Mobile Pen-Testing

Dynamic analysis on Diva APK

Shadab Ahmed Ansari
6 min readJun 11, 2021

Hi All!! Today we take you through mobile pen-testing: how to perform dynamic testing on Android applications.

In my recent blog you will find how to perform static analysis on Android applications. To view the blog, click here.

To perform dynamic analysis we require certain pre-requisites.

Let us do it step by step…

Genymotion

1. What is Genymotion?

It is a platform where we can create a virtual device for the Android platform. Make sure you download it from the official site as Genymotion with VirtualBox.

To download Genymotion with VirtualBox, click here.

Once downloaded run the installation file.

Wait to get it finished…

Open the Genymotion app and click on CREATE ACCOUNT.

It will redirect you to the browser for registration.

Enter all the details and a valid email id.

It will trigger a mail for activation.

Go to your email and click on the activation link.

Once activated, go to Genymotion and click Personal Use.

Our environment is ready to install our virtual device.

Then, when your device is ready, install the requirements for the device:

ARM translation: this library maps ARM CPU instructions to x86 instructions; its source code is closed.

Gapps: simply installs the Google Play Store, from where we can download the applications we need.

How to install ADB?

Before we go to ADB, what is it? ADB (Android Debug Bridge) is a command-line tool that lets you communicate with a device. The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on the device.

First download the ADB tool on your system; to download, click here.

Then, on the virtual mobile device, enable developer mode:

Go to Settings -> About device -> tap 7 times on Build number to enable developer mode.

Go to Developer options -> tick USB debugging.

Go to the platform-tools directory where we downloaded ADB and open cmd there.

To check whether the device is connected or not, simply type:

adb devices

Device connection

In the above figure you can see that ADB is successfully connected to our virtual mobile device.

Now we can do all the activities as needed.

Once all is set, we will move to our target and perform pen-testing on the DIVA APK.

Download the DIVA APK: click here

Now our environment is all set; let's begin with the testing…

1.) Insecure Logging:

· The goal is to find out where the user-entered information is being logged and also the code making this vulnerable.


· It is common for Android apps to log sensitive information to logcat. So, let's see if this application logs data to logcat.

Enter the following command:

adb logcat

Device log

Now enter a random code in the emulator and observe the log. The code is incorrect, so the app should only report an error, but instead it writes the entered code to the log in plaintext.

Insecure logging details

As you can see in the source code of LogActivity, the code should only throw an error, not log the incorrect code.

Source code for LogActivity

2.) Hardcoded Issues:

After converting the file from dex to jar we can view the source code.

While viewing the code of the hardcode activity, you can see that the value is hardcoded.

Hardcoded value

Now, when we enter some data into the device there are many places it may get saved:

shared preferences

local database

tmp_file

local file on sd card

3.) Insecure Data Storage (Part 1) (Shared Preferences):

Enter random credentials to check where they are going to be saved…

Insecure Data storage — Part 1

Then view the source code; as in the figure below, it is saving them in the shared preferences…

save credentials in shared preferences

Run adb shell to check the entered credentials.

ADB: the Android Debug Bridge, which lets our system communicate with the device.

Then move into the /data/data/ directory; it lists the data directories of the installed apps. We will be looking for diva.

ADB shell

Then go into the diva app directory and you can see the shared preferences.

Shared_prefs directory

In the shared_prefs directory you will see the XML file.

When viewing the file you will find the entered credentials.

Entered creds saved

4.) Insecure Data Storage (Part 2) (Local database):

Here the creds get saved into the database. Enter random credentials and click on save.

Insecure data storage — Part 2

While viewing the source code you will find that they are being saved into the database…

Source code view for Insecure data storage

In the below figure you will find that there are two different files:

· divanotes.db

· ids2

Available databases

Run sqlite3 to check the files of the application and the entered details.

To check the tables simply type the command .tables

It will list the tables…

android_metadata

myuser

Then, to check the users:

select * from myuser; it will list all the users…

Running sqlite3

5.) Insecure Data Storage (Part 3) (Tmp file):

Enter random credentials and save them.

While viewing the source code, see where the credentials are getting saved.

Save credentials source code

When you list the files you will find the temp file.

tmp_file

And when we view the uinfo file you will find the entered credentials…

Save credentials

6.) Insecure Data Storage (Part 4) (Local file on the SD card):

cd /mnt/sdcard/

ls

ls -l .uinfo.txt

cat .uinfo.txt

You will find the entered creds.
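As an added example (not code from this post or from DIVA), here is the check a tester would script once the artifacts are pulled with adb: enter one unique canary value into the app, then search the logcat output, the shared_prefs XML, the myuser table and the tmp and sdcard files for it. It covers Insecure Logging and Parts 1 to 4 above in one pass; the log lines, XML, table rows and file paths are constructed stand-ins.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed stand-ins for the artifacts pulled from the emulator: adb logcat
# output, the shared_prefs XML, the myuser table from the sqlite db, and the
# tmp / sdcard text files. Paths and values are made up for this example.
LOGCAT = (
    "06-11 10:02:11.123  1234  1234 E diva-log: Error while processing "
    "transaction with credential: 9876543210\n"
    "06-11 10:02:11.125   512   530 I ActivityManager: Displayed "
    "jakhar.aseem.diva/.LogActivity\n"
)
SHARED_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user">diva_tester</string>
    <string name="password">9876543210</string>
</map>"""
TEXT_FILES = {
    "/data/data/jakhar.aseem.diva/uinfo-1234tmp": "diva_tester:9876543210",
    "/mnt/sdcard/.uinfo.txt": "diva_tester:9876543210",
}

def build_sample_db():
    """In-memory copy of the myuser table the post reads with sqlite3."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE myuser (user TEXT, password TEXT)")
    db.execute("INSERT INTO myuser VALUES (?, ?)", ("diva_tester", "9876543210"))
    return db

def find_canary(canary, logcat=LOGCAT, prefs_xml=SHARED_PREFS_XML,
                text_files=TEXT_FILES, db=None):
    """Return (location, detail) pairs for every artifact holding the canary."""
    if db is None:
        db = build_sample_db()
    hits = []
    # logcat: report the tag of any line that echoes the value (Insecure Logging)
    for line in logcat.splitlines():
        if canary in line:
            hits.append(("logcat", line.split(": ", 1)[0].split()[-1]))
    # shared_prefs XML: report the preference key (Part 1)
    for entry in ET.fromstring(prefs_xml):
        if entry.text and canary in entry.text:
            hits.append(("shared_prefs", entry.get("name")))
    # sqlite: report the column of the myuser table (Part 2)
    for user, password in db.execute("SELECT user, password FROM myuser"):
        for column, value in (("user", user), ("password", password)):
            if canary in str(value):
                hits.append(("sqlite:myuser", column))
    # tmp file and sdcard file: report the path (Parts 3 and 4)
    for path, content in text_files.items():
        if canary in content:
            hits.append(("file", path))
    return hits
```

Every hit is a place where the value you typed into the app can be read back without the app's cooperation, which is the finding to report.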

7.) Input validation issues (Part 1):

Here the goal is to bypass the login page to get access.

We will perform SQL injection with the following input:

1' or '1' != '2

Details leaked!!
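To show why the input above returns every row, here is an added example (not the app's own code) that reproduces the lookup against a constructed in-memory table: the concatenated query beside its parameterized replacement. The table name and rows are assumptions.

```python
import sqlite3

# The exact string the post enters into the app's user lookup field.
PAYLOAD = "1' or '1' != '2"

def sample_db():
    """Constructed stand-in for the app's user table (name and rows assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, password TEXT, credit_card TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "passw0rd", "4111-xxxx-xxxx-1111"),
        ("diva", "p@ssword", "5500-xxxx-xxxx-0004"),
    ])
    return db

def lookup_vulnerable(db, user):
    """String concatenation: the quote in the input closes the literal and the
    rest of the payload is parsed as SQL, so the WHERE clause is true for
    every row and the whole table comes back."""
    query = "SELECT user, password FROM users WHERE user = '" + user + "'"
    return db.execute(query).fetchall()

def lookup_safe(db, user):
    """Bound parameter: the driver passes the whole input as one string value,
    so it is compared against the column instead of being parsed."""
    return db.execute(
        "SELECT user, password FROM users WHERE user = ?", (user,)).fetchall()
```

On Android the equivalent fix is the selectionArgs parameter of SQLiteDatabase.query / rawQuery rather than building the query with string concatenation.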

8.) Input Validation issues (Part 2):

Try to run a URL to view it.

Google.com

Now try to access the path where the credentials are stored:

file:///data/data/jakhar.aseem.diva/shared_prefs/jakhar.aseem.diva_preferences.xml

Above is the path we found earlier, and you will see that the app shows the file's contents…

Input validation failed.
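As an added example, not part of this post, here is the check the app's WebView is missing, written in Python against the same file:// path: only http(s) URLs to an allowlisted host are accepted, so the shared_prefs path, a bare hostname and any other scheme are refused. The host allowlist is an assumption.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist of hosts the app is meant to open in its WebView.
ALLOWED_HOSTS = {"google.com", "www.google.com"}

def is_safe_webview_url(url):
    """Return True only for http(s) URLs whose host is on the allowlist.

    file:// (the app's private data directory), content://, javascript: and
    inputs without an explicit scheme are all rejected before loading."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # malformed netloc, e.g. unbalanced IPv6 brackets
        return False
    # urlsplit lowercases the scheme, so FILE:// is caught as well
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS
```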
