
Mobile

Apps to practice: https://thedarksource.com/vulnerable-android-apps/

Massive list of Awesome Android Security

Request Proxy

To proxy the web requests of an app, install the CA certificate of Burp (or any other MITM proxy) on the device and enforce the proxy via the WLAN settings. The proxy terminates TLS and presents the app a server certificate it has signed with that CA, so the app only accepts the connection if it trusts the CA. With the CA in the user certificate store this works for apps that target Android 6 or lower, or whose network security configuration explicitly trusts user certificates; since Android 7 apps do not trust user-installed CAs by default, so most current apps will refuse the proxied connection even without any pinning.

On top of that, apps can use SSL certificate pinning: the app compares the server certificate (or its public key) with a value shipped inside the app, so even a CA the device trusts is rejected. If you encounter such an app you need further steps to circumvent this protection, such as the MITM patch APKLab applies (see below).

First, the proxy certificate must be installed as a system certificate; that is what makes apps targeting Android 7 and newer trust it. On a rooted device this was easy up to Android 9: remount /system read-write and copy the file in. Since newer apps require newer Android versions to run (minSdkVersion), you cannot stay on an old image forever, and on Android 10 and newer /system is usually read-only and cannot simply be remounted, so you need another way to get the certificate into the system store (a root solution that can write to or overlay the cacerts directory). Keep in mind that the system certificate only removes the user-store restriction; an app that really pins its certificate still has to be patched or hooked.

My own strategy (based on ZwinK):

  • Android Studio

    • install android studio via sudo snap install android-studio
    • run snap run android-studio and install adb
  • Burp

    • start burp suite
    • switch to Proxy -> Options
      • edit the proxy listener to listen on the network interface (192.168.xx.xx)
      • press "export CA certificate" -> "Certificate in DER format" and save it as burp.der
      • run mv burp.der $(openssl x509 -inform DER -subject_hash_old -in burp.der | head -n 1).0, which renames the certificate to <hash>.0; the subject hash is the file name Android's cacerts directory expects (9a5ba575.0 for the Burp CA in these notes)
  • ZAProxy

    • start zap proxy
    • switch to Tools -> Options: Local Proxies
      • edit the proxy listener to listen on the network interface (192.168.xx.xx)
    • open http://localhost:8080 and download the certificate
    • run mv ZAPCACert.cer $(openssl x509 -outform der -in ZAPCACert.cer | openssl x509 -inform DER -subject_hash_old | head -n 1).0
  • Genymotion

    • install VirtualBox (required) via sudo apt install virtualbox -y
    • install Genymotion Free
    • create an android device
    • start the android device
  • Get the certificate onto the device

    • Terminal A:
      • adb shell
      • su (genymotion devices are rooted by default)
      • mount -o rw,remount /system
      • leave the terminal open!
    • Terminal B:
      • adb push 9a5ba575.0 /system/etc/security/cacerts (use the <hash>.0 file name produced above; the ZAP certificate has a different hash)
      • Should return: > 9a5ba575.0: 1 file pushed, 0 skipped.
      • check that the pushed file is readable by everyone like the other files in that directory (mode 644); apps run as unprivileged users and cannot read it otherwise
      • close Terminal A and B.
    • On android device:
      • Open network settings (wlan)
      • edit current network -> advanced
      • edit proxy server for wlan
      • enter the burp listening ip and port
      • restart the device for good measure.
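The whole procedure as one script, added here as an example; it is not part of the original notes or of ZwinK's tooling. It assumes adb and openssl on PATH, a rooted device whose /system can be remounted read-write (Genymotion, Android 9 or lower), and uses 192.168.0.10:8080 as a placeholder for the proxy listener. It also sets the proxy through the global http_proxy setting instead of the WLAN dialog.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes or of ZwinK's tooling.
# Turns a proxy CA certificate into the <subject_hash_old>.0 file that Android's
# system trust store expects, pushes it to a rooted emulator and sets the proxy
# from the command line instead of through the GUI.
# Assumes: adb and openssl on PATH, a rooted device whose /system can be
# remounted read-write (Genymotion, Android <= 9). 192.168.0.10:8080 below is an
# example address, replace it with your proxy listener.
set -eu

# DER for Burp's "Certificate in DER format" export, PEM for ZAP's download.
cert_inform() {
    if head -c 10 "$1" | grep -q -- '-----BEGIN'; then echo PEM; else echo DER; fi
}

# File name Android uses for a CA: OpenSSL's "old" subject hash plus ".0".
# The hash covers the subject name only, so every Burp install yields the same
# name (9a5ba575.0 in these notes).
cacert_filename() {
    printf '%s.0\n' "$(openssl x509 -inform "$(cert_inform "$1")" -in "$1" -subject_hash_old -noout)"
}

# Write the certificate as PEM under its Android name into $2 and print the path.
# Android reads DER as well, but the stock CAs in that directory are PEM.
prepare_cacert() {
    local cert="$1" outdir="${2:-.}" name
    name="$(cacert_filename "$cert")"
    openssl x509 -inform "$(cert_inform "$cert")" -in "$cert" -out "$outdir/$name"
    printf '%s\n' "$outdir/$name"
}

# Push the prepared file into the system store; the store is only re-read at boot.
install_cacert() {
    local file="$1" name
    name="$(basename "$file")"
    adb shell 'mount -o rw,remount /system'
    adb push "$file" "/system/etc/security/cacerts/$name"
    # Apps run as unprivileged users, so the file must be readable by everyone,
    # exactly like the stock CAs next to it (-rw-r--r--). Check it.
    adb shell "chmod 644 /system/etc/security/cacerts/$name"
    adb shell "ls -l /system/etc/security/cacerts/$name"
}

# Global proxy setting honoured by the standard HTTP stacks;
# "settings put global http_proxy :0" clears it again.
set_proxy() {
    adb shell "settings put global http_proxy $1"
}

if [ $# -ge 1 ]; then
    file="$(prepare_cacert "$1" "${TMPDIR:-/tmp}")"
    install_cacert "$file"
    set_proxy "${2:-192.168.0.10:8080}"
    adb reboot
fi
```

Run it as `./install_ca.sh burp.der 192.168.1.50:8080`; the ls -l line printed at the end is the check that the file landed next to the stock CAs with the right permissions.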

Android

APK Files

APK files can be obtained from the Android device itself (with adb) or from mirror sites like apkpure.com.
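Pulling the APK off the device, as an added example that is not part of the original notes. It assumes adb on PATH and an authorised device; com.example.app in the usage comment is a placeholder package name.

```shell
# Added example, not part of the original notes. Pulls an installed app's APK(s)
# off a device with adb; assumes adb is on PATH and the device is authorised.
# com.example.app in the usage comment at the bottom is a placeholder.
set -eu

# pm prints "package:<value>" lines, on some versions with a trailing \r. Turn that
# into one clean value per line and drop anything that is not such a line.
strip_package_prefix() {
    tr -d '\r' | sed -n 's/^package://p'
}

# Case-insensitive search over installed package names, e.g. find_packages bank
find_packages() {
    adb shell pm list packages | strip_package_prefix | grep -i -- "$1"
}

# Modern apps are installed as several split APKs (base.apk plus
# split_config.<abi/density/locale>.apk). "pm path" lists all of them; pull every
# one, otherwise the app cannot be rebuilt or reinstalled as it was.
pull_apk() {
    local pkg="$1" outdir="${2:-$1}" paths
    paths="$(adb shell pm path "$pkg" | strip_package_prefix)"
    if [ -z "$paths" ]; then
        echo "not installed: $pkg" >&2
        return 1
    fi
    mkdir -p "$outdir"
    printf '%s\n' "$paths" | while IFS= read -r path; do
        adb pull "$path" "$outdir/"
    done
    ls -l "$outdir"
}

if [ $# -ge 1 ]; then
    pull_apk "$@"        # e.g. ./pull_apk.sh com.example.app ./com.example.app
fi
```

No root is needed, the APK files under /data/app are readable by every user. To put a split app back after patching, install all parts together with `adb install-multiple base.apk split_config.*.apk`.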

In order to work with APK files you can use APKLab for VS Code, which decompiles the APK, lets you browse the source, applies the MITM patch and installs the rebuilt APK, all from within VS Code.

To execute an APK file you can either install an Android virtual device and install the APK inside it, or use Anbox (tutorial), which runs Android in a container on the Linux host.

Treasures

APK files usually contain information about where the app connects and how it authenticates. To extract it you can either use automatic scripts like Find-Hardcoded by arijitdirghanji or grep through the decompiled sources yourself.

Because app developers assume that the APK content and user data are well protected, the endpoints found this way are sometimes poorly protected themselves.

Here is a list to give you an idea what you can do with such information:

  • Private keys: decrypt and re-encrypt information the app exchanges or stores
  • Amazon AWS S3: access to buckets, possibly with weak or missing access control
  • Firebase: access to the Firebase database, possibly with full read access
  • All-purpose tokens for custom endpoints
  • Sandbox/dev environment endpoints (usually less monitored and less restrictive)
  • ...
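A grep pass over a decompiled APK tree for the kinds of material listed above, added here as an example; it is neither part of the original notes nor of Find-Hardcoded. The patterns follow publicly documented formats (AWS access key IDs start with AKIA, Google API keys with AIza, Firebase realtime databases live under firebaseio.com), hits are leads to verify by hand, and make_sample_tree builds a constructed tree with fake values for a dry run.

```shell
# Added example, not part of the original notes or of Find-Hardcoded. A grep pass
# over a decompiled APK tree (apktool/APKLab output) for the kinds of material the
# list above names. Patterns follow publicly documented formats (AWS access key
# IDs start with AKIA, Google API keys with AIza); hits are leads to verify by hand.
# make_sample_tree builds a constructed sample tree with fake values for a dry run.
set -eu

# label<TAB>extended regex, one per line.
secret_patterns() {
    printf '%s\t%s\n' \
        'aws_access_key_id' 'AKIA[0-9A-Z]{16}' \
        'google_api_key'    'AIza[0-9A-Za-z_-]{35}' \
        'firebase_db'       'https?://[a-z0-9-]+\.firebaseio\.com' \
        's3_bucket'         '[a-z0-9.-]+\.s3(\.[a-z0-9-]+)?\.amazonaws\.com|s3\.amazonaws\.com/[a-z0-9.-]+' \
        'private_key'       '-----BEGIN (RSA |EC |OPENSSH |PGP )?PRIVATE KEY-----' \
        'dev_endpoint'      'https?://[A-Za-z0-9.-]*(dev|test|staging|sandbox)[A-Za-z0-9.-]*'
}

# Walk the tree once per pattern; prints label:file:line:match.
scan_tree() {
    secret_patterns | while IFS="$(printf '\t')" read -r label regex; do
        grep -rEnoI -- "$regex" "$1" 2>/dev/null | sed "s/^/$label:/" || true
    done
}

# Summary: "label count" per line, handy for comparing builds of the same app.
count_hits() {
    scan_tree "$1" | cut -d: -f1 | sort | uniq -c | awk '{print $2, $1}'
}

# Constructed sample tree with the layout apktool produces; no real credentials.
make_sample_tree() {
    mkdir -p "$1/res/values" "$1/smali/com/example" "$1/assets"
    cat > "$1/res/values/strings.xml" <<'EOF'
<resources>
    <string name="api_base">https://api-staging.example.com/v2/</string>
    <string name="realtime_db">https://example-app-1234.firebaseio.com</string>
    <string name="uploads">https://user-uploads-example.s3.eu-west-1.amazonaws.com</string>
</resources>
EOF
    printf '%s\n' \
        'const-string v0, "AKIAIOSFODNN7EXAMPLE"' \
        'const-string v1, "AIza0123456789abcdefghijklmnopqrstuvwxy"' \
        > "$1/smali/com/example/Config.smali"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEpAIBAAKCAQEA...constructed...' \
        '-----END RSA PRIVATE KEY-----' > "$1/assets/signing.pem"
}

if [ $# -ge 1 ]; then
    scan_tree "$1"
    echo "--- summary"
    count_hits "$1"
fi
```

Run it as `./scan.sh ./com.example.app.decompiled`. Each label gets one hit on the constructed tree; on a real app the dev_endpoint line is the one to read first, since sandbox hosts are the ones most likely to lack the production access controls.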