
Afternoon everyone. My name is Rungi and I'm going to be talking about mobile app testing. Thanks for coming down and stopping by for this presentation, by the way. So let's start with a question: how many of you have more than one device? Yeah, okay, it's most of the room. Do you remember a time when we did not have a device? We went from having a single device, or no device, to having multiple devices, and we have so many applications. Exactly, we have so many applications now that we don't even know the number. I don't know, at least; there might be some responsible people here, but I don't know. So the point is the threat landscape has been changing over time. We were worried about vulnerabilities on the web; now we're also looking at malware spread through mobile applications, or subscription scams, spyware such as Pegasus, or vulnerabilities such as the ones in the Google Camera app or the Amazon Ring app. So today we're going to talk about how to identify these vulnerabilities. I don't have solutions for all of them, but we'll try to find some.

Before we dive into that, here's a bit of introduction, and a bit of a brag, but mostly introduction. So how did I get into pentesting, really? I was aspiring to be a developer but did not really enjoy making code or building it; I enjoyed breaking it, so here I am, five years down, working as a senior penetration tester at KPMG. If you're wondering what happened in those five years, connect with me on LinkedIn and we can chat more. When I get super stressed, one piece of advice I have is to take a holiday, and during my holiday that's what the picture of the moray eel is doing there; nothing relevant to this presentation, by the way. Okay, so let's dive in. Today I'm going to talk about what I normally do during a mobile app test, so we'll go through a bit of initial setup, look at some case studies, and the general process. Any mobile app testers here, by the way? Okay, a few.

So let's begin. What does your initial setup look like? I have a Windows machine; on top of that I have a VM running Kali or Parrot, and then there is a set of tools. Let's begin with a very basic tool set for most of our app testers. During this talk we'll continue building our tool set, and by the end hopefully we'll have something good enough to do mobile app testing.

Okay, so the first thing: if you've got an Android application, you could use the free, open-source Android emulator present in Android Studio. But if you're testing iOS apps the scenario is a bit different. You see, the iOS simulator is not super useful. What you do have is either a physical device, which you can jailbreak (please don't jailbreak your own device, that's not going to be good), or you could use a platform like Corellium. But if you decide to go down the route of physically jailbreaking your physical device, here's what you're going to do. First, let's see how it works.

When you turn on your iPhone, the first thing it does is execute code from the bootrom. The bootrom contains the Apple root certificate and public key; that is used to verify the LLB, the LLB is used to validate iBoot, then the kernel, and so on till the end. Now Apple was amazing, and they were able to manage both the hardware and the software, which is why we are able to see this process. There are also several jailbreaks available based on the version you want, but the interesting thing is that three out of the four here (let's say checkra1n, right) are all based on the same vulnerability, and that is checkm8. Now the checkm8 vulnerability is present in DFU mode, which is in the bootrom. Well, the problem here was that even if you try to send a software update, it's not going to fix it, right? So Apple had to come up with a new chipset, the A12; from the A12 onwards you cannot use these jailbreaks. But there are multiple versions, because based on the iOS version you have and the requirement, whether you want it tethered or untethered and so on, you can choose the one that works for you. There's also an attempt like unc0ver, some of you must have used that, but that was relying on vulnerabilities in the operating system rather than vulnerabilities in the bootrom.

So now that we've seen what our initial setup looks like, our tool set is increasing, so we keep going. Now that we've learned what our setup looks like, let's try to retrieve an application, decompile it, and see how that goes. So first we retrieve an application. There are multiple ways to do that. You could use a third-party app store: for Android you can use APKMonk or APKPure; if you're using iOS, the third-party stores are quite limited. Or you could ask your client to give you the builds, and that will make your life easier. To decompile this, what you'll observe is that APK files or IPA files are just zip files; you can unzip them and you can see the structure. If you were testing an Android application you could use different decompilers like apktool, JADX and so on; if you're using iOS you could use Ghidra or Hopper. These are some examples; I'm sure there are a lot more out there. If you're really lazy you can also use MobSF, but like any other automated scanner you don't want to rely on this. You want to use it as a starting reference point: okay, these are the vulnerabilities that have been flagged, we can go and manually check them. Okay, so we've seen a bit of static analysis. Now this is how the tool set is expanding; we're getting there.

Okay, we've done this. Now let's go to the easy stuff: let's plug it in and actually load the application. How many of you have come across this error? Great. So if your phone is rooted then you should get this error while loading an application. It's basically a security mechanism to check whether your device is rooted or not. What do we do? There are some solutions: we could use an Android emulator, which we'll see in a second; we could write a custom script and hook the application with objection or Frida; we could use a non-rooted device, not the best solution; or, well, we'll come back to this later. Let's look at the first scenario, which is using an emulator. For this instance I'm using AndroGoat. Anyone come across that before? Okay. So AndroGoat is a publicly available application, it has a lot of challenges, and I really recommend it for anyone who's trying to learn mobile app testing. So here I used Android Studio, the emulators on that, and then I was able to bypass the normal root detection. But normally there are checks for whether this is an emulator or not too, and in this scenario obviously it didn't pass. So for those who don't know what Frida or objection is, it's just a dynamic instrumentation tool that injects code so we can interact with the application. What you see on the screen here is that I've hooked the application using objection and I've listed a bunch of activities. Now activities are just screens, like your login screen; any screen is an activity. The most relevant activity here is the emulator detection activity. Okay, let's look at it further. So we've decompiled and we're looking at the code snippet here. I've done the heavy lifting for you, so you're seeing the good part. Here, if you see, this function is checking whether it's an emulator or not. Now we use objection to identify the class methods for this activity. One of the class methods that we saw in the previous one was isEmulator, and it returned a boolean value. Now what that means is it will either return true or false, and it means something like this: if it's an emulator it's going to return true, if it's not it will return false. So currently it's returning true, correct? So what could you do to change this? Well, the answer is quite simple: change the value to false. Now we are returning false to the function every time it calls this, and this is how we bypass the emulator check. Well, that seems to have worked, so let's try something else.

Now we're going to go on, looking at different case studies. Since we have seen the initial setup and walked through a bunch of that, now we have a complete tool set. This is again a basic tool set; you obviously would expand it as you keep going, but this is a good starting point. So the case study I'm going to be talking about is one of my favourite case studies, because this was one of my first mobile app tests, a few years ago, but at the end I was super happy; you'll see why. The first thing: it was rooted, and it looked for root detection like most applications, but the interesting thing was it was using a third-party library called RootBeer. Anyone come across RootBeer? Okay. So, right, now if you Google RootBeer you're going to find it, and what it does is it uses this function to return whether the device is rooted or not. We could go back and use the same method that we used on the last slide, or we switch it up a little bit and write a Frida script. This Frida script is returning false every time we call this function, so you're able to bypass the checks. We hook the script via Frida, we run the script via Frida, and it should work. Okay, we've done this. What's next? We want to intercept the traffic, but they implemented another third-party library to stop testing, and they used certificate pinning to make sure that you cannot intercept the traffic. Well, we can go back and use the same method, or change it up again. This time we're going to use the scripts that are already present in objection, so I used android sslpinning disable, which is basically calling the script present in objection to disable it. Now the thing to note here is that the Frida CodeShare is quite massive, so you can go on there, download a script and modify it based on what you want. You don't always have to spend time creating your own script; this saves a lot of time, especially on short engagements.

Okay, so now we've done all the basic stuff. Let's look at the next bit. There were three endpoints that were identified. The first one requires a bearer token and some other parameters to give all the information about the current user, that is me in this case. But it's also using another endpoint to search for valid users. Now it's using the phone number parameter to check whether the user exists; it returns an ID if the user exists and tells you whether the user is active. Now the next one: we know the passcode is only four digits. This one uses the user ID from the previous one and a four-digit passcode, which you use when you enter the application, to return all the information about the user which you saw in the first endpoint. If you're thinking what I'm thinking, we've got to automate this and get all the users. Let's do it then. Well, obviously you don't want to do it manually, it's quite tedious. So generate a list of random numbers, then use a Python library to validate whether these phone numbers are valid or not based on the country code, then use the first endpoint to search for phone numbers and collect a list of valid user IDs. Ah, hold on, there was a problem: there was rate limiting. But the rate limiting reset after every 30 seconds, so why don't we pace our requests? The next one: once we have a list of valid user IDs we can now use that user ID and send it, brute-forcing the passcode. If this all works we should be able to create a database containing all users possible. Well, that was fun. What was more fun was an unencrypted database that was lying on the phone once you load the application, just because we were able to bypass root detection. So during this case study we went through bypassing some of the basic security mechanisms and looking at vulnerable mobile APIs. During the next case study we'll look at another time where we found multiple vulnerable mobile APIs.

Okay, so this is a banking application. As you can see, that's my user account. As in any other banking application, I can transfer funds to a beneficiary. I'm able to intercept a request; I can see my username, I can see my account number, and I can see a bearer token. These three things are required to make any request. Well, that all seems normal. Now I only have my user account details. Well, I have an account number, which you would normally get if you're transferring money to anyone; again, normal. What's interesting is the last two digits of a username were only slightly different to mine, and what I'm trying to get at is the username was iterable. So if I found a valid account number and username, I could access other people's accounts; that's what I'm thinking, by the way. So let's try it out. So now I'm logged into my account and I want to transfer funds. I modify the request to change the username and account number to Anya's username and account number. Do you think that would work? Well, it did. Here are her account details while I'm logged into my account. Now, to transfer funds there are two things I need: one, to be a beneficiary on her account, which I did by adding myself as one; and two, I should be able to access her account details, which I was able to. Now let's go on and transfer funds. Well, this would have been a very good Friday evening if it worked, but there were MFA checks enabled. But even better, you can disable it by making it false, and I just got richer. That should pay for all my diving trips. So we were in a scenario where this was possible on the application at that time, but if you look at it, the larger impact would be that you could take over any user account and be able to transfer funds.

The next case study is not going to be about vulnerable mobile APIs anymore; this time we're going to be talking about vulnerable Android components. So we're going to be using AndroGoat, one of the challenges from there. The challenge is: bypass PIN verification. As in any other test, the first thing that comes to my mind is let's brute-force it, which I tried; it didn't seem to work, and the error message didn't give out anything, super unhelpful. But there's another way to do it too. We decompile the application. Now this time around you can see exported is set to true. Well, what does that mean? It means another application can read or call this Android component, but we're not going to be focusing on this. The task here is to try to identify another Android component which can be exported. If you haven't found it yet, amazing, because we're going to walk through it now. So first let's make sure we're on the same activity. So we call the activity, and now we are on the access control issue activity; yeah, that's the one. We look at the code snippet. What it's doing is it's verifying whether we have the right PIN or not. Once it's verified whether we have the right PIN, it's calling this activity, and you can see it's using an explicit intent to call this activity. Now let's go back to the manifest code. What you can see here is that activity has an implicit intent declared. Now normally exported is set to false by default unless you specifically set it to true, but in this instance, since the activity has an intent filter declared, if you don't set it manually, by default it's considered true. So now we know we can export this activity. Okay, let's go back. We know it's calling this activity, so why go through all the trouble of trying to find the PIN? Here's what we do: we call the activity, and we've bypassed that. So now we can log in as a user without having to verify with a PIN. In this scenario we saw how to bypass PIN verification, but sometimes in applications you can bypass the login screen or the password reset screen if some of the Android components are exported.

To summarise, we went through the journey of how to conduct mobile app testing, or how I would, and hopefully this was helpful. We saw some case studies of where this was possible and how it led to account takeover and PII disclosure, and we also looked at some vulnerable Android components. Is there one solution? No, there are multiple solutions for every little thing which we've seen here, but what we can take away from this is that we can all be mobile app testers, and it's not that hard if you want to do it. Thank
you. Questions? Yeah, any questions?

Question: Thank you, I appreciate it. I wanted to ask, if this is possible, at least in your case, would it be possible to also spoof purchases? So if you were to get enough purchases, would you be able to do something similar to this, and would it be possible with the Google Play APIs to be able to spoof it as false, just like this?

Answer: I mean, it's possible. I cannot comment on the Google API side of things because I haven't tried it, but the reason why this was possible is because of how the app was configured. When you call other APIs they're more securely configured, so if they were implemented in the application in a way that it was checking or calling them, you could technically spoof it. Hopefully that answers your question. Any more? Not a problem.

Question: Thanks. I'm pretty new to the mobile development world. Where is a good resource for getting hold of the XML files around Android configuration of applications, as well as any other alternative for iOS similar to XML on Android?

Answer: If you're looking for a methodology, you can create your own, or there are a few available online, but the MASVS, if you've heard of that, is a good guideline to know what you're looking for, right. And if you're looking for platforms, it's quite limited, but there has been a lot of research, so the AndroGoat application or InsecureBank, these are all applications which are out there which you can just test. And since it's all based on Android and you have the Android emulator, which is free and open source, you don't need the whole jazz to set up and all of that; you can just technically start testing there, and they have a bunch of challenges which help you progress and learn a few of the things.

Question: I wanted to ask, because there wasn't much that I understood: I guess it's closed down, but say if you've got a device, since it's obviously, I'd say, hard, would it be possible to put operating systems like Linux on old iPads, for instance?

Answer: Sorry, to understand your question, you want to load Linux on an iPad, I guess? Or, I don't know, would it be possible? I think it's technically possible. As far as I know, for MacBooks as well you can partition it and you can load Windows while running Mac, so this scenario is possible, yes, but it won't run iOS applications.

Question: Again on checkm8, what potential solutions do you think there'd be, apart from jailbreaking, right?

Answer: What other things could I implement instead of jailbreaking the device?

Question: Yes, because since it's at that level, could you essentially do anything?

Answer: I believe so, but I'm not entirely sure. So checkm8 is a vulnerability in the SecureROM, correct, and the main goal of this... you can do other things, right. This vulnerability was used by this jailbreak software for this particular purpose of jailbreaking, but as a vulnerability you can use it for other stuff. So it's not a... no, of course not. So the jailbreak software requires an exploit to perform a certain action, but the exploit itself can be used for multiple purposes.

Question: So I think some model devices have payment mechanisms and things where if you're messing with the bootloader it flips a hardware fuse. Using the methodologies for doing the testing you do, does that let you access those features without killing them?

Answer: I mean, it's kind of tough. I've bricked my phone a few times, but there's actually a large community, the XDA community, where you can find very specific methodologies on how to root your phone, especially for Android-based devices, whether it's a Samsung or whether it's a Pixel. Most of the time, if you follow that, even if you get something like that, it's usually fine. Yeah, no worries.

Question: Thank you. So the question here would be: we talked about root bypass and emulator detection bypass; how do SafetyNet and Play Integrity affect your methodologies? Is it also just a simple matter of hooking the function that checks Play Integrity status, or is there some more integrated way that it exposes for the app?

Answer: So I think it depends on how they implement it, again. So there are different ways to bypass root detection and SSL pinning and all of that, and so if they disable hooking entirely for the application, you need to find a way to first bypass that, and then if the components are exported, which comes to the point of whether you can access other parts of the application, yes, only the parts which are exposed, though.

Question: I see, thanks.

Answer: Cool, any more questions? Perhaps you guys need to cook something up after this.

Question: I wanted to ask you: for someone who's not just looking to assess their device, someone who's looking to find exploits, what literature, what sort of course material would you recommend to them? Any certifications?

Answer: Well, I'm a big fan of SANS, but I don't want to be biased. There are a few certifications out there, not many, but it's still quite a growing field. So if you want to look at... I can't remember off the top of my head, but there is one certain place where it lists, it's like a mini checklist, which I'll come back to at some point today and let you know, but there's a mini checklist of what you're supposed to look at when you're testing Android and iOS. And again, going back, you can use MASVS as a good starting point if you're looking for stuff. Sorry, what was the other part of your question?

Question: I guess general reading material to learn about and discover things themselves.

Answer: Right. Well, if you're looking for that, I would say the OWASP community is quite large, and you can keep an eye on that for any new vulnerabilities that are discovered and all of that.

Question: And are you going to be around after to take questions?

Answer: Yeah, so if anybody else has any questions then please feel free to find me. And, yeah, again, thank you.
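The exported-component rule the talk walks through in the last case study (a component with an intent filter and no android:exported attribute is exported by default, so it can be started from another app) is easy to check mechanically before an app ships. The following is an added example written for this page by the editor; it is not code from the talk, from AndroGoat or from any real project. The manifest, package name and component names (com.example.demo, .PinCheckActivity, .PostLoginActivity and so on) are constructed for the example. It classifies each activity, service and receiver as explicitly exported, implicitly exported, or private, and produces a hardened copy of the manifest in which every implicit export is made explicit, keeping only the launcher entry point exported.

```python
"""Audit an AndroidManifest.xml for components reachable from other apps.

Added by the editor as an illustration of the rule described in the talk; it is
not code from the talk, from AndroGoat, or from any real project. The component
names and the manifest below are constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix when re-serialising

# Component kinds whose export default flips to true when an <intent-filter> is present.
# Content providers follow different, SDK-dependent defaults and are deliberately left out.
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest (not from a real app): mixes explicit, implicit and private components.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:label="Demo">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PinCheckActivity"/>
    <activity android:name=".PostLoginActivity">
      <intent-filter>
        <action android:name="com.example.demo.OPEN_DASHBOARD"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"
        android:permission="com.example.demo.ADMIN"/>
    <service android:name=".SyncService" android:exported="false">
      <intent-filter><action android:name="com.example.demo.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _has_main_action(comp):
    """True if any intent filter on the component declares the MAIN action (launcher entry)."""
    return any(_attr(a, "name") == "android.intent.action.MAIN" for a in comp.iter("action"))


def audit_exported(manifest_xml):
    """Classify each component as 'explicit', 'implicit' or 'private'.

    'implicit' is the case from the talk: no android:exported attribute, but an
    <intent-filter> is present, so the component is exported by default.
    """
    findings = []
    for comp in ET.fromstring(manifest_xml).find("application"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported is None:
            status = "implicit" if has_filter else "private"
        elif exported.lower() == "true":
            status = "explicit"
        else:
            status = "private"
        findings.append({
            "name": _attr(comp, "name"),
            "kind": comp.tag,
            "status": status,
            "has_intent_filter": has_filter,
            "permission": _attr(comp, "permission"),  # exported components may still be permission-gated
        })
    return findings


def reachable_components(findings):
    """Names of components another app can start or bind to (explicit or implicit)."""
    return [f["name"] for f in findings if f["status"] in ("explicit", "implicit")]


def implicitly_exported(findings):
    """Names of components exported only because of their intent filter."""
    return [f["name"] for f in findings if f["status"] == "implicit"]


def harden_manifest(manifest_xml):
    """Make every implicit export explicit: false for internal components, true for the launcher."""
    root = ET.fromstring(manifest_xml)
    for comp in root.find("application"):
        if (comp.tag in COMPONENT_TAGS and _attr(comp, "exported") is None
                and comp.find("intent-filter") is not None):
            value = "true" if _has_main_action(comp) else "false"
            comp.set("{%s}exported" % ANDROID_NS, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit_exported(SAMPLE_MANIFEST):
        print("%-15s %-20s %-9s permission=%s" % (f["kind"], f["name"], f["status"], f["permission"]))
    print("implicitly exported:", implicitly_exported(audit_exported(SAMPLE_MANIFEST)))
    print("after hardening:", reachable_components(audit_exported(harden_manifest(SAMPLE_MANIFEST))))
```

On the sample, .PostLoginActivity and .BootReceiver are the implicit exports, which is exactly the shape of the PIN bypass in the talk: a post-authentication screen that another app can start directly. .SyncService shows the fix (an intent filter plus android:exported="false"), and .AdminActivity shows that an exported component guarded by a signature-level android:permission is a different risk class from an unguarded one, which is why the audit records the permission alongside the status. Two caveats for real manifests: the android:exported value should be read from the merged manifest produced by the build, not only from the source file, because library manifests contribute components too; and apps targeting Android 12 (API level 31) or higher must declare android:exported explicitly on every component that has an intent filter, otherwise installation fails, so on current targets the implicit case shows up as a build error rather than a silent default.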