Date: 2025-10-22  Source: hfw.cc


Lab05 
InsecureBankv2 01



Module Code & Title:           
Programme Code & Title:
Instructor:         
Student Name:         
Student Number:


Lab Time: dd/mm/yyyy



PLEASE BE AWARE: Do not run this lab on your personal phone. If a personal Android device must be used, back up its data first.

Note: You need to submit a detailed lab report, with screenshots, to describe what you have done and what you have observed. You also need to provide explanations for the observations that are interesting or surprising. Finally, answer all questions in the lab instructions if there are any.

Task 0, Install drozer
drozer (formerly Mercury) is a widely used security assessment framework for Android. The project page is
https://github.com/WithSecureLabs/drozer

Option 1, install the latest drozer
Follow the instructions in the project README; the current release runs on Python 3 and is installed with pipx:
pipx install drozer

Option 2, install drozer 2.4
The latest version of drozer requires Python 3.x; the older 2.x line is for Python 2.x. If you only have Python 2.x, install drozer 2.4.
Download drozer-2.4.4.win32.msi and save it in the python27 folder. Ignore the warning message.
Go to Windows Security > Virus & threat protection, and under Virus & threat protection settings select Manage settings. Switch Real-time protection to Off, otherwise the installer may be blocked; turn it back on as soon as the install has finished.
Double-click the MSI to install it. When asked for a Python version, choose Python 2.7.

There are two options to make the drozer launcher use Python 2 instead of Python 3:
Option 1, each time before running drozer type (use your own path for Python 2.7):
set path=C:\Python27;C:\Python27\Scripts;%path%

Option 2, open drozer.bat in C:\Python27\Scripts and replace python.exe with C:\Python27\python.exe

Back in the cmd window, navigate to C:\Python27\Scripts and type:
drozer
Some usage information should appear. Now type:
drozer console connect
This fails with an error about a missing module. Install the missing library:
python -m pip install service_identity

After drozer is installed on the PC, install drozer.apk (the agent) on the Android device.
Download drozer.apk from
https://labs.withsecure.com/tools/drozer
and select drozer (Agent .apk only).

Open Android Studio and start an emulator. Drag the APK onto the emulator window to install it. Use an older Android system image: the drozer agent does not support the newest Android versions.

Open the drozer agent on the device.

Task 1, install InsecureBankv2 and tools
Step 1, install Python 2.7.x (the AndroLab server is a Python 2 application).
Download and install it.
Assuming that your Python installation is in C:\Python27\, add this to your PATH: C:\Python27\;C:\Python27\Scripts\

Step 2, install pip if it is not installed already.
In the CMD, try pip:
pip --help
If it returns an error, navigate to the Python directory and type:
python -m ensurepip --upgrade
Then run:
python -m pip install protobuf
python -m pip install pyopenssl
python -m pip install twisted

Step 3
InsecureBankv2 is a purposely vulnerable app designed for educational purposes. It has a server component and an APK.
https://github.com/dineshshetty/Android-InsecureBankv2
We need to launch the server so that the vulnerable app can talk to it, and then we can start reversing.

Download InsecureBankv2.apk and install it on the virtual device. If adb refuses because the app targets an SDK version that is too low, try:
.\adb install --bypass-low-target-sdk-block InsecureBankv2.apk
Use your own path to InsecureBankv2.apk here.

Step 4, set up the AndroLab server.
The back end for the InsecureBankv2 application is a small Python 2 web.py application served by the CherryPy WSGI server. The server component is in the AndroLabServer folder of the InsecureBankv2 project source.

Navigate to the AndroLabServer directory. To set up the server, use pip to install the requirements:
C:\Python27\python.exe -m pip install -r requirements.txt

Step 5,
Once the requirements are installed, start the HTTP server on its default port, 8888:
C:\Python27\python.exe app.py
If this fails with "ImportError: No module named wsgiserver", first try installing the module:
C:\Python27\python.exe -m pip install wsgiserver
If the error persists (newer web.py releases no longer ship web.wsgiserver), open app.py and change "from web.wsgiserver import CherryPyWSGIServer" to
from cheroot.wsgi import Server as CherryPyWSGIServer
(cheroot is the standalone CherryPy WSGI server; install it with pip if it is missing), then run app.py again to start the server.

To view the available arguments of the AndroLab server component:
C:\Python27\python.exe app.py --help

Step 6,
If the APK was not installed in Step 3, drag the InsecureBankv2.apk file onto the emulator screen,
or use the Android Debug Bridge (ADB) to install it:
adb install InsecureBankv2.apk
Once successfully installed, the application icon appears on the emulator.

Step 7,
Once installed, open the app. The app has to know where the server is: open the preferences from the login screen's menu and set the server IP and port (from the emulator, the host machine is reachable as 10.0.2.2; the AndroLab server listens on 8888).


There are two pre-defined users; log in as either of them:
• dinesh/Dinesh@123$
• jack/Jack@123$
When a correct set of credentials is entered, clicking the Login button takes us to the next screen.

Task 2
Login Vulnerabilities: Login Bypass
There are two ways to bypass the login. One is to decode the APK with apktool, find the target activity in the manifest and start it through adb. The other is to use drozer.

Option one: apktool + adb
Step 1, reverse engineer the APK file.
Navigate to apktool and run
apktool d C:\{Your Path}\InsecureBankv2.apk

Step 2,
Look at the decoded AndroidManifest.xml. Four activities carry android:exported="true"; the launcher activity, LoginActivity, is exported implicitly by its MAIN/LAUNCHER intent filter, which is why drozer later reports five.


Find the activity named "PostLogin". Because it is exported and protected by no permission, any app on the device, or adb, can start it directly:
adb shell am start -n com.android.insecurebankv2/com.android.insecurebankv2.PostLogin

This brings up an activity that should only be reachable after a successful login, demonstrating that the login can be bypassed entirely.




Option two: drozer
Step 1,
Start the drozer agent on the device and switch on its embedded server, which listens on TCP port 31415 inside the device. Set up a port forward so that the PC can reach that socket: forward port 31415 on the host to port 31415 on the device:
adb forward tcp:31415 tcp:31415
Then connect the drozer console to the agent:
.\drozer console connect
This time the connection succeeds and drozer is ready to use.


Step 2,
Find the package name of the InsecureBankv2 application:
dz> run app.package.list -f bank

Determine the attack surface:
dz> run app.package.attacksurface com.android.insecurebankv2
We will find the following information:

Attack Surface:
  5 activities exported
  1 broadcast receivers exported
  1 content providers exported
  0 services exported
    is debuggable
The next module lists the exported activities, i.e. activities that other processes on the device can start, together with the permission (if any) a caller must hold to start each one. Run it:
dz> run app.activity.info -a com.android.insecurebankv2
We will find:

Package: com.android.insecurebankv2
  com.android.insecurebankv2.LoginActivity
    Permission: null
  com.android.insecurebankv2.PostLogin
    Permission: null
  com.android.insecurebankv2.DoTransfer
    Permission: null
  com.android.insecurebankv2.ViewStatement
    Permission: null
  com.android.insecurebankv2.ChangePassword
    Permission: null
There are 5 exported activities, none of them protected by a permission. LoginActivity is presumably the one launched when the application starts. Here we start the PostLogin activity to see what happens:
dz> run app.activity.start --component com.android.insecurebankv2 com.android.insecurebankv2.PostLogin
Questions:
What if we launch ChangePassword? Show your screenshot.
Can an unauthenticated person who has access to the device get into the app this way? What can he or she do after that?

To fix this, remove the android:exported="true" attribute (or set it to "false") on every activity that should only be reachable after login; an activity without an intent filter is then private to the app. Each of those activities should also check that a user is actually logged in instead of trusting that it was reached from LoginActivity.
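As an added example (not code from the lab, drozer or InsecureBankv2), the Python script below reproduces what both options above do by hand: it reads an apktool-decoded AndroidManifest.xml, applies the platform's export rule (an explicit android:exported attribute wins; otherwise a component is exported exactly when it declares an intent filter), lists the exported activities with the permission each requires, and prints the adb command that starts every unprotected one. The embedded sample manifest is constructed from the component names reported above; its .DoLogin entry is a made-up non-exported example. Run it with the path of the real decoded manifest as its argument.

```python
"""Enumerate exported activities from an apktool-decoded AndroidManifest.xml.

Added example for Task 2; not code from the lab, drozer or InsecureBankv2.
SAMPLE_MANIFEST is constructed for this example: the real file is
InsecureBankv2/AndroidManifest.xml after `apktool d`.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree spelling of the android: attribute prefix

# Constructed sample mirroring the five exported activities drozer reports,
# plus a hypothetical non-exported activity (.DoLogin) for contrast.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.insecurebankv2">
  <application android:debuggable="true">
    <activity android:name="com.android.insecurebankv2.LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.android.insecurebankv2.PostLogin" android:exported="true"/>
    <activity android:name="com.android.insecurebankv2.DoTransfer" android:exported="true"/>
    <activity android:name="com.android.insecurebankv2.ViewStatement" android:exported="true"/>
    <activity android:name="com.android.insecurebankv2.ChangePassword" android:exported="true"/>
    <activity android:name=".DoLogin"/>
  </application>
</manifest>
"""


def qualify(package, name):
    """Expand manifest shorthand: ".Foo" -> "pkg.Foo", "Foo" -> "pkg.Foo"."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def is_exported(component):
    """Explicit android:exported wins; otherwise exported iff an <intent-filter> exists."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None


def exported_activities(manifest_xml):
    """Return (package, debuggable, [{name, permission, via_intent_filter}, ...])."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    app = root.find("application")
    debuggable = (app.get(A + "debuggable") or "false").lower() == "true"
    found = []
    for act in app.iter("activity"):
        if not is_exported(act):
            continue
        found.append({
            "name": qualify(package, act.get(A + "name")),
            "permission": act.get(A + "permission"),
            "via_intent_filter": act.get(A + "exported") is None,
        })
    return package, debuggable, found


def unprotected(found):
    """Exported activities that any app (or adb) can start: no android:permission at all."""
    return [a for a in found if a["permission"] is None]


def am_start_command(package, activity):
    """The adb invocation that starts an exported activity from the host."""
    return "adb shell am start -n %s/%s" % (package, activity)


def main(argv):
    xml_text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_MANIFEST
    package, debuggable, found = exported_activities(xml_text)
    print("Package: %s  (debuggable=%s)" % (package, debuggable))
    print("%d activities exported" % len(found))
    for a in found:
        how = "intent-filter" if a["via_intent_filter"] else 'exported="true"'
        print("  %s  Permission: %s  (%s)" % (a["name"], a["permission"], how))
    print("\nStart without logging in:")
    for a in unprotected(found):
        print("  " + am_start_command(package, a["name"]))


if __name__ == "__main__":
    main(sys.argv)
```

Compare the count with drozer's attack surface output: on the sample it is five, with LoginActivity counted because of its launcher intent filter, not because of an explicit attribute.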


Task 3, Hidden Create User Button for Admins
Step 1, decompile the APK and find the source code of "LoginActivity".


The login activity contains a hidden button. The code checks whether a string resource called "is_admin" is set to "no"; if so, it calls "setVisibility(8)" (View.GONE) on the button, hiding it without reserving any layout space.

Step 2, patch the app.
Since this is a string resource, the value lives in the strings.xml file under the "/res/values/" directory of the decoded app. Open that file, change the "is_admin" value from "no" to "yes", and save.


Step 3,
Use apktool again to rebuild the application with the modified strings.xml:
apktool b -f -d InsecureBankv2/
The rebuilt APK appears in the dist folder inside the decoded directory.

Step 4,
Sign it. Locate the zipalign and apksigner tools in the Android SDK build-tools; for me they are in folder


Step 5,
Uninstall the unaltered version of the application from the emulator before installing the new APK: the rebuilt APK is signed with a different key, so Android refuses to install it over the original.
# install
adb install button_InsecureBankv2-final.apk
Once installed, open the application and a new button called "Create user" appears.

Step 6,
However, the source code of the "createUser()" method shows that the button does not actually create a user. The finding still stands: a security-relevant decision (whether admin functionality is shown) was delegated to a client-side resource value that anyone holding the APK can change.
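The script below, added here as an example and not part of the lab or of InsecureBankv2, automates Steps 2 and 3 and fills in the signing step: it rewrites is_admin in strings.xml, rebuilds with apktool, zipaligns, signs with apksigner using a throwaway key generated by keytool, and verifies the signature. The tool names, the lab.jks keystore, its password, and the SAMPLE_STRINGS resource file are assumptions made for the example; apktool, zipalign, apksigner and keytool are expected on PATH.

```python
"""Patch is_admin in the decoded resources, then rebuild, align and sign the APK.

Added example for Task 3 (Steps 2 and 3); not code from the lab or InsecureBankv2.
Assumptions: apktool, zipalign, apksigner and keytool are on PATH, the decoded
app is in ./InsecureBankv2, and a throwaway signing key lab.jks is generated on
first use. SAMPLE_STRINGS is a constructed stand-in for res/values/strings.xml.
"""
import os
import subprocess
import xml.etree.ElementTree as ET

DECODED_DIR = "InsecureBankv2"            # output of `apktool d InsecureBankv2.apk`
UNSIGNED_APK = os.path.join(DECODED_DIR, "dist", "InsecureBankv2.apk")
ALIGNED_APK = "InsecureBankv2-aligned.apk"
SIGNED_APK = "button_InsecureBankv2-final.apk"
KEYSTORE, ALIAS, STOREPASS = "lab.jks", "lab", "labpass123"   # throwaway lab key

SAMPLE_STRINGS = """<resources>
    <string name="app_name">InsecureBankv2</string>
    <string name="is_admin">no</string>
    <string name="login_text">Login</string>
</resources>
"""


def patch_string(strings_xml, name, new_value):
    """Return (patched xml text, old value) with <string name=NAME> set to NEW_VALUE.

    Raises KeyError unless exactly one such resource exists, so a typo in the
    name fails loudly instead of silently rebuilding an unchanged APK."""
    root = ET.fromstring(strings_xml)
    hits = [s for s in root.iter("string") if s.get("name") == name]
    if len(hits) != 1:
        raise KeyError("expected one <string name=%r>, found %d" % (name, len(hits)))
    old = hits[0].text
    hits[0].text = new_value
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n", old


def keygen_command(keystore=KEYSTORE, alias=ALIAS, storepass=STOREPASS):
    """keytool invocation for a self-signed key; fine for a lab emulator, never for release."""
    return ["keytool", "-genkeypair", "-keystore", keystore, "-alias", alias,
            "-keyalg", "RSA", "-keysize", "2048", "-validity", "10000",
            "-storepass", storepass, "-keypass", storepass,
            "-dname", "CN=InsecureBankv2 lab"]


def repack_commands(decoded_dir=DECODED_DIR, unsigned=UNSIGNED_APK,
                    aligned=ALIGNED_APK, signed=SIGNED_APK,
                    keystore=KEYSTORE, alias=ALIAS, storepass=STOREPASS):
    """The rebuild pipeline in order: build, zipalign (before signing, because the
    apksigner v2+ signature covers the whole file), sign, verify."""
    return [
        ["apktool", "b", "-f", decoded_dir],
        ["zipalign", "-p", "-f", "4", unsigned, aligned],
        ["apksigner", "sign", "--ks", keystore, "--ks-key-alias", alias,
         "--ks-pass", "pass:" + storepass, "--key-pass", "pass:" + storepass,
         "--out", signed, aligned],
        ["apksigner", "verify", "--print-certs", signed],
    ]


def main():
    strings_path = os.path.join(DECODED_DIR, "res", "values", "strings.xml")
    with open(strings_path, encoding="utf-8") as f:
        patched, old = patch_string(f.read(), "is_admin", "yes")
    with open(strings_path, "w", encoding="utf-8") as f:
        f.write(patched)
    print("is_admin: %r -> 'yes'" % old)
    if not os.path.exists(KEYSTORE):
        subprocess.check_call(keygen_command())
    for cmd in repack_commands():
        print("+", " ".join(cmd))
        subprocess.check_call(cmd)
    print("Now: adb uninstall com.android.insecurebankv2 && adb install", SIGNED_APK)


if __name__ == "__main__":
    main()
```

The resource is rewritten through an XML parser rather than a text substitution so that only the named string changes and a misspelled name aborts the run; everything after that is the standard apktool, zipalign, apksigner sequence.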


Task 4, Insecure Logging
The "DoLogin" activity writes a debug log message whenever a user attempts to log in.

These logs can be read with logcat. The command below shows all log lines from the application's process while it is running (it looks up the app's PID with ps and greps logcat for it):
adb logcat | grep "$(adb shell ps | grep com.android.insecurebankv2 | awk '{print $2}')"
On recent Android images plain ps only lists the shell's own processes, so use "adb shell ps -A" inside the subshell, or let logcat filter by PID directly:
adb logcat --pid="$(adb shell pidof -s com.android.insecurebankv2)"
If we log in while logcat is running, we see a log message containing the username and password used for the successful login. Anything written to logcat can be read by anyone with adb access to the device and is captured in bug reports, so credentials must never be logged.



Examining the code more carefully, we also find that if the username is "devadmin", the application does not require a password at all: a hard-coded backdoor account.
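As an added example (not code from the lab or from InsecureBankv2), the Python below turns the grep one-liner into a small detector: it parses logcat's threadtime format, recovers the app's PID from ActivityManager's "Start proc" message instead of calling ps, filters to that PID, flags messages that look like they carry a credential, and masks the secret so findings can go into the report. The SAMPLE_LOGCAT lines are constructed; the layout of the leaking line is modelled on the lab's description (a debug line carrying username and password) and not copied from the app. With --live it streams adb logcat for the package, which assumes a recent Android image where pidof and logcat --pid exist.

```python
"""Spot credential leaks in logcat output from one application.

Added example for Task 4; not code from the lab or InsecureBankv2. SAMPLE_LOGCAT
is constructed to resemble `adb logcat -v threadtime` output.
"""
import re
import subprocess
import sys

PACKAGE = "com.android.insecurebankv2"

# threadtime format: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
THREADTIME = re.compile(
    r"^(?P<date>\d\d-\d\d)\s+(?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>.*?)\s*:\s(?P<msg>.*)$")

# ActivityManager announces every app process it starts: "Start proc PID:PACKAGE/..."
START_PROC = re.compile(r"Start proc (\d+):([\w.]+)/")

# Heuristics for what a leaked credential looks like in a log line.
CRED_PATTERNS = [
    re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|pin|secret|token)\b\s*[=:]\s*\S+"),
    re.compile(r"(?i)\b(?:user(?:name)?|account)\s*=\s*[^:\s,]+:\S+"),  # user:pass pairs
]

# Constructed sample; the "Successful Login:" line is modelled on the lab text.
SAMPLE_LOGCAT = """\
10-22 14:03:10.001  1234  1401 I ActivityManager: Start proc 4321:com.android.insecurebankv2/u0a123 for activity com.android.insecurebankv2/.LoginActivity
10-22 14:03:11.120  4321  4321 D LoginActivity: login button clicked
10-22 14:03:11.473  4321  4321 D Successful Login:: , account=dinesh:Dinesh@123$
10-22 14:03:12.002  5678  5678 D OtherApp: saved password=hunter2 to prefs
"""


def parse_line(line):
    """Split one threadtime line into its fields, or None if it is not a log record."""
    m = THREADTIME.match(line)
    return m.groupdict() if m else None


def pid_for_package(lines, package):
    """Recover the app's PID from ActivityManager's start message (latest wins)."""
    pid = None
    for line in lines:
        rec = parse_line(line)
        if rec and rec["tag"] == "ActivityManager":
            m = START_PROC.search(rec["msg"])
            if m and m.group(2) == package:
                pid = int(m.group(1))
    return pid


def find_leaks(lines, pid=None):
    """Yield (pid, tag, evidence) for records that look like they carry a credential."""
    for line in lines:
        rec = parse_line(line)
        if not rec or (pid is not None and int(rec["pid"]) != pid):
            continue
        for pat in CRED_PATTERNS:
            m = pat.search(rec["msg"])
            if m:
                yield int(rec["pid"]), rec["tag"], m.group(0)
                break


def redact(evidence):
    """Mask the secret part (after the last '=' or ':') so findings can be reported."""
    cut = max(evidence.rfind("="), evidence.rfind(":"))
    return evidence[:cut + 1] + "*" * (len(evidence) - cut - 1)


def main():
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        pid = int(subprocess.check_output(
            ["adb", "shell", "pidof", "-s", PACKAGE], text=True).strip())
        proc = subprocess.Popen(["adb", "logcat", "-v", "threadtime", "--pid=%d" % pid],
                                stdout=subprocess.PIPE, text=True)
        lines = proc.stdout
    else:
        lines = SAMPLE_LOGCAT.splitlines()
        pid = pid_for_package(lines, PACKAGE)
    for p, tag, evidence in find_leaks(lines, pid=pid):
        print("LEAK pid=%d tag=%r %s" % (p, tag, redact(evidence)))


if __name__ == "__main__":
    main()
```

Filtering by PID matters: on the sample, the other app's "password=" line is ignored once the detector is pinned to the InsecureBankv2 process, and only the login line is reported.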
