Walkthrough: InsecureBankv2
About InsecureBankv2
This vulnerable Android application is named “InsecureBankv2” and is made for security enthusiasts and developers to learn about Android insecurities by testing this vulnerable application.
EXECUTIVE SUMMARY
This VAPT was performed during my winter vacation. The detailed report and our findings are described below.
OBJECTIVE
The objective of this test was to determine security vulnerabilities in the mobile app's configuration. The tests were carried out assuming the identity of an attacker or someone with malicious intent. At the same time, due care was taken not to harm the mobile app.
SCOPE
The scope is to perform Static & Dynamic Analysis.
Disclaimer
All information, techniques and tools described in this write-up are for educational purposes only. Use anything in this write-up at your own discretion; I cannot be held responsible for any damages caused to any systems or to yourselves legally. Usage of all tools and techniques described in this write-up for attacking individuals or organizations without their prior consent is highly illegal. It is your responsibility to obey all applicable local, state and federal laws. I assume and accept no liability and will not be responsible for any misuse or damage caused by using the information herein.
A few points
Using a Genymotion custom phone running Android 4.4.
IP address of the phone is 192.168.197.102.
adb: Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with a device.
apktool: A tool for reverse engineering third-party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it also makes it possible to debug smali code step by step.
dex2jar: The core feature of dex2jar is to convert the classes.dex file of an APK to classes.jar, or vice versa. So it is possible to view the source code of an Android application using any Java decompiler, and it is completely readable.
JD-GUI: A decompiler that can be used to decompile the jar file content back to the original source.
Summary Scan Report of Android-InsecureBankv2
Static Analysis
Static analysis is a test of the internal structure of the application, rather than functional testing.
For static analysis I used the MobSF tool. This automates the process of decompiling the APK, reading the manifest file, identifying issues in the source code and in the manifest file, extracting the certificate of the application, etc., and saves me from having to do this manually.
MobSF can perform static analysis for both Android and iOS applications.
Here is the result of MobSF.
Here I found the following information:
1) Application Signature is vulnerable
2) Some Application Permissions are vulnerable
3) Manifest Analysis
4) Possible Hardcoded Secrets
5) Activities
Some Other Vulnerabilities
The application presents the user with a login when the app is launched, and there is an option to autofill credentials.
Login Bypass
Using the information gathered by MobSF, I decided to start by looking at the AndroidManifest.xml file.
And I found this information, which allows me to bypass the login page.
So I used adb to bypass this login page.
Command: adb shell am start -n com.android.insecurebankv2/com.android.insecurebankv2.PostLogin
After executing this command I get this interface
Now let's analyze manually using apktool.
For decompiling I used: apktool d InsecureBankv2.apk
It created a folder containing the following files and folders:
I found the AndroidManifest.xml here; let's analyze it manually.
Findings
1) Write External Storage: there is no need to grant this to the application; an attacker can insert malicious data into storage, so it is vulnerable.
2) Use Credentials: this is sensitive data which should be protected. In this app an attacker can use the credentials, which may lead to an attack.
3) Read External Storage: sensitive data is exposed to an attacker. Contacts, profile, phone state and call log are all sensitive data that are exposed.
4) Access Network State & Access Coarse Location: with the help of these, an attacker can get the network state and the physical location of the app user.
5) Debuggable & Backup = True: this should not be true, because debuggable provides the capability of running commands on behalf of the application by any other application or through an ADB shell. It means the application files can be accessed and activities can be triggered by ADB shell commands or through any application on the device.
Backup should be false because it provides the capability to back up the application and all its data into a single file by using an ADB shell command.
6) Exported Activities are true: this should also be set to false, because the login functionality of the application could be bypassed through exported activities by using ADB and drozer.
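To make the manifest findings above reproducible without a scanner, here is an added example (not from the write-up or the InsecureBankv2 project) that audits a decoded AndroidManifest.xml, such as the one apktool produces, for the same issues: risky permissions, debuggable, allowBackup, and exported activities with no permission guard. The sample manifest is constructed for this example and only mirrors the findings listed above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample modeled on the findings above; it is NOT the app's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.insecurebankv2">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".LoginActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".PostLogin" android:exported="true"/>
    <activity android:name=".ChangePassword" android:exported="true"/>
    <activity android:name=".DoTransfer" android:exported="false"/>
  </application>
</manifest>"""

# Permissions the write-up flags as unnecessary or sensitive for a banking app.
RISKY_PERMISSIONS = {"android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.READ_EXTERNAL_STORAGE",
                     "android.permission.USE_CREDENTIALS", "android.permission.ACCESS_COARSE_LOCATION"}

def attr(elem, name):  # read an android:-namespaced attribute
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(act):
    declared = attr(act, "exported")  # before Android 12 an intent-filter implies exported
    return declared == "true" if declared is not None else act.find("intent-filter") is not None

def is_launcher(act):  # the MAIN/LAUNCHER activity is legitimately exported
    return any(attr(c, "name") == "android.intent.category.LAUNCHER"
               for c in act.iter("category"))

def audit_manifest(xml_text):
    """Return (severity, message) findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.findall("uses-permission"):
        if attr(perm, "name") in RISKY_PERMISSIONS:
            findings.append(("medium", "risky permission: " + attr(perm, "name")))
    app = root.find("application")
    if attr(app, "debuggable") == "true":
        findings.append(("high", "android:debuggable=true lets adb run commands as the app"))
    if attr(app, "allowBackup") != "false":
        findings.append(("medium", "android:allowBackup is not false; adb backup can dump app data"))
    for act in app.findall("activity"):
        if is_exported(act) and not is_launcher(act) and attr(act, "permission") is None:
            findings.append(("high", "exported activity without permission: " + attr(act, "name")))
    return findings
```

Run it against the AndroidManifest.xml from the apktool output folder by reading the file into `audit_manifest`; the launcher activity is skipped on purpose, since it must be exported.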
Now let's convert the APK file into a jar file; for this we used the dex2jar tool.
Command :
We have successfully created the jar file; now let's open it with the help of JD-GUI.
1) Insecure Communication: The application uses a weak communication method because it uses HTTP, which is not secure since it does not use TLS/SSL to encrypt the request.
2) Insecure Login: Here it is creating the URL string, which will be http://:devlogin. The devlogin endpoint is a backdoor for developers to log in to the application, but there is no proper authentication in place and the developer forgot to remove it from the production application, which leads to endpoint disclosure to everyone using this application.
3) Insecure Authentication: If the username is devadmin there is no need to enter a password; any random password will work, as you can see in the screenshot below.
4) Insufficient Cryptography
5) Weak Change Password implementation
6) Root Detection: The application exposes the root path; it can be rooted easily.
7) Sensitive Data Exposure: Database name, table name and version are all exposed.
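Findings 3 and 5 above (any password works for devadmin; weak change-password flow) shown as code, as an added example that is not from the write-up or the app's own code: the vulnerable login check beside a hardened one that special-cases no username, compares hashes in constant time, and requires the current password before a change. The user store, usernames, salts and passwords are constructed for this example.

```python
import hashlib
import hmac
import os

def _hash(password, salt, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; the hardened path never stores or compares plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

# Constructed user store for this example (fixed salts so the example is reproducible).
USERS = {
    "jack": {"salt": b"salt-for-jack-01", "hash": _hash("Sup3rSecret!", b"salt-for-jack-01")},
    "devadmin": {"salt": b"salt-for-dev-01", "hash": _hash("Dev@2015", b"salt-for-dev-01")},
}
# Dummy record so an unknown username costs the same as a real one (no timing-based enumeration).
_DUMMY = {"salt": b"dummy-salt-000000", "hash": _hash("unused", b"dummy-salt-000000")}

def vulnerable_login(username, password):
    """Mirrors finding 3: a developer shortcut accepts any password for 'devadmin'."""
    if username == "devadmin":
        return True  # backdoor: the password is never checked
    user = USERS.get(username)
    return user is not None and _hash(password, user["salt"]) == user["hash"]

def hardened_login(username, password):
    """No special-cased usernames; every login verifies the stored hash in constant time."""
    user = USERS.get(username, _DUMMY)
    valid = hmac.compare_digest(_hash(password, user["salt"]), user["hash"])
    return valid and username in USERS

def hardened_change_password(username, current_password, new_password):
    """Mirrors the fix for finding 5: a change requires proving the current password."""
    if not hardened_login(username, current_password):
        return False
    salt = os.urandom(16)  # fresh salt on every change
    USERS[username] = {"salt": salt, "hash": _hash(new_password, salt)}
    return True
```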
Dynamic Analysis
For dynamic analysis I am using drozer.
drozer is a security and attack framework for Android application testing. It is a tool that can be used for mobile device review, secure development of applications, BYOD approval and mobile application testing.
After getting the drozer console, I first listed the available modules using: ls
After ls we know everything is working properly, so I started looking at some basic info about the app by running the following command:
run app.package.info -a insecurebankv2
Now that we have the app info, let's identify the attack surface with a single command:
run app.package.attacksurface com.android.insecurebankv2
Now let's extract the AndroidManifest.xml file:
run app.package.manifest com.android.insecurebankv2
Now let's find out what activities are in the app:
run app.activity.info -a com.android.insecurebankv2
Above we can see the list of activities in the app.
So let's try some of them after analyzing AndroidManifest.xml.
Try to launch these activities using drozer with this command:
run app.activity.start --component com.android.insecurebankv2 com.android.insecurebankv2.LoginActivity --action android.intent.action.MAIN --category android.intent.category.LAUNCHER
After using this command I get this interface.
Now let's do the transfer activity without logging in.
Command: run app.activity.start --component com.android.insecurebankv2 com.android.insecurebankv2.PostLogin
We are successfully logged in after executing this command
We have bypassed the authentication
We can change the password simply by executing this command:
run app.activity.start --component com.android.insecurebankv2 com.android.insecurebankv2.ChangePassword
In the drozer list command I found this.
Let's try this.
Now we will gather some more info.
1) About the content providers
run app.provider.info -a com.android.insecurebankv2
2) Interacting with Services
run app.service.info -a com.android.insecurebankv2
The app does not have any exported services.
CONCLUSIONS
Security testing should be a priority when developing a mobile app — equally important to features, design, and delivering it on time. This holds true for every app, whether it is a grocery list, online shopping or a banking app. Most vulnerabilities can be avoided or limited if security practices are observed, while loopholes can be found and closed through strategic, comprehensive automated and manual mobile testing.
This is the end. Thank you for reading this write-up.