Android Mobile Pentest 101
© tsug0d, September 2018
Lecture 3 – Static Analysis
Goal: Know how to use MobSF and understand what static analysis is
Auto Check
- To make the work easier, in the static phase we first use MobSF to automatically generate an overview of the app
- MobSF is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework
capable of performing static analysis, dynamic analysis, malware analysis and web API testing
Required
• Python 3.6+ - Python 3.6 Download
• Oracle JDK 1.7 or above - Java JDK Download
• Mac OS Users must install Command-line tools - How to Install Commandline Tools in Mac
• iOS IPA Analysis works only on Mac and Linux.
• Windows App Static analysis requires a Windows Host or Windows VM for Mac and Linux. For Windows
App Static Analysis, Read Windows App Static Analysis
Install
• git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
• cd Mobile-Security-Framework-MobSF
• pip3 install virtualenv
• virtualenv -p python3 venv
• source venv/bin/activate
• pip3 install -r requirements.txt
- Create the SQLite database (remember to back up your current db if needed):
python3 manage.py makemigrations
python3 manage.py migrate
- Start MobSF via command:
python3 manage.py runserver
- Access http://localhost:8000/ via the browser
- Drag the apk into it to run the static analysis check; the report includes:
- Permission check
- Manifest file check
- And more information to help you evaluate the app
Manual Check
- One of the important phases in the manual check is Source Code Review
- We are going to use the Bytecode Viewer tool
- Download Bytecode-Viewer-x.x.x.jar from https://github.com/Konloch/bytecode-viewer/releases
FEATURES:
* Easy to use yet extremely effective.
* Written to run on Java 7, supports Java 8.
* Compile Decompiled Java classes with Ranino Compiler.
* Quickly decompile classes using JD-Core.
* Easily edit APKs via Smali/Baksmali integration.
* Java Decompiling with five different decompilers (DJ-GUI/Core, Procyon, CFR, Fernflower and Krakatau).
* Bytecode Decompiling with CFIDE.
* Android APK integrated with Dex2Jar.
* Securely launch Java applications and insert hooks via EZ-Injection.
* Scan for malicious code with the Malicious Code Scanner plugin.
* Export as DEX, Jar, Class, Zip or Java Source File.
* Open Android APKs, Android DEX, Java Class Files and Java Jars.
* Extensively configurable, over 100+ settings!
* Works seamlessly with all Operating Systems.
* Integrate BCV into Windows by installing it, it'll associate all .class, .dex and .apk to open with BCV.
* View Jar & APK Resources with ease by APKTool.jar integration.
* 100% free and open sourced under GPL v3 CopyLeft
- Drag the apk into it, and we can do the source code review on it
- Use the Malicious Code Scanner plugin for a quick check for malicious code
- Found malicious code in com/android/insecurebankv2/DoLogin$RequestTask.class
- If the username entered is "devadmin", the login succeeds regardless of the password
- In the static phase, we have to check whether the app has anti-root, anti-VM and certificate pinning protections installed (discussed later)
- Check whether keys, passwords, etc. are hardcoded in the code or in folders
- Check whether sensitive data is saved in the database (unencrypted passwords, credit cards, ...)
- ...etc
We will walk through some checks
Unencrypted Credentials In Databases
- Using the app, log in and save some data in the account ( dinesh/Dinesh@123$ or jack/Jack@123$ )
- From the computer, open a shell on the virtual device via the command: adb shell
- Go to /data/data/<app_name>/databases/
- Read all databases in this folder using SQLite tool
No Sensitive Data saved in database => Safe
Sensitive Data Storage in Plain-Text
- Use the app
- Go to /data/data/<app_name>
- Check if the content of file in this folder is sensitive, some points:
deviceId, uid, userId, imei, deviceSerialNumber, devicePrint, XDSN, phone, mdn, IMSI, uuid
- Command:
grep -r 'string-to-find' $(find)
No sensitive data saved in plaintext => Safe
Insecure Cookie Storage
- Cookie data is stored unsafely and never expires, so an attacker can use it to hijack the session
- Check the folder for any cookie data; if found, copy it and paste it into a request to see whether we are authenticated
- In this case, no file was found => Safe
Unencrypted Backup File
- If the app allows data backup, check the backup to see whether it contains sensitive data
android:allowBackup is set to true in AndroidManifest.xml
- Log into the app as a normal user ( dinesh/Dinesh@123$ )
- Type the following command to create a backup
adb backup -apk -shared com.android.insecurebankv2
- Confirm the backup prompt on the device (click to back up)
- Backup created
- Convert it to a readable file
cat backup.ab | (dd bs=24 count=0 skip=1; cat) | zlib-flate -uncompress > backup_compressed.tar
- Now check all the backup contents
The files were found to store the credentials ( in base64 ), login history and the transaction logs.
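As an added example (not from the original slides), the same header-strip and inflate step as the dd/zlib-flate pipeline above, done in Python: it reads the 24-byte .ab header, refuses password-protected backups instead of producing garbage, and runs a simple marker search over the extracted files. The sample backup is constructed by the helper at the bottom; the file names, contents and marker strings are assumptions, not the app's real data.

```python
import io
import tarfile
import zlib

# Unencrypted .ab header is 24 bytes: "ANDROID BACKUP\n" + version "1\n" + compressed "1\n"
# + encryption "none\n"; that is exactly what `dd bs=24 skip=1` strips before zlib-flate.
HEADER_MAGIC = b"ANDROID BACKUP"

def parse_ab_header(data):
    """Return (version, compressed, encryption, payload_offset) for an .ab blob."""
    lines = data.split(b"\n", 4)
    if len(lines) < 5 or lines[0] != HEADER_MAGIC:
        raise ValueError("not an Android backup file")
    version = int(lines[1])
    compressed = lines[2] == b"1"
    encryption = lines[3].decode()
    offset = len(data) - len(lines[4])
    return version, compressed, encryption, offset

def extract_backup(data):
    """Return {member_name: bytes} for an unencrypted backup (the zlib-flate step in Python)."""
    _, compressed, encryption, offset = parse_ab_header(data)
    if encryption != "none":
        # Password-protected backups ("AES-256") cannot be inflated directly; stop here.
        raise ValueError("backup is encrypted (%s); cannot extract without the password" % encryption)
    payload = data[offset:]
    if compressed:
        payload = zlib.decompress(payload)
    members = {}
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        for m in tar.getmembers():
            if m.isfile():
                members[m.name] = tar.extractfile(m).read()
    return members

def find_plaintext_secrets(members, markers=(b"password", b"Password", b"Dinesh@123$")):
    """Name the backup files whose raw bytes contain any marker (sorted for stable output)."""
    return sorted(n for n, d in members.items() if any(mk in d for mk in markers))

def build_sample_backup(files, encryption="none"):
    """Constructed test data only: tar `files` and wrap it in a version-1 .ab header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return b"ANDROID BACKUP\n1\n1\n" + encryption.encode() + b"\n" + zlib.compress(buf.getvalue())
```

Credentials stored base64-encoded (as found above) will not match plain markers, so decode suspicious values before judging them.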
Sensitive Information Leaked Through Logs
- Data is leaked via the system log
- Type the following command to watch the log:
adb logcat
- Try to log in:
Weak Custom Cryptography Methodology
- Data is encrypted with a weak custom cryptography methodology
- In com/android/insecurebankv2/CryptoClass.class we found the encrypt/decrypt process
- We got the key: 'This is the super secret key 123'
- We got the encrypted text
- So we write a script to decrypt it (python3):
That is the password of user dinesh we collected above
Activity Hijacking
- In AndroidManifest.xml, if an activity has exported set to true, a user can hijack the flow and launch that activity directly
- As you can see, the activity com.android.insecurebankv2.PostLogin is exported as true
- Now go to the device shell via the command:
adb shell
- Call activity manager (am)
Within an adb shell, you can issue commands with the activity manager (am) tool to perform various
system actions, such as start an activity, force-stop a process, broadcast an intent, modify the device
screen properties, and more
- So to hijack the PostLogin activity (which is the dashboard), we type the following command
am start -n com.android.insecurebankv2/.PostLogin
The app goes directly to the PostLogin section
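An added example, not from the original slides: a small manifest audit in Python that lists the activities another app (or `am start`) can launch and reports whether android:allowBackup is on, so both findings from this lecture can be checked before touching a device. The manifest below is a constructed sample that reuses the package and PostLogin names from the slides; the other activity names are assumptions.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for this example (not the app's real manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.insecurebankv2">
  <application android:allowBackup="true">
    <activity android:name=".LoginActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".PostLogin" android:exported="true"/>
    <activity android:name=".ViewStatement" android:exported="false"/>
    <activity android:name=".DoTransfer">
      <intent-filter><action android:name="com.example.TRANSFER"/></intent-filter>
    </activity>
  </application>
</manifest>"""

def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))  # android:-namespaced attribute

def backup_allowed(manifest_xml):
    """True when <application android:allowBackup="true"> (the finding behind `adb backup`)."""
    app = ET.fromstring(manifest_xml).find("application")
    return app is not None and _attr(app, "allowBackup") == "true"

def exported_activities(manifest_xml):
    """List (activity, reason) pairs reachable from other apps: android:exported="true", or an
    <intent-filter> with no explicit android:exported (implicit default before API 31)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for act in root.find("application").findall("activity"):
        name = _attr(act, "name") or ""
        if name.startswith("."):
            name = package + name  # resolve the shorthand ".PostLogin" form
        filters = act.findall("intent-filter")
        launcher = any(_attr(c, "name") == "android.intent.category.LAUNCHER"
                       for f in filters for c in f.findall("category"))
        exported = _attr(act, "exported")
        if launcher or exported == "false":
            continue  # the launcher entry is expected to be exported; "false" is explicit opt-out
        if exported == "true":
            findings.append((name, "android:exported=true"))
        elif filters:
            findings.append((name, "intent-filter with no explicit android:exported"))
    return findings
```

Run it on the decoded AndroidManifest.xml that MobSF or apktool produces; every activity it lists that is not meant as an entry point should carry android:exported="false" or a permission.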
And more….
- Here is the full checklist to follow:
http://www.mediafire.com/file/fsx9gdpddgcpz2g/Android+Application+Security+CheckList+v2.0+Release+Candidate.xlsx