Hi guys, in this post we continue the ExploitMe Mobile Android series. Today we will look at Parameter Manipulation and Insecure File Storage in a mobile application.
The parameter manipulation lab is contained within the bank transfer section.
The purpose of this lab is to demonstrate that many common Android applications still rely on traditional web architectures or REST interfaces in the back end to perform their tasks. Often, if you are able to trap the request, you can make the application or server act in ways that may not have seemed possible.
We will pipe communication between the client and server through a proxy and use it to manipulate the data sent. Start your emulator in proxy mode: emulator @YOURAVDNAME --http-proxy localhost:8008
In this tutorial we will use Charles proxy.
I have to change a few settings in the application to perform this lab. I need to know the IP address of my computer, since that is the address I will set in the application.
In this post, my IP is: 192.168.31.157
Charles Proxy interface
Configure the proxy to listen on port 8008
Setting > Proxy Setting
Now, run the emulator in proxy mode:
When we run the emulator in proxy mode, we get a prompt asking whether to allow the virtual machine to connect to the proxy. Select Allow.
Once the emulator is running, we install the application.
Run the server in HTTPS mode:
python app.py --ssl --port 8443
In the menu, select Preferences.
In "Bank Service Address", enter your IP:
And enable HTTPS.
Now, transfer money:
Information from Charles Proxy:
From the proxy we can obtain the client's session_id and carry out a replay attack by editing the transfer information in the captured request.
You can see that the app is sending the request to the web server through a standard HTTP POST. Often with these mobile applications they will either be POSTs with a session key or a web service XML request.
Notice that the from account is now another user's account. If you go back to the account screen, you will see that you successfully transferred money without losing any. If you reset the application and log in as the other user, you will see they lost money.
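To make the replayed request concrete, here is an added example (not ExploitMe Mobile's own app.py) of a transfer handler in the vulnerable shape described above, beside one that checks account ownership against the session instead of trusting the from_account field; the session id, account numbers and balances are constructed sample data.

```python
class TransferError(Exception):
    """Raised when a transfer is rejected."""


# Constructed session table: session_id cookie -> authenticated user.
SESSIONS = {"sess-alice-1": "alice"}


def fresh_accounts():
    """Constructed sample ledger: account number -> owner and balance."""
    return {
        "1001": {"owner": "alice", "balance": 100},
        "2002": {"owner": "bob", "balance": 500},
    }


def _move(src, dst, amount):
    # Shared balance check and update used by both handlers.
    if amount <= 0 or src["balance"] < amount:
        raise TransferError("insufficient funds")
    src["balance"] -= amount
    dst["balance"] += amount


def transfer_vulnerable(accounts, session_id, form):
    """Trusts every POST field. Only the session is checked, so a proxied
    request whose from_account was edited to another user's account is
    processed as if the caller owned it."""
    if session_id not in SESSIONS:
        raise TransferError("not logged in")
    src = accounts[form["from_account"]]
    dst = accounts[form["to_account"]]
    _move(src, dst, int(form["amount"]))
    return {k: v["balance"] for k, v in accounts.items()}


def transfer_hardened(accounts, session_id, form):
    """Derives the acting user from the session and requires that the
    source account belongs to that user; from_account is data, not
    authorization."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise TransferError("not logged in")
    src = accounts.get(form.get("from_account"))
    dst = accounts.get(form.get("to_account"))
    if src is None or dst is None:
        raise TransferError("unknown account")
    if src["owner"] != user:
        # The tampered request from the lab ends here: log it and reject it.
        raise TransferError("from_account is not owned by the session user")
    _move(src, dst, int(form.get("amount", 0)))
    return {k: v["balance"] for k, v in accounts.items()}
```

The same check applies to any server-side identifier the client can edit in transit: the proxy shows which fields the app sends, and anything used for authorization must be bound to the session on the server rather than read from the request.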
Insecure file storage
Often, it is a necessity for a developer to store files on the device itself, but there are numerous issues that may arise from doing this.
One example is storage on an SD card. Typically, if we look at a mobile application, its file system is sandboxed into certain directories, preventing other, possibly malicious, applications from accessing another app's sensitive data.
In this lab we will see that Android allows any application to read a file when it is stored on the SD card.
Open Statement to view the transaction history. If there is none, make a new transaction in Transfer.
Additionally, this information will also be stored offline.
I will go to the directory /mnt/sdcard in the virtual machine via adb shell.
The transaction information is stored in the form of HTML files. Anyone who can access the SD card can also read this file.
We can see from the permissions that the file can be read by any application:
----rwxr-x system sdcardrw 160 2011-08-03 16:48 1312361332270.html