
So today's talk will be on pen testing Android applications. I have a lot of examples and stuff, and I'll start with the basics, keeping the entire audience in mind, so that you will learn the basics and then you will know how to attack an Android application. I will also give a disclaimer, but everyone will ignore it once the PoCs start, because we are all here to have fun and probably to earn something out of it.

Who am I? I'm Harsh Modi, I'm from Vancouver, so if anyone else is also from Vancouver then you will always freak out about the gas prices here. If you're from Vancouver you will understand the joke; if you're from here then it's okay. But I was very excited when I saw the gas station for the first time when I landed in Alberta. I have worked at Fortune 500 companies like Optiv, PW and all those, and have worked with government and other clients to help them secure their web applications and mobile applications and all those kinds of pen testing. I've also done IoT, network and other things, where I hacked a Bluetooth pacemaker which controls the heart and all that stuff. So yes, I've been doing this since I was in my ninth grade. I started at that time; I was not aware things like bug bounty exist, otherwise I would have made a lot of money, because that was an era where everything was vulnerable and exploitable.

Recently I am doing my own research on car hacking, which I will be presenting at BSides Calgary in November; I will see the community there as well. I have also done research on ChatGPT, because you know ChatGPT is the new thing in this modern world and we were able to do a lot of things with that, and Samsung Pay, because I'm on Samsung Pay, and blockchain and smart contracts are something I'm working on right now, because Web3 and blockchain are the future of our industry, or probably they have already started being used by a lot of people. I have also done some bounties on Bugcrowd, HackerOne and with Cobalt, but when I came to Canada... I never heard my American friends saying that we have tax, tax, tax and all those things, but when I came to Canada I had to pay 40%, so I kind of gave up the bounty thing. So that's whatever I've done.

The agenda is pretty much clear. I'll start with the basic question, what is pentesting, because my family members and relatives and some of my friends don't understand what pentesting is; they think I am testing fans. So I think offensive security is a term coined after people didn't realize what pentesting is. Then I'll have some prerequisites: what you should know, what you should know about Android and all those things. And there is a disclaimer that, as in application development, Android and mobile application is for security, so you know how secure these apps would be; there is no... because no one laughed from the audience, so I'm making it clear. Then I have some PoCs, and then I will share some of the resources, what you can do on your own, and then you can ask all the questions you have.

So the first question comes: what the heck is pen testing? Anyone who is working here from the industry before 2010, or like 2015 and stuff... when I started in 2015, I started with mobile, hacking Android applications and games just for fun, and then I was also selling those games to my friends and other people, and I'm an entrepreneur, so yes. But it was very difficult to explain to everyone what pentesting is and what we do, so I have kept this slide: pentesting is finding security flaws in anything that has an IP or anything which is electrical, but you have to report it, documented, you have to take full responsibility for what you do, and then you are also kind of responsible for patching it, or at least giving an idea on how to patch it. And the most important question is: is it legal? Unless you want to come on Global News or CTV News; I'm not much aware what the news channels in Canada are, but if you want to land up there you can ignore the fifth point. Also, one other thing that a lot of people don't understand is that scanning is scamming, which is what I tell, and I'm sure my friend Corey will agree with this because he also had it in his talk, saying that I've seen a lot of people just scanning with
all those 100,000K or 100K tools, with which they are not able to find anything. It is the same for the web, for APIs, and it is the same for mobile applications as well.

So why mobile application pen testing? According to the statistics there are like five billion plus applications or something like that on the App Store and Play Store. And every company, when you go on, for example, BSides Edmonton... I don't want to take any names of any company or something because this is being recorded, but for example, everyone has their own application that goes onto Android and iOS and all that stuff. So we have seen a pretty high surge of mobile applications, and that's the difficult point here: we have seen a high surge in development, but we have seen a low surge, like a dip, on the security side of it. So security is less; there are lots of misconfigurations; there is a lot of sensitive information that is being leaked, by that I mean hardcoded credentials and everything, and I'll prove my point in the remaining slides, so not to worry much. API leakage, endpoint leakage: by endpoint I mean how the mobile application interacts with the server or anything. Sometimes that information you cannot find via the recon process or information gathering that is a standard thing when you perform a penetration test, but here you can find all kinds of endpoints and stuff, and because they are hidden, security is obviously less on these endpoints. We all know the popularity of Android and iOS, so that's like a huge market out there. Also I have some GIFs on the side, I hope no one gets offended or something like that, but last time when I presented there was someone from the government and he was like, "Is it a joke to you?" I said I didn't understand whether it was the report or the GIF. [Laughter]

So if you're a college student then you will always get something like this architecture diagram, but I think it is better to understand what the architecture is, so if you find anything you will know how to report things and where you are. The first layer is the applications, and basically this is the most upper level, where you install any application and a sandbox is assigned to that application so that the other applications cannot see the data or those things; that's the pretty standard stuff. Then there is the application framework: there is the activity manager and location manager, resource manager, which will give the allocated memory and all that stuff. Then come libraries. Libraries are something that will help the application with support; for example, if you want to play a music file then there will be a library supporting MP3, if you want to stream a video or something like that, these libraries would support that. There is also something called DVM and all those things, so that is related to when you write Java code and it gets compiled to assembly code and then it is binary code; that's what I mean, you get the APK. So those are those things, but we will not go there. The hardware layer is something that is like the buttons on your phone. So I have this Pixel, so if you press this and all those buttons, those are the hardware layer, so they have a different code, so that sometimes even if the operating system is not there on the phone you are still able to interact with the buttons. So that's what the hardware layer is; it's a different piece of code, it doesn't come into the... And kernel: if you are exploiting anything in the kernel then you will have root access and stuff, so we'll talk about those in detail, I think. Yes.

So now there are four types of app components. So if you have installed an
app, then what after that? So when you open an application, any screen that you see, that is activities: like your login screen, you're sending some money, all those things; any individual screen is an activity. Services: I'll go back again to the Windows background; anything that is running in the background, those are called services. Broadcast receivers: if you turn on your Wi-Fi then a broadcast message is given to all the applications that Wi-Fi is turned on, so everyone, WhatsApp, Facebook, everyone will give you notifications, "This is what you have missed." And content providers, which supply data from one application to another on request. You have to understand one thing: the mobile phone that you have also stores data and it can also work as a server, so sometimes it will take data from the internal memory and then it will send it to the server, so that is like the client side mechanism and the server side mechanism. But a lot of people have this confusion, because a lot of people come from the web application background, so like your browser is the phone, but mobiles do store data in the internal storage, in Android/data/com.<package> and all those things. So please keep in mind that one thing; I've seen a lot of people with this misinterpretation, so I clarified it.

This is what is in the application, that is the Android application, whether you download it from the Google Play Store or pirated versions of the Google Play Store like Black Market APK, APKPure or anywhere you download and install. These are: the AndroidManifest. So there's a funny thing in Android applications: when they were developing, they were like, okay, we will have this kind of index thing where we will give all the information out, so people like me will just go to AndroidManifest.xml, pen test over, because everything is there in the AndroidManifest.xml: name, version, permissions, components, everything. The META-INF folder: these are the files which are required for installation or execution. And classes.dex, which we will reverse; basically it has bytecode, and Android applications are written in Java or Kotlin. The lib folder is something that will have native libraries specific to certain device architectures, so that would be like ARM devices, 32, 64, whatever you have, but it would have everything that would be compatible with your device, so that you don't have to, like, on Samsung, on Google Pixel, OnePlus, you only click the install button and it installs based on your resolution and everything. So here it is, I think those things come from the lib. Resources is a very interesting thing, because if an application wants to display a picture or wants to play a sound, or if any hardcoded thing is there like an AWS or Firebase key or anything, then it goes into the resources and strings.xml. So everything in Android is stored in XML, and there is also no S in XML, so there is also no security in XML. And resources.arsc is this one file where everything from the resources is compiled, in compiled version, so that the application can understand it; it's in binary form.

Now the prerequisites. These are not the complete list of prerequisites, but it will help you to get going. First of all, I recommend everyone who wants to pentest Android apps should have at least one rooted phone. Why? Because there are a lot of attack vectors where you want to see where the application is storing something, or all those things. I also recommend having Android 8 or above, because if you use Android 5 that was released in 2014, then there is no use in using such an Android operating system. I am a little bit lazy, so I have Kali Linux because everything comes in it, but you can also have your own, any version of Linux like Ubuntu or anything; I think everything works fine, because Android is also Linux at the base, so Linux on Linux, you can destroy it better. So if you have that much capability to run Android Studio, then you should run it, but I use Genymotion if I want to do any emulation or if I want to use any emulator. So Genymotion is like, you select a mobile phone, that is Google Pixel, OnePlus, you select the Android operating system from Gingerbread, that is 2.x, to the latest, 11 or 12, whatever it is, and then it will spin up your shell, and Genymotion knows that people don't use it for
development only, they use it for testing, so I think it comes pre-rooted, so you don't have to root it; all the things are there inside it.

Now, these are some tools that I like. One is Burp Suite, and everyone knows Burp Suite, because for dynamic testing, whatever your application is sending, you intercept it and then you can play with it and you can manipulate a lot of things. So Burp Suite comes from PortSwigger, and I will not go much into Burp Suite because I think there are two or three talks today where Burp Suite was already covered. Drozer is something that is based on a client and server model, so drozer will be installed on your mobile phone and there would be a server installed on your computer, and then from the server you will interact with the mobile drozer and then you will poke applications. Thank you. There is Mobile Security Framework, so if you're really lazy then you can just grab an application and put it into Mobile Security Framework, because it does like 50 to 60% of all the tasks: reverse engineering, AndroidManifest.xml and everything, so that is a good tool to look out for. I started myself with Mobile Security Framework and then I saw what kind of things Mobile Security Framework is doing and then I started from their path. Actually the lead developer of Mobile Security Framework is also from Vancouver, his name is Ajin Abraham, and I had the pleasure to talk with him as well. Android Debug Bridge: Android Debug Bridge is a utility created by Android itself; whether we are misusing it, that's a different thing. So Android Debug Bridge is like, you can install, you can connect with your phone. So here you can see that if you have connected something and you type the command adb devices, then this is my Pixel, and this is how the Pixel looks, basically. So if you have done all the things right, like installing Android Studio, then you will get ADB for free because it's a part of the Android Studio module, but you can also install it alone, so I've done that. What ADB does is that ADB interacts with the application, with the logs of the mobile application, and then you can also interact with the application, and you can put your files in there, install a binary if you modified it on your laptop using reverse engineering and anything. So ADB is handy; ADB is like your C language, it has all the functionalities, but you have to really look into all the methods, and there I highly recommend the documentation by Google itself.

Now the fun part is rooting a mobile phone. Has anyone here rooted their Android devices and voided their warranty and stuff like that? Yes, I like the audience. Yes. So why do you want to root your mobile phone? To buy some free games or something? Or no, because when you buy any Android device the problem is that you don't have full access to that Android device, so you have to root the device, and then you can look into the internal memory system, you can modify a lot of things. I personally use Magisk Manager... okay, I have to run fast. I personally use Magisk Manager and I install a lot of utilities, because now Magisk Manager is a standard way to root all the mobile, or all Android systems; it doesn't matter whether you're Samsung or anything, you just grab the file and flash it and it will root it, and you will have all the access to /system/bin, /system/xbin. Modding applications: so I have done a lot of things, so I have a demo for you
and basically I've chosen two apps that are not that famous here, but it works with most of the applications. So here, this is an application which is used for peer-to-peer, and now, as you can see here, the "upgrade to ad free" option is there, so basically you have to go and buy a key on the Play Store and then there will be no advertisement, but I don't like to pay. So this is the second application, where you can see there is a "remove ads" feature. So now we will try to patch the application, and this is another application called Lucky Patcher, and I'm sure everyone would be aware of it because it's been in the market since 2015. And these are the things: I will choose the support patch for in-app and LVL, so it will basically create a server here on the application and intercept the request and then it will return the request saying that the payment was successful, but it is not successful, as we know, because we have never gone to the Google Play Store. So now you can see here that, oops, now you can see here we have a professional version, because we have patched the application and there is no server side validation of whether you really bought it or not. This is another application, and you can see that ads are removed from here.

Now I will ask a quick question to the audience: if you have this kind of knowledge, which application will you try to get for free? YouTube, okay. See, that's why we are different, because I did it on the Google Play Store itself. I said, why go and buy applications individually when you can just patch the Google Play Store and get everything for free, right? So yes, I was able to do it in 2015 and 16, and the problem was I was not aware of bug bounties at that time, otherwise I would have gotten a lot of bounties. But after patching the Google Play Store, my first Gmail ID is blocked now; I don't have access to that one, but I remember that a lot of other applications were free for me, not all the applications from the Google Play Store, and then there was like Google constantly getting updated and all those things, but someone did this and Google patched it in like 6 or 8 hours. So that's why it happened with Google, and I tried to find that video, where it was a video released by a researcher where he's just going on buying all those things, right, he's bought everything for $10,000 in like 5 minutes, and any app that comes he's just buying, buying, buying, buying, because he's not paying. And the other cool bug that I found at that time, or I saw at that time, but I did not have the resources to do it: Pokémon Go. And I even saw someone here on the campus playing Pokémon Go, so we can share the IDs, you know, I still play Pokémon Go. So the problem here with Pokémon Go is, when you reverse engineer it you will find some endpoints which spawn the Pokémon, and there is entire documentation given for it, so basically you can sit here at BSides Edmonton and you can spawn all the Pokémon, because you have your own server locally hosted and the first request goes there. So I think I completed the Johto League region doing that, but obviously now the security is much higher; I'm talking about 2016, 17, sometime when the app was recently released. And yes.

So, bypassing root detection. So how does root detection work? And if you don't bypass the root detection, most of the mobile banking apps don't work on your phone, but I know how the developers do this, so I'll teach you how to make banking apps work on a rooted device. So how the detection works is, when you root a phone these kinds of things are available in the root directory, /su, /superuser and all those things; these are the places where, this is basically the package that you install; if you install Magisk Manager or any other rooting tool then you will see those directories. So change the directories, create a link, list or something like that, or you can use MagiskHide and all those features, and most of the banking applications work. We are in Canada, and it works in Canada as well; because we are being recorded I will not say the banks, but it works on all the banks. Enjoy. So this is the systemless hosts and the Magisk config. So I think we are late on time.

SSL pinning. So what is SSL pinning? SSL pinning is a feature so that you cannot intercept the request from a mobile to a Burp Suite or something in between, but they have not met a hacker, so I'll teach you how to do that. Usually if you have a rooted phone and you import the Burp Suite certificate into the root directories then most of the applications will work, but considering that we are taking a very secure application, which I have not found yet, you can do it with Frida and other tampering tools, where you create your own server on the application in a rooted device, and then these are the commands. There are lots of commands actually, to start a server, to spawn a server, to grab the Frida binary and all that stuff, but I would recommend looking into the documentation of Frida itself. Anything that you want to learn, always go and look at the documentation first rather than going on some blogs, because documentation is made for the most latest and recent version, whereas blogs can be, depending on how old they are. And see, this is like a very famous application, I would not name it, but the SSL pinning has been bypassed and now I
can use Burp Suite or any other thing to catch the traffic.

Reverse engineering. And how many of you have done any kind of reverse engineering, from the audience? Like, yes, you are a CTF player so you would have done it. So basically reverse engineering is something where you have the binary but you don't have the source code, and you obtain the source code and then look into the source code and poke into the source code just to see how things are working. So for Android applications there are two or three ways to reverse engineer, but I prefer apktool because it's very easy, so you can use apktool, you can decrypt and view the source code. Also, the second thing is, you can rename the APK to zip and you can extract it if you just want to use the bare minimum tools every Linux operating system has, and then the Java or any kind of source code that is available can be used in any Java interpreter or Java code viewer, that is jadx, JD-GUI and all those stuff. Why do you want to read the source code? Because there are keys, strings, APIs and all those juicy stuff. And also, you have to understand this functionality: whenever you are logging in, the developers kind of record something in the log of the device, and logs of the device are accessible by every other application on the mobile. So here there is an application where if you log in then the access token is shared to logcat, and so any application can grab it, and the developer was under the impression that "I have the best application", so the session token was not even expiring, so you know how things can go. You can also automate these things, so you can use Linux utilities like grep and uniq, sort and all those things, and you can find all the XML and you can look for terms like password, tokens, APIs and keys, and you can just poke around with it. Usually there are two files, AndroidManifest.xml and strings.xml, where you can see these things, but usually developers leave everything anywhere, so yes, it is good to know all those things.

This is something that I have to explain to you: what is OAuth? So OAuth is something like "log in with Google" or "log in with Twitter" or all those things; a unique token is generated, that is, your username and password is not shared, or a token is generated and this token is then shared with those services. Like, this is a functionality which is not logging into Google or Twitter, but this is just a functionality where you share your video on Twitter or Google, so you will get a link and you can post that link onto Google, or sorry, Twitter or Facebook or stuff. But I think the developer copy-pasted the code from somewhere which had the authentication, OAuth kind of request, so the token is also shared in the request and response. So I had to hide it, because you know someone would call me tomorrow. So this is Burp Suite and I intercept the request, and first I missed it because I was not expecting it to be there, and then I found it, and we had a big conversation after that.

So another feature of Android is WebView. So what is WebView? Basically you can have anything from the website displayed directly in your Android application, so you will have all the OWASP Top 10 for web applications available in the mobile application also, because there is a WebView kind of feature. Here we have gained an RCE on this application, and what we have done is that we have uploaded this shared object, and it has just a simple command that sends a request to us in our local environment, but we can do it on the internet as well, but I prefer to do it locally because the phone is with you, but using tools like ngrok and all those things you can send your shell. And the thing is that this is an application where you upload a file and then you can share it with anyone via message. So for example, if I upload this file and I share it with anyone and then they open it, then I will get the shell for it. Why? Because this is the graphics library shared object; what it does is that, like GIF and all those kinds of extensions, this application renders them via this graphics library. But as you can see, it is ../../../; if I upload it like this, it will go to the root directory of the application and replace this file, because the application has the permission to do that even on a non-rooted device. So it will replace it, and once you open it then it will give me a shell. So here we have
Oh, so as you can see here, we have the shell, and I just did ls and I have a lot of information from that mobile phone, but we can access all kinds of data here, because the application has the permission to check the file storage, photos and everything, because usually we don't see what kind of permissions the application is asking for, and we just allow, allow, allow, and we just press allow as fast as we can. So how Android should ask for permissions, there is a debate still going on, and in my experience a lot of applications ask for a lot of permissions which they do not require, or maybe they require in future or something, but permissions are always misplaced.

Drozer. So we have this drozer, which is again a client server model, where you install the application on your mobile and then you interact with the server. Drozer is the same as Metasploit, because it has... and I absolutely like the person who invented drozer, why? Because he was very fond of the English language, so you can see the commands: run app.package.list, so you know that it will list all the applications on the phone, and then there is that .attacksurface, so it will see what of the broadcast receivers, the content providers, whatever, is exported and all that stuff. If you have installed drozer this is something that it would look like in Ubuntu Linux; so I'm covering all Linux operating systems, Kali, Ubuntu. So this is an application where the application was storing everything in its private directory, which is the space that is only allocated to that application, and if you navigate, you cannot navigate to that folder if you don't have a rooted device. But you don't need a rooted device, because from drozer you can find out that there is a content provider which exports all the databases, and in those databases we have passwords, keys, PINs and everything stored in there. And I think the developer was not aware; he was under the impression that no one can see here, so everything was in plain text. But to convince him we had to do a SQL injection, so imagine you already know what's in the database but still you have to do an SQL injection because the developer doesn't understand what you are saying. But I love developers, why? Because I'm getting paid for their mistakes, so I don't complain, but this is the thing. So yeah, so this is the same vulnerability, I'm showing it via SQL injection on the local device, and yes, this was the GIF where he got offended.

So, deep link exploitation. So what are deep links? Deep links is another Android feature where you can access something if it has a unique URI or unique protocol, like HTTP, FTP, SFTP and all those things; then you can define it as a deep link in intents or those kinds of things, and then the application will basically go and authenticate and then it will come back. The problem here is, if it is misconfigured, then you can authenticate it somewhere else as well. So for example, the URL is http://abc.com or anything, but the application is not checking whether this is the URL I should go to or not. So basically it's like, if I'm from abc.com, this kind of request should only go to abc.com, but here it is not going that way; here, somehow the localhost of a machine is in the whitelist section, so I just spawn it, and where it is written "URI schema" you can have that deep link and you can get the OAuth token, which is obviously... the OAuth token is also shared across web application, mobile application and stuff, so you can do it. I am also a big fan of Zlatan Ibrahimović, so I kept it there.

Final thoughts. So on one side you have all the vulnerable applications, that is AndroGoat, MSTG is from OWASP itself, DIVA is by Payatu; so Payatu is a company in India, but I read one of the first blogs of Payatu, so that's why I know Payatu. Then there is InjuredAndroid, and so basically if you want to learn you can grab these applications and break them, and once you have mastered your skills you can go on to the Play Store and also grab and break everything if you want, because as long as you don't tell anyone what you have done you are not guilty. Advanced research topics for this: obfuscation, deobfuscation. So some companies have started to encrypt their binaries, some companies, I mean 1%, so actually they will have the entire thing encrypted, but there are also obfuscation techniques, so you won't be able to see the source code; it would be like a a b b c c a a and all those things when you open the file in JD-GUI. Deep link exploitation and Frida exploitation and all those things are vast topics, so I've kept it here for anyone who is interested in this. Bypassing biometrics: since we have a couple of minutes I will go into bypassing biometrics, because now a lot of things, once you log in, the next time on mobile applications and every other application you can log in via your Face ID or your thumbprint and everything, so if you're on a rooted device then you can actually break into those things, so there is huge research going on on that stuff. And reverse engineering is also something that I've just touched on, so there are lots of techniques for reversing and patching and modding an application, so I've kept it here. Thank you, thank you very much, and I also thank all the organizers, sponsors, volunteers and my man Harinder, who is the man of the match of BSides Edmonton. So thank you. If you have any
questions, if you have any questions you can shoot at me; just the questions though, or you can ask here.

[Audience question] Quick question on the concept of containerization for mobile device security. Can you comment on that, and is it really a good control to protect mobile applications? Because I see it being implemented, especially for BYOD, bring your own device, to separate between corporate applications and personal applications. Does containerization help, based on what you just presented?

I have myself escaped from a lot of containers and sandbox environments, so it is really how you have configured those things. It is the same as cloud: by default cloud is a little bit secure, but all the misconfigurations and those things happen, and because of that a person is able to break out of it. By default also Android gives a container and sandbox environment, so for example one application cannot access another application though they are at the same level of authorization, like at the same level in the architecture all the applications are at the application level, and then they ask for resources and stuff. Yes.

[Audience question] So you mentioned SSL certificates, and you know, breaking SSL certificates; is there, from your point of view, a solution that would be foolproof?

No, no. Why? Because see, the problem with SSL certificates and pinning is that you have the entire mobile in your hand, right? So sometimes you can even get the certificate which is being used, if it is not properly encrypted and all that stuff; you can modify it, you can go through it. If you have a rooted device, then the whole game changes. The other technique that has happened in the recent industry is that they have tried to maximize the encryption level to a certain point, but when it comes to mobile resources, I think going to that kind of level of encryption, most of the mobile phones will not support it, because we have like 4 GB, 6 GB, and Android is the same as Windows, everyone is grabbing memory. So I think that's a bit [inaudible].

[Audience question] My question for Modi is... I'm just over here, okay. Okay, yeah, it's Michelle. Question for you: I was very intrigued by the OAuth tokens being exposed by the applications in your research. How many applications are not handling the tokens properly? Because that's clearly not handling the tokens properly, right?

I'm counting, actually, but I think it's a decent amount of applications that do that, because here the request was not to share, the token was never asked for here; still the developer was giving it out and sharing it. And the funny thing was also that if you exactly copy-paste this token and just go into your developer tools, then you can be the same user, so that's the thing on that, and you are on Twitter as that user because it's OAuth, right? So that's the thing here. Yes, but see, the problem with mobile application development is that it's a part of DevOps, where everything is agile, meaning they want everything very fast, and when you do everything very fast it is a bit insecure.

Thank you, thank you.
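The manifest and strings.xml review the talk does by hand with drozer's attack surface and grep (which components are exported, which content providers have no guarding permission, which deep-link schemes an activity handles, and which string names look like credentials) as an added example, not code from the talk or from any tool it mentions: a small Python audit over constructed sample files. The package name, component names, authorities and the placeholder key below are all made up, and the exported-by-default rule is simplified as noted in the code.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"  # namespace of every android:* attribute
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample of a decoded AndroidManifest.xml (fictional package, not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sampleapp">
  <application android:label="SampleApp">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AuthCallbackActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="sampleapp" android:host="oauth"/>
      </intent-filter>
    </activity>
    <provider android:name=".NotesProvider"
        android:authorities="com.example.sampleapp.notes"
        android:exported="true"/>
    <provider android:name=".PrivateProvider"
        android:authorities="com.example.sampleapp.private"
        android:exported="true"
        android:permission="com.example.sampleapp.READ_NOTES"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""

# Constructed sample res/values/strings.xml; the "secret" value is a placeholder, not a real key.
SAMPLE_STRINGS = """<resources>
  <string name="app_name">SampleApp</string>
  <string name="api_base_url">https://api.example.invalid/v1</string>
  <string name="aws_secret_key">PLACEHOLDER-NOT-A-REAL-KEY</string>
  <string name="welcome">Welcome back</string>
</resources>
"""

# The terms the talk suggests grepping for: passwords, tokens, API keys, cloud keys.
SECRET_NAME_RE = re.compile(r"(secret|passw(or)?d|token|api[_-]?key|aws|firebase)", re.I)


def attr(elem, name):
    """Read an android:<name> attribute (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem):
    """Explicit android:exported wins; otherwise a component with an <intent-filter> counts as
    exported (the pre-Android-12 default). The older provider default is not modelled."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def exported_components(manifest_xml):
    """Exported components with their guarding permission and any deep-link schemes."""
    app = ET.fromstring(manifest_xml).find("application")
    found = []
    for elem in app:
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem):
            continue
        schemes = sorted({attr(d, "scheme") for d in elem.iter("data") if attr(d, "scheme")})
        found.append({"kind": elem.tag, "name": attr(elem, "name"),
                      "permission": attr(elem, "permission"), "schemes": schemes})
    return found


def suspicious_strings(strings_xml):
    """(name, value) pairs from strings.xml whose name looks like a credential."""
    root = ET.fromstring(strings_xml)
    return [(s.get("name"), (s.text or "").strip())
            for s in root.iter("string") if SECRET_NAME_RE.search(s.get("name", ""))]


def audit(manifest_xml, strings_xml):
    """Combine both checks into (severity, message) findings, in manifest order."""
    report = []
    for c in exported_components(manifest_xml):
        if c["kind"] == "provider" and not c["permission"]:
            report.append(("HIGH", "%s is exported with no permission: any app can query it" % c["name"]))
        elif c["schemes"]:
            report.append(("MEDIUM", "%s handles deep link scheme(s) %s: confirm it validates the URI"
                           % (c["name"], ",".join(c["schemes"]))))
        elif not c["permission"]:
            report.append(("INFO", "exported %s %s without a permission" % (c["kind"], c["name"])))
    for name, _value in suspicious_strings(strings_xml):
        report.append(("HIGH", "strings.xml entry '%s' looks like a hardcoded credential" % name))
    return report


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_MANIFEST, SAMPLE_STRINGS):
        print(severity, message)
```

Run it against a real `apktool d` output by reading the decoded AndroidManifest.xml and res/values/strings.xml into the two functions; the unguarded provider is the case the talk's drozer demo pulls databases from.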