
@ruevaughn
Last active January 8, 2023 11:54
InsecureBankV2 Android App Walkthrough

InsecureBankV2 Tutorial

This is a writeup of my solutions to the intentionally vulnerable Android app. If you want to solve the challenge yourself, you can download the APK from here. In most cases I recommend trying the challenge yourself first before reading the solution. If you are new to testing Android applications or to vulnerability assessment in general, you may get more out of it by reading first and then attempting. Do what works for you.

Setup


Follow my Blog Post for instructions on setting up this lab, or follow the instructions here. First we cover the tools used and how to set them up, then the vulnerabilities found in this app.

Tools & Resources

Android Lab Backend Server


  # setup
  ...
  cd .\Projects\Android-InsecureBankv2\AndroLabServer
  python .\app.py

MobSF


  cd .\Projects\Mobile-Security-Framework-MobSF
  .\setup.bat
  # open http://localhost:8000/ in a web browser
  # Click "Upload & Analyze" and select the APK, or drag and drop the InsecureBankV2.apk file

Adb


  adb connect "your-host-only-ip-address"
  adb install ./InsecureBankv2.apk

Genymotion

  # Open the app
  # Input the server settings: 10.0.2.2 or 192.168.147.1 etc. (the host running AndroLabServer)
  # port 8888
  # Try to log in on the app; you should see
  {"message": "Wrong Password", "user": "jack"}

Exploit #1 - Login Bypass

One way to discover this is to look at the Static/Manifest Analysis section in MobSF, where the AndroidManifest.xml shows the different activities. Specifically we want to check for components that are exported, like PostLogin, DoTransfer, ViewStatement, and MyBroadCastReceiver, and see whether they authorize properly by calling each one explicitly. This is done using adb:

$ adb shell am start -n com.android.insecurebankv2/com.android.insecurebankv2.PostLogin

Output:

> Starting: Intent { cmp=com.android.insecurebankv2/.PostLogin }

When you send that command, the 'PostLogin' activity is loaded directly on the device. If the activity enforced authorization properly, you would not be able to see that screen until you had logged in. In this case you will see 'Rooted Device!!' because we bypassed the login, only to run into its root check. More to come on that.

Another way this could be discovered is in MobSF: look at the Manifest Analysis and you will see it as Issue Number 3:

Issue #3: Activity (com.android.insecurebankv2.PostLogin) is not Protected.
[android:exported=true]
Description: An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
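The MobSF finding above is a mechanical check on the decoded manifest, so it is worth being able to run it yourself on any apktool output. The script below is an added example, not code from the gist or from the InsecureBankv2 project: it applies the platform's export rule (an explicit android:exported wins; otherwise an intent-filter makes an activity, service or receiver reachable by other apps), skips the launcher activity that must be exported, and reports every exported component that declares no android:permission. The built-in sample manifest is constructed; only the five component names named in this walkthrough come from the page, and ExampleInternalActivity, ExampleProtectedActivity and the permission string are assumed.

```python
"""Exported-component audit for an apktool-decoded AndroidManifest.xml.

Added example (not part of the original gist or of InsecureBankv2). Usage:
    python manifest_audit.py InsecureBankv2/AndroidManifest.xml
With no argument it audits the constructed SAMPLE_MANIFEST below.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample: the five components the walkthrough names, plus two
# assumed ones (ExampleInternalActivity, ExampleProtectedActivity) that show
# the non-finding cases: not exported, and exported but permission-gated.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.insecurebankv2">
  <application android:label="InsecureBankv2">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PostLogin" android:exported="true"/>
    <activity android:name=".DoTransfer" android:exported="true"/>
    <activity android:name=".ViewStatement" android:exported="true"/>
    <receiver android:name=".MyBroadCastReceiver" android:exported="true"/>
    <activity android:name=".ExampleInternalActivity" android:exported="false"/>
    <activity android:name=".ExampleProtectedActivity" android:exported="true"
              android:permission="com.example.PERMISSION_ASSUMED"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """Platform rule: an explicit android:exported wins; otherwise activities,
    services and receivers are exported iff they declare an <intent-filter>.
    A provider without the attribute is treated as not exported (the modern
    default), which is the conservative reading for a quick audit."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    if component.tag == "provider":
        return False
    return component.find("intent-filter") is not None


def is_launcher(component):
    """The MAIN/LAUNCHER activity has to be exported; it is not a finding."""
    return any(_attr(cat, "name") == LAUNCHER
               for flt in component.findall("intent-filter")
               for cat in flt.findall("category"))


def find_unprotected_exports(manifest_xml):
    """Return [(tag, fully.qualified.Name)] for every component another app can
    start (exported) that declares no android:permission, launcher excluded."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        for comp in app:
            if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
                continue
            if comp.tag == "activity" and is_launcher(comp):
                continue
            if _attr(comp, "permission"):
                continue  # caller must hold a permission: gated, not a finding
            name = _attr(comp, "name") or ""
            if name.startswith("."):
                name = package + name  # expand the shorthand relative name
            findings.append((comp.tag, name))
    return findings


def format_issue(tag, name):
    """Render a finding in the same shape as the MobSF line quoted above."""
    return "%s (%s) is not Protected. [android:exported=true]" % (tag.capitalize(), name)


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for tag, name in find_unprotected_exports(xml_text):
        print(format_issue(tag, name))
    # Fix for each finding: android:exported="false", or keep it exported but
    # require a signature-level android:permission and re-check the session in
    # onCreate() instead of trusting that only LoginActivity launched it.
```

Run it against the manifest apktool writes into the decoded directory; on the sample it lists PostLogin, DoTransfer, ViewStatement and MyBroadCastReceiver and stays quiet about the launcher, the non-exported activity and the permission-gated one.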

Exploit #2 - Hidden Create User Button

If you use MobSF to look at the decompiled Java code of "LoginActivity", you will see a button being hidden when is_admin is set to "no". When that condition is true, setVisibility(8) (8 is View.GONE) is used to hide the button. The code looks like this:

[screenshot: com/android/insecurebankv2/LoginActivity.java, the is_admin check]

What we want is for that is_admin check to return true, so that the button is displayed and we effectively become admins. One way to do this is to locate where that string is set and alter it at initialization. We can decode the APK with apktool:

  apktool d InsecureBankv2.apk
  cd ./InsecureBankv2/

Since we know is_admin is a String Resource the value will be under "/res/values/" directory and in the strings.xml file. Open it and change the is_admin value from no to yes and save the changes.

[screenshot: strings.xml with is_admin set to "no"]

after

[screenshot: strings.xml with is_admin set to "yes"]
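The root cause here is that an authorization decision lives in a client-side resource that anyone who can repackage the APK can flip. The script below is an added example, not code from the gist or from InsecureBankv2: it scans an apktool-decoded res/values/strings.xml for resources whose value is a yes/no or true/false toggle and whose name suggests a privilege or debug switch, which is exactly the pattern behind the hidden create-user button. The sample strings.xml is constructed; only the is_admin = "no" entry comes from the walkthrough, and the other names are assumed.

```python
"""Flag authorization decisions stored as string resources.

Added example (not part of the original gist or of InsecureBankv2). Usage:
    python strings_audit.py InsecureBankv2/res/values/strings.xml
With no argument it audits the constructed SAMPLE_STRINGS_XML below.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Values that read as a boolean switch rather than user-visible text.
TOGGLE_VALUES = {"yes", "no", "true", "false", "on", "off", "0", "1"}
# Resource names that hint at a privilege, debug or gating decision.
PRIVILEGE_HINT = re.compile(r"admin|root|debug|auth|login|premium|unlock|enable",
                            re.IGNORECASE)

# Constructed sample; "is_admin" mirrors the resource the walkthrough edits,
# the example_* names are assumed.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">InsecureBankv2</string>
    <string name="is_admin">no</string>
    <string name="example_debug_enabled">false</string>
    <string name="example_session_timeout">30</string>
</resources>
"""


def find_client_side_gates(strings_xml):
    """Return [(name, value)] for toggle-valued resources with a privilege-like name.

    Each hit is a decision the app takes on the client alone. The button
    visibility may stay as a UI hint, but the server must check the account's
    role on every privileged request, or flipping the resource grants the role.
    """
    root = ET.fromstring(strings_xml)
    hits = []
    for res in root.findall("string"):
        name = res.get("name", "")
        value = (res.text or "").strip()
        if value.lower() in TOGGLE_VALUES and PRIVILEGE_HINT.search(name):
            hits.append((name, value))
    return hits


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STRINGS_XML
    for name, value in find_client_side_gates(xml_text):
        print("client-side gate: %s = %r (enforce server-side instead)" % (name, value))
```

On the sample it reports is_admin and example_debug_enabled and ignores app_name and the numeric timeout; the same scan over the real decoded strings.xml tells you which flags a repackaged build could toggle.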

We then use apktool to rebuild the APK with the modified strings.xml. The rebuilt APK must be signed before the emulator / phone will let you install it. We achieve this by creating a keystore, which we will be needing shortly:

  # Rebuild; the output APK lands in InsecureBankv2/dist/
  apktool b -f -d InsecureBankv2/
  keytool -genkey -v -keystore ctf.keystore -alias ctfKeystore -keyalg RSA -keysize 2048 -validity 10000
  # I can now sign the APK using a tool called jarsigner. When prompted for a password, I p
  jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore ctf.keystore InsecureBankv2/dist/InsecureBankv2.apk ctfKeystore
  # Next, I verify that the APK has been signed using jarsigner.
  jarsigner -verify -verbose -certs InsecureBankv2/dist/InsecureBankv2.apk
  # Finally, the apk is aligned for optimal loading using a tool called zipalign.
  zipalign -v 4 InsecureBankv2/dist/InsecureBankv2.apk InsecureBankv2-aligned.apk
  # Uninstall the previous version using Genymotion before installing
  adb install InsecureBankv2-aligned.apk

If you forget to uninstall the old APK, you will get an error when you try to install the new one. The simplest way is to open your emulated device and tap and hold on the app until you see the delete option.


Resources:

Credit:
