Posts

Hacking Android Apps Through Exposed Components

In almost every Android application, developers expose activities without sufficient protections. Exposing activities can lead to various attacks. For example, an attacker or a malicious app installed on the same device, can call those exposed activities to invoke internal pages of the application. Calling internal pages puts the application at risk of phishing by manipulating […]

Android Emulator Tricks

When performing security (or regular) tests on Android applications, we sometimes need to emulate or fake mobile data or actions; making/receiving calls, sending SMS or setting the exact geo-location are some commands that can be done, using the Emulator Console.  Here are a few tricks that will help you through Android application testing using the emulator:

· First, connect to the emu, using telnet:

telnet localhost 5554

· To change geo-locations:

geo fix <longtitude value> <latitude value>

· To make a phone call to the emulator:

gsm call <callerPhoneNumber>

· To send an sms to the emulator:

sms send <senderePhoneNumber> <textMessage>

· To scale the emulator window:

window scale <value from 0 to 1>

· To take a screenshot:

screencap -p  </path/to/filename.png>

· To create input events (event codes list):

input keyevent  <event_code>

Monkey

The Monkey is a command-line tool that runs on the emulator instance or on a device. When the Monkey runs, it generates pseudo-random events and sends them to the system.

Read more

IOT – Compiling Brillo Easily

Google published the first version of Brillo, and as IoT researchers, the first thing that we want to do is to quickly compile and run it in order to get a feel for it, investigate it and learn as much as possible about the system…
 

At the beginning of our work we made some assumptions, which we found to have been correct:

  1. Instead of installing a new environment, it will be easier to install it on our AppUse VM which already has a lot of stuff on it.
  2. Google probably built it similarly to Android (both are Unix-based), so we took the Android compilation guide (links below).

 
Despite these shortcuts, we still came across a lot of trouble… I know for sure that you don’t want to waste your time to find and fix some stupid errors, so let me give you the shortest way to install it in a few steps and one script 🙂
 
Read more

Android Application Security Sucks! Here’s what to do about it

Prologue: The following post was written and published by Checkmarx (link) on their website as part of a collaboration between AppSec Labs and Checkmarx. Originally published on May 26th, 2015 by Amit Ashbel.

 

Android…. It is no longer just a mobile phone.

Nowadays Android applications are running anywhere and everywhere. Home Appliances, watches, TVs, car applications and with the Internet of Things kicking in quickly, Android applications will probably become even more prevalent in our lives.

android_dudeAndroid is based on a customized Linux OS version. The main differentiation from the classic PC Linux is that the Android OS was adapted to define every Application on the device as a separate User or entity.

Each Application runs on its own Virtual environment within the  OS called a “Dalvik Machine (DVM)”*. Application code written in Java is modified to Java Byte Code and then converted to DEX (Dalvik byte code). The DVM will generate, on the fly, machine specific instructions to the ARM CPU (or other CPU in use). All Android applications are packaged as an APK (Android Application Package). The APK is a type of archived file which contains everything the android device needs in order to execute the application downloaded via the Google Play store or an alternate source.

*Dalvik is being shifted aside (Android L). Newer Android OS versions are using ART (Android Runtime) however the general idea stays the same.

Read more

AppUse and Server-Side Attacks on Android Applications

Introduction

We all know our smartphones contain a lot of sensitive information about us, from credit card details through WhatsApp correspondence, our location, pictures and more.

Today we see serious development of the telephony field; banks and credit card companies are developing account management telephone applications, chat applications which hold a history of our conversations, and much more important information of ours is managed by the smartphone.

The Android operating system (OS) architecture allows the programmer to broadly manage the information; to create components which are accessible to other applications on the device, to save data in dangerous locations and so information can easily be managed incorrectly. In addition, many programmers who have always developed server-side applications are now faced with the need to develop client-side applications and are not aware of the possible risk – which, in turn, increases the known attacking surface available to the attacker.

When a tester performs a penetration test to an Android application, it is divided into to two main areas:

  • Client-Side Attacks – include client-side vulnerabilities such as saving sensitive information in a dangerous manner, saving passwords in the code, manipulation of activities, broadcast receivers, etc.
  • Server-Side Attacks – include applicative server-side vulnerabilities such as XSS, SQLi, Authorization Bypass, Authentication Bypass, etc.

Read more

ADB – Common commands

What is ADB (Android Debug Bridge)

The ADB shell is a bridge between your computer and the Android device, which may be a physical device or an emulator.

 

How to install ADB

ADB comes with Android SDK, but you can also find it alone. Inside the AppUse VM we have installed and prepared it for you.

Read more