
ExploitME Mobile Android – Parameter Manipulation & Insecure file storage

Hi guys, in this post we continue the ExploitMe Mobile Android series. Today we will look at Parameter Manipulation and Insecure File Storage in a mobile application.
Let's go!
Parameter Manipulation

The parameter manipulation lab is contained within the bank transfer section.
The purpose of this lab is to demonstrate that many common Android applications still rely on traditional web architectures or REST interfaces in the back end to perform their tasks. Often, if you are able to trap the request, you can make the application or server act in ways it was never intended to.
We will pipe communication between the client and server through a proxy and use this to manipulate the data sent. Start your emulator in proxy mode: emulator @YOURAVDNAME --http-proxy localhost:8008
In this tutorial we will use Charles Proxy.
Some settings in the application are required to perform this lab: the application must be pointed at the IP address of the computer running the server, so first find your computer's IP address.
In this post, my IP is 192.168.31.157

Charles Proxy interface

Configure the proxy to listen on port 8008 (Setting > Proxy Setting).

Lab2 setting proxy

Now, run the emulator in proxy mode:

Lab2 run emulator mode proxy

When the emulator starts in proxy mode, Charles asks whether to allow the virtual machine to connect through the proxy. Select Allow.

Lab2 allow proxy

With the emulator running, we will install the application.
Run the server in HTTPS mode:
python app.py --ssl --port 8443

Set the "BankService" address.
In the menu, select Preference.

Lab2 setting bankservice

Lab3 setting bankservice 2

In "Bank Service Address", enter your IP:

Lab2 Address

Then enable HTTPS.

Lab2 enable https

Now, transfer some money:

Lab2 transfer

Lab2 transfer money

Information from Charles Proxy:

Lab2 information proxy

View the packet:

Lab2 packet

From the proxy we can obtain the client's session_id and perform a replay attack by editing the transfer information.

Lab2 edit information

You can see that the app is sending the request to the web server through a standard HTTP POST. With these mobile applications the requests will often be either POSTs with a session key or web service XML requests.

Lab2_POST_method

Notice that the from account is now another user's. If you go back to the account screen, you will see that you successfully transferred money without losing any. If you reset the application and log in as the other user, you will see that they lost money.
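The root cause on the server side is that the transfer handler trusts the from account sent by the client instead of deriving it from the session. The following is an added example (not ExploitMe Mobile's own app.py) of a minimal handler in the lab's vulnerable shape beside a hardened one; the session table, balances and field names session_id, from_account, to_account and amount are assumptions constructed for the demo.

```python
SESSIONS = {"sess-alice": "alice"}  # constructed: session_id -> logged-in user


def _parse_amount(form):
    """Return a positive integer amount, or None if the field is invalid."""
    try:
        amt = int(form.get("amount", ""))
    except ValueError:
        return None
    return amt if amt > 0 else None


def transfer_vulnerable(form, balances):
    """Trusts the client's from_account, as the lab's vulnerable server does:
    anyone holding a valid session can debit another user's account."""
    if form.get("session_id") not in SESSIONS:
        return {"error": "not logged in"}
    src, dst = form.get("from_account"), form.get("to_account")
    amt = _parse_amount(form)
    if amt is None or src not in balances or dst not in balances:
        return {"error": "bad request"}
    if balances[src] < amt:
        return {"error": "insufficient funds"}
    balances[src] -= amt
    balances[dst] += amt
    return {"ok": True, "from": src, "to": dst, "amount": amt}


def transfer_hardened(form, balances):
    """Takes the source account from the server-side session only, so a
    from_account edited in the proxy is ignored rather than honoured."""
    owner = SESSIONS.get(form.get("session_id"))
    if owner is None:
        return {"error": "not logged in"}
    dst = form.get("to_account")
    amt = _parse_amount(form)
    if amt is None or dst not in balances or dst == owner:
        return {"error": "bad request"}
    if balances[owner] < amt:
        return {"error": "insufficient funds"}
    balances[owner] -= amt
    balances[dst] += amt
    return {"ok": True, "from": owner, "to": dst, "amount": amt}


# Constructed replay of the edited POST from the lab: alice's session, but
# the from_account field rewritten to bob so that bob pays alice.
TAMPERED = {"session_id": "sess-alice", "from_account": "bob",
            "to_account": "alice", "amount": "50"}

if __name__ == "__main__":
    for handler in (transfer_vulnerable, transfer_hardened):
        balances = {"alice": 100, "bob": 100}
        print(handler.__name__, handler(dict(TAMPERED), balances), balances)
```

The vulnerable handler moves 50 out of bob's account on the tampered request, while the hardened one rejects it because the only account it will ever debit is the one bound to the session.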

Insecure file storage

Often it is necessary for a developer to store files on the device itself, but numerous issues can arise from doing this.
One example is storage on an SD card. Typically, a mobile application's files are sandboxed into certain directories, preventing other, possibly malicious, applications from accessing another app's sensitive data.
In this lab we will see that Android allows any application to read a file once it is stored on the SD card.
Open the application:

Main

Open Statement to view the transaction history. If there is none, make a new transaction in Transfer.

history transfer

view transfer

Additionally, this information is stored offline on the device.
I will go to the directory /mnt/sdcard in the virtual machine via adb shell.
The transaction information is stored as HTML files. Anyone who can access the sdcard can also access these files.

view sdcard

We can see from the permissions that the files are readable by any application:
----rwxr-x system sdcardrw 160 2011-08-03 16:48 1312361332270.html

view file
