![]() Let's head into our Hardcode2Activity in JADX-GUI and open it up. Just like previously, we can immediately identify what is probably hardcoded just by looking at the activity layout: the vendor key. So, we are expected to find what is being hardcoded and where. When we open the Hardcoding Issues Part Two section we are met with the following objective: find out what is hardcoded and where. What: Vendor Secret Key > vendorsecretkey.Voila, we have gained access to the system! □ Immediately we can see that the vendor key is hardcoded, thus we can copy the " vendorsecretkey" value and pop it into our app. Let's head into JADX-GUI and open up the HardcodeActivity activity to see if we can find anything in the source code. From the get-go, we can immediately identify what will be hardcoded: the vendor key. When we open the Hardcoding Issues Part One section we are met with the following objective: find out what is hardcoded and where. This is not only bad from a programming perspective since the developer will have to manually change this value every time they want to update it, but from a security perspective, it allows attackers to easily exploit or hijack firmware, devices, systems, and software. For example:Įnter fullscreen mode Exit fullscreen mode When a programmer hardcodes a value, it means that they type it into the application, making it a static value. So, in summary, we were able to find the following: Maybe logging sensitive information is not the best way to capture this information? When we look at the code, we can identify the section where it does the actual logging, thus confirming that it is logging our credit card number. Easy peasy, just load up your DIVA APK into JADX-GUI and open up the LogActivity activity. BAD LOGCAT! Now we know how it is being logged, via the LogCat Output in Android Studio underneath a log labeled diva-log.įinally, we need to find the vulnerable code. When we scroll down, we see that our credit card number has been logged. We can see that it logs everything, which is bad because say we have a user that downloads a malicious APK that secretly monitors their log when they use the app - the attacker can then use this monitored log to read sensitive data, and exploit them in this way. ![]() Open up Android Studio and navigate over to the LogCat Output. where did our data go? The first culprit that we can look at is LogCat in Android Studio. Let's see if we can see how it is being logged, ie. With our number entered, we get an error popup. Thus, our credit card number is probably the data that is being logged (what). From first impressions, just by looking at the activity layout (which is the page opened on our screen), we can see that it asks us for our credit card numbers. Let's try and answer these objectives one by one. So, we are expected to find what is being logged, how it is logged, and the vulnerable code. When we open the Insecure Logging section we are met with the following objective: find out what is being logged where/how and the vulnerable code. In this section, we will be testing the Insecure Logging and Hardcoding Issues (Part 1 & 2) sections of this application. Okay, let's get hacking! When we open the DIVA application on our device, we can see that it consists of a menu or navigation that lists many sections for us to Pentest. ADB is installed with DIVA APK installed onto the device.Genymotion and Virtualbox installed, with an emulated device setup and running.In the following days to come, we will be Pentesting the DIVA APK, which I explain and demonstrate how to install and set up on an emulated device in this tutorial.īefore we start make sure that you have the following: What is Android Pentesting? Simply put, it is a simulated cyber attack against a mobile application where we try to expose and find any vulnerabilities or security issues that are present in the application. Today we start hacking, kind of.įirst things first, I need to make sure that we are on the same page. I've shown you how to install Genymotion & Virtualbox, JADX-GUI & ADB, and Android Studio on Parrot OS - but today we will go beyond just installing tools. If you've read my previous tutorials(or write-ups), you would know that I have started dabbling in the world of hacking, with my most recent write-ups focusing primarily on Android Pentesting.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |