Reviewing Android Webviews File Access Attack Vectors

Introduction: WebViews are a crucial part of many mobile applications, and there are some security aspects that need to be taken into account when using them. File access is one of those aspects. While implementing some checks in our security tool Droidstatx, I spent some time understanding all the details and noticed that not all attack vectors are very clear, especially regarding their requirements. WebView file access is enabled by default.…

droidstat-x, Android Applications Security Analyser, Xmind Generator.

TL;DR: a Python tool that generates an Xmind map with all the information gathered and any evidence of possible vulnerabilities identified via static analysis. The map itself is a component of an Android Application Pentesting Methodology, which helps pentesters cover all important areas during an assessment. This was the main goal driving the tool's development. The tool also lets you add custom checks in a simple way, to confirm the existence of those patterns in the Dalvik bytecode instructions.…

Proxy Android App Communication via USB

Instructions to enable access to the SSHd on LineageOS:
1- Mount / as rw (Android Device): mount -o rw,remount,rw /
2- Generate a keypair that will allow you to connect via SSH (Android Device): /system/bin/ssh-keygen — this will generate a keypair and save it in the defined location.
3- Generate host keys (Android Device): /system/bin/ssh-keygen -A
4- Add the public key to the sshd authorized_keys (Android Device): cat /id_rsa.…

This is the secure droid you are looking for.

This talk was given at Pixels Camp 2016 and aimed to show developers the best practices for secure development on the Android platform. We walked through topics such as Networking, Storage, IPC and Unintended Data Leakage, among others, and also covered some of the new security features coming to developers in Android Nougat. Here are the Android projects I developed with the vulnerable code for each vulnerability: https://github.com/clviper/pixelscamp_talk_resources This is the secure droid you are looking for from Cláudio André…

Google 2016 CTF Mobile Challenges

I presented at c0nfraria how I solved the three Android challenges in Google CTF 2016. (Portuguese)…

Google AOSP Email App HTML Injection

The Google AOSP Email App is vulnerable to HTML Injection in the email body. It allows a remote attacker to send a crafted email with a payload that redirects the user to a target URL as soon as they open the email. This issue is not related to the email provider configured in the app, but to the incorrect filtering of potentially dangerous tags on the client side.…

Trend Micro CTF Asia Pacific & Japan 2015 Online Qualifier - Offensive 200

This particular challenge was an Android application: the VirusClicker application. The application has a button that you have to click until you reach 10.000.000 clicks, after which you should receive the flag. Looking at the decoded manifest, we could see that there are two activities and one broadcast receiver. Time to look into the decompiled source code. The code is obfuscated, so the task of analyzing it is a bit more difficult.…

APKS Filesystem Locations

User-installed application APKs are stored at /data/app/, but there are a few more locations where other types of APKs reside, such as vendor APKs that come with the phone and APKs with system permissions. Those can be stored in the following locations: /system/app/ /system/vendor/ /system/priv-app/ (system permissions since 4.4) …

Bytecode Viewer

For those who don’t know, Bytecode Viewer is an awesome reverse engineering suite that is perfect for APK reverse engineering. It comes with support for 5 different decompilers: Procyon, CFR, FernFlower, Krakatau and JD-GUI. The GUI allows up to 3 panes to compare the outcomes of the different decompilers side by side. Since version 2.9.7, it comes with a command line interface, a feature I requested from @konloch and which he kindly implemented.…

Is my app secure?

Presentation given at BSides Lisbon 2015 alongside Herman Duarte. Based on our experience testing mobile applications on both Android and iOS, we challenged ourselves to assess applications from both app stores, using the OWASP Mobile Top 10 as a reference for the vulnerabilities to search for. As criteria for choosing the apps to test, we focused on the most common mobile applications available in the Portuguese Android and iOS app stores, from several categories such as finance, social media, medical and security.…