Damn Insecure and Vulnerable Application – Part II

In this post I would continue to discuss about the testing of “diva” application.

Till now we have discussed about:

  • Android Architecture
  • Android Application Architecture
  • Android device virtualization
  • Connecting to the android device using android debug bridge
  • Using shell commands on the device
  • Installing android application using adb
  • Knowing about the process which is executed when we click to launch the application (diva)
  • Getting the logs of the android application

If you don’t know about the above points then please read my previous post.

In this post we will try to solve the challenges which was presented by the android application named “diva”

Fig 1 : DIVA Application Interface

So, I hope you are ready to solve all the challenges with me. Let’s get started with the 1st challenge presented to us which is Insecure Logging.

Challenge 1 :

This challenge presents us, with the following screen –

Objective: Find out what is being logged where / how and the vulnerable code.

Hint: Insecure logging occurs when developers intentionally or unintentionally log sensitive information such as credentials, session IDs, financial details etc.

Fig 2 : DIVA Challenge 1

Note: As I have restarted my android device the pids might change. Currently the pid of diva is 1427. For checking the pid of a process, you might want to refer my previous post.

So first we need to find out what is being logged. As we know that all Android applications generate logs which is monitored and kept by the Android system. The logs which are kept by Android system can be viewed using our old friend which is adb (discussed in my previous post). We have also checked the commands to fetch the logs of Android system. Now lets start the fetching of the Android system logs with the pid ( process ID ), using the following command –

adb logcat | grep 1427
Fig 3 : DIVA Challenge 1 – logcat

As the fetching of logs is started, lets enter our credit card number in the field provided by diva application.

Fig 4 : DIVA Challenge 1

As we proceed with the checkout button and view the logs, which is being fetched and displayed in my kali virtual machine, we would find that out credit card number is displayed in logs (in clear text) –

Fig 5 : DIVA Challenge 1 – Logcat

Now that we have completed the half part of the diva challenge 1, lets proceed to the other part which is find the vulnerable code which is the culprit in this mishap 😊 !!!

For finding the vulnerable code we would need to know about the concept of unpacking / decompile the android application. For now, let’s understand the steps of unpacking / decompile the Android apk ( on later post I would discuss about the concept of unpacking the android application ).

Note: The tool which we are using is Jadx. Jadx simple decompiles our apk to java codes.

Now that we know a bit about the tool, let’s download the tool from Github.

Fig 6 : Download Jadx

After you click and download the stable version of jadx, you would get a zip file. After you unzip the zip file, you would find the files as in the below figure.

Fig 7 : Jadx Files

Note: The main executable file is in the bin directory.

To decompile the android application “diva”, you would just need to run the following command on the diva-beta.apk.

jadx diva-beta.apk
Fig 8 : Jadx for Challenge 1

After completion of the decompiling process, you would get a message that it has completed with errors. Don’t worry…that’s normal (as all files cannot be decompiled).

You can also use the GUI version of Jadx, which would be easy to use for the users who are not that much familiar with the command line approach. I would be also using the GUI version for simplicity.

Fig 9 : Unpacking using Jadx

Now let’s click on “jakhar.aseem.diva” –> then click on “LogActivity”.

You would find the java code in the right panel:

Fig 10 : DIVA Challenge 1 – Jadx

If you know a bit about java language, then you might have analysed that the code which is in red rectangle is the real culprit (killer B). Well now everything which is killer B for me as I am watching B : The Beginning.

Now I hope you are ready for the next challenge:

Challenge 2:

Objective: Find out what is hardcoded and where.

Hint: Developers sometime will hardcode sensitive information for ease

Fig 11 : DIVA Challenge 2

Let’s try some common pass key like “admin” “pass” “password” etc.

Fig 12 : DIVA Challenge 2 – Failed Attempt

It says “Access denied! See you in hell :D” ☹ …

Well I don’t know the vendor key !!! Let’s check what the hint says. As in the figure above we can guess that the key is hardcoded.

So, for this challenge, we would again need to check the code of the application. Let’s get back to Jadx and have a look in the activity file named “HardcodedActivity”.

Fig 13 : DIVA Challenge 2 – Jadx

If we investigate the code, we can see that the secret key is “vendorsecretkey”.

Let’s try this in the application (well all coders out there would know that damm this is the key, no need to test) 😊….

Fig 14 : DIVA Challenge 2 – Access Granted

Hurrrieeee !!!!! It’s a success. So, developers never do this else we would meet on the other side…… 😐

Challenge 2 completed !!!

Moving on to challenge 3.

Challenge 3:

Objective: Find out where / how the credentials are being stored and the vulnerable code.

Hint: Insecure data storage is the result of storing confidential information insecurely on the system i.e. poor encryption, plain text, access control issues etc.

Fig 15 : DIVA Challenge 3

As the objective says, this activity stores the data in an insecure way. So, let’s first enter some data on the provided field and then search for it in the genymotion device, with the help of adb.

Fig 14 : DIVA Challenge 3 – Creds Entered

I have entered 3rd party user name as “admin” and password as “pass”.

Now, let’s get back to our kali machine and let’s try to search the text admin in the entire device.

Before that let me introduce you to the android package and its file location in the android device.

Every application which is installed in the device has a package name and it also creates a folder with this name (during installation). This folder is created in the location /data/data/ in the device memory (this can be changed in the Android version like Marshmallow and above). Now as we know a bit about the application installation in the android device, lets try to find the diva application folder in the genymotion device.

To get into the device shell, we would use the following command:

adb shell
Fig 15 : ADB Shell

As we know the exact path of the directory, which is created while the installation of package / application, we could directly navigate into the “/data/data/” directory using the following command –

cd /data/data/
Fig 16 : ADB Shell

In the “/data/data” directory we need to find the relevant directory which is of diva. As we are unsure for the package name, lets search the entire directory with the word “diva”.

ls -l | grep “diva”
Fig 17 : ADB Shell -DIVA folder

As in the above screenshot we can see that the directory name is “jakhar.aseem.diva”. Now let’s search the file which contains the string which we have entered in the application.

If we use the ls command inside the “jakhar.aseem.diva” directory, we find the following folder / directories –

  • cache
  • databases
  • lib
  • shared_prefs
Fig 18 : ADB Shell – DIVA folder list

If we start guessing, the string can be stored in cache folder. Well let’s check it out.

Hmmm … no luck. If we try this on every folder then we might get something….

After repeated folder searching I found a xml file inside the “shared_pref” folder.

Fig 19: ADB Shell – DIVA shared_pref

When I executed the cat command on it then I found the strings which I was searching for.

Fig 20 : ADB Shell : DIVA shared_pref

Well mission accomplished !!! hip hip hurrrieeeee 😊.

Stay tuned for more enjoyment in my next post.