Android Applications Pentesting
Reading time: 38 minutes
Android Applications Basics
It is highly recommended to start by reading this page to learn about the most important parts of Android security and the most dangerous components of an Android application:
ADB (Android Debug Bridge)
This is the main tool you need to connect to an Android device (emulated or physical).
ADB allows you to control devices over USB or the network from a computer. This utility makes it possible to copy files in both directions, install and uninstall apps, run shell commands, back up data, read logs, among other functions.
Take a look at the following list of ADB Commands to learn how to use adb.
Smali
Sometimes it is useful to modify the application code to access hidden information (perhaps well-obfuscated passwords or flags). In that case it can be worthwhile to decompile the APK, modify the code and recompile it.
In this tutorial you can learn how to decompile an APK, modify Smali code and recompile the APK with the new functionality. This can be very useful as an alternative to several of the tests presented in the dynamic analysis section, so always keep this possibility in mind.
Other interesting tricks
- Spoofing your location in Play Store
- Shizuku Privileged API (ADB-based non-root privileged access)
- Exploiting Insecure In-App Update Mechanisms
- Abusing Accessibility Services (Android RAT)
- Download APKs: https://apps.evozi.com/apk-downloader/, https://apkpure.com/es/, https://www.apkmirror.com/, https://apkcombo.com/es-es/apk-downloader/, https://github.com/kiber-io/apkd
- Extract an APK from the device:
adb shell pm list packages
com.android.insecurebankv2
adb shell pm path com.android.insecurebankv2
package:/data/app/com.android.insecurebankv2-Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
adb pull /data/app/com.android.insecurebankv2-Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
- Merge all splits and base APKs with APKEditor:
mkdir splits
adb shell pm path com.android.insecurebankv2 | cut -d ':' -f 2 | xargs -n1 -i adb pull {} splits
java -jar ../APKEditor.jar m -i splits/ -o merged.apk
# after merging, you will need to align and sign the apk; personally, I like to use uber-apk-signer
java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
Case Studies & Vulnerabilities
Air Keyboard Remote Input Injection
Android Rooting Frameworks Manager Auth Bypass Syscall Hook
Static Analysis
First of all, to analyse an APK you should take a look at the Java code using a decompiler.
Please, read here to find information about the different decompilers available.
Looking for interesting information
Just by taking a look at the strings of the APK you can search for passwords, URLs (https://github.com/ndelphit/apkurlgrep), API keys, encryption, Bluetooth UUIDs, tokens and anything else interesting... even look for code execution backdoors or authentication backdoors (hardcoded admin credentials in the app).
Firebase
Pay special attention to Firebase URLs and check whether they are badly configured. More information about what Firebase is and how to exploit it here.
Basic understanding of the application - Manifest.xml, strings.xml
Inspecting the application's Manifest.xml and strings.xml files can reveal potential security vulnerabilities. These files can be accessed using decompilers or by renaming the APK file extension to .zip and then unzipping it.
Vulnerabilities identified from the Manifest.xml include:
- Debuggable applications: Applications set as debuggable (debuggable="true") in the Manifest.xml pose a risk because they allow connections that can lead to exploitation. For a better understanding of how to exploit debuggable applications, refer to a tutorial on finding and exploiting debuggable applications on a device.
- Backup settings: The android:allowBackup="false" attribute should be explicitly set for applications handling sensitive information to prevent unauthorised data backups via adb, especially when USB debugging is enabled.
- Network security: Custom network security configurations (android:networkSecurityConfig="@xml/network_security_config") in res/xml/ can specify security details like certificate pins and HTTP traffic settings. An example is allowing HTTP traffic for specific domains.
- Exported activities and services: Identifying exported activities and services in the manifest can highlight components that might be misused. Further analysis during dynamic testing can reveal how to exploit these components.
- Content providers and FileProviders: Exposed content providers could allow unauthorised access to or modification of data. The configuration of FileProviders should also be scrutinised.
- Broadcast receivers and URL schemes: These components could be leveraged for exploitation, with particular attention to how URL schemes are handled for input vulnerabilities.
- SDK versions: The minSdkVersion, targetSDKVersion and maxSdkVersion attributes indicate the supported Android versions, highlighting the importance of not supporting outdated Android versions that may be vulnerable to security issues.
From the strings.xml file, sensitive information such as API keys, custom schemas and other developer notes can be discovered, underscoring the need for careful review of these resources.
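Added example (not HackTricks' own code): a small Python script that applies the manifest checks above to an apktool-decoded AndroidManifest.xml. The sample manifest embedded in it is constructed for illustration, and the implicit-export rule (a component with an intent-filter and no android:exported attribute counts as exported) follows the pre-Android 12 default.

```python
# Added example, not from the page: triage an apktool-decoded AndroidManifest.xml
# for the risky settings listed above (debuggable, allowBackup, exported
# components, SDK versions). Run as: python manifest_triage.py AndroidManifest.xml
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not a real app) used by the self-test below.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="33"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name="com.example.demo.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.demo.AdminActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.provider"/>
  </application>
</manifest>
"""

def attr(elem, name):
    """Read an android:* attribute (the XML namespace makes a raw .get() awkward)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def audit_manifest(xml_text):
    """Return a list of (severity, finding) tuples for the given manifest text."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is None:
        return [("info", "no <application> element found")]

    if attr(app, "debuggable") == "true":
        findings.append(("high", "android:debuggable=true"))
    if attr(app, "allowBackup") != "false":
        findings.append(("medium", "android:allowBackup is not explicitly false"))
    if attr(app, "networkSecurityConfig") is None:
        findings.append(("info", "no android:networkSecurityConfig declared"))
    if attr(app, "usesCleartextTraffic") == "true":
        findings.append(("medium", "android:usesCleartextTraffic=true"))

    sdk = root.find("uses-sdk")
    if sdk is not None and attr(sdk, "minSdkVersion") is not None:
        min_sdk = int(attr(sdk, "minSdkVersion"))
        if min_sdk < 21:
            findings.append(("low", "minSdkVersion %d (< 21)" % min_sdk))

    # A component is reachable from other apps when android:exported="true", or
    # (before Android 12) when it has an <intent-filter> and no explicit exported
    # attribute. Providers default to not exported on modern API levels, so only
    # an explicit "true" is counted for them. The launcher activity will always
    # show up here; that one is expected, the rest deserve a look.
    for tag in ("activity", "activity-alias", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            name = attr(comp, "name")
            exported = attr(comp, "exported")
            implicit = (exported is None and tag != "provider"
                        and comp.find("intent-filter") is not None)
            if exported == "true" or implicit:
                perm = attr(comp, "permission")
                if perm is None:
                    findings.append(("medium", "exported %s without permission: %s" % (tag, name)))
                else:
                    findings.append(("info", "exported %s guarded by %s: %s" % (tag, perm, name)))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for severity, finding in audit_manifest(text):
        print("[%s] %s" % (severity.upper(), finding))
```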
Tapjacking
Tapjacking is an attack where a malicious application is launched and positions itself on top of a victim application. Once it visibly obscures the victim app, its user interface is designed in such a way as to trick the user into interacting with it, while it passes the interaction along to the victim app.
In effect, it blinds the user to the fact that they are actually performing actions on the victim app.
Find more information in:
Task Hijacking
An activity with launchMode set to singleTask and without a taskAffinity defined is vulnerable to task hijacking. This means that an application can be installed and, if it is launched before the real application, it could hijack the task of the real application (so the user will be interacting with the malicious application thinking they are using the real one).
More info in:
Insecure data storage
Internal Storage
In Android, files stored in internal storage are designed to be accessible exclusively by the app that created them. This security measure is enforced by the Android operating system and is generally adequate for the security needs of most applications. However, developers sometimes use modes such as MODE_WORLD_READABLE and MODE_WORLD_WRITABLE to allow files to be shared between different applications. These modes do not restrict access to those files by other applications, including potentially malicious ones.
- Static analysis:
- Ensure that the use of MODE_WORLD_READABLE and MODE_WORLD_WRITABLE is carefully scrutinised. These modes can expose files to unintended or unauthorised access.
- Dynamic analysis:
- Verify the permissions set on files created by the app. Specifically, check whether any files are set to be readable or writable by everyone. This can pose a significant security risk, as it would allow any application installed on the device, regardless of its origin or intent, to read or modify these files.
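One way to do the dynamic check above, as an added example that is not part of the original page: parse the output of `adb shell ls -lR /data/data/<package>` and flag regular files whose mode bits grant read or write access to "others", which is what MODE_WORLD_READABLE and MODE_WORLD_WRITABLE produce on disk. The listing embedded below is constructed; scan_package() assumes adb on PATH and a device where the shell may read the app's data directory.

```python
# Added example, not from the page: parse `adb shell ls -lR /data/data/<package>`
# output and report files that other apps could read or write.
import subprocess

# Constructed sample output (not from a real device) used by the self-test.
SAMPLE_LS = """\
/data/data/com.example.demo/shared_prefs:
total 8
-rw-rw-rw- 1 u0_a123 u0_a123   412 2024-03-01 10:00 creds.xml
-rw------- 1 u0_a123 u0_a123   120 2024-03-01 10:00 settings.xml

/data/data/com.example.demo/databases:
total 16
-rw-r--r-- 1 u0_a123 u0_a123 16384 2024-03-01 10:00 app.db
-rw-rw---- 1 u0_a123 u0_a123  8192 2024-03-01 10:00 app.db-journal
lrwxrwxrwx 1 u0_a123 u0_a123     7 2024-03-01 10:00 link -> app.db
"""

def world_access(mode):
    """Return the set of 'others' permissions found in a 10-char mode string."""
    flags = set()
    if mode[7] == "r":
        flags.add("world-readable")
    if mode[8] == "w":
        flags.add("world-writable")
    return flags

def find_world_accessible(ls_output):
    """Parse `ls -lR` text; return [(path, mode, sorted flags)] for regular files
    that other apps could read or write."""
    findings = []
    current_dir = ""
    for line in ls_output.splitlines():
        if not line.strip():
            continue
        # "ls -R" prints each directory as "<path>:" before its entries.
        if line.endswith(":") and not line.startswith(("-", "d", "l")):
            current_dir = line[:-1]
            continue
        if line.startswith("total "):
            continue
        fields = line.split(None, 7)   # mode links owner group size date time name
        if len(fields) < 8 or len(fields[0]) != 10:
            continue
        mode, name = fields[0], fields[7]
        if mode[0] != "-":             # skip directories, symlinks (always 777), etc.
            continue
        flags = world_access(mode)
        if flags:
            findings.append((current_dir + "/" + name, mode, sorted(flags)))
    return findings

def scan_package(package):
    """Pull the listing from a connected (rooted) device and triage it."""
    out = subprocess.run(["adb", "shell", "ls", "-lR", "/data/data/" + package],
                         capture_output=True, text=True, check=True).stdout
    return find_world_accessible(out)

if __name__ == "__main__":
    for path, mode, flags in find_world_accessible(SAMPLE_LS):
        print(mode, path, ", ".join(flags))
```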
External Storage
When dealing with files on external storage, like SD cards, certain precautions should be taken:
- Accessibility:
- Files on external storage are globally readable and writable. This means any application or user can access these files.
- Security concerns:
- Given the ease of access, it is advised not to store sensitive information on external storage.
- External storage can be removed or accessed by any application, making it less secure.
- Handling data from external storage:
- Always perform input validation on data retrieved from external storage. This is crucial because the data comes from an untrusted source.
- Storing executables or class files on external storage for dynamic loading is strongly discouraged.
- If your application must retrieve executable files from external storage, ensure these files are signed and cryptographically verified before they are dynamically loaded. This step is vital for maintaining the security integrity of your application.
External storage can be accessed in /storage/emulated/0, /sdcard, /mnt/sdcard
tip
Starting with Android 4.4 (API 17), the SD card has a directory structure that limits an app's access to the directory that is specifically for that app. This prevents malicious applications from gaining read or write access to another app's files.
Sensitive data stored in clear text
- Shared preferences: Android allows each application to easily save XML files in the path /data/data/<packagename>/shared_prefs/, and sometimes it is possible to find sensitive information in clear text in that folder.
- Databases: Android allows each application to easily save SQLite databases in the path /data/data/<packagename>/databases/, and sometimes it is possible to find sensitive information in clear text in that folder.
Broken TLS
Accept All Certificates
For some reason, developers sometimes accept all certificates even if, for example, the hostname does not match, with lines of code like the following:
SSLSocketFactory sf = new cc(trustStore);
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
A good way to test this is to try to capture the traffic using a proxy like Burp without installing the Burp CA inside the device. Also, you can generate with Burp a certificate for a different hostname and use it.
Broken Cryptography
Poor key management processes
Some developers save sensitive data in local storage and encrypt it with a key that is hardcoded or predictable in the code. This should not be done, as reversing the app could allow an attacker to extract the confidential information.
Use of insecure and/or deprecated algorithms
Developers should not use deprecated algorithms to perform authorisation checks, or to store or send data. Some of these algorithms are: RC4, MD4, MD5, SHA1... If hashes are used to store passwords, for example, hashes that are resistant to brute force should be used together with a salt.
Other checks
- It is recommended to obfuscate the APK to make reverse engineering harder for attackers.
- If the app is sensitive (like a banking app), it should perform its own checks to see whether the device is rooted and act accordingly.
- If the app is sensitive (like a banking app), it should check whether an emulator is being used.
- If the app is sensitive (like a banking app), it should check its own integrity before executing to see whether it was modified.
- Use APKiD to find out which compiler/packer/obfuscator was used to build the APK
React Native Application
Read the following page to learn how to easily access the JavaScript code of React applications:
Xamarin Applications
Read the following page to learn how to easily access the C# code of Xamarin applications:
Superpacked Applications
According to this blog post, superpacked is a Meta algorithm that compresses the content of an application into a single file. The blog talks about the possibility of creating an app that decompresses these kinds of apps... and a faster way, which involves executing the application and gathering the decompressed files from the filesystem.
Automated Static Code Analysis
The tool mariana-trench is capable of finding vulnerabilities by scanning the code of the application. This tool contains a series of known sources (which tell the tool the places where the input is controlled by the user), sinks (which tell the tool the dangerous places where malicious user input could cause damage) and rules. These rules indicate the combination of sources and sinks that indicates a vulnerability.
With this knowledge, mariana-trench will review the code and find possible vulnerabilities in it.
Secrets leaked
An application may contain secrets (API keys, passwords, hidden URLs, subdomains...) inside it that you might be able to discover. You can use a tool such as https://github.com/dwisiswant0/apkleaks
Bypass Biometric Authentication
Bypass Biometric Authentication (Android)
Other interesting functions
- Code execution: Runtime.exec(), ProcessBuilder(), native code: system()
- Send SMSs: sendTextMessage, sendMultipartTextMessage
- Native functions declared as native: public native, System.loadLibrary, System.load
- Read this to learn how to reverse native functions
- In-memory native code execution via JNI (downloaded shellcode → mmap/mprotect → call):
In Memory Jni Shellcode Execution
Other tricks
Dynamic Analysis
First of all, you need an environment where you can install the application and all the tooling (Burp CA cert, Drozer and Frida mainly). Therefore, a rooted device (emulated or not) is highly recommended.
Online Dynamic analysis
You can create a free account on: https://appetize.io/. This platform allows you to upload and execute APKs, so it is useful to see how an APK behaves.
You can even see the logs of your application on the web and connect through adb.
Thanks to the ADB connection you can use Drozer and Frida inside the emulators.
Local Dynamic Analysis
Using an emulator
- Android Studio (you can create x86 and ARM devices, and according to this, the latest x86 versions support ARM libraries without needing the slow ARM emulator).
- Learn how to set it up on this page:
- Genymotion (Free version: Personal Edition, you need to create an account. It is recommended to download the version WITH VirtualBox to avoid potential errors.)
- Nox (Free, but it doesn't support Frida or Drozer).
tip
When creating a new emulator on any platform, remember that the bigger the screen is, the slower the emulator will run. So select a small screen if possible.
To install Google services (like the App Store) in Genymotion you need to click the red-marked button in the following image:
Also, notice that in the configuration of the Android VM in Genymotion you can select Bridge Network mode (this will be useful if you need to connect to the Android VM from a different VM with the tools).
Use a physical device
You need to activate the debugging options, and it would be good if you can root it:
- Settings.
- (From Android 8.0) Select System.
- Select About phone.
- Press Build number 7 times.
- Go back and you will find the Developer options.
Once you have installed the application, the first thing you should do is to try it and investigate what it does, how it works and get comfortable with it.
I suggest performing this initial dynamic analysis using MobSF dynamic analysis + pidcat, so we will be able to learn how the application works while MobSF captures a lot of interesting data you can review later on.
Magisk/Zygisk quick notes (recommended on Pixel devices)
- Patch boot.img with the Magisk app and flash via fastboot to get systemless root
- Enable Zygisk + DenyList for root hiding; consider LSPosed/Shamiko when stronger hiding is required
- Keep original boot.img to recover from OTA updates; re-patch after each OTA
- For screen mirroring, use scrcpy on the host
Unintended Data Leakage
Logging
Developers should be cautious about exposing debugging information publicly, as it can lead to sensitive data leaks. The tools pidcat and adb logcat are recommended for monitoring application logs to identify and protect sensitive information. Pidcat is preferred for its ease of use and readability.
warning
Note that from Android versions later than 4.0, applications are only able to access their own logs. So applications cannot access other apps' logs.
Anyway, it is still recommended not to log sensitive information.
Copy/Paste Buffer Caching
Android's clipboard-based framework enables copy-paste functionality in apps, yet it poses a risk as other applications can access the clipboard, potentially exposing sensitive data. It is crucial to disable copy/paste functions for sensitive sections of an application, such as credit card details, to prevent data leaks.
Crash Logs
If an application crashes and saves logs, these logs can assist attackers, particularly when the application cannot be reverse-engineered. To mitigate this risk, avoid logging on crashes, and if logs must be transmitted over the network, ensure they are sent via an SSL channel for security.
As a pentester, try to take a look at these logs.
Analytics Data Sent To 3rd Parties
Applications often integrate services like Google AdSense, which can inadvertently leak sensitive data due to improper implementation by developers. To identify potential data leaks, it is advisable to intercept the application's traffic and check for any sensitive information being sent to third-party services.
SQLite DBs
Most applications will use internal SQLite databases to save information. During the pentest take a look at the databases created, the names of the tables and columns and all the data saved, because you could find sensitive information (which would be a vulnerability).
Databases should be located in /data/data/the.package.name/databases, for example /data/data/com.mwr.example.sieve/databases
If the database is saving confidential information and is encrypted but you can find the password inside the application, it is still a vulnerability.
Enumerate the tables using .tables and enumerate the columns of the tables with .schema <table_name>
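The same enumeration done programmatically, as an added example that is not part of the original page: it does what `.tables` and `.schema <table>` do for a database pulled with adb, then flags columns whose names suggest secrets and samples their values so you can judge whether they are stored in clear text. The in-memory database it builds is constructed for the self-test; pass a pulled .db path as the first argument to use it on real data.

```python
# Added example, not from the page: triage a SQLite database pulled from
# /data/data/<package>/databases/. Run as: python db_triage.py app.db
import re
import sqlite3
import sys

# Column names worth a look; matched as whole "_"-separated words so that,
# for example, "shipping" does not trigger the "pin" keyword.
SENSITIVE_COLUMN_RE = re.compile(
    r"(?:^|_)(?:pass(?:word|wd)?|pwd|secret|token|api_?key|card_?(?:number|no)?"
    r"|cvv|pin|ssn|session_?id|cookie)(?:_|$)", re.IGNORECASE)

def quote_ident(name):
    """Double-quote an identifier for SQLite (names come from the DB itself)."""
    return '"' + name.replace('"', '""') + '"'

def enumerate_schema(conn):
    """Equivalent of `.tables` plus `.schema` per table: {table: [columns]}."""
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name").fetchall()
    schema = {}
    for (table,) in tables:
        rows = conn.execute("PRAGMA table_info(%s)" % quote_ident(table)).fetchall()
        schema[table] = [row[1] for row in rows]      # row[1] is the column name
    return schema

def triage(conn, sample_rows=3):
    """Return [(table, column, [sample values])] for suspicious-looking columns."""
    findings = []
    for table, columns in enumerate_schema(conn).items():
        for column in columns:
            if SENSITIVE_COLUMN_RE.search(column):
                values = conn.execute("SELECT %s FROM %s LIMIT %d" % (
                    quote_ident(column), quote_ident(table), sample_rows)).fetchall()
                findings.append((table, column, [v[0] for v in values]))
    return findings

def build_sample_db():
    """Constructed in-memory database standing in for a pulled app.db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, created_at TEXT);
        CREATE TABLE session (id INTEGER PRIMARY KEY, auth_token TEXT, expires TEXT);
        CREATE TABLE shipping (id INTEGER PRIMARY KEY, address TEXT);
        INSERT INTO users VALUES (1, 'alice', 'Summer2024!', '2024-03-01');
        INSERT INTO session VALUES (1, 'constructed-token-value', '2024-03-02');
        INSERT INTO shipping VALUES (1, '1 Example Street');
    """)
    return conn

if __name__ == "__main__":
    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for table, columns in enumerate_schema(conn).items():
        print("%s: %s" % (table, ", ".join(columns)))
    for table, column, values in triage(conn):
        print("[!] %s.%s -> %r" % (table, column, values))
```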
Drozer (Exploit Activities, Content Providers and Services)
From the Drozer Docs: Drozer allows you to assume the role of an Android app and interact with other apps. It can do anything that an installed application can do, such as make use of Android's Inter-Process Communication (IPC) mechanism and interact with the underlying operating system.
Drozer is a useful tool to exploit exported activities, exported services and Content Providers, as you will learn in the following sections.
Exploiting exported Activities
Read this if you want to refresh what an Android Activity is.
Also remember that the code of an activity starts in the onCreate method.
Authorisation bypass
When an Activity is exported you can invoke its screen from an external app. Therefore, if an activity with sensitive information is exported you could bypass the authentication mechanisms to access it.
Learn how to exploit exported activities with Drozer.
You can also start an exported activity from adb:
- PackageName is com.example.demo
- Exported ActivityName is com.example.test.MainActivity
adb shell am start -n com.example.demo/com.example.test.MainActivity
NOTE: MobSF will detect as malicious the use of singleTask/singleInstance as android:launchMode in an activity, but according to this, apparently this is only dangerous on old versions (API versions < 21).
tip
Note that an authorisation bypass is not always a vulnerability; it depends on how the bypass works and which information is exposed.
Sensitive information leakage
Activities can also return results. If you manage to find an exported and unprotected activity that calls the setResult method and returns sensitive information, there is a sensitive information leakage.
Tapjacking
If tapjacking isn't prevented, you could abuse the exported activity to make the user perform unexpected actions. For more info about what Tapjacking is, follow the link.
Exploiting Content Providers - Accessing and manipulating sensitive information
Read this if you want to refresh what a Content Provider is.
Content providers are basically used to share data. If an app has available content providers you may be able to extract sensitive data from them. It is also worth testing for possible SQL injections and path traversals, as they could be vulnerable.
Learn how to exploit Content Providers with Drozer.
Exploiting Services
Read this if you want to refresh what a Service is.
Remember that the actions of a Service start in the onStartCommand method.
A service is basically something that can receive data, process it and return (or not) a response. So, if an application is exporting some services you should check the code to understand what it is doing and test it dynamically to extract confidential information, bypass authentication measures...
Learn how to exploit Services with Drozer.
Exploiting Broadcast Receivers
Read this if you want to refresh what a Broadcast Receiver is.
Remember that the actions of a Broadcast Receiver start in the onReceive method.
A broadcast receiver will be waiting for a certain type of message. Depending on how the receiver handles the message, it could be vulnerable.
Learn how to exploit Broadcast Receivers with Drozer.
Exploiting Schemes / Deep links
You can look for deep links manually, using tools like MobSF or scripts like this one.
You can open a declared scheme using adb or a browser:
adb shell am start -a android.intent.action.VIEW -d "scheme://hostname/path?param=value" [your.package.name]
Note that you can omit the package name and the mobile device will automatically call the app that should open that link.
<!-- Browser regular link -->
<a href="scheme://hostname/path?param=value">Click me</a>
<!-- fallback in your url you could try the intent url -->
<a href="intent://hostname#Intent;scheme=scheme;package=your.package.name;S.browser_fallback_url=http%3A%2F%2Fwww.example.com;end">with alternative</a>
Code executed
To find the code that will be executed in the app, go to the activity called by the deep link and search for the function onNewIntent.
Sensitive info
Every time you find a deep link, check that it is not receiving sensitive data (like passwords) via URL parameters, because any other application could impersonate the deep link and steal that data!
Parameters in path
You must also check whether any deep link is using a parameter inside the path of the URL, like: https://api.example.com/v1/users/{username}. In that case you can force a path traversal by accessing something like: example://app/users?username=../../unwanted-endpoint%3fparam=value.
Note that if you find the correct endpoints inside the application you may be able to cause an Open Redirect (if part of the path is used as the domain name), account takeover (if you can modify user details without a CSRF token and the vulnerable endpoint used the correct method) and any other kind of vuln. More info about this here.
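The path-traversal case above worked through, as an added example that is not part of the original page: it reproduces what the app receives from the deep link (the percent-decoded value, as Uri.getQueryParameter() returns it), what the naive path concatenation turns into once the server normalises the `..` segments, and the allow-list plus percent-encoding check that closes the hole. The API base and deep link are the page's own example values; the character set accepted for a username is an assumption.

```python
# Added example, not from the page: why a deep-link parameter pasted into
# https://api.example.com/v1/users/{username} escapes the intended endpoint,
# and the check an app should apply before building the request.
import posixpath
import re
from urllib.parse import parse_qs, quote, urlsplit

API_BASE = "https://api.example.com/v1/users/"
# Constructed deep link carrying the traversal payload from the text above.
DEEPLINK = "example://app/users?username=../../unwanted-endpoint%3fparam=value"
# Assumed format of a legitimate username (allow-list, no '.', '/', '?', '%').
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")

def param_from_deeplink(deeplink, name):
    """What Uri.getQueryParameter(name) hands the app: the percent-DECODED value,
    so %3f has already become '?' by the time the app sees it."""
    values = parse_qs(urlsplit(deeplink).query, keep_blank_values=True).get(name)
    return values[0] if values else None

def build_request_url_naive(username):
    """Vulnerable pattern: the parameter is concatenated straight into the path."""
    return API_BASE + username

def as_seen_by_server(url):
    """Collapse '.' and '..' segments the way an HTTP server or URL library
    normalises the request target; returns (path, query)."""
    parts = urlsplit(url)
    return posixpath.normpath(parts.path), parts.query

def build_request_url_safe(username):
    """Hardened pattern: reject anything outside the expected character set and
    percent-encode what remains so it can only ever be one path segment."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username from deep link rejected: %r" % username)
    return API_BASE + quote(username, safe="")

def is_accepted(username):
    """True if the hardened builder accepts the value, False if it rejects it."""
    try:
        build_request_url_safe(username)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    username = param_from_deeplink(DEEPLINK, "username")
    print("app receives username  =", repr(username))
    print("naive URL              =", build_request_url_naive(username))
    print("server resolves it to  =", as_seen_by_server(build_request_url_naive(username)))
    print("hardened builder       =", "accepted" if is_accepted(username) else "rejected")
```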
More examples
An interesting bug bounty report: here, about links (/.well-known/assetlinks.json).
Transport Layer Inspection and Verification Failures
- Certificates are not always inspected properly by Android applications. It is common for these applications to overlook warnings and accept self-signed certificates or, in some instances, revert to using HTTP connections.
- Negotiations during the SSL/TLS handshake are sometimes weak, employing insecure cipher suites. This vulnerability makes the connection susceptible to man-in-the-middle (MITM) attacks, allowing attackers to decrypt the data.
- Leakage of private information is a risk when applications authenticate over secure channels but then communicate over non-secure channels for other transactions. This approach fails to protect sensitive data, such as session cookies or user details, from interception by malicious entities.
Certificate Verification
We will focus on certificate verification. The integrity of the server's certificate must be verified to enhance security. This is crucial because insecure TLS configurations and the transmission of sensitive data over unencrypted channels can pose significant risks. For detailed steps on verifying server certificates and addressing vulnerabilities, this resource provides comprehensive guidance.
SSL Pinning
SSL Pinning is a security measure where the application verifies the server's certificate against a known copy stored within the application itself. This method is essential for preventing MITM attacks. Implementing SSL Pinning is strongly recommended for applications handling sensitive information.
Traffic Inspection
To inspect HTTP traffic, it is necessary to install the proxy tool's certificate (e.g. Burp). Without installing this certificate, encrypted traffic might not be visible through the proxy. For a guide on installing a custom CA certificate, click here.
Applications targeting API Level 24 and above require modifications to the Network Security Config to accept the proxy's CA certificate. This step is critical for inspecting encrypted traffic. For instructions on modifying the Network Security Config, refer to this tutorial.
If Flutter is being used you need to follow the instructions on this page. This is because just adding the certificate to the store won't work, as Flutter has its own list of valid CAs.
Static detection of SSL/TLS pinning
Before attempting runtime bypasses, quickly map where pinning is implemented inside the APK. Static detection helps you plan hooks/patches and focus on the right code paths.
Tool: SSLPinDetect
- Open-source static analysis utility that decompiles an APK to Smali (via apktool) and searches for curated regex patterns of SSL/TLS pinning implementations.
- Reports the exact file path, line number and code snippet for each match.
- Covers common frameworks and custom code paths: OkHttp CertificatePinner, custom javax.net.ssl.X509TrustManager.checkServerTrusted, SSLContext.init with custom TrustManagers/KeyManagers, and Network Security Config XML pins.
Install
- Prerequisites: Python >= 3.8, Java on PATH, apktool
git clone https://github.com/aancw/SSLPinDetect
cd SSLPinDetect
pip install -r requirements.txt
Usage
# Basic
python sslpindetect.py -f app.apk -a apktool.jar
# Verbose (timings + per-match path:line + snippet)
python sslpindetect.py -a apktool_2.11.0.jar -f sample/app-release.apk -v
Example pattern rules (JSON). Use or extend the signatures to detect proprietary/custom pinning styles. You can load your own JSON and scan at scale.
{
"OkHttp Certificate Pinning": [
"Lcom/squareup/okhttp/CertificatePinner;",
"Lokhttp3/CertificatePinner;",
"setCertificatePinner"
],
"TrustManager Override": [
"Ljavax/net/ssl/X509TrustManager;",
"checkServerTrusted"
]
}
Notes and tips
- Fast scanning of large apps via multi-threading and memory-mapped I/O; pre-compiled regexes reduce overhead/false positives.
- Pattern collection: https://github.com/aancw/smali-sslpin-patterns
- Typical detection targets to review:
- OkHttp: CertificatePinner usage, setCertificatePinner, okhttp3/okhttp package references
- Custom TrustManagers: javax.net.ssl.X509TrustManager, checkServerTrusted overrides
- Custom SSL contexts: SSLContext.getInstance + SSLContext.init with custom managers
- Pins declared in the res/xml network security config and manifest references
- Use the matched locations to plan Frida hooks, static patches or config review before dynamic tests.
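A minimal scanner in the same spirit, as an added example that is not SSLPinDetect's own code: it applies rules in the JSON format shown above to apktool's Smali output and reports rule, file, line number and snippet for each hit. The Smali files embedded below are constructed for the self-test; scan_directory() walks a real `apktool d app.apk` output folder.

```python
# Added example, not SSLPinDetect's code: apply JSON pattern rules (format as on
# the page) to Smali text and report rule / file / line / snippet per match.
import json
import os
import re

RULES_JSON = """
{
  "OkHttp Certificate Pinning": [
    "Lcom/squareup/okhttp/CertificatePinner;",
    "Lokhttp3/CertificatePinner;",
    "setCertificatePinner"
  ],
  "TrustManager Override": [
    "Ljavax/net/ssl/X509TrustManager;",
    "checkServerTrusted"
  ]
}
"""

# Constructed Smali (not from a real app): one clean class, one OkHttp pinner,
# one custom TrustManager that overrides checkServerTrusted.
SAMPLE_FILES = {
    "smali/com/example/MainActivity.smali": """\
.class public Lcom/example/MainActivity;
.super Landroid/app/Activity;
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 0
    return-void
.end method
""",
    "smali/com/example/net/Pinner.smali": """\
.class public Lcom/example/net/Pinner;
.super Ljava/lang/Object;
.method public static client()Lokhttp3/OkHttpClient;
    .locals 2
    new-instance v0, Lokhttp3/OkHttpClient$Builder;
    invoke-direct {v0}, Lokhttp3/OkHttpClient$Builder;-><init>()V
    sget-object v1, Lcom/example/net/Pinner;->PINS:Lokhttp3/CertificatePinner;
    invoke-virtual {v0, v1}, Lokhttp3/OkHttpClient$Builder;->certificatePinner(Lokhttp3/CertificatePinner;)Lokhttp3/OkHttpClient$Builder;
    move-result-object v0
    invoke-virtual {v0}, Lokhttp3/OkHttpClient$Builder;->build()Lokhttp3/OkHttpClient;
    move-result-object v0
    return-object v0
.end method
""",
    "smali/com/example/net/TrustAll.smali": """\
.class public Lcom/example/net/TrustAll;
.super Ljava/lang/Object;
.implements Ljavax/net/ssl/X509TrustManager;
.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 0
    return-void
.end method
""",
}

def compile_rules(rules_json):
    """Pre-compile every pattern once: {rule name: [compiled regex, ...]}."""
    return {name: [re.compile(p) for p in patterns]
            for name, patterns in json.loads(rules_json).items()}

def scan_smali(files, rules):
    """files: {path: text}. Returns [(rule, path, line_no, stripped line)],
    one entry per rule per matching line, in path order."""
    hits = []
    for path in sorted(files):
        for line_no, line in enumerate(files[path].splitlines(), 1):
            for rule, patterns in rules.items():
                if any(p.search(line) for p in patterns):
                    hits.append((rule, path, line_no, line.strip()))
    return hits

def scan_directory(root, rules):
    """Walk an apktool output directory and scan every .smali file in it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".smali"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[full] = fh.read()
    return scan_smali(files, rules)

if __name__ == "__main__":
    for rule, path, line_no, snippet in scan_smali(SAMPLE_FILES, compile_rules(RULES_JSON)):
        print("%s  %s:%d  %s" % (rule, path, line_no, snippet))
```

A hit on checkServerTrusted is a candidate for review, not proof of pinning: the same override is how "accept all certificates" trust managers are written, so read the matched method body before deciding what to hook or patch.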
Bypassing SSL Pinning
When SSL Pinning is implemented, bypassing it becomes necessary to inspect HTTPS traffic. Various methods are available for this purpose:
- Automatically modify the APK to bypass SSL pinning with apk-mitm. The biggest advantage of this option is that you won't need root to bypass the SSL Pinning, but you will need to uninstall the application and install the new one, and this won't always work.
- You could use Frida (discussed below) to bypass this protection. Here you have a guide to use Burp+Frida+Genymotion: https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/
- You can also try to automatically bypass SSL Pinning using objection:
objection --gadget com.package.app explore --startup-command "android sslpinning disable"
- You can also try to automatically bypass SSL Pinning using MobSF dynamic analysis (explained below)
- If you still think there is some traffic you aren't capturing, you can try to forward the traffic to Burp using iptables. Read this blog: https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62
Looking for Common Web Vulnerabilities
It is important to also search for common web vulnerabilities within the application. Detailed information on identifying and mitigating these vulnerabilities is beyond the scope of this summary but is extensively covered elsewhere.
Frida
Frida is a dynamic instrumentation toolkit for developers, reverse engineers and security researchers.
You can access the running application and hook methods at runtime to change its behaviour, change values, extract values, run different code...
If you want to pentest Android applications you need to know how to use Frida.
- Learn how to use Frida: Frida tutorial
- Some "GUIs" for actions with Frida: https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security
- Objection is great to automate the use of Frida: https://github.com/sensepost/objection , https://github.com/dpnishant/appmon
- You can find some Awesome Frida scripts here: https://codeshare.frida.re/
- Try to bypass anti-debugging / anti-frida mechanisms by loading Frida as described in https://erfur.github.io/blog/dev/code-injection-without-ptrace (tool linjector)
Anti-instrumentation & SSL pinning bypass workflow
Android Anti Instrumentation And Ssl Pinning Bypass
Dump Memory - Fridump
Check whether the application is storing sensitive information in memory that it shouldn't be storing, like passwords or mnemonics.
Using Fridump3 you can dump the memory of the app with:
# With PID
python3 fridump3.py -u <PID>
# With name
frida-ps -Uai
python3 fridump3.py -u "<Name>"
This will dump the memory into the ./dump folder, and there you can grep for something like:
strings * | grep -E "^[a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+$"
Sensitive data in the Keystore
In Android the Keystore is the best place to store sensitive data; however, with enough privileges it is still possible to access it. As applications tend to store sensitive data here in clear text, pentests should check for it, since a root user or someone with physical access to the device could steal this data.
Even if an app stored data in the keystore, that data should be encrypted.
To access the data inside the keystore you could use this Frida script: https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js
frida -U -f com.example.app -l frida-scripts/tracer-cipher.js
Fingerprint/Biometrics Bypass
Using the following Frida script it could be possible to bypass the fingerprint authentication that Android applications may perform in order to protect certain sensitive areas:
frida --codeshare krapgras/android-biometric-bypass-update-android-11 -U -f <app.package>
Background Images
When you put an application in the background, Android stores a snapshot of the application so that when it is brought back to the foreground it starts by loading the image before the app, so it looks like the app loaded faster.
However, if this snapshot contains sensitive information, someone with access to the snapshot might steal that information (note that you need root to access it).
Snapshots are usually stored around: /data/system_ce/0/snapshots
Android provides a way to prevent screenshot capture by setting the FLAG_SECURE layout parameter. By using this flag, the window contents are treated as secure, preventing them from appearing in screenshots or from being viewed on non-secure displays.
getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);
Android Application Analyzer
This tool can help you manage different tools during dynamic analysis: https://github.com/NotSoSecure/android_application_analyzer
Intent Injection
Developers often create proxy components such as activities, services, and broadcast receivers that handle these Intents and pass them on to methods like startActivity(...) or sendBroadcast(...), which can be dangerous.
The danger lies in allowing attackers to trigger non-exported app components or to access sensitive content providers by misdirecting these Intents. A notable example is a WebView component converting URLs into Intent objects via Intent.parseUri(...) and then executing them, which can lead to malicious Intent injections.
Key Insights
- Intent Injection is similar to the web's Open Redirect.
- Exploits involve passing Intent objects as extras, which can be redirected to execute unsafe operations.
- It can expose non-exported components and content providers to attackers.
- WebView's URL-to-Intent conversion can facilitate unintended actions.
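As an added example (not code from the page or from any project it describes), here is the WebView pattern the text describes in its risky form next to a hardened form. The class names are assumptions; the hardened client applies the checks commonly recommended for intent: URLs that originate from web content: drop any explicit component or selector so the intent can only reach exported handlers, strip URI-permission grants, require CATEGORY_BROWSABLE, and refuse to start an intent nothing resolves.

```java
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URISyntaxException;

// Added example: URL-to-Intent conversion in a WebViewClient, risky vs. hardened.
public class IntentRedirectExample {

    // Risky: any URL the page navigates to becomes an Intent and is started as-is, so a page
    // can address this app's own non-exported activities or a chosen package directly.
    public static class VulnerableClient extends WebViewClient {
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            try {
                Intent intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
                view.getContext().startActivity(intent);
                return true;
            } catch (URISyntaxException e) {
                return false;
            }
        }
    }

    // Hardened: only intent: URLs are converted, and the intent is sanitised before use.
    public static class HardenedClient extends WebViewClient {
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            if (!url.startsWith("intent:")) {
                return false; // ordinary http(s) navigation stays inside the WebView
            }
            try {
                Intent intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
                // No explicit target: the intent can no longer name a non-exported component
                // of this app (or of another app); only exported handlers of action/data apply.
                intent.setComponent(null);
                intent.setSelector(null);
                // Web content has no business handing out URI permissions on our behalf.
                intent.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                        | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
                // Only components that opted in to browser-originated intents may receive it.
                intent.addCategory(Intent.CATEGORY_BROWSABLE);
                if (intent.resolveActivity(view.getContext().getPackageManager()) == null) {
                    return true; // nothing legitimate handles it: swallow instead of forwarding
                }
                view.getContext().startActivity(intent);
            } catch (URISyntaxException | ActivityNotFoundException e) {
                // malformed or unresolvable intent URL must not crash the app
            }
            return true;
        }
    }
}
```

When auditing decompiled code, grep for Intent.parseUri followed by startActivity, startService or sendBroadcast with no setComponent(null) / setSelector(null) in between; that is the pattern the Key Insights above warn about.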
Android Client Side Injections and others
You probably already know these kinds of vulnerabilities from the Web. You must be especially careful with them in an Android application:
- SQL Injection: When dealing with dynamic queries or Content-Providers ensure you are using parameterized queries.
- JavaScript Injection (XSS): Verify that JavaScript and Plugin support is disabled for any WebViews (disabled by default). More info here.
- Local File Inclusion: WebViews should have access to the file system disabled (enabled by default) - (webview.getSettings().setAllowFileAccess(false);). More info here.
- Eternal cookies: In several cases, when the Android application finishes the session the cookie isn't revoked, or it may even be saved to disk.
- Secure Flag in cookies
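The list above in code, as an added example that is not part of the page or of any project it mentions: a dynamic query built by concatenation next to its parameterized form, the WebView settings that close the XSS and file-access items, and the cookie teardown that the "eternal cookies" item calls for. The table and column names (`notes`, `id`, `owner`) and the class name are illustrative assumptions.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.webkit.CookieManager;
import android.webkit.WebSettings;
import android.webkit.WebView;

// Added example: client-side injection fixes for SQL, WebView and session cookies.
public class ClientSideHardening {

    // SQL Injection, risky: the caller-controlled value becomes part of the SQL text.
    static Cursor findNotesUnsafe(SQLiteDatabase db, String owner) {
        return db.rawQuery("SELECT id, owner FROM notes WHERE owner = '" + owner + "'", null);
    }

    // SQL Injection, hardened: the value travels as a bind parameter and is never parsed as SQL.
    static Cursor findNotesSafe(SQLiteDatabase db, String owner) {
        return db.query("notes", new String[] {"id", "owner"},
                "owner = ?", new String[] {owner}, null, null, null);
    }

    // XSS / Local File Inclusion: pin the WebView settings the list above refers to.
    static void hardenWebView(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);               // default, but set explicitly so a reviewer can see it
        s.setAllowFileAccess(false);                 // default true before API 30, false from API 30
        s.setAllowContentAccess(false);              // no content:// URLs from page content
        s.setAllowFileAccessFromFileURLs(false);     // file:// pages may not read other local files
        s.setAllowUniversalAccessFromFileURLs(false);
    }

    // Eternal cookies: revoke the WebView session on logout and persist the removal to disk.
    static void logout(WebView webView) {
        CookieManager cm = CookieManager.getInstance();
        cm.removeAllCookies(null); // API 21+; the callback is optional
        cm.flush();                // write the now-empty cookie store to disk
        webView.clearCache(true);
        webView.clearHistory();
    }
}
```

For a ContentProvider whose query() receives the selection string from the caller, binding values is not enough on its own; have the provider build its query through SQLiteQueryBuilder with setStrict(true) so that caller-supplied selection text is validated before it reaches SQLite.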
Automatic Analysis
MobSF
Static analysis
Vulnerability assessment of the application using a nice web frontend. You can also perform dynamic analysis (but you need to prepare the environment).
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
Note that MobSF can analyze Android (apk), iOS (ipa) and Windows (appx) applications (Windows applications must be analyzed from a MobSF installed on a Windows host).
Also, if you create a ZIP file with the source code of an Android or iOS app (go to the root folder of the application, select everything and create a ZIP file), it will be able to analyze it too.
MobSF also lets you diff/compare analyses and integrate VirusTotal (you will need to set your API key in MobSF/settings.py and enable it:
VT_ENABLED = TRUE
VT_API_KEY = <Your API key>
VT_UPLOAD = TRUE
). You can also set VT_UPLOAD to False; then the hash will be uploaded instead of the file.
Assisted Dynamic Analysis with MobSF
MobSF can also be very helpful for dynamic analysis on Android, but in that case you will need to install MobSF and genymotion on your host (a VM or Docker won't work). Note: You need to start a VM in genymotion first and then MobSF.
The MobSF dynamic analyser can:
- Dump application data (URLs, logs, clipboard, screenshots made by you, screenshots made by "Exported Activity Tester", emails, SQLite databases, XML files, and other created files). All of this is done automatically except for the screenshots; you need to press when you want a screenshot, or you need to press "Exported Activity Tester" to obtain screenshots of all the exported activities.
- Capture HTTPS traffic
- Use Frida to obtain runtime information
From Android versions > 5, it will automatically start Frida and set global proxy settings to capture traffic. It will only capture traffic from the tested application.
Frida
By default, it will also use some Frida Scripts to bypass SSL pinning, root detection and debugger detection and to monitor interesting APIs.
MobSF can also invoke exported activities, grab screenshots of them and save them for the report.
To start the dynamic testing press the green button "Start Instrumentation". Press "Frida Live Logs" to see the logs generated by the Frida scripts and "Live API Monitor" to see all the invocations of hooked methods, the arguments passed and the returned values (this will appear after pressing "Start Instrumentation").
MobSF also allows you to load your own Frida scripts (to send the results of your Frida scripts to MobSF use the function send()). It also has several pre-written scripts you can load (you can add more in MobSF/DynamicAnalyzer/tools/frida_scripts/others/); just select them, press "Load" and press "Start Instrumentation" (you will be able to see the logs of those scripts inside "Frida Live Logs").
Moreover, you have some Auxiliary Frida functionalities:
- Enumerate Loaded Classes: It will print all the loaded classes
- Capture Strings: It will print all the capture strings while using the application (super noisy)
- Capture String Comparisons: Could be very useful. It will show the 2 strings being compared and if the result was True or False.
- Enumerate Class Methods: Put the class name (like "java.io.File") and it will print all the methods of the class.
- Search Class Pattern: Search classes by pattern
- Trace Class Methods: Trace a whole class (see inputs and outputs of all methods of the class). Remember that by default MobSF traces several interesting Android API methods.
Once you have selected the auxiliary module you want to use you need to press "Start Instrumentation" and you will see all the outputs in "Frida Live Logs".
Shell
MobSF also comes with a shell with some adb commands, MobSF commands and common shell commands at the bottom of the dynamic analysis page. Some interesting commands:
help
shell ls
activities
exported_activities
services
receivers
HTTP tools
When HTTP traffic is captured you can see an ugly view of the captured traffic under the "HTTP(S) Traffic" button at the bottom, or a nicer view under the green "Start HTTPTools" button. From the second option, you can send the captured requests to proxies like Burp or OWASP ZAP.
To do so, power on Burp --> turn off Intercept --> in MobSF HTTPTools select the request --> press "Send to Fuzzer" --> select the proxy address (http://127.0.0.1:8080).
Once you finish the dynamic analysis with MobSF you can press "Start Web API Fuzzer" to fuzz the HTTP requests and look for vulnerabilities.
tip
After performing a dynamic analysis with MobSF the proxy settings may be misconfigured and you won't be able to fix them from the GUI. You can fix the proxy settings by running:
adb shell settings put global http_proxy :0
Assisted Dynamic Analysis with Inspeckage
You can get this tool from Inspeckage.
This tool uses some Hooks to let you know what is happening in the application while you perform dynamic analysis.
Yaazhini
This is a nice tool to perform static analysis with a GUI
Qark
This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs. The tool is also capable of creating a "Proof-of-Concept" deployable APK and ADB commands to exploit some of the found vulnerabilities (exposed activities, intents, tapjacking...). As with Drozer, there is no need to root the test device.
pip3 install --user qark # --user is only needed if not using a virtualenv
qark --apk path/to/my.apk
qark --java path/to/parent/java/folder
qark --java path/to/specific/java/file.java
ReverseAPK
- Displays all extracted files for easy reference
- Automatically decompiles APK files to Java and Smali format
- Analyzes AndroidManifest.xml for common vulnerabilities and behaviour
- Static source code analysis for common vulnerabilities and behaviour
- Device info
- and more
reverse-apk relative/path/to/APP.apk
SUPER Android Analyzer
SUPER is a command-line application that can be used on Windows, MacOS X and Linux and that analyzes .apk files looking for vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities.
All the rules are in the rules.json file, and each company or tester can create its own rules to analyze what they need.
Download the latest binaries from the download page
super-analyzer {apk_file}
StaCoAn
StaCoAn is a crossplatform tool which aids developers, bug bounty hunters and ethical hackers in performing static code analysis on mobile applications.
The concept is that you drag and drop your mobile application file (an .apk or .ipa file) onto the StaCoAn application and it will generate a visual and portable report for you. You can tweak the settings and wordlists to get a customized experience.
Download latest release:
./stacoan
AndroBugs
AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications.
Windows releases
python androbugs.py -f [APK file]
androbugs.exe -f [APK file]
Androwarn
Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developed by an Android application.
The detection is performed with static analysis of the application's Dalvik bytecode, represented as Smali, using the androguard library.
This tool looks for common behaviours of "bad" applications such as: Telephony identifiers exfiltration, Audio/video flow interception, PIM data modification, Arbitrary code execution...
python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
MARA Framework
MARA is a Mobile Application Reverse engineering and Analysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier for mobile application developers and security professionals.
It is capable of:
- Extracting Java and Smali code using various tools
- Analyzing APKs using: smalisca, ClassyShark, androbugs, androwarn, APKiD
- Extracting private information from the APK using regexps
- Analyzing the Manifest
- Analyzing the discovered domains using: pyssltest, testssl and whatweb
- Deobfuscating APKs via apk-deguard.com
Koodous
Useful for detecting malware: https://koodous.com/
Obfuscating/Deobfuscating code
Note that, depending on the service and configuration you use to obfuscate the code, secrets may or may not end up obfuscated.
ProGuard
From Wikipedia: ProGuard is an open source command-line tool that shrinks, optimizes and obfuscates Java code. It is able to optimize bytecode as well as detect and remove unused instructions. ProGuard is free software and is distributed under the GNU General Public License, version 2.
ProGuard is distributed as part of the Android SDK and runs when building the application in release mode.
DexGuard
Find a step-by-step guide to deobfuscating the apk at https://blog.lexfo.fr/dexguard.html
(From that guide) Last time we checked, the Dexguard mode of operation was:
- load a resource as an InputStream;
- feed the result to a class inheriting from FilterInputStream to decrypt it;
- do some useless obfuscation to waste a few minutes of time from a reverser;
- feed the decrypted result to a ZipInputStream to get a DEX file;
- finally load the resulting DEX as a Resource using the loadDex method.
DeGuard
DeGuard reverses the process of obfuscation performed by Android obfuscation tools. This enables numerous security analyses, including code inspection and predicting libraries.
You can upload an obfuscated APK to their platform.
Deobfuscate android App: https://github.com/In3tinct/deobfuscate-android-app
This is an LLM-based tool for finding any potential security vulnerabilities in Android apps and deobfuscating Android app code. It uses Google's Gemini public API.
Simplify
It's a generic Android deobfuscator. Simplify virtually executes an app to understand its behavior and then tries to optimize the code so that it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn't matter what specific type of obfuscation is used.
APKiD
APKiD gives you information about how an APK was made. It identifies many compilers, packers, obfuscators, and other weird stuff. It's PEiD for Android.
Manual
Read this tutorial to learn some tricks on how to reverse custom obfuscation
Labs
Androl4b
AndroL4b is an Android security virtual machine based on ubuntu-mate that includes a collection of the latest frameworks, tutorials and labs from different security geeks and researchers for reverse engineering and malware analysis.
References
- https://owasp.org/www-project-mobile-app-security/
- https://appsecwiki.com/#/ A great list of resources
- https://maddiestone.github.io/AndroidAppRE/ Android quick course
- https://manifestsecurity.com/android-application-security/
- https://github.com/Ralireza/Android-Security-Teryaagh
- https://www.youtube.com/watch?v=PMKnPaGWxtg&feature=youtu.be&ab_channel=B3nacSec
- SSLPinDetect: Advanced SSL Pinning Detection for Android Security Analysis
- SSLPinDetect GitHub
- smali-sslpin-patterns
- Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa
- CoRPhone — Android in-memory JNI execution and packaging pipeline