
ANDROID PENETRATION TESTING LAB – DIVA

What is DIVA?

DIVA (Damn Insecure and Vulnerable App) is an app intentionally designed to be insecure. We are releasing the Android version of DIVA. We thought it would be a nice way to start the year by contributing something to the security community. The aim of the app is to teach developers/QA/security professionals the flaws that are generally present in apps due to poor or insecure coding practices.

Who can use DIVA?

The idea originated from a developer’s perspective. Android security training for developers becomes slightly boring with a lot of theory and not much hands-on work. DIVA gamifies secure development learning. With that said, it is an excellent learning tool for aspiring Android penetration testers and security professionals, as it gives an insight into app vulnerabilities including the source code. To sum it up:
– Android App developers
– Android Penetration testers
– Security professionals
– Students

What is included in DIVA?

Current Challenges include:
– Insecure Logging
– Hardcoding Issues – Part 1
– Insecure Data Storage – Part 1
– Insecure Data Storage – Part 2
– Insecure Data Storage – Part 3
– Insecure Data Storage – Part 4
– Input Validation Issues – Part 1
– Input Validation Issues – Part 2
– Access Control Issues – Part 1
– Access Control Issues – Part 2
– Access Control Issues – Part 3
– Hardcoding Issues – Part 2
– Input Validation Issues – Part 3

How to compile Diva?

• Download the source
• Open the project in Android Studio
• For Native library – open command line

$ cd /app/src/main/jni


o $ make (This needs to be done only once, unless you make changes to the native code – in which case run “make clean && make”)
o This will compile the native library and copy all the compiled versions into the jniLibs directory, which is required when building the app
• From the menu bar: Build->Make Project or Run->Run App

How to run Diva?
– Compile/download the app
– In your phone settings, go to Security and check the Unknown Sources checkbox. This allows you to install apps from outside the Play Store. You don’t need to do this if you are installing the app on an emulator.
– Connect your phone to the computer (make sure USB debugging is enabled on your phone) or run the emulator.
– cd
– adb install
– Start playing

Demo

Install using adb:
Check that the device is connected:

adb devices

Install app with adb:

adb install file.apk

Result:

Install with Android Studio:
In the menu bar, choose Run.
A list of connected devices appears. Select the device/emulator on which to install the application.

If you have done everything successfully, launch your application. You should see the following screen.

Reversing the target application:
One of the first steps in finding vulnerabilities is static analysis by reversing the app. So, let’s reverse engineer our target application to get ready to crack the challenges.
Getting .java files Using Dex2Jar & JD-GUI:
Getting the readable java files is always helpful during an assessment. So, let’s get .java files using dex2jar and JD-GUI tools we set up earlier. Run the following command to convert the dex file into a jar file.

$ d2j-dex2jar.bat diva.apk

Result:
Once done, you should see diva-dex2jar.jar file in the same directory where you have dex2jar.

Open file .jar with JD-GUI:

Challenge 1: “1. INSECURE LOGGING”

Many developers write information to the Android log for debugging, and sometimes that includes sensitive data.
Steps to solve:
Click on “1. INSECURE LOGGING” in your application. The goal is to find out where the user-entered information is being logged and also the code making this vulnerable.

It is common that Android apps log sensitive information into logcat. So, let’s see if this application is logging the data into logcat.
Run the following command in your terminal.

$ adb logcat

E/diva-log( 3166): Error while processing transaction with credit card: 1122334455

As you can see in the above logs, the data entered by the user is being logged.
Vulnerable code:
Open up LogActivity.class file using JD-GUI and check the following piece of code.

As you can see in the above figure, the following line is used to log the data entered by the user into logcat.

Log.e("diva-log", "Error while processing transaction with credit card: " + paramView.getText().toString());
Toast.makeText(this, "An error occured. Please try again later", 0).show();

Solution
It’s important to be aware of what you are logging and only log non-sensitive information. Verbose log output is very useful for developers, but can be a goldmine of sensitive information for attackers. Be especially careful about logging session keys and URLs that may contain important values.
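To make the logcat review above repeatable during an assessment, here is an added example (not part of the original post or of DIVA) that parses logcat “brief” lines, flags messages carrying long digit runs or secret-bearing keywords, and shows the kind of masking a fixed app should apply before logging. The sample lines are constructed; only the diva-log line mirrors the output shown above.

```python
import re
from dataclasses import dataclass

# logcat "brief" format as shown in the post: <level>/<tag>( <pid>): <message>
LOGCAT_RE = re.compile(
    r"^(?P<level>[VDIWEF])/(?P<tag>[^(]+)\(\s*(?P<pid>\d+)\):\s*(?P<msg>.*)$"
)
# Heuristics: card/account-like digit runs, and words that usually precede secrets.
DIGIT_RUN_RE = re.compile(r"\b\d{8,19}\b")
KEYWORD_RE = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|credit card|session)", re.I
)


@dataclass
class Finding:
    tag: str
    pid: int
    reason: str
    redacted: str  # message with digit runs masked, safe to put in a report


def redact(msg: str) -> str:
    """Mask every long digit run, keeping only the last four digits."""
    return DIGIT_RUN_RE.sub(lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:], msg)


def scan_logcat(lines, app_tag=None):
    """Return Findings for lines that look like they leak sensitive data.

    app_tag limits the scan to one log tag (e.g. the app's own tag).
    """
    findings = []
    for line in lines:
        m = LOGCAT_RE.match(line.strip())
        if not m:
            continue  # separators and other non-brief lines are ignored
        if app_tag and m["tag"].strip() != app_tag:
            continue
        msg = m["msg"]
        reasons = []
        if DIGIT_RUN_RE.search(msg):
            reasons.append("long digit run")
        if KEYWORD_RE.search(msg):
            reasons.append("sensitive keyword")
        if reasons:
            findings.append(Finding(m["tag"].strip(), int(m["pid"]), ", ".join(reasons), redact(msg)))
    return findings


# Constructed sample capture; the package name is a placeholder.
SAMPLE_LOGCAT = [
    "--------- beginning of main",
    "D/ActivityManager(  812): Start proc 3166:com.example.app/u0a123",
    "E/diva-log( 3166): Error while processing transaction with credit card: 1122334455",
    "I/diva-log( 3166): Retry count: 3",
    "W/diva-log( 3166): session token=abc123",
]

if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOGCAT, app_tag="diva-log"):
        print(f"[{f.tag} pid={f.pid}] {f.reason}: {f.redacted}")
```

Piping a live capture works the same way: `adb logcat -v brief | python3 scan.py` with `sys.stdin` passed to `scan_logcat`.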

Here I introduced the DIVA Lab to you. Please practice with the rest of the lab. Leave a comment if you have any difficulty during the practice.

References:
https://github.com
http://resources.infosecinstitute.com
