Android Applications Pentesting
Android Applications Basics
It is highly recommended to start by reading this page to learn about the most important parts related to Android security and the most dangerous components in an Android application:
ADB (Android Debug Bridge)
This is the main tool you need to connect to an Android device (emulated or physical).
ADB allows you to control devices either over USB or over the network from a computer. It lets you copy files in both directions, install and uninstall apps, run shell commands, back up data, read logs, among other functions.
Take a look at the following list of ADB Commands to learn how to use adb.
Smali
Sometimes it is interesting to modify the application code to access hidden information (perhaps well obfuscated passwords or flags). In that case it can be useful to decompile the apk, modify the code and recompile it.
In this tutorial you can learn how to decompile an APK, modify Smali code and recompile the APK with the new functionality. This can be very useful as an alternative for several tests during the dynamic analysis presented below, so always keep this possibility in mind.
Other interesting tricks
- Spoofing your location in Play Store
- Shizuku Privileged API (ADB-based non-root privileged access)
- Exploiting Insecure In-App Update Mechanisms
- Abusing Accessibility Services (Android RAT)
- Android IME / InputMethodService Abuse (Malicious Keyboards)
- NFC/EMV Relay via HCE (Android Tap-to-Pay abuse)
- Download APKs: https://apps.evozi.com/apk-downloader/, https://apkpure.com/es/, https://www.apkmirror.com/, https://apkcombo.com/es-es/apk-downloader/, https://github.com/kiber-io/apkd
- Extract the APK from the device:

```bash
adb shell pm list packages
com.android.insecurebankv2
adb shell pm path com.android.insecurebankv2
package:/data/app/com.android.insecurebankv2-Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
adb pull /data/app/com.android.insecurebankv2-Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
```

- Merge all the splits and base apks with APKEditor:

```bash
mkdir splits
adb shell pm path com.android.insecurebankv2 | cut -d ':' -f 2 | xargs -n1 -I {} adb pull {} splits
java -jar ../APKEditor.jar m -i splits/ -o merged.apk
# after merging, you will need to align and sign the apk, personally, I like to use the uberapksigner
java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
```
Android Enterprise & Work Profile Attacks
Android Enterprise Work Profile Bypass
Case Studies & Vulnerabilities
Air Keyboard Remote Input Injection
Android Rooting Frameworks Manager Auth Bypass Syscall Hook
Abusing Android Media Pipelines Image Parsers
Arm64 Static Linear Map Kaslr Bypass
Static Analysis
First of all, when analysing an APK you should take a look at the Java code using a decompiler.
Please, read here to find information about different available decompilers.
Looking for interesting info
Just by looking at the strings of the APK you can search for passwords, URLs (https://github.com/ndelphit/apkurlgrep), api keys, encryption, bluetooth uuids, tokens and anything interesting... look even for code execution backdoors or authentication backdoors (hardcoded admin credentials to the app).
Firebase
Pay special attention to firebase URLs and check if they are badly configured. More information about what Firebase is and how to exploit it here.
Basic understanding of the application - Manifest.xml, strings.xml
Examining an application's Manifest.xml and strings.xml files can reveal potential security vulnerabilities. These files can be accessed using decompilers or by renaming the APK file extension to .zip and then unzipping it (the manifest inside the zip is binary-encoded XML, so use apktool or a decompiler to read it).
Vulnerabilities identified from the Manifest.xml include:
- Debuggable Applications: Applications set as debuggable (`debuggable="true"`) in the Manifest.xml file pose a risk as they allow connections (jdwp attach, `run-as`) that can lead to exploitation. For more on how to exploit debuggable applications, refer to a tutorial on finding and exploiting debuggable applications on a device.
- Backup Settings: The `android:allowBackup="false"` attribute should be explicitly set for applications dealing with sensitive information to prevent unauthorized data backups via adb, especially when usb debugging is enabled. Note that on Android 12 (API 31) and later, `adb backup` no longer includes app data for apps targeting API 31+, but the attribute still governs cloud backups, so keep checking it.
- Network Security: Custom network security configurations (`android:networkSecurityConfig="@xml/network_security_config"`) in res/xml/ can specify security details like certificate pins and HTTP traffic settings. An example is allowing HTTP traffic for specific domains.
- Exported Activities and Services: Identifying exported activities and services in the manifest can highlight components that might be misused. Further analysis during dynamic testing can reveal how to exploit these components. Remember that a component with an intent-filter and no explicit `android:exported` attribute is implicitly exported in apps targeting API 30 or lower.
- Content Providers and FileProviders: Exposed content providers could allow unauthorized access to or modification of data. The configuration of FileProviders should also be scrutinized.
- Broadcast Receivers and URL Schemes: These components might be leveraged for exploitation, with particular attention to how URL schemes are handled for input vulnerabilities.
- SDK Versions: The `minSdkVersion`, `targetSDKVersion`, and `maxSdkVersion` attributes indicate the supported Android versions, highlighting the importance of not supporting outdated, vulnerable Android versions for security reasons.
From the strings.xml file, sensitive information such as API keys, custom schemas, and other developer notes can be discovered, underscoring the need for careful review of these resources.
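As an added example (not code from the original page or from any tool it mentions), the following Python script performs the manifest checks listed above on a constructed AndroidManifest.xml and network_security_config.xml for a hypothetical app com.example.demo. It flags debuggable, allowBackup, exported components (including ones implicitly exported through an intent-filter), singleTask activities lacking a taskAffinity, the declared deep-link schemes, and the cleartext and user-CA settings of the network security config. The sample XML and the package name are invented; real input is what apktool writes to the output directory.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes

# Constructed manifest for a hypothetical app (not from any real APK), as apktool decodes it.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true" android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".MainActivity" android:exported="true" android:launchMode="singleTask">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="demo" android:host="open"/>
      </intent-filter>
    </activity>
    <activity android:name=".SecretActivity" android:exported="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.p" android:exported="true"/>
  </application>
</manifest>
"""

# Constructed res/xml/network_security_config.xml for the same hypothetical app.
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
  </domain-config>
</network-security-config>
"""

def attr(elem, name, default=None):
    return elem.get(A + name, default)

def is_exported(component):
    # Platform rule: an explicit android:exported wins; otherwise a component with an
    # intent-filter is implicitly exported (apps targeting API 30 or lower).
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None

def audit_manifest(manifest_xml):
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if attr(app, "debuggable") == "true":
        findings.append("debuggable=true: jdwp attach / run-as possible")
    if attr(app, "allowBackup", "true") != "false":
        findings.append("allowBackup not disabled: app data may leave the device via backups")
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            name = attr(comp, "name")
            if is_exported(comp):
                findings.append(f"exported {tag}: {name}")
            if (tag == "activity" and attr(comp, "launchMode") == "singleTask"
                    and attr(comp, "taskAffinity") is None):
                findings.append(f"singleTask without taskAffinity (task hijacking candidate): {name}")
    return findings

def deep_links(manifest_xml):
    # (activity, scheme://host) for every VIEW intent-filter that declares a scheme
    root = ET.fromstring(manifest_xml)
    links = []
    for act in root.find("application").findall("activity"):
        for filt in act.findall("intent-filter"):
            actions = {attr(a, "name") for a in filt.findall("action")}
            if "android.intent.action.VIEW" not in actions:
                continue
            for data in filt.findall("data"):
                scheme = attr(data, "scheme")
                if scheme:
                    links.append((attr(act, "name"), f"{scheme}://{attr(data, 'host', '')}"))
    return links

def cleartext_domains(nsc_xml):
    # domains the network security config explicitly allows over plain HTTP
    root = ET.fromstring(nsc_xml)
    allowed = []
    for cfg in root.findall("domain-config"):
        if cfg.get("cleartextTrafficPermitted") == "true":
            allowed.extend(d.text.strip() for d in cfg.findall("domain"))
    return allowed

def trusts_user_cas(nsc_xml):
    # True when user-installed CAs (e.g. Burp's) are trusted by the base config
    base = ET.fromstring(nsc_xml).find("base-config")
    return base is not None and any(c.get("src") == "user" for c in base.iter("certificates"))
```

Against a real target, decode the APK with apktool and call `audit_manifest(open("out/AndroidManifest.xml").read())` and `cleartext_domains(open("out/res/xml/network_security_config.xml").read())`; the exported list is your starting point for the Drozer and adb tests later on this page, and `trusts_user_cas` tells you in advance whether a Burp CA installed in the user store will be accepted.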
Tapjacking
Tapjacking is an attack where a malicious application is launched and positions itself on top of a victim application. Once it visibly obscures the victim app, its user interface is designed in such a way as to trick the user into interacting with it, while it passes the interaction along to the victim app.
In effect, it is blinding the user from knowing they are actually performing actions on the victim app.
Find more information in:
Task Hijacking
An activity with launchMode set to singleTask and no explicit taskAffinity (so it gets the default affinity, the package name) is vulnerable to task hijacking. This means that a malicious application can be installed and, if it is launched before the real application, it can hijack the task of the real application (so the user, believing they are using the real application, will actually be interacting with the malicious one).
More info in:
Insecure data storage
Internal Storage
In Android, files stored in internal storage are designed to be accessible exclusively by the app that created them. This security measure is enforced by the Android operating system and is generally adequate for the security needs of most applications. However, developers sometimes use modes such as MODE_WORLD_READABLE and MODE_WORLD_WRITABLE to allow files to be shared between different applications. These modes do not restrict access to those files by other applications, including potentially malicious ones. Both modes were deprecated in API 17 and, from API 24, `openFileOutput` and `getSharedPreferences` throw a SecurityException when they are used, but files can still end up world-readable through explicit `chmod` calls or `File.setReadable(true, false)`.
- Static Analysis:
- Ensure that the usage of `MODE_WORLD_READABLE` and `MODE_WORLD_WRITABLE` is carefully scrutinized. These modes can potentially expose files to unintended or unauthorized access.
- Dynamic Analysis:
- Verify the permissions set on files created by the app. Specifically, check if any files are set to be readable or writable worldwide. This can pose a significant security risk, as it would allow any application installed on the device, regardless of its origin or intent, to read or modify these files.
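For the dynamic check above, here is an added Python example (not from the original page) that parses the output of `ls -l` from the app's private directory and reports entries whose "other" permission bits grant read or write, plus a helper that converts an ls mode string to its octal form. The listing is constructed for a hypothetical app com.example.demo and is not captured from a real device.

```python
import re

# Constructed `ls -lR`-style listing of a hypothetical app's private directory
# (/data/data/com.example.demo); not captured from a real device.
SAMPLE_LS = """\
total 24
drwxrwx--x 2 u0_a123 u0_a123 4096 2024-03-01 10:00 cache
drwx------ 2 u0_a123 u0_a123 4096 2024-03-01 10:00 databases
-rw-rw-rw- 1 u0_a123 u0_a123  512 2024-03-01 10:01 shared_prefs/creds.xml
-rw-r--r-- 1 u0_a123 u0_a123 1024 2024-03-01 10:01 shared_prefs/settings.xml
-rw------- 1 u0_a123 u0_a123 8192 2024-03-01 10:02 databases/app.db
lrwxrwxrwx 1 root    root       7 2024-03-01 10:00 lib -> /data/app/lib
"""

MODE_RE = re.compile(r"^[-dlcbps][rwxsStT-]{9}$")

def mode_to_octal(mode):
    """Convert an ls mode string such as '-rw-rw-rw-' to its 4-digit octal form ('0666')."""
    if not MODE_RE.match(mode):
        raise ValueError(f"not an ls mode string: {mode!r}")
    bits = mode[1:]
    special = (4 if bits[2] in "sS" else 0) | (2 if bits[5] in "sS" else 0) | (1 if bits[8] in "tT" else 0)
    digits = []
    for group in (bits[0:3], bits[3:6], bits[6:9]):
        value = (4 if group[0] == "r" else 0) | (2 if group[1] == "w" else 0)
        value |= 1 if group[2] in "xst" else 0  # lower-case s/t imply the execute bit
        digits.append(value)
    return f"{special}{digits[0]}{digits[1]}{digits[2]}"

def parse_ls(listing):
    """Yield (mode, name) for each entry of an `ls -l` listing; skips the total line and symlinks."""
    for line in listing.splitlines():
        fields = line.split(None, 7)
        if len(fields) < 8 or not MODE_RE.match(fields[0]) or fields[0].startswith("l"):
            continue
        yield fields[0], fields[7]

def find_world_accessible(listing):
    """Return (name, 'r' | 'w' | 'rw') for entries whose 'other' bits grant read and/or write."""
    hits = []
    for mode, name in parse_ls(listing):
        other = mode[7:10]
        access = ("r" if other[0] == "r" else "") + ("w" if other[1] == "w" else "")
        if access:
            hits.append((name, access))
    return hits

if __name__ == "__main__":
    for name, access in find_world_accessible(SAMPLE_LS):
        print(f"world-{access}: {name}")
```

Collect the real listing with `adb shell ls -lR /data/data/com.example.demo` on a rooted device, or `adb shell run-as com.example.demo ls -lR .` when the app is debuggable, and pass the text to `find_world_accessible`. Keep in mind that on current Android releases the per-app uid and SELinux labelling (app_data_file) already block cross-app reads of internal storage, so world bits there mostly matter on old devices, while anything the app writes under /sdcard is readable by every app holding the storage permission.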
External Storage
When dealing with files on external storage, like SD Cards, certain precautions should be taken:
- Accessibility:
- Files on external storage are globally readable and writable. This means any application or user can access these files.
- Security Concerns:
- Given the ease of access, it is advised not to store sensitive information on external storage.
- External storage can be removed or accessed by any application, making it less secure.
- Handling Data from External Storage:
- Always perform input validation on data retrieved from external storage. This is crucial because the data comes from an untrusted source.
- Storing executables or class files on external storage for dynamic loading is strongly discouraged.
- If your application must retrieve executable files from external storage, ensure these files are signed and cryptographically verified before they are dynamically loaded. This step is vital for maintaining the security integrity of your application.
External storage can be accessed in /storage/emulated/0, /sdcard and /mnt/sdcard
Tip
Starting with Android 4.4 (API 19), the SD card has a directory structure that gives each app its own directory (Android/data/<package>) which it can write without any permission. Real isolation only arrived with scoped storage (Android 10, enforced for apps targeting API 30 on Android 11), which prevents a malicious application from reading or writing other apps' private directories on external storage; on older versions any app holding READ_EXTERNAL_STORAGE could still read them.
Sensitive data stored in clear-text
- Shared preferences: Android allows each application to easily save xml files in the path `/data/data/<packagename>/shared_prefs/` and sometimes it is possible to find sensitive information in clear-text in that folder.
- Databases: Android allows each application to easily save sqlite databases in the path `/data/data/<packagename>/databases/` and sometimes it is possible to find sensitive information in clear-text in that folder.
Broken TLS
Accept All Certificates
For some reason sometimes developers accept all the certificates even if for example the hostname does not match, with lines of code like the following one (taken from decompiled code, where `cc` is an obfuscated class name):

```java
SSLSocketFactory sf = new cc(trustStore);
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
```

A good way to test this is to try to capture the traffic using some proxy like Burp without authorising the Burp CA inside the device. Also, you can generate with Burp a certificate for a different hostname and use it.
Broken Cryptography
Poor Key Management Processes
Some developers save sensitive data in the local storage and encrypt it with a key hardcoded or predictable in the code. This should not be done as some reversing could allow attackers to extract the confidential information.
Use of Insecure and/or Deprecated Algorithms
Developers should not use deprecated algorithms to perform authorisation checks, store or send data. Some of these algorithms are: RC4, MD4, MD5, SHA1... If hashes are used to store passwords for example, they should be brute-force resistant (a slow, memory-hard function such as scrypt or Argon2) and used with a salt.
Other checks
- It is recommended to obfuscate the APK to make the reverse engineering labour harder for attackers.
- If the app is sensitive (like bank apps), it should perform its own checks to see if the mobile is rooted and act in consequence.
- If the app is sensitive (like bank apps), it should check if an emulator is being used.
- If the app is sensitive (like bank apps), it should check its own integrity before executing to check if it was modified.
- Use APKiD to check which Compiler/Packer/Obfuscator was used to build the APK
React Native Application
Read the following page to learn how to easily access the javascript code of React applications:
Xamarin Applications
Read the following page to learn how to easily access the C# code of xamarin applications:
Superpacked Applications
According to this blog post superpacked is a Meta algorithm that compresses the content of an application into a single file. The blog talks about the possibility of creating an app that decompresses these kinds of apps... and a faster way which involves executing the application and gathering the decompressed files from the filesystem.
Automated Static Code Analysis
The tool mariana-trench is capable of finding vulnerabilities by scanning the code of the application. This tool contains a series of known sources (which indicate to the tool the places where the input is controlled by the user), sinks (which indicate to the tool dangerous places where malicious user input could cause damage) and rules. These rules indicate the combination of sources-sinks that indicates a vulnerability.
With this knowledge, mariana-trench will review the code and find possible vulnerabilities in it.
Secrets leaked
An application may contain secrets (API keys, passwords, hidden urls, subdomains...) inside of it that you might be able to discover. You could use a tool such as https://github.com/dwisiswant0/apkleaks
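To show what such a tool does under the hood (for this section and for the "Looking for interesting info" section above), here is an added Python example that is not code from the original page or from apkleaks. It runs a small set of signature regexes (vendor key formats plus heuristics for passwords, JWTs, cleartext URLs and BLE UUIDs) over a constructed strings.xml fragment, and includes a `strings`-style extractor so the same scan can be applied to the binary entries of an APK. Every value in the sample is invented.

```python
import re
import zipfile

# Constructed sample: a decoded res/values/strings.xml fragment. No value is a real credential.
SAMPLE_STRINGS = """
<string name="api_base">https://api.example.com/v1/</string>
<string name="google_api_key">AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q</string>
<string name="firebase_url">https://demo-app-1234.firebaseio.com</string>
<string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>
<string name="debug_host">http://10.0.2.2:8080/debug</string>
<string name="admin_pass">password=Sup3rS3cret!</string>
<string name="ble_uuid">0000180d-0000-1000-8000-00805f9b34fb</string>
<string name="session">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.c29tZS1zaWduYXR1cmU</string>
<string name="app_name">Demo Bank</string>
"""

# Signature regexes. Vendor key formats (Google, AWS) are fixed-width; the rest are heuristics.
PATTERNS = {
    "google_api_key": r"AIza[0-9A-Za-z_-]{35}",
    "aws_access_key": r"AKIA[0-9A-Z]{16}",
    "firebase_url": r"https://[a-z0-9-]+\.firebaseio\.com",
    "jwt": r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+",
    "cleartext_http_url": r"http://[^\s\"'<>]+",
    "hardcoded_password": r"(?i)(?:password|passwd|pwd)\s*[=:]\s*[^\s<\"']+",
    "bluetooth_uuid": r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b",
    "url": r"https://[^\s\"'<>]+",
}

def scan_secrets(text):
    """Map each pattern name to the distinct matches found in text (kinds without hits are omitted)."""
    hits = {}
    for kind, pattern in PATTERNS.items():
        found = list(dict.fromkeys(m.group(0) for m in re.finditer(pattern, text)))
        if found:
            hits[kind] = found
    return hits

def printable_strings(data, min_len=8):
    """The `strings` equivalent: runs of printable ASCII, e.g. from classes.dex or a .so file."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def scan_apk(path):
    """Scan every entry of an APK (a zip): each entry is reduced to its printable strings first."""
    report = {}
    with zipfile.ZipFile(path) as apk:
        for name in apk.namelist():
            found = scan_secrets("\n".join(printable_strings(apk.read(name))))
            if found:
                report[name] = found
    return report

if __name__ == "__main__":
    for kind, values in scan_secrets(SAMPLE_STRINGS).items():
        print(f"{kind}: {values}")
```

`scan_apk("app.apk")` walks the unmodified APK (classes.dex, resources.arsc, native libraries and assets), so it catches strings the decompiler never shows you; expect noise from the generic `url` and `hardcoded_password` rules and verify each hit in the decompiled code before reporting it.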
Bypass Biometric Authentication
Bypass Biometric Authentication (Android)
Other interesting functions
- Code execution: `Runtime.exec()`, `ProcessBuilder()`, native code: `system()`
- Send SMSs: `sendTextMessage`, `sendMultipartTextMessage`
- Native functions declared as `native`: `public native`, `System.loadLibrary`, `System.load`
- Read this to learn how to reverse native functions
- In-memory native code execution via JNI (downloaded shellcode → mmap/mprotect → call):
In Memory Jni Shellcode Execution
Other tricks
Dynamic Analysis
First of all, you need an environment where you can install the application and all the tooling (Burp CA cert, Drozer and Frida mainly). Therefore, a rooted device (emulated or not) is extremely recommended.
Online Dynamic analysis
You can create a free account in: https://appetize.io/. This platform allows you to upload and execute APKs, so it is useful to see how an apk behaves.
You can even see the logs of your application in the web and connect through adb.
Thanks to the ADB connection you can use Drozer and Frida inside the emulators.
Local Dynamic Analysis
Using an emulator
- Android Studio (You can create x86 and arm devices, and according to this the latest x86 versions support ARM libraries without needing a slow arm emulator).
- Learn to set it up in this page:
- Genymotion (Free version: Personal Edition, you need to create an account. It is recommended to download the version WITH VirtualBox to avoid potential errors.)
- Nox (Free, but it doesn't support Frida or Drozer).
Tip
When creating a new emulator on any platform remember that the bigger the screen is, the slower the emulator will run. So select small screens if possible.
To install google services (like the Play Store) in Genymotion you need to click the Open GApps button in the emulator's toolbar.
Also, notice that in the configuration of the Android VM in Genymotion you can select Bridge Network mode (this will be useful if you will be connecting to the Android VM from a different VM with the tools).
Use a physical device
You need to activate the debugging options and it will be cool if you can root it:
- Settings.
- (From Android 8.0) Select System.
- Select About phone.
- Press Build number 7 times.
- Go back and you will find the Developer options.
Once you have installed the application, the first thing you should do is to try it and investigate what it does, how it works and get comfortable with it.
I will suggest to perform this initial dynamic analysis using MobSF dynamic analysis + pidcat, so we will be able to learn how the application works while MobSF captures a lot of interesting data you can review later on.
Magisk/Zygisk quick notes (recommended on Pixel devices)
- Patch boot.img with the Magisk app and flash it via fastboot to get systemless root
- Enable Zygisk + DenyList for root hiding; consider LSPosed/Shamiko when stronger hiding is needed
- Keep the stock boot.img to restore after OTA updates; re-patch after each OTA
- For screen mirroring, use scrcpy on the host
Unintended Data Leakage
Logging
Developers should be cautious of exposing debugging information publicly, as it can lead to sensitive data leaks. The tools pidcat and adb logcat are recommended for monitoring application logs to identify and protect sensitive information. Pidcat is favoured for its ease of use and readability.
Warning
Note that since Android 4.1 (API 16), applications can only access their own logs: READ_LOGS became a signature/system permission, so applications cannot access the logs of other apps.
Anyway, it is still recommended to not log sensitive information.
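As an added example (not code from the original page or from pidcat), the following Python script reproduces the part of pidcat that matters for a pentest: it resolves the PIDs of a package (main process and its `:name` sub-processes) from `ps -A`, keeps only the `logcat -v threadtime` lines emitted by those PIDs, and flags messages that look like they carry credentials. Both the process table and the log lines are constructed for a hypothetical app com.example.demo.

```python
import re

# Constructed `adb shell ps -A` output (toybox format); not from a real device.
SAMPLE_PS = """\
USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
root             1     0   10000   2000 0                   0 S init
u0_a123       4321   842 1500000 120000 0                   0 S com.example.demo
u0_a123       4400   842 1400000 110000 0                   0 S com.example.demo:remote
u0_a130       4512   842 1300000 100000 0                   0 S com.other.app
"""

# Constructed `adb logcat -v threadtime` lines for the same processes.
SAMPLE_LOGCAT = """\
03-01 10:00:01.123  4321  4321 D AuthManager: login ok user=alice token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln
03-01 10:00:01.200  4512  4512 I OtherApp: started
03-01 10:00:02.010  4321  4350 V Network : POST https://api.example.com/v1/login body={"password":"hunter2"}
03-01 10:00:02.500  4400  4400 D RemoteSvc: sync started
03-01 10:00:03.000  4321  4321 I MainActivity: showing dashboard
"""

# threadtime format: date time PID TID level tag: message (the tag may contain spaces)
THREADTIME = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>.*?)\s*: (?P<msg>.*)$")

# Heuristic for messages that carry a credential; extend per target.
SENSITIVE = re.compile(r"(?i)\b(?:password|passwd|token|secret|pin|otp|session)\b\s*[=:\"]")

def pids_for_package(ps_output, package):
    """PIDs of the package's main process and its ':name' sub-processes (what pidcat filters on)."""
    pids = []
    for line in ps_output.splitlines():
        fields = line.split()
        if len(fields) < 9 or not fields[1].isdigit():
            continue  # header or malformed line
        name = fields[-1]
        if name == package or name.startswith(package + ":"):
            pids.append(int(fields[1]))
    return pids

def filter_logcat(logcat_output, pids):
    """Parse threadtime lines and keep only those emitted by the given PIDs."""
    wanted = set(pids)
    entries = []
    for line in logcat_output.splitlines():
        m = THREADTIME.match(line)
        if m and int(m.group("pid")) in wanted:
            entries.append(m.groupdict())
    return entries

def flag_sensitive(entries):
    """Entries whose message looks like it carries a credential or secret."""
    return [e for e in entries if SENSITIVE.search(e["msg"])]

if __name__ == "__main__":
    pids = pids_for_package(SAMPLE_PS, "com.example.demo")
    for e in flag_sensitive(filter_logcat(SAMPLE_LOGCAT, pids)):
        print(f'[{e["pid"]}] {e["tag"]}: {e["msg"]}')
```

On a device, capture the two inputs with `adb shell ps -A` and `adb logcat -v threadtime -d`, and re-run `pids_for_package` whenever the app restarts, since the PIDs change; PID filtering is what keeps the system's own noise out while still showing every process of the package, which a plain `logcat -s TAG` filter would miss.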
Copy/Paste Buffer Caching
Android's clipboard-based framework enables copy-paste functionality in apps, yet it poses a risk as other applications can access the clipboard, potentially exposing sensitive data (from Android 10 only the focused app or the default IME can read it, which reduces but does not remove the risk). It is crucial to disable copy/paste functions for sensitive sections of an application, such as credit card details, to prevent data leaks.
Crash Logs
If an application crashes and saves logs, these logs can assist attackers, particularly when the application cannot be reverse-engineered. To mitigate this risk, avoid logging on crashes, and if logs must be transmitted over the network, ensure they are sent via a TLS channel for security.
As a pentester, try to take a look at these logs.
Analytics Data Sent To 3rd Parties
Applications often integrate services like Google Adsense, which can inadvertently leak sensitive data due to improper implementation by developers. To identify potential data leaks, it is advisable to intercept the application's traffic and check for any sensitive information being sent to third-party services.
SQLite DBs
Most of the applications will use internal SQLite databases to save information. During the pentest take a look at the databases created, the names of tables and columns and all the data saved because you could find sensitive information (which would be a vulnerability).
Databases should be located in /data/data/the.package.name/databases like /data/data/com.mwr.example.sieve/databases
If the database is saving confidential information and is encrypted but you can find the password inside the application it is still a vulnerability.
Enumerate the tables using `.tables` and enumerate the columns of the tables doing `.schema <table_name>`
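The same enumeration can be scripted once the database has been pulled from the device. The following is an added Python example (not code from the original page) that builds a constructed in-memory stand-in for an app database, lists tables and columns the way `.tables` and `.schema` do, flags column names that usually deserve a look, and additionally scans every stored value for Luhn-valid 13-19 digit numbers, i.e. card PANs kept in clear text. The table layout and rows are invented.

```python
import re
import sqlite3

# Column names that usually deserve a look; heuristic, extend per target.
SENSITIVE_COLUMN = re.compile(r"pass|pwd|secret|token|pin|card|cvv|ssn|iban|key", re.I)

def build_sample_db():
    """Constructed stand-in for /data/data/<pkg>/databases/app.db (no real user data)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT, pan TEXT, cvv TEXT);
        CREATE TABLE settings (key TEXT, value TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hunter2');
        INSERT INTO cards VALUES (1, 'alice', '4111111111111111', '123');
        INSERT INTO settings VALUES ('theme', 'dark');
        INSERT INTO settings VALUES ('api_token', 'tok_constructed_123');
    """)
    return con

def list_tables(con):
    """What the sqlite3 shell's .tables prints."""
    rows = con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%' ORDER BY name")
    return [r[0] for r in rows]

def table_columns(con, table):
    """What .schema <table> tells you, as (column, declared type) pairs."""
    return [(r[1], r[2]) for r in con.execute(f'PRAGMA table_info("{table}")')]

def sensitive_columns(con):
    return [(t, c) for t in list_tables(con) for c, _ in table_columns(con, t) if SENSITIVE_COLUMN.search(c)]

def luhn_ok(digits):
    """Luhn checksum, the quick filter that separates card numbers from other digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(con):
    """Scan every value for 13-19 digit Luhn-valid numbers, i.e. likely card PANs stored in clear."""
    hits = []
    for t in list_tables(con):
        for col, _ in table_columns(con, t):
            for (val,) in con.execute(f'SELECT "{col}" FROM "{t}"'):
                s = str(val)
                if s.isdigit() and 13 <= len(s) <= 19 and luhn_ok(s):
                    hits.append((t, col, s))
    return hits

def dump_table(con, table, limit=5):
    return con.execute(f'SELECT * FROM "{table}" LIMIT ?', (limit,)).fetchall()

if __name__ == "__main__":
    db = build_sample_db()
    for t in list_tables(db):
        print(t, table_columns(db, t), dump_table(db, t))
    print("sensitive columns:", sensitive_columns(db))
    print("PANs in clear:", find_pans(db))
```

For a real target replace `build_sample_db()` with `sqlite3.connect("app.db")` after pulling the file (and its `-wal` and `-journal` companions, which can hold rows not yet checkpointed or recently deleted) with `adb pull`. If the file does not start with the `SQLite format 3` header it is probably SQLCipher-encrypted, and the key is then worth hunting for in the decompiled code as the text above suggests.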
Drozer (Exploit Activities, Content Providers and Services)
From the Drozer Docs: Drozer allows you to assume the role of an Android app and interact with other apps. It can do anything that an installed application can do, such as make use of Android's Inter-Process Communication (IPC) mechanism and interact with the underlying operating system.
Drozer is a useful tool to exploit exported activities, exported services and Content Providers as you will learn in the following sections.
Exploiting exported Activities
Read this if you want to refresh what is an Android Activity.
Also remember that the code of an activity starts in the onCreate method.
Authorisation bypass
When an Activity is exported you can invoke its screen from an external app. Therefore, if an activity with sensitive information is exported you could bypass the authentication mechanisms to access it.
Learn how to exploit exported activities with Drozer.
You can also start an exported activity from adb:
- PackageName is com.example.demo
- Exported ActivityName is com.example.test.MainActivity

```bash
adb shell am start -n com.example.demo/com.example.test.MainActivity
```

NOTE: MobSF will detect as malicious the use of singleTask/singleInstance as android:launchMode in an activity, but due to this, apparently this is only dangerous on old versions (API versions < 21).
Tip
Note that an authorisation bypass is not always a vulnerability; it will depend on how the bypass works and which information is exposed.
Sensitive information leakage
Activities can also return results. If you manage to find an exported and unprotected activity calling the setResult method and returning sensitive information, there is a sensitive information leakage.
Tapjacking
If tapjacking isn't prevented, you could abuse the exported activity to make the user perform unexpected actions. For more info about what Tapjacking is follow the link.
Exploiting Content Providers - Accessing and manipulating sensitive information
Read this if you want to refresh what is a Content Provider.
Content providers are basically used to share data. If an app has available content providers you may be able to extract sensitive data from them. It is also interesting to test possible SQL injections and Path Traversals as they could be vulnerable.
Learn how to exploit Content Providers with Drozer.
Exploiting Services
Read this if you want to refresh what is a Service.
Remember that the actions of a Service start in the method onStartCommand.
A service is basically something that can receive data, process it and return (or not) a response. Then, if an application is exporting some services you should check the code to understand what it is doing and test it dynamically for extracting confidential info, bypassing authentication measures...
Learn how to exploit Services with Drozer.
Exploiting Broadcast Receivers
Read this if you want to refresh what is a Broadcast Receiver.
Remember that the actions of a Broadcast Receiver start in the method onReceive.
A broadcast receiver will be waiting for a type of message. Depending on how the receiver handles the message it could be vulnerable.
Learn how to exploit Broadcast Receivers with Drozer.
Exploiting Schemes / Deep links
You can look for deep links manually, using tools like MobSF or scripts like this one.
You can open a declared scheme using adb or a browser:

```bash
adb shell am start -a android.intent.action.VIEW -d "scheme://hostname/path?param=value" [your.package.name]
```

Note that you can omit the package name and the mobile will automatically call the app that should open that link.

```html
<!-- Browser regular link -->
<a href="scheme://hostname/path?param=value">Click me</a>
<!-- fallback in your url you could try the intent url -->
<a href="intent://hostname#Intent;scheme=scheme;package=your.package.name;S.browser_fallback_url=http%3A%2F%2Fwww.example.com;end">with alternative</a>
```

Code executed
In order to find the code that will be executed in the App, go to the activity called by the deeplink and search the function onNewIntent (and onCreate, which receives the intent when the activity is started cold).
Sensitive info
Every time you find a deep link check that it isn't receiving sensitive data (like passwords) via URL parameters, because any other application could impersonate the deep link and steal that data!
Parameters in path
You must also check if any deep link is using a parameter inside the path of the URL like: https://api.example.com/v1/users/{username}, in that case you can force a path traversal accessing something like: example://app/users?username=../../unwanted-endpoint%3fparam=value.
Note that if you find the correct endpoints inside the application you may be able to cause an Open Redirect (if part of the path is used as domain name), account takeover (if you can modify users details without CSRF token and the vuln endpoint used the correct method) and any other vuln. More info about this here.
An interesting bug bounty report about links (/.well-known/assetlinks.json).
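To make the path traversal above concrete, here is an added Python example (not code from the original page) that models an app taking `?username=` from a deep link and splicing it into the API path, resolves the resulting URL the way an HTTP client would, and places a hardened version beside it. The API base https://api.example.com/v1/ and the deep link scheme example:// are the hypothetical ones from the text.

```python
import re
from urllib.parse import parse_qs, quote, urljoin, urlparse

API_BASE = "https://api.example.com/v1/"  # hypothetical backend from the text above

def username_from_deeplink(deep_link):
    """Extract ?username= from a deep link, decoding percent-escapes as Uri.getQueryParameter does."""
    return parse_qs(urlparse(deep_link).query).get("username", [""])[0]

def build_user_url_vulnerable(deep_link):
    """Splices the deep-link parameter straight into the API path; '..' segments then collapse."""
    return urljoin(API_BASE, f"users/{username_from_deeplink(deep_link)}")

def build_user_url_fixed(deep_link):
    """Allow-list the value, percent-encode it, and confirm the result stays under the intended prefix."""
    username = username_from_deeplink(deep_link)
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", username) or username in (".", ".."):
        raise ValueError(f"rejected username {username!r}")
    url = urljoin(API_BASE, "users/" + quote(username, safe=""))
    if not url.startswith(API_BASE + "users/"):  # defence in depth
        raise ValueError("resolved URL escaped the users/ prefix")
    return url

if __name__ == "__main__":
    benign = "example://app/users?username=alice"
    hostile = "example://app/users?username=../../unwanted-endpoint%3fparam=value"
    print(build_user_url_vulnerable(benign))
    print(build_user_url_vulnerable(hostile))  # the request leaves /v1/users/ entirely
    try:
        build_user_url_fixed(hostile)
    except ValueError as e:
        print("fixed:", e)
```

The hostile link turns `/v1/users/<username>` into `https://api.example.com/unwanted-endpoint?param=value`: the `%3f` is decoded to `?` when the parameter is read, so the attacker also controls the query string of the rewritten request, which is the primitive behind the open redirect and account takeover cases mentioned above.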
Transport Layer Inspection and Verification Failures
- Certificates are not always inspected properly by Android applications. It is common for these applications to overlook warnings and accept self-signed certificates or, in some instances, revert to using HTTP connections.
- Negotiations during the SSL/TLS handshake are sometimes weak, employing insecure cipher suites. This vulnerability makes the connection susceptible to man-in-the-middle (MITM) attacks, allowing attackers to decrypt the data.
- Leakage of private information is a risk when applications authenticate using secure channels but then communicate over non-secure channels for other transactions. This approach fails to protect sensitive data, such as session cookies or user details, from interception by malicious entities.
Certificate Verification
We will focus on certificate verification. The integrity of the server's certificate must be verified to enhance security. This is crucial because insecure TLS configurations and the transmission of sensitive data over unencrypted channels can pose significant risks. For detailed steps on verifying server certificates and addressing vulnerabilities, this resource provides comprehensive guidance.
SSL Pinning
SSL Pinning is a security measure where the application verifies the server's certificate against a known copy stored within the application itself. This method is essential for preventing MITM attacks. Implementing SSL Pinning is strongly recommended for applications handling sensitive information.
Traffic Inspection
To inspect HTTP traffic, it is necessary to install the proxy tool's certificate (e.g., Burp). Without installing this certificate, encrypted traffic might not be visible through the proxy. For a guide on installing a custom CA certificate, click here.
Applications targeting API Level 24 and above require modifications to the Network Security Config to accept the proxy's CA certificate, because user-installed CAs are no longer trusted by default from that level. This step is critical for inspecting encrypted traffic. For instructions on modifying the Network Security Config, refer to this tutorial.
If Flutter is being used you need to follow the instructions in this page. This is because just adding the certificate to the store won't work as Flutter has its own list of valid CAs.
Static detection of SSL/TLS pinning
Before attempting runtime bypasses, quickly map where pinning is enforced in the APK. Static detection helps you plan hooks/patches and focus on the relevant code paths.
Tool: SSLPinDetect
- Open-source static-analysis utility that decompiles the APK to Smali (via apktool) and scans for curated regex patterns of SSL/TLS pinning implementations.
- Reports the exact file path, line number, and code snippet for each match.
- Covers common frameworks and custom code paths: OkHttp CertificatePinner, custom javax.net.ssl.X509TrustManager.checkServerTrusted, SSLContext.init with custom TrustManagers/KeyManagers, and Network Security Config XML pins.
Install
- Prereqs: Python >= 3.8, Java on PATH, apktool

```bash
git clone https://github.com/aancw/SSLPinDetect
cd SSLPinDetect
pip install -r requirements.txt
```

Usage

```bash
# Basic
python sslpindetect.py -f app.apk -a apktool.jar
# Verbose (timings + per-match path:line + snippet)
python sslpindetect.py -a apktool_2.11.0.jar -f sample/app-release.apk -v
```

Example pattern rules (JSON). Use or extend the signatures to detect proprietary/custom pinning styles. You can load your own JSON and scan at scale.

```json
{
  "OkHttp Certificate Pinning": [
    "Lcom/squareup/okhttp/CertificatePinner;",
    "Lokhttp3/CertificatePinner;",
    "setCertificatePinner"
  ],
  "TrustManager Override": [
    "Ljavax/net/ssl/X509TrustManager;",
    "checkServerTrusted"
  ]
}
```

Notes and tips
- Fast scanning on large apps via multi-threading and memory-mapped I/O; precompiled regexes reduce overhead/false positives.
- Pattern collection: https://github.com/aancw/smali-sslpin-patterns
- Typical detection targets to review next:
- OkHttp: CertificatePinner usage, setCertificatePinner, okhttp3/okhttp package references
- Custom TrustManagers: javax.net.ssl.X509TrustManager, checkServerTrusted overrides
- Custom SSL contexts: SSLContext.getInstance + SSLContext.init with custom managers
- Declarative pins in res/xml network security config and manifest references
- Use the reported locations to plan Frida hooks, static patches, or config review before dynamic testing.
Bypassing SSL Pinning
When SSL Pinning is implemented, bypassing it becomes necessary to inspect HTTPS traffic. Various methods are available for this purpose:
- Automatically modify the apk to bypass SSLPinning with apk-mitm. The best pro of this option is that you won't need root to bypass the SSL Pinning, but you will need to uninstall the application and reinstall the new one, and this won't always work.
- You could use Frida (discussed below) to bypass this protection. Here you have a guide to use Burp+Frida+Genymotion: https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/
- You can also try to automatically bypass SSL Pinning using objection:

```bash
objection --gadget com.package.app explore --startup-command "android sslpinning disable"
```

- You can also try to automatically bypass SSL Pinning using MobSF dynamic analysis (explained below)
- If you still think that there is some traffic that you aren't capturing you can try to forward the traffic to Burp using iptables. Read this blog: https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62
Looking for common web vulnerabilities
It is important to also search for common web vulnerabilities within the application. Detailed information on identifying and mitigating these vulnerabilities is beyond the scope of this summary but is extensively covered elsewhere.
Frida
Frida is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
You can access the running application and hook methods at run time to change the behaviour, change values, extract values, run different code...
If you want to pentest Android applications you need to know how to use Frida.
- Learn how to use Frida: Frida tutorial
- Some "GUI" for actions with Frida: https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security
- Objection is great to automate the use of Frida: https://github.com/sensepost/objection , https://github.com/dpnishant/appmon
- You can find some Awesome Frida scripts here: https://codeshare.frida.re/
- Try to bypass anti-debugging / anti-frida mechanisms by loading Frida as indicated in https://erfur.github.io/blog/dev/code-injection-without-ptrace (tool linjector)
Anti-instrumentation & SSL pinning bypass workflow
Android Anti Instrumentation And Ssl Pinning Bypass
Dump Memory - Fridump
Check if the application is storing sensitive information inside the memory that it shouldn't be storing, like passwords or mnemonics.
Using Fridump3 you can dump the memory of the app with:

```bash
# With PID
python3 fridump3.py -u <PID>
# With name
frida-ps -Uai
python3 fridump3.py -u "<Name>"
```

This will dump the memory in the ./dump folder, and in there you could grep for a 12-word BIP39-style mnemonic with something like:

```bash
strings * | grep -E "^[a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+$"
```
Data nyeti katika Keystore
In Android, the Keystore is the best place to store sensitive data; however, with enough privileges it is still possible to abuse it. Because applications tend to decrypt sensitive data with Keystore-backed keys and then hold it in clear text, the pentest should check whether a root user or someone with physical access to the device could capture that data.
Even if an app stores data in the keystore, the data should be encrypted.
To observe the data the app passes through Keystore-backed ciphers you can use this Frida script: https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js

```bash
frida -U -f com.example.app -l frida-scripts/tracer-cipher.js
```
Fingerprint/Biometrics Bypass
Using the following Frida script it could be possible to bypass the fingerprint authentication that Android applications might be performing in order to protect certain sensitive areas:

```bash
frida --codeshare krapgras/android-biometric-bypass-update-android-11 -U -f <app.package>
```
Background Images
When you put an application in the background, Android stores a snapshot of the application so when it is recovered to the foreground it starts showing the image before the app, so it looks like the app was loaded faster.
However, if this snapshot contains sensitive information, someone with access to the snapshot might steal that info (note that you need root to access it).
The snapshots are usually stored around: /data/system_ce/0/snapshots
Android provides a way to prevent screenshot capture by setting the FLAG_SECURE layout parameter. By using this flag, the window contents are treated as secure, preventing them from appearing in screenshots or from being viewed on non-secure displays.

```java
getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);
```
Android Application Analyzer
This tool can help you manage the different tools during dynamic analysis: https://github.com/NotSoSecure/android_application_analyzer
Intent Injection
Developers often create proxy components such as activities, services and broadcast receivers that handle these Intents and pass them on to methods like startActivity(...) or sendBroadcast(...), which can be dangerous.
The danger lies in letting an attacker trigger non-exported app components or reach sensitive content providers by misdirecting these Intents. A notable example is a WebView component that converts URLs into Intent objects via Intent.parseUri(...) and then executes them, which can lead to malicious Intent injection.
Essential Takeaways
- Intent Injection is similar to the web's Open Redirect issue.
- Exploits involve passing Intent objects as extras, which can be redirected to execute unsafe operations.
- It can expose non-exported components and content providers to attackers.
- URL-to-Intent conversion in WebView can facilitate unintended actions.
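As an added example (not code from the page or from any project) of what the takeaways above look like in app code: a proxy activity that forwards an Intent received as an extra, first in the pattern that is vulnerable, then with the checks that close the redirect, plus the parseUri(...) handling for the WebView case. Class names, the extra name "next_intent" and the helper IntentGuard are assumptions made for this example.

```java
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.os.Bundle;
import java.net.URISyntaxException;

// Vulnerable pattern described above: an exported proxy activity forwards an Intent
// that arrived as an extra without checking where it points. The extra name is
// constructed for this example.
class ProxyActivityVulnerable extends Activity {
    @Override protected void onCreate(Bundle s) {
        super.onCreate(s);
        Intent next = getIntent().getParcelableExtra("next_intent"); // caller-controlled
        if (next != null) startActivity(next); // may reach our non-exported components
    }
}

// Hardened version (example code, not from any project): the forwarded Intent is only
// honoured when it resolves to an exported activity of a different package and carries
// no URI-permission grants that would hand out access to our content providers.
class ProxyActivityHardened extends Activity {
    private static final String FORWARD_EXTRA = "next_intent"; // constructed extra name

    @Override protected void onCreate(Bundle s) {
        super.onCreate(s);
        Intent next = getIntent().getParcelableExtra(FORWARD_EXTRA);
        if (next != null && IntentGuard.isSafeToForward(this, next)) {
            startActivity(next);
        } else {
            finish(); // refuse rather than forward anything unexpected
        }
    }
}

final class IntentGuard {
    private static final int URI_GRANT_FLAGS =
            Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION;

    private IntentGuard() {}

    // Returns true only for Intents that cannot be used to reach internal components.
    static boolean isSafeToForward(Context ctx, Intent intent) {
        // Never let the caller pre-grant URI access on our behalf.
        if ((intent.getFlags() & URI_GRANT_FLAGS) != 0) return false;
        ActivityInfo target = intent.resolveActivityInfo(ctx.getPackageManager(), 0);
        if (target == null) return false;
        // Redirecting into our own package is exactly how non-exported activities get hit.
        if (ctx.getPackageName().equals(target.packageName)) return false;
        return target.exported;
    }

    // WebView case: turn an intent:// URL into an Intent but strip the parts an attacker
    // could use to target an explicit (possibly non-exported) component.
    static Intent fromWebUrl(String url) throws URISyntaxException {
        Intent intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
        intent.addCategory(Intent.CATEGORY_BROWSABLE); // only activities that opted in
        intent.setComponent(null);                     // drop explicit target
        intent.setSelector(null);                      // drop selector that re-targets it
        intent.setFlags(intent.getFlags() & ~URI_GRANT_FLAGS);
        return intent;
    }
}
```

When reviewing an app, the fast way to spot the vulnerable shape is to grep the decompiled code for getParcelableExtra calls whose result flows into startActivity, startService, sendBroadcast or setResult, and for Intent.parseUri calls that are not followed by setComponent(null) and setSelector(null).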
Android Client Side Injections and others
You probably know this kind of vulnerability from the web. You must be very careful with these vulnerabilities in an Android application:
- SQL Injection: when dealing with dynamic queries or Content Providers make sure you use parameterized queries.
- JavaScript Injection (XSS): verify that JavaScript and Plugin support is disabled for any WebViews (disabled by default). More info here.
- Local File Inclusion: WebViews should have access to the file system disabled (enabled by default) (webview.getSettings().setAllowFileAccess(false);). More info here.
- Eternal cookies: in several cases, when the Android application ends the session the cookie is not revoked or it may even be saved to disk.
- Secure Flag in cookies
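The following is an added example, not code from the page or from any project, that puts the weak configuration beside the corrected one for three of the items above: WebView settings (JavaScript, file access), a ContentProvider query that concatenates the caller's selection versus one built with SQLiteQueryBuilder in strict mode, and a logout routine that actually clears WebView cookies and storage. The class name ClientSideHardening, the table "notes" and its columns are assumptions made for this example.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.webkit.CookieManager;
import android.webkit.WebSettings;
import android.webkit.WebStorage;
import android.webkit.WebView;
import java.util.HashMap;
import java.util.Map;

// Hypothetical helper (added example, not from any project).
public final class ClientSideHardening {
    private ClientSideHardening() {}

    // Weak configuration: the settings an audit usually flags. A file:// page loaded
    // into this WebView can read other local files and run attacker-supplied JS.
    static void configureWebViewWeak(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);                 // default is true below API 30
        s.setAllowFileAccessFromFileURLs(true);
        s.setAllowUniversalAccessFromFileURLs(true);
    }

    // Hardened configuration for a WebView that only renders remote HTTPS content.
    static void configureWebViewHardened(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);              // enable only if the page needs it
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);             // no content:// loads either
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
    }

    // ContentProvider.query() body, vulnerable form: the caller's selection string is
    // pasted into SQL, so a selection such as  1=1) OR (1=1  changes the query.
    static Cursor queryNotesVulnerable(SQLiteDatabase db, String selection) {
        return db.rawQuery("SELECT id, body FROM notes WHERE (" + selection + ")", null);
    }

    // Hardened form: strict mode rejects sub-selects and other SQL-injection tricks
    // in selection/sortOrder, the projection map limits the columns a caller can
    // name, and selectionArgs are bound as parameters.
    static Cursor queryNotesSafe(SQLiteDatabase db, String[] projection, String selection,
                                 String[] selectionArgs, String sortOrder) {
        Map<String, String> allowedColumns = new HashMap<>();
        allowedColumns.put("id", "id");
        allowedColumns.put("body", "body");
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");
        qb.setProjectionMap(allowedColumns);
        qb.setStrict(true);
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    // Logout: remove every cookie and all web storage so the session does not
    // survive on disk ("eternal cookies").
    static void clearWebSession(WebView webView) {
        CookieManager cm = CookieManager.getInstance();
        cm.removeAllCookies(null);
        cm.flush();                                  // persist the removal immediately
        WebStorage.getInstance().deleteAllData();
        webView.clearCache(true);
        webView.clearHistory();
    }
}
```

The Secure flag on cookies is set by the server in the Set-Cookie header, so on the client side the check is simply whether the app ever talks to the backend over plain http (see the HTTP tools section of MobSF below) and whether logout reaches a routine like clearWebSession.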
Automatic Analysis
MobSF
Static analysis
Vulnerability assessment of the application using a nice web frontend. You can also perform dynamic analysis (but you need to prepare the environment).
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
Notice that MobSF can analyse Android (apk), iOS (ipa) and Windows (apx) applications (Windows applications must be analysed from a MobSF installed on a Windows host).
Also, if you create a ZIP file with the source code of an Android or an iOS app (go to the root folder of the application, select everything and create a ZIP file), it will be able to analyse it as well.
MobSF also allows you to diff/Compare analyses and to integrate VirusTotal (you will need to set your API key in MobSF/settings.py and enable it: VT_ENABLED = TRUE VT_API_KEY = <Your API key> VT_UPLOAD = TRUE). You can also set VT_UPLOAD to False; then the hash will be uploaded instead of the file.
MobSF Assisted Dynamic Analysis
MobSF can also be very helpful for dynamic analysis on Android, but in that case you will need to install MobSF and genymotion on your host (a VM or Docker won't work). Note: you need to start the VM in genymotion first and then MobSF.
The MobSF dynamic analyser can:
- Dump application data (URLs, logs, clipboard, screenshots made by you, screenshots made by "Exported Activity Tester", emails, SQLite databases, XML files, and other created files). All of this is done automatically except for the screenshots: you need to press when you want a screenshot, or press "Exported Activity Tester" to obtain screenshots of all the exported activities.
- Capture HTTPS traffic
- Use Frida to obtain runtime information
On Android versions > 5, it will automatically start Frida and set global proxy settings to capture traffic. It will only capture traffic from the tested application.
Frida
By default, it will also use some Frida Scripts to bypass SSL pinning, root detection and debugger detection and to monitor interesting APIs.
MobSF can also invoke exported activities, grab screenshots of them and save them for the report.
To start the dynamic testing press the green button "Start Instrumentation". Press "Frida Live Logs" to see the logs generated by the Frida scripts and "Live API Monitor" to see all the invocations of hooked methods, the arguments passed and the returned values (this will appear after pressing "Start Instrumentation").
MobSF also allows you to load your own Frida scripts (to send the results of your Frida scripts to MobSF use the function send()). It also has several pre-written scripts you can load (you can add more in MobSF/DynamicAnalyzer/tools/frida_scripts/others/): just select them, press "Load" and press "Start Instrumentation" (you will be able to see the logs of those scripts inside "Frida Live Logs").
Moreover, you have some Auxiliary Frida functionalities:
- Enumerate Loaded Classes: lists all the loaded classes
- Capture Strings: logs all the strings captured while using the application (very noisy)
- Capture String Comparisons: can be very useful. It shows the two strings being compared and whether the result was True or False.
- Enumerate Class Methods: enter the class name (like "java.io.File") and it lists all the methods of the class.
- Search Class Pattern: search classes by pattern
- Trace Class Methods: trace the whole class (see inputs and outputs of all the methods of the class). Remember that by default MobSF traces several interesting Android API methods.
Once you have selected the auxiliary module you want to use you need to press "Start Instrumentation" and you will see all the outputs in "Frida Live Logs".
Shell
MobSF also comes with a shell with some adb commands, MobSF commands and common shell commands at the bottom of the dynamic analysis page. Some interesting commands:
help
shell ls
activities
exported_activities
services
receivers
HTTP tools
While the http traffic is being captured you can see an ugly view of the captured traffic in the "HTTP(S) Traffic" button at the bottom, or a nicer view in the green "Start HTTPTools" button. From the second option, you can send the captured requests to proxies like Burp or OWASP ZAP.
To do so, power on Burp -> turn off Intercept -> in MobSF HTTPTools select the request -> press "Send to Fuzzer" -> select the proxy address (http://127.0.0.1:8080).
Once you finish the dynamic analysis with MobSF you can press "Start Web API Fuzzer" to fuzz the http requests and look for vulnerabilities.
Tip
After performing a dynamic analysis with MobSF the proxy settings may be misconfigured and you cannot fix them from the GUI. You can fix the proxy settings by running:
adb shell settings put global http_proxy :0
Assisted Dynamic Analysis with Inspeckage
You can get the tool from Inspeckage.
This tool will use some Hooks to let you know what is happening in the application while you perform a dynamic analysis.
Yaazhini
This is a nice tool to perform static analysis with a GUI
Qark
This tool is designed to look for several security-related Android application vulnerabilities, either in source code or in packaged APKs. The tool is also capable of creating a "Proof-of-Concept" deployable APK and ADB commands to exploit some of the found vulnerabilities (exposed activities, intents, tapjacking...). As with Drozer, there is no need to root the test device.
pip3 install --user qark # --user is only needed if not using a virtualenv
qark --apk path/to/my.apk
qark --java path/to/parent/java/folder
qark --java path/to/specific/java/file.java
ReverseAPK
- Displays all extracted files for easy reference
- Automatically decompiles APK files to Java and Smali format
- Analyses AndroidManifest.xml for common vulnerabilities and behaviour
- Static source code analysis for common vulnerabilities and behaviour
- Device information
- and more
reverse-apk relative/path/to/APP.apk
SUPER Android Analyzer
SUPER is a command-line application that can be used on Windows, MacOS X and Linux, and which analyses .apk files in search of vulnerabilities. It does this by decompressing the APKs and applying a series of rules to detect those vulnerabilities.
All the rules are centralised in a rules.json file, and each company or tester can create its own rules to analyse what they need.
Download the latest binaries from the download page
super-analyzer {apk_file}
StaCoAn
StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications.
The concept is that you drag and drop your mobile application file (an .apk or .ipa file) onto the StaCoAn application and it will generate a visual and portable report for you. You can tweak the settings and wordlists to get a customised experience.
Download latest release:
./stacoan
AndroBugs
AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications.
Windows releases
python androbugs.py -f [APK file]
androbugs.exe -f [APK file]
Androwarn
Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developed by an Android application.
The detection is performed with static analysis of the application's Dalvik bytecode, represented as Smali, using the androguard library.
This tool looks for common behaviours of "bad" applications such as: telephony identifiers exfiltration, audio/video flow interception, PIM data modification, arbitrary code execution...
python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
MARA Framework
MARA is a Mobile Application Reverse engineering and Analysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier for mobile application developers and security professionals.
It can:
- Extract Java and Smali code using various tools
- Analyse APKs using: smalisca, ClassyShark, androbugs, androwarn, APKiD
- Extract private information from the APK using regexps.
- Analyse the Manifest.
- Analyse the discovered domains using: pyssltest, testssl and whatweb
- Deobfuscate the APK via apk-deguard.com
Koodous
Useful to detect malware: https://koodous.com/
Obfuscating/Deobfuscating code
Note that, depending on the service and configuration you use to obfuscate the code, secrets may or may not end up obfuscated.
ProGuard
From Wikipedia: ProGuard is an open source command-line tool that shrinks, optimizes and obfuscates Java code. It is able to optimize bytecode as well as detect and remove unused instructions. ProGuard is free software and is distributed under the GNU General Public License, version 2.
ProGuard is distributed as part of the Android SDK and runs when building the application in release mode.
DexGuard
Find a step-by-step guide to deobfuscating the apk at https://blog.lexfo.fr/dexguard.html
(From that guide) Last time we checked, the Dexguard mode of operation was:
- load a resource as an InputStream;
- feed the result to a class inheriting from FilterInputStream to decrypt it;
- do some useless obfuscation to waste a few minutes of a reverser's time;
- feed the decrypted result to a ZipInputStream to get a DEX file;
- finally load the resulting DEX as a Resource using the loadDex method.
DeGuard
DeGuard reverses the process of obfuscation performed by Android obfuscation tools. This enables numerous security analyses, including code inspection and predicting libraries.
You can upload an obfuscated APK to their platform.
Deobfuscate android App: https://github.com/In3tinct/deobfuscate-android-app
This is an LLM tool to find potential security vulnerabilities in android apps and deobfuscate android app code. It uses Google's Gemini public API.
Simplify
It is a generic android deobfuscator. Simplify virtually executes an app to understand its behaviour and then tries to optimize the code so that it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn't matter what specific type of obfuscation was used.
APKiD
APKiD gives you information about how an APK was made. It identifies many compilers, packers, obfuscators and other weird things. It's PEiD for Android.
Manual
Read this tutorial to learn some tricks on how to reverse custom obfuscation
Labs
Androl4b
AndroL4b is an Android security virtual machine based on ubuntu-mate that includes a collection of the latest frameworks, tutorials and labs from different security geeks and researchers for reverse engineering and malware analysis.
References
- https://owasp.org/www-project-mobile-app-security/
- https://appsecwiki.com/#/ A great list of resources
- https://maddiestone.github.io/AndroidAppRE/ A short Android course
- https://manifestsecurity.com/android-application-security/
- https://github.com/Ralireza/Android-Security-Teryaagh
- https://www.youtube.com/watch?v=PMKnPaGWxtg&feature=youtu.be&ab_channel=B3nacSec
- SSLPinDetect: Advanced SSL Pinning Detection for Android Security Analysis
- SSLPinDetect GitHub
- smali-sslpin-patterns
- Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa
- CoRPhone — Android in-memory JNI execution and packaging pipeline