4. Android Static Analysis
Last updated
Was this helpful?
Last updated
Was this helpful?
🔗
🔗
Download the latest release from Github
Enable USB debugging on your Android test phone.
Connect your phone and your pc with a USB cable.
Install via
adbif installing from releases. (You need to use the absolute path to the .apk file or be in the same directory)📌 Packages name:
b3nac.injuredandroid
InjuredAndroid is a a vulnerable Android application that shows simple examples of vulnerabilities in a ctf style.
EXTRA
Check for app's path (and pull
base.apkif necessary)
🔬 Open InjuredAndroid.apk with jadx-gui for analysis.
The AndroidManifest.xml file contains essential information about the app, declaring the components of the app like minSDKVersion, Permissions, Activities, Services, Content Providers, Intent Filters, Debugging Info, etc.
hidden screens protected with intent-filters
outside exposed activity - android:exported="true"
dangerous if exported
Look for
minSdkVersion
android.permission
activity & provider
android:exported flags
various normal strings
backup options
lib - directory where source code is changed for injection (.so files = shared objects)
original - check for sensitive information in the files, AndroidManifest.xml
res - resources directory, check the values/strings.xml file
smali - directory where the app's source code is stored (Smali is not human readable, use dex2jar converter or jadx-gui that decompile the files directly into Java)
AndroidManifest.xml - important for static analysis
Hardcoded strings refer to strings or text values that are directly written into the source code of a program, typically without being stored in a separate configuration file or resource file.
Found in Resources/strings.xml and in Activity source code
Threat vector can be login bypass with hardcoded credentials, exposed URLs and API Keys, Firebase URLs, etc.
🔬 Open InjuredAndroid.apk with jadx-gui for analysis, open Resources/resources.arsc/res/values/*.xml files and search for hardcoded strings.
Use the Text search tool to search the source code. Search for useful info like API, URLs, ids, passwords, SQL, Firebase, HTTP/HTTPS, secrets, sensitive data, etc.
Using jadx-gui open Source code\b3nac.injuredandroid\FlagOneLoginActivity
The
submitFlagmethod verifies user input against the string "F1ag_0n3" and, if matched, navigates to theFlagOneSuccessactivity, with associated actions related to flags and UI.
🚩
F1ag_0n3- Flag found in thesubmitFlagmethod.
There is a way to bypass the main activity and invoke other activities that are exported. Activities can be accessed with adb.
In jadx-guid, search for android:exported="true" in the AndroidManifest.xml file.
Take the <activity android:name="b3nac.injuredandroid.b25lActivity" android:exported="true"/> activity.
b3nac.injuredandroid.b25lActivity can be accessed from anywhere on the phone
🚩
S3c0nd_F1ag
R stands for Resources. Check for xml files.
Using jadx-gui open Source code\b3nac.injuredandroid\FlagThreeActivity
The
submitFlagmethod checks if the user input matches the string resourcecmVzb3VyY2VzX3lv. If true, it directs to theFlagOneSuccessactivity, with related flag handling and UI.
The hardcoded string (containing the flag) is stored in the
strings.xmlfile - easy to reverse engineer.
Search for the cmVzb3VyY2VzX3lv string in the strings.xml file.
🚩
F1ag_thr33
Classes and imports.
Using jadx-gui open Source code\b3nac.injuredandroid\FlagFourActivity
The
submitFlagmethod compares the user input with a string decoded from a byte array obtained by thedecoder.getData()method. If there's a match, it launches theFlagOneSuccessactivity, updating flag status and UI.
Search the obfuscated g class.
The
gclass provides a byte array obtained by decoding a Base64-encoded string. The decoded byte array represents the value "4_overdone_omelets" and is accessible through thea()method.
🚩
4_overdone_omelets
AWS Cli, Profiles and Credentials.
🔗 Tools
Run cloudenum.py
🚩
C10ud_S3cur1ty_lol
EXTRA - Previous AWS with ID & SECRET strings.
Use .json trick with database URL.
🔗 Tools
Open strings.xml and search for firebase.
Found <string name="firebase_database_url">https://injuredandroid.firebaseio.com</string>.
Enumerating Firebase database (if not found in the strings)
Run
firebaseEnum.py
Using jadx-gui open Source code\b3nac.injuredandroid\FlagNineFirebaseActivity
this Firebase directory is not protected.
Base64 encode the found flag [nine!_flag] and input in the app.
🚩
W25pbmUhX2ZsYWdd
Run MobSF (with Docker) and import the InjuredAndroid.apk into it for Static Analysis.
(Network, Internet, Phone, RW External Storage, etc)
(UI elements for user's interaction)
(sharing data between apps)
🔬Decompile the app using
online tool can be used to decode the string or Terminal base64 -d command.
- Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.
Check the bucket, the enumeration reveals the flag. Instead of attempting to crack the AWS login secret, one of the discovered URLs will get the flag.
- Enumerate exposed firebase databases
Open in a browser - Google login.
Open in the browser and find the flag
🔗 - a security research platform for mobile applications in Android, iOS and Windows Mobile
