Damn Insecure and Vulnerable Application – Walk-through

In this post I would be discussing about how to perform security testing on android application. And at the end of the post, a document is provided in which you would find the lab setup steps.

Before understanding the security testing of android application, you must have a good understanding of the android platform & its architecture and the building blocks (components) of android application. If you are not aware about these then I recommend that you read the following links:

Coming to the lab environment I am using is mentioned below:

  • host system is windows which has virtual box and genymotion
  • virtual box and genymotion’s device are both in bridge mode
  • Android 4.4 (kitkat API version 19) is used
  • In virtual box, kali linux is also simultaneously running (along with genymotion)

Note: This setup works good for me. But you might also try host system as kali linux in which you can install genymotion on it.

Now, I would like to introduce the tool called adb or android debugger bridge. Adb would help us to connect, fetch data and pass instructions to the remote android device ( which has debugging mode on; it can be turned on through developer mode in the device settings ). But in this case we would be using the genymotion device ( virtual device ).

For explaining purpose, I am taking up a vulnerable application called DIVA ( Damn insecure and vulnerable mobile Application ). The application was developed by a security analyst in Payatu, for understanding the vulnerabilities in android application. So lets make his wish complete 😊 !!!

First, let’s start the genymotion device by following the following steps:

  • Search for Genymotion Application in your Windows / Linux
  • Start the genymotion.
Fig 1 : Genymotion Interface
  • Click on the device you want to start and press the start button
Fig 2 : Genymotion Interface – Start device

If you have followed the steps correctly then, you may find a screen similar to the below image:

Fig 3 : Android Device 4.4

As we see that the Android device has booted up, so it’s time for launching our kali machine in virtual box. So for doing that follow the steps below :

  • Start the virtual box
  • Launch the kali virtual machine from it.

Note: These two virtual machines are on bridge mode, so you would need to be connected to the router or a network were there is a DHCP server.

As we can see that both machines has been booted up, now it’s time to check the connectivity between our kali machine and the Android device. To check this, you would need to know the IP address of the Android device. To identify the IP address of device :

  • Navigate to the settings menu
  • Click on the WiFi option
  • You would see a WiredSSID in the networks
  • Long press the “WiredSSID” option
  • You might find a similar screen as below
Fig 4 : Device IP

Now that we know the IP address of the device, we would like to check the connectivity of the kali machine and the Android device. For doing that we would go to the terminal of the Kali machine and type the following command :

adb connect

If the command would execute properly then, you may find the screen similar to the below output.

Fig 5 : ADB connect

Now let’s verify that device is really connected, by executing the following command:

adb devices
Fig 6 : ADB devices

This confirms that the device has connected to the IP address and to the port number 5555 (by default adb connects to this port only).

Now we can execute different adb commands on the Android device. If you want to know the commands that is available with adb then, just fire the following command:

adb -h

You would be presented with a screen like this.

Fig 7 : ADB help

As we are aware of the adb commands, let’s dive deeper into the installation of the vulnerable application ( Android application ).

Note: Please download the application ( link is provide above ) in your kali machine, as all adb commands would be fired from kali.

For installation of the application you would need to execute the following command:

adb install diva-beta.apk
Fig 8 : ADB install

Now that we have finished the installation of diva-beta.apk, lets verify that it has installed successfully in my device.

Fig 9 : DIVA installed

We can see that the application has been installed and is available in the menu of the device.

Now that we have confirmed the installation of diva, lets start the application by clicking on the application icon. We would be presented with the following screen

Fig 10 : Diva – Challenges

The application has presented us with the following challenges:

  1. Insecure Logging
  2. Hardcoding Issues – Part 1
  3. Insecure Data Storage – Part 1
  4. Insecure Data Storage – Part 2
  5. Insecure Data Storage – Part 3
  6. Insecure Data Storage – Part 4
  7. Input Validation Issues – Part 1
  8. Input Validation Issues – Part 2
  9. Access Control Issues – Part 1
  10. Access Control Issues – Part 2
  11. Access Control Issues – Part 3
  12. Hardcoding Issues – Part 2
  13. Input Validation Issues – Part 3

We would be solving the above challenges in order to know different vulnerabilities in android application. As for the first challenge i.e. Insecure Logging, we would be checking the logs of the diva application through the adb command. For checking the logs we have the following command :

adb logcat

When you execute the above command, you might get a screen like the below image.

Fig 11 : ADB logcat

We can see that its bit difficult to understand the logs generated by the device, as it shows many different logging data ( which is of entire device ). To make it simpler, I would combine the results with grep command. Before doing that, lets find out the process id of the application package. So, for getting the exact result, I have executed the following command:

adb shell ps | grep diva

If the command executes without error then, you might find this screen:

Fig 12 : ADB Shell ps – Filtering DIVA

Let me walk you through the command. adb shell is the command used to send any shell instructions through adb; ps was sent as a shell instruction and the output of ps was supplied to the grep command. Grep is a very good tool to search for relevant string, in this case “diva”.

From the output, we now know that pid of diva is 1654 and the package name is “jakhar.aseem.diva”

Now, lets use logcat and grep in a combined way:

adb logcat | grep 1654
Fig 13 : ADB logcat – Filtering with process ID

You will see all the log related to that particular process i.e., diva.

In my next post I would be taking you through all the challenges step by step. Till then sayonara !!!

Mobile Lab Setup Document