Walkthrough: InsecureBankv2

This vulnerable Android application is named “InsecureBankv2” and is made for security enthusiasts and developers to learn about Android insecurities by testing this vulnerable application.

EXECUTIVE SUMMARY

This VAPT was performed during my winter vacation. The detailed report and our findings are described below.

OBJECTIVE

The objective of this test was to determine security vulnerabilities in the mobile-app configuration. The tests were carried out assuming the identity of an attacker or with malicious intent. At the same time due care was taken not to harm the mobile-app.

SCOPE

The scope is to perform Static & Dynamic Analysis.

Disclaimer

All information, techniques and tools described in this write-up are for educational purposes only. Use anything in this write-up at your own discretion; I cannot be held legally responsible for any damage caused to any systems or to yourselves. Usage of all tools and techniques described in this write-up for attacking individuals or organizations without their prior consent is highly illegal. It is your responsibility to obey all applicable local, state and federal laws. I assume and accept no liability and will not be responsible for any misuse or damage caused by using the information herein.

A few points

I used a Genymotion custom phone (virtual device) running Android 4.4.

The IP address of the phone is 192.168.197.102.

adb: Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with a device.

apktool: a tool for reverse engineering 3rd-party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it also makes it possible to debug smali code step by step.

dex2jar: the core feature of dex2jar is to convert the classes.dex file of an APK to classes.jar, or vice versa. So it is possible to view the source code of an Android application using any Java decompiler, and it is completely readable.

JD-GUI: a decompiler that can be used to decompile the jar file content back to the original source.

Summary Scan Report of Android-InsecureBankv2

Static Analysis

Static analysis is a test of the internal structure of the application, rather than functional testing.

For static analysis I used the MobSF tool. This automates the process of decompiling the APK, reading the manifest file, identifying issues in the source code and in the manifest file, extracting the certificate of the application etc., and saves me from having to do this manually.

MobSF can be used to perform static analysis for both Android and iOS applications.

Here is the result of MobSF:

Here I found the following information:

1) Application Signature is vulnerable

2) Some Application Permissions are vulnerable

3) Manifest Analysis

4) Possible Hardcoded Secrets

5) Activities

Some Other Vulnerabilities

The application presents the user with a login screen when the app is launched, and there is an option to autofill credentials.

Login Bypass

Using the information gathered by MobSF, I decided to start by looking at the AndroidManifest.xml file.

There I found information that allows me to bypass the login page.

So I used adb to bypass this login page.

Command: adb shell am start -n com.android.insecurebankv2/com.android.insecurebankv2.PostLogin

After executing this command I get this interface:

Now let's analyze manually using apktool.

For decompiling I used: apktool d InsecureBankv2.apk

It created a folder which contains the following files and folders:

The AndroidManifest.xml file is in there, so let's analyze it manually.

Findings

1) Write External Storage: there is no need to grant this permission to the application. An attacker can insert malicious data into external storage, so it is vulnerable.

2) Use Credentials: credentials are sensitive data which should be protected. In this app an attacker can use the credentials, which may lead to an attack.

3) Read External Storage: sensitive data on external storage is exposed to an attacker. Contacts, profile, phone state and call logs are all sensitive data that is exposed.

4) Access Network State and Access Coarse Location: with the help of these, an attacker can get the network state of the app user and the physical location of the app user.

5) Debuggable and Backup = true: these should not be true. Debuggable provides the capability of running commands on behalf of the application by any other application or through an ADB shell. It means the application files can be accessed and activities can be triggered by ADB shell commands or through any application on the device.

Backup should be false because it provides the capability to back up the application and all its data into a single file by using an ADB shell command.

6) Exported Activities are true: these should also be set to false, because the login functionality of the application can be bypassed via the exported activities by using ADB and Drozer.
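The manifest findings above can be checked mechanically once apktool has decoded the manifest to plain XML. The following script is an added example written for this write-up (it is not MobSF or InsecureBankv2 code); the embedded manifest is a constructed sample in the shape of the decoded one, and the list of risky permissions is taken from the findings above.

```python
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"  # prefix for android:* attributes
# Permissions the findings above flag as unnecessary or sensitive for a banking app.
RISKY_PERMISSIONS = {"android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.USE_CREDENTIALS",
                     "android.permission.READ_EXTERNAL_STORAGE", "android.permission.ACCESS_COARSE_LOCATION"}

def audit_manifest(xml_text):
    """Return (severity, finding) tuples for a decoded (apktool) AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(NS + "name", "")
        if name in RISKY_PERMISSIONS:
            findings.append(("MEDIUM", "risky permission: " + name))
    app = root.find("application")
    if app is None:
        return findings
    if app.get(NS + "debuggable") == "true":
        findings.append(("HIGH", "android:debuggable is true"))
    # allowBackup defaults to true when absent, so a missing attribute is reported too.
    if app.get(NS + "allowBackup", "true") == "true":
        findings.append(("MEDIUM", "android:allowBackup is true or not set"))
    for act in app.iter("activity"):
        name = act.get(NS + "name")
        exported = act.get(NS + "exported")
        has_filter = act.find("intent-filter") is not None
        is_launcher = any(c.get(NS + "name") == "android.intent.category.LAUNCHER"
                          for c in act.iter("category"))
        # Reachable from other apps (adb, drozer) if exported="true", or if it has an
        # intent-filter and exported is unset (the pre-API-31 default). Launcher is expected.
        if ((exported == "true" or (exported is None and has_filter))
                and not is_launcher and act.get(NS + "permission") is None):
            findings.append(("HIGH", "exported activity without permission: " + name))
    return findings

# Constructed sample in the shape of the decoded manifest (not copied from the app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.insecurebankv2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".LoginActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".PostLogin" android:exported="true"/>
    <activity android:name=".ChangePassword" android:exported="true"/>
  </application>
</manifest>"""
```

Running audit_manifest on the real decoded file reports the same classes of issue; setting debuggable, allowBackup and the non-launcher activities' exported attribute to "false" makes the HIGH findings disappear.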

Now let's convert the APK file into a jar file; for this we used the dex2jar tool.

Command :

We have successfully created the jar file; now let's open it with the help of JD-GUI.

1) Insecure Communication: the application uses a weak communication method because it uses plain HTTP, which is not secure: it does not use TLS/SSL to encrypt the request.

2) Insecure Login: here it is creating the URL string, which will be http://:devlogin. The devlogin endpoint is a backdoor for developers to log in to the application, but there is no proper authentication in place, and the developer forgot to remove it from the production application, which leads to endpoint disclosure to everyone using this application.

3) Insecure Authentication: if the username is devadmin there is no need to enter a password; any random password will work, as you can see in the screenshot below.

4) Insufficient Cryptography

5) Weak Change Password implementation

6) Root Detection: the root-detection logic, including the paths it checks for, is visible in the decompiled source, so it can be bypassed easily.

7) Sensitive Data Exposure: the database name, table name and version are all exposed.
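The source-level findings above (cleartext http:// URLs, the devlogin backdoor endpoint, the devadmin username check, hardcoded keys, and database names in code) can be triaged quickly with a line-based scan of the JD-GUI output. This scanner is an added example for this write-up, not MobSF's rule set or the app's code; the patterns are heuristics, and the sample lines are constructed to resemble decompiled Java rather than copied from the app.

```python
import re

# Heuristic checks for the issue classes found in the decompiled source (constructed for
# this example; tune them for the code base being reviewed).
CHECKS = [
    ("cleartext URL (no TLS)", re.compile(r'"http://[^"]*"')),
    ("developer/backdoor endpoint", re.compile(r'(?i)dev(login|admin|test)')),
    ("username compared to literal", re.compile(r'(?i)user\w*\.equals\(\s*"[^"]+"\s*\)')),
    ("hardcoded key or password", re.compile(r'(?i)(key|password|secret)\s*=\s*"[^"]+"')),
    ("database name in source", re.compile(r'openOrCreateDatabase\(\s*"')),
]

def scan_source(java_text):
    """Return (line_no, issue, stripped_line) for every check that matches a line."""
    hits = []
    for no, line in enumerate(java_text.splitlines(), 1):
        for issue, pattern in CHECKS:
            if pattern.search(line):
                hits.append((no, issue, line.strip()))
    return hits

def summarize(hits):
    """Group hit line numbers by issue so a reviewer sees what to look at first."""
    by_issue = {}
    for no, issue, _ in hits:
        by_issue.setdefault(issue, []).append(no)
    return by_issue

# Constructed decompiled-style lines (not the app's actual source). Line 5 is the
# hardened form of line 1: HTTPS and the normal login endpoint, so it produces no hit.
SAMPLE_SOURCE = """\
String url = "http://" + server + ":" + port + "/devlogin";
if (username.equals("devadmin")) { skipPassword = true; }
String key = "hardcoded-placeholder";
SQLiteDatabase db = openOrCreateDatabase("mydb", MODE_PRIVATE, null);
String apiUrl = "https://" + server + "/login";
"""

if __name__ == "__main__":
    for no, issue, line in scan_source(SAMPLE_SOURCE):
        print("line %d: %s: %s" % (no, issue, line))
```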

Dynamic Analysis

For dynamic analysis I am using Drozer.

Drozer is a security and attack framework for Android application testing. Drozer is a tool that can be used for mobile device review, secure development of applications, BYOD approval and mobile application testing.

After getting the drozer console, I first listed the available modules using: ls

After ls we know everything is working properly, so I started to look at some basic info about the app by running the following command:

run app.package.info -a com.android.insecurebankv2

Now that we have the app info, let's identify the attack surface with a single command:

run app.package.attacksurface com.android.insecurebankv2

Now let's extract the AndroidManifest.xml file:

run app.package.manifest com.android.insecurebankv2

Now let's find out which activities are in the app:

run app.activity.info -a com.android.insecurebankv2

Above we can see the list of activities in the app.

So let's try some of them after analyzing AndroidManifest.xml.

Try to launch these activities using drozer with this command:

run app.activity.start --component com.android.insecurebankv2 com.android.insecurebankv2.LoginActivity --action android.intent.action.MAIN --category android.intent.category.LAUNCHER

After using this command I get this interface:

Now let's reach the post-login (transfer) activity without logging in.

Command: run app.activity.start --component com.android.insecurebankv2 com.android.insecurebankv2.PostLogin

We are successfully logged in after executing this command.

We have bypassed the authentication.

We can change the password by simply executing this command:

run app.activity.start --component com.android.insecurebankv2 com.android.insecurebankv2.ChangePassword

In the drozer module list (ls) I found this:

Let's try this.

Now we will gather some more info.

1) About the content providers:

run app.provider.info -a com.android.insecurebankv2

2) Interacting with services:

run app.service.info -a com.android.insecurebankv2

The app does not have any exported services.

CONCLUSIONS

Security testing should be a priority when developing a mobile app — equally important to features, design, and delivering it on time. This holds true for every app, whether it is a grocery list, online shopping or a banking app. Most vulnerabilities can be avoided or limited if security practices are observed, while loopholes can be found and closed through strategic, comprehensive automated and manual mobile testing.

This is the end. Thank you for reading this write-up.
