo linaweza kupelekea Intent injections zenye madhara.

Essential Takeaways

  • Intent Injection ni sawa na tatizo la web’s Open Redirect.
  • Exploits zinahusisha kupitisha Intent objects kama extras, ambazo zinaweza kuelekezwa ili kutekeleza operesheni zisizo salama.
  • Inaweza kufichua non-exported components na content providers kwa attackers.
  • Mabadiliko ya URL ya WebView kwenda Intent yanaweza kuwezesha vitendo visivyokusudiwa.

Android Client Side Injections and others

Huenda unajua aina hii ya vulnerabilities kutoka Web. Lazima uwe makini hasa na vulnerabilities hizi katika Android application:

  • SQL Injection: When dealing with dynamic queries or Content-Providers ensure you are using parameterized queries.
  • JavaScript Injection (XSS): Verify that JavaScript and Plugin support are disabled for any WebViews (disabled by default). More info here.
  • Local File Inclusion: WebViews should have access to the file system disabled (enabled by default) - (webview.getSettings().setAllowFileAccess(false);). More info here.
  • Eternal cookies: In several cases, when the Android application ends the session, the cookie is not revoked or it may even be saved to disk.
  • Secure Flag in cookies
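An added example (not from the original page) of the WebView settings and the parameterized Content-Provider query the list above calls for; the class, table and column names are assumptions:

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.HashMap;
import java.util.Map;

public final class ClientSideHardening {
    // Applies the WebView settings from the checklist: no JavaScript, no file:// or
    // content:// access, and no cross-origin access from file URLs.
    static void hardenWebView(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);            // XSS: keep off unless truly required
        s.setAllowFileAccess(false);              // LFI: block file:// loads
        s.setAllowContentAccess(false);           // block content:// loads as well
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
    }

    // SQL injection, vulnerable form: user input is concatenated into the statement.
    static Cursor findUserVulnerable(SQLiteDatabase db, String username) {
        return db.rawQuery("SELECT * FROM users WHERE name = '" + username + "'", null);
    }

    // Hardened form: the user-controlled value travels as a bound argument.
    static Cursor findUserSafe(SQLiteDatabase db, String username) {
        return db.query("users", null, "name = ?", new String[]{username},
                null, null, null);
    }

    // Content-Provider case: the caller supplies selection and selectionArgs, so the
    // provider restricts the query to known columns and enables strict mode (API 28+),
    // which rejects selection clauses that try to break out of the WHERE clause.
    static Cursor providerQuery(SQLiteDatabase db, String[] projection,
                                String selection, String[] selectionArgs) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("users");
        Map<String, String> columns = new HashMap<>();
        columns.put("_id", "_id");
        columns.put("name", "name");
        qb.setProjectionMap(columns);
        qb.setStrict(true);
        return qb.query(db, projection, selection, selectionArgs, null, null, null);
    }
}
```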

Automatic Analysis

MobSF

Static analysis

Vulnerability assessment of the application using a nice web-based frontend. You can also perform dynamic analysis (but you need to prepare the environment).

docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Notice that MobSF can analyse Android (apk), iOS (ipa) and Windows (appx) applications (Windows applications must be analyzed from a MobSF installed in a Windows host).
Also, if you create a ZIP file with the source code of an Android or an iOS app (go to the root folder of the application, select everything and create a ZIP file), it will be able to analyse it as well.

MobSF also lets you diff/compare analyses and integrate with VirusTotal (you will need to set your API key in MobSF/settings.py and enable it: VT_ENABLED = TRUE VT_API_KEY = <Your API key> VT_UPLOAD = TRUE). You can also set VT_UPLOAD to False; then the hash will be uploaded instead of the file.

Assisted Dynamic analysis with MobSF

MobSF can also be very helpful for dynamic analysis on Android, but in that case you will need to install MobSF and genymotion on your host (a VM or Docker won't work). Note: You need to start first a VM in genymotion and then MobSF.
The MobSF dynamic analyser can:

  • Dump application data (URLs, logs, clipboard, screenshots made by you, screenshots made by “Exported Activity Tester”, emails, SQLite databases, XML files, and other created files). All of this is done automatically except for the screenshots, where you need to press when you want a screenshot or press “Exported Activity Tester” to obtain screenshots of all the exported activities.
  • Capture HTTPS traffic
  • Use Frida to obtain runtime information

From android versions > 5, it will automatically start Frida and will set global proxy settings to capture traffic. It will only capture traffic from the tested application.

Frida

By default, it will also use some Frida scripts to bypass SSL pinning, root detection and debugger detection and to monitor interesting APIs.
MobSF can also invoke exported activities, grab screenshots of them and save them for the report.

To start the dynamic testing press the green button: “Start Instrumentation”. Press “Frida Live Logs” to see the logs generated by the Frida scripts and “Live API Monitor” to see all the invocations of hooked methods, the arguments passed and the returned values (this will appear after pressing “Start Instrumentation”).
MobSF also lets you load your own Frida scripts (to send the results of your Frida scripts to MobSF use the function send()). It also has several pre-written scripts you can load (you can add more in MobSF/DynamicAnalyzer/tools/frida_scripts/others/); just select them, press “Load” and press “Start Instrumentation” (you will be able to see the logs of those scripts inside “Frida Live Logs”).

Moreover, you have some Auxiliary Frida functionalities:

  • Enumerate Loaded Classes: It will print all the loaded classes
  • Capture Strings: It will print all the capture strings while using the application (super noisy)
  • Capture String Comparisons: Could be very useful. It will show the 2 strings being compared and if the result was True or False.
  • Enumerate Class Methods: Put the class name (like “java.io.File”) and it will print all the methods of the class.
  • Search Class Pattern: Search classes by pattern
  • Trace Class Methods: Trace a whole class (see inputs and outputs of all methods of the class). Remember that by default MobSF traces several interesting Android API methods.

Once you have selected the auxiliary module you want to use you need to press “Start Instrumentation” and you will see all the outputs in “Frida Live Logs”.

Shell

MobSF also provides a shell with some adb commands, MobSF commands and common shell commands at the bottom of the dynamic analysis page. Some interesting commands:

help
shell ls
activities
exported_activities
services
receivers

HTTP tools

When HTTP traffic is captured you can see an ugly view of the captured traffic in the “HTTP(S) Traffic” button at the bottom or a nicer view in the green “Start HTTPTools” button. From the second option, you can send the captured requests to proxies like Burp or OWASP ZAP.
To do so, power on Burp –> turn off Intercept –> in MobSF HTTPTools select the request –> press “Send to Fuzzer” –> select the proxy address (http://127.0.0.1:8080).

Once you finish the dynamic analysis with MobSF you can press “Start Web API Fuzzer” to fuzz the HTTP requests and look for vulnerabilities.

Tip

After performing a dynamic analysis with MobSF the proxy settings may be misconfigured and you can't fix them from the GUI. You can fix the proxy settings by running:

adb shell settings put global http_proxy :0

Assisted Dynamic Analysis with Inspeckage

You can get the tool from Inspeckage.
This tool will use some Hooks to let you know what is happening in the application while you perform a dynamic analysis.

Yaazhini

This is a nice tool to perform static analysis with a GUI.

Qark

This tool is designed to look for several security-related Android application vulnerabilities, either in source code or in packaged APKs. The tool is also capable of creating a “Proof-of-Concept” deployable APK and ADB commands to exploit some of the found vulnerabilities (exposed activities, intents, tapjacking…). As with Drozer, there is no need to root the test device.

pip3 install --user qark  # --user is only needed if not using a virtualenv
qark --apk path/to/my.apk
qark --java path/to/parent/java/folder
qark --java path/to/specific/java/file.java

ReverseAPK

  • Displays all extracted files for easy reference
  • Automatically decompiles APK files to Java and Smali format
  • Analyzes AndroidManifest.xml for common vulnerabilities and behaviour
  • Static source code analysis for common vulnerabilities and behaviour
  • Device info
  • and more

reverse-apk relative/path/to/APP.apk

SUPER Android Analyzer

SUPER is a command-line application that can be used on Windows, MacOS X and Linux and analyzes .apk files in search of vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities.

All rules are centred in a rules.json file, and each company or tester can create their own rules to analyse what they need.

Download the latest binaries from the download page

super-analyzer {apk_file}

StaCoAn

StaCoAn is a crossplatform tool that aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications.

The concept is that you drag and drop your mobile application file (an .apk or .ipa file) onto the StaCoAn application and it will generate a visual and portable report for you. You can tweak the settings and wordlists to get a customized experience.

Download the latest release:

./stacoan

AndroBugs

AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications.
Windows releases

python androbugs.py -f [APK file]
androbugs.exe -f [APK file]

Androwarn

Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developed by an Android application.

The detection is performed with static analysis of the application's Dalvik bytecode, represented as Smali, using the androguard library.

This tool looks for common behaviour of “bad” applications such as: telephony identifier exfiltration, audio/video flow interception, PIM data modification, arbitrary code execution…

python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3

MARA Framework

MARA is a Mobile Application Reverse engineering and Analysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier to mobile application developers and security professionals.

It is able to:

Koodous

Useful to detect malware: https://koodous.com/

Obfuscating/Deobfuscating code

Note that depending on the service and configuration you use to obfuscate the code, secrets may or may not end up obfuscated.

ProGuard

From Wikipedia: ProGuard is an open source command-line tool that shrinks, optimizes and obfuscates Java code. It is able to optimize bytecode as well as detect and remove unused instructions. ProGuard is free software and is distributed under the GNU General Public License, version 2.

ProGuard is distributed as part of the Android SDK and runs when building the application in release mode.

DexGuard

Find a step-by-step guide to deobfuscate the apk at https://blog.lexfo.fr/dexguard.html

(From that guide) Last time we checked, the Dexguard mode of operation was:

  • load a resource as an InputStream;
  • feed the result to a class inheriting from FilterInputStream to decrypt it;
  • do some useless obfuscation to waste a few minutes of time from a reverser;
  • feed the decrypted result to a ZipInputStream to get a DEX file;
  • finally load the resulting DEX as a Resource using the loadDex method.

DeGuard

DeGuard reverses the process of obfuscation performed by Android obfuscation tools. This enables numerous security analyses, including code inspection and predicting libraries.

You can upload an obfuscated APK to their platform.

Deobfuscate android App: https://github.com/In3tinct/deobfuscate-android-app

This is an LLM-based tool to find potential security vulnerabilities in Android apps and deobfuscate Android app code. It uses Google's Gemini public API.

Simplify

It is a generic Android deobfuscator. Simplify virtually executes an app to understand its behaviour and then tries to optimize the code so that it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it does not matter what specific type of obfuscation is used.

APKiD

APKiD gives you information about how an APK was made. It identifies many compilers, packers, obfuscators, and other weird stuff. It's PEiD for Android.

Manual

Read this tutorial to learn some tricks on how to reverse custom obfuscation

Labs

Androl4b

AndroL4b is an Android security virtual machine based on ubuntu-mate that includes a collection of the latest frameworks, tutorials and labs from different security geeks and researchers for reverse engineering and malware analysis.
