# 4. Android Static Analysis

## Injured Android

> 🔗 [InjuredAndroid](https://github.com/B3nac/InjuredAndroid)
>
> 🔗 [InjuredAndroid walk-throughs](https://github.com/B3nac/InjuredAndroid/blob/master/InjuredAndroid-FlagWalkthroughs.md)
>
> 1. Download the latest release [injuredandroid.apk](https://github.com/B3nac/InjuredAndroid/releases/tag/v1.0.12) from Github
> 2. Enable USB debugging on your Android test phone.
> 3. Connect your phone and your pc with a USB cable.
> 4. Install via `adb` if installing from releases. (You need to use the absolute path to the .apk file or be in the same directory)
>
> 📌 Package name: `b3nac.injuredandroid`

`InjuredAndroid` is *a vulnerable Android application that shows simple examples of vulnerabilities in a ctf style*.

```bash
mkdir ~/apks
cd ~/apks

wget -O InjuredAndroid.apk https://github.com/B3nac/InjuredAndroid/releases/download/v1.0.12/InjuredAndroid-1.0.12-release.apk

adb install InjuredAndroid.apk
```

> **EXTRA**
>
> * Check the app's install path (and pull `base.apk` from it if necessary)
>
> ```bash
> adb shell
> pm list packages | grep injured
> 	package:b3nac.injuredandroid
> pm path b3nac.injuredandroid
> 	package:/data/app/b3nac.injuredandroid-Ms4WCz1i9EefZuncV6Xnpw==/base.apk
>
> # Pull the apk from the path into the host OS
> exit # the adb shell
> adb pull /data/app/b3nac.injuredandroid-Ms4WCz1i9EefZuncV6Xnpw==/base.apk InjuredAndroid_base.apk
> ```

🔬 Open `InjuredAndroid.apk` with `jadx-gui` for analysis.

![](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-ee061de5ef1d10f4fbdd664a208a3d945eec39ee%2F2024-01-05_20-20-52_292.png?alt=media)

***

## [AndroidManifest.xml](https://developer.android.com/guide/topics/manifest/manifest-intro)

The `AndroidManifest.xml` file contains essential information about the app: it declares the app's components and settings such as `minSdkVersion`, permissions, activities, services, content providers, intent filters, debugging info, etc.

* [Permissions](https://developer.android.com/reference/android/Manifest.permission) (Network, Internet, Phone, RW External Storage, etc)
* [Activities](https://developer.android.com/guide/components/activities/intro-activities) (UI elements for user's interaction)
  * hidden screens reachable only through their *intent-filters*
  * activities exposed to other apps - `android:exported="true"`
* [Content Providers](https://developer.android.com/guide/topics/providers/content-providers) (sharing data between apps)
  * dangerous if exported

![AndroidManifest.xml](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-1988a81fe93841e11f9495459183dfe185dd216c%2F2024-01-05_19-44-52_291.png?alt=media)

* Look for
  * `minSdkVersion`
  * `android.permission`
  * `activity` & `provider`
  * `android:exported` flags
  * various normal strings
  * backup options

```xml
<!-- # Min and Target SDK  -->
<uses-sdk android:minSdkVersion="21" android:targetSdkVersion="29"/>

<!-- # Permissions -->
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>

<!-- # Activities -->
<activity android:theme="@style/AppTheme.NoActionBar" android:label="@string/title_activity_flag_eighteen" android:name="b3nac.injuredandroid.FlagEighteenActivity" android:exported="true"/>
<provider android:name="androidx.core.content.FileProvider" android:exported="false" android:authorities="b3nac.injuredandroid.fileprovider" android:grantUriPermissions="true">
    <meta-data android:name="android.support.FILE_PROVIDER_PATHS" android:resource="@xml/file_paths"/>
</provider>
<activity android:theme="@style/AppTheme.NoActionBar" android:label="@string/title_activity_flag_seventeen" android:name="b3nac.injuredandroid.FlagSeventeenActivity"/>
```
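As an added example (not from the original page or the InjuredAndroid project), the checklist above can be automated: the script parses a manifest, reports the SDK levels, dangerous permissions and backup flag, and lists every exported component, applying the pre-API-31 rule that a component with an `<intent-filter>` and no explicit `android:exported` is exported by default. The manifest is constructed from the fragments shown above; the `MainActivity` entry and the `allowBackup` flag are assumptions for the demo.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree keys namespaced attributes by their URI
# Subset of the permissions Android classes as "dangerous" (granted at runtime).
DANGEROUS = {"android.permission.READ_PHONE_STATE", "android.permission.READ_EXTERNAL_STORAGE",
             "android.permission.WRITE_EXTERNAL_STORAGE"}

# Constructed from the manifest fragments shown above; MainActivity/allowBackup are assumed.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="b3nac.injuredandroid">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="29"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:allowBackup="true">
    <activity android:name="b3nac.injuredandroid.b25lActivity" android:exported="true"/>
    <activity android:name="b3nac.injuredandroid.FlagSeventeenActivity"/>
    <activity android:name="b3nac.injuredandroid.MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <provider android:name="androidx.core.content.FileProvider" android:exported="false"/>
  </application>
</manifest>"""


def is_exported(comp, target_sdk):
    """Explicit android:exported wins; below targetSdk 31 an <intent-filter> implies exported."""
    flag = comp.get(A + "exported")
    if flag is not None:
        return flag == "true"
    return target_sdk < 31 and comp.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Report SDK levels, dangerous permissions, the backup flag and exported components."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    get_sdk = lambda attr: int(sdk.get(A + attr, "0")) if sdk is not None else 0
    report = {"min_sdk": get_sdk("minSdkVersion"), "target_sdk": get_sdk("targetSdkVersion"),
              "dangerous_permissions": sorted(p.get(A + "name") for p in root.iter("uses-permission")
                                              if p.get(A + "name") in DANGEROUS),
              "allow_backup": False, "exported": []}
    app = root.find("application")
    if app is not None:
        report["allow_backup"] = app.get(A + "allowBackup") == "true"
        for tag in ("activity", "service", "receiver", "provider"):
            for comp in app.iter(tag):
                if is_exported(comp, report["target_sdk"]):
                    # Exported with no android:permission guard: reachable from any app
                    unguarded = comp.get(A + "permission") is None
                    report["exported"].append((tag, comp.get(A + "name"), unguarded))
    return report
```

Run it on the manifest `apktool` writes out; every `(tag, name, True)` tuple in `exported` is a component any other app on the device can start.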

***

## Manual Static Analysis

> [Apktool CLI Parameters](https://apktool.org/docs/cli-parameters)

🔬 Decode (disassemble) the app using [`apktool`](https://apktool.org/)

```bash
apktool d InjuredAndroid.apk
```

![](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-2ec0bca41cb504609c3ff6df5984b279d8f6e322%2F2024-01-05_20-24-11_293.png?alt=media)

* `lib` - native libraries (`.so` files = shared objects); this is where native code is inspected and, for injection, patched
* `original` - the untouched `AndroidManifest.xml` and other original files; check them for sensitive information
* `res` - resources directory, check the `values/strings.xml` file
* `smali` - directory with the app's disassembled code (Smali is hard to read by hand; use the `dex2jar` converter or `jadx-gui`, which decompiles the files directly into Java)
* `AndroidManifest.xml` - important for static analysis

```bash
# Read .so files' strings, e.g.
strings ~/apks/InjuredAndroid/lib/x86_64/libencrypt.so

# Read strings.xml, AndroidManifest.xml files
cat ~/apks/InjuredAndroid/res/values/strings.xml

cat ~/apks/InjuredAndroid/AndroidManifest.xml
```

***

## Hardcoded Strings

**Hardcoded strings** refer to strings or text values that are directly written into the source code of a program, typically without being stored in a separate configuration file or resource file.

* Found in `Resources/strings.xml` and in Activity source code

Threat vectors include login bypass with hardcoded credentials, exposed URLs and API keys, Firebase URLs, etc.

🔬 Open `InjuredAndroid.apk` with `jadx-gui` for analysis, open `Resources/resources.arsc/res/values/*.xml` files and search for hardcoded strings.

![strings.xml](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-31f9c65a33287b1c49156684db3e30453a3e6f38%2F2024-01-06_11-24-45_295.png?alt=media)

```xml
<!-- strings.xml -->

<string name="AWS_ID" />
<string name="AWS_SECRET" />

<string name="firebase_database_url">https://injuredandroid.firebaseio.com</string>

<string name="google_api_key">AIzaSyCUImEIOSvqAswLqFak75xhskkB6illd7A</string>
<string name="google_app_id">1:430943006316:android:d97db57e11e42a1a037249</string>
<string name="google_crash_reporting_api_key">AIzaSyCUImEIOSvqAswLqFak75xhskkB6illd7A</string>
<string name="google_storage_bucket">injuredandroid.appspot.com</string>
```

Use the `Text search` tool to search the source code for useful information: API keys, URLs, ids, passwords, SQL, Firebase, HTTP/HTTPS, secrets, sensitive data, etc.
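An added example, not code from the page or the project, that scans a decoded `strings.xml` for the same categories the text search targets (Google API keys, AWS access key ids, Firebase URLs, storage buckets) and also reports suspiciously named entries such as `AWS_SECRET` even when they are empty. The sample XML is constructed after the excerpt above; the API key value is a placeholder of the right shape, not a real key.

```python
import re
import xml.etree.ElementTree as ET

# Well-known credential formats plus loose matchers for backend endpoints.
PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "firebase_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com\b"),
    "storage_bucket": re.compile(r"\b[a-z0-9.-]+\.(?:appspot\.com|s3\.amazonaws\.com)\b"),
}
# Resource names that hint at a secret even when the value is empty or unusual.
SUSPICIOUS_NAMES = re.compile(r"(secret|passw|token|api_key|aws_)", re.I)

# Constructed sample modelled on the excerpt above; the key is a placeholder.
SAMPLE_STRINGS_XML = f"""<resources>
  <string name="app_name">InjuredAndroid</string>
  <string name="AWS_ID" />
  <string name="AWS_SECRET" />
  <string name="firebase_database_url">https://injuredandroid.firebaseio.com</string>
  <string name="google_api_key">{'AIzaSy' + 'X' * 33}</string>
  <string name="google_storage_bucket">injuredandroid.appspot.com</string>
  <string name="title_activity_flag_one">Flag One</string>
</resources>"""


def scan_strings_xml(xml_text):
    """Return (resource_name, finding_kind, value) for every suspicious entry."""
    findings = []
    for s in ET.fromstring(xml_text).iter("string"):
        name, value = s.get("name", ""), (s.text or "").strip()
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(value):
                findings.append((name, kind, m.group(0)))
        # An empty AWS_SECRET is still worth reporting: the app was built to carry
        # credentials, and another build may ship a real value in that slot.
        if SUSPICIOUS_NAMES.search(name) and not any(f[0] == name for f in findings):
            findings.append((name, "suspicious_name", value))
    return findings
```

Point it at `res/values/strings.xml` from the `apktool` output; anything it reports should be confirmed in the activity code that reads the resource.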

![](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-0043b4b2a4faeb7a9edcac1d723a76a6d48e5720%2F2024-01-06_11-36-39_296.png?alt=media)

***

## Injured Android Flags

### Flag1

Using `jadx-gui` open `Source code\b3nac.injuredandroid\FlagOneLoginActivity`

![FlagOneLoginActivity](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-068b441a0777a600e3a1180cdd5b3e1d033c171b%2F2024-01-06_11-45-43_297.png?alt=media)

> The `submitFlag` method verifies user input against the string "**F1ag\_0n3**" and, if matched, navigates to the `FlagOneSuccess` activity, with associated actions related to flags and UI.

> 🚩 `F1ag_0n3` - Flag found in the `submitFlag` method.

### Flag2

*There is a way to bypass the main activity and invoke other activities that are exported*. Activities can be accessed with `adb`.

In `jadx-gui`, search for `android:exported="true"` in the `AndroidManifest.xml` file.

* Take the `<activity android:name="b3nac.injuredandroid.b25lActivity" android:exported="true"/>` activity.
* `b3nac.injuredandroid.b25lActivity` can therefore be started from anywhere on the phone.

```bash
# Open terminal
adb shell
su

# Start the activity in the app
am start b3nac.injuredandroid/.b25lActivity
```

![](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-7cd89c2f6844edd23a17910bcdf24631191fb222%2F2024-01-06_12-03-09_299.png?alt=media)

> 🚩 `S3c0nd_F1ag`

### Flag3

*R stands for Resources. Check for `xml` files.*

Using `jadx-gui` open `Source code\b3nac.injuredandroid\FlagThreeActivity`

![FlagThreeActivity](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-0226c3985ff15610d5414cf5c26ff0039d73c758%2F2024-01-06_12-08-00_300.png?alt=media)

> The `submitFlag` method checks if the user input matches the string resource `cmVzb3VyY2VzX3lv`. If true, it directs to the `FlagOneSuccess` activity, with related flag handling and UI.
>
> * The hardcoded string (containing the flag) is stored in the `strings.xml` file - easy to reverse engineer.

Search for the `cmVzb3VyY2VzX3lv` string in the `strings.xml` file.

![](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-debef5ad8cce5ac49356f1185962f35d1059ebad%2F2024-01-06_12-10-03_301.png?alt=media)

> 🚩 `F1ag_thr33`

### Flag4

*Classes and imports.*

Using `jadx-gui` open `Source code\b3nac.injuredandroid\FlagFourActivity`

![FlagFourActivity](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-fb04a354c24a1468b6270684c8f30366198ce722%2F2024-01-06_12-13-32_302.png?alt=media)

> The `submitFlag` method compares the user input with a string decoded from a byte array obtained by the `decoder.getData()` method. If there's a match, it launches the `FlagOneSuccess` activity, updating flag status and UI.

Search for the obfuscated `g` class.

![](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-2fb67ac025ddac269981a3db69c9dd5491ccdb44%2F2024-01-06_12-25-25_303.png?alt=media)

* The [CyberChef](https://gchq.github.io/CyberChef/#recipe=From_Base64\('A-Za-z0-9%2B/%3D',true,false\)\&input=TkY5dmRtVnlaRzl1WlY5dmJXVnNaWFJ6) online tool or the terminal `base64 -d` command can be used to decode the string.

```bash
echo "NF9vdmVyZG9uZV9vbWVsZXRz" | base64 -d
	4_overdone_omelets
```

> The `g` class provides a byte array obtained by decoding a Base64-encoded string. The decoded byte array represents the value "**4\_overdone\_omelets**" and is accessible through the `a()` method.

> 🚩 `4_overdone_omelets`
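Flag 3 and Flag 4 both hide a value behind a Base64 literal that `jadx` shows verbatim. As an added example (not the app's or the page's code), this helper pulls Base64-looking string literals out of decompiled Java and keeps only those that decode to printable text, which filters out identifiers such as log tags that happen to use only Base64 characters. The Java lines are constructed to resemble jadx output; `aGVsbG8=` is a made-up literal included to exercise padding handling.

```python
import base64
import binascii
import re

# A quoted literal of at least 8 Base64-alphabet characters (padding allowed).
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/=]{8,})"')

# Constructed to look like jadx output; not the real FlagFourActivity source.
SAMPLE_JAVA = '''
    byte[] data = Base64.decode("NF9vdmVyZG9uZV9vbWVsZXRz", 0);
    String hint = getString(R.string.cmVzb3VyY2VzX3lv);   // resource name, not a literal
    String tag = "aGVsbG8=";
    Log.d("FlagActivity", "Submitting flag");
    String url = "https://injuredandroid.firebaseio.com";
'''


def decode_if_text(token):
    """Return the decoded string if token is valid Base64 for printable UTF-8, else None."""
    token += "=" * (-len(token) % 4)  # Android's decoder tolerates missing padding
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def find_encoded_literals(java_source):
    """Map each Base64-looking literal to its decoded text, dropping false positives."""
    found = {}
    for m in B64_LITERAL.finditer(java_source):
        token = m.group(1)
        if len(token) % 4 == 1:  # no Base64 string has this length, skip early
            continue
        decoded = decode_if_text(token)
        if decoded is not None:
            found[token] = decoded
    return found
```

Feed it the `.java` files that `jadx` exports; binary payloads (keys, compressed blobs) are dropped by the printable check and need manual inspection instead.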

### Flag8

*AWS Cli, Profiles and Credentials.*

> 🔗 Tools
>
> * [cloud\_enum](https://github.com/initstring/cloud_enum) - *Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.*
> * [AWS CLI](https://aws.amazon.com/cli/)

```bash
# cloud_enum

cd ~/repo
git clone https://github.com/initstring/cloud_enum.git
cd ~/repo/cloud_enum
pip3 install -r requirements.txt
```

* Run `cloudenum.py`

```bash
python3 cloud_enum.py -k injuredandroid
```

Check the <http://injuredandroid.s3.amazonaws.com/> bucket listed by the enumeration: one of the discovered URLs contains the flag, so there is no need to crack the AWS login secret.

![](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-f36fd59cfa9eda769342a375a76c3591b48578f0%2F2024-01-06_12-49-23_304.png?alt=media)

> 🚩 `C10ud_S3cur1ty_lol`

> EXTRA - Using the AWS ID & SECRET strings found earlier.
>
> ```bash
> # If bucket exists and access is necessary with ID & SECRET, AWS CLI can be used
> sudo apt install -y awscli
>
> aws configure --profile injuredandroid
> aws s3 ls s3://injuredandroid --profile injuredandroid
> ```

### Flag9

*Use .json trick with database URL.*

> 🔗 Tools
>
> * [firebaseEnum](https://github.com/Sambal0x/firebaseEnum) - *Enumerate exposed firebase databases*

Open `strings.xml` and search for `firebase`.

Found `<string name="firebase_database_url">https://injuredandroid.firebaseio.com</string>`.

Opening <https://injuredandroid.firebaseio.com> in a browser only shows a Google login page.

> * Enumerating Firebase databases (if the URL is not found in the strings)
>
> ```bash
> # firebaseEnum
>
> cd ~/repo
> git clone https://github.com/Sambal0x/firebaseEnum.git
> cd ~/repo/firebaseEnum
> pip3 install -r requirements.txt
> ```
>
> * Run `firebaseEnum.py`
>
> ```bash
> python3 firebaseEnum.py -k injuredandroid
> # nothing found
> ```
>
> ![](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-c86b017c8f8f32ac85337392fa6f5344666f5cb8%2F2024-01-06_13-17-35_308.png?alt=media)

Using `jadx-gui` open `Source code\b3nac.injuredandroid\FlagNineFirebaseActivity`

![FlagNineFirebaseActivity](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-ae6a798838fa52f159231e549171ade43e7b3f07%2F2024-01-06_13-11-56_305.png?alt=media)

![FlagNineFirebaseActivity](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-f5fe429cb32e63c4d097a1e0d8110f889e9b80fd%2F2024-01-06_13-12-40_306.png?alt=media)

```bash
# Decode the string found in the FlagNineFirebaseActivity method
echo "ZmxhZ3Mv" | base64 -d
	flags/
```

Open <https://injuredandroid.firebaseio.com/flags/.json> in the browser and find the flag.

* this Firebase path is not protected, so it can be read without authentication.

![](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-d91bcb9e004cf3dbf8dc24817f7a7082be37a068%2F2024-01-06_13-14-56_307.png?alt=media)

Base64-encode the found flag `[nine!_flag]` and enter the result in the app.

```bash
echo -n '[nine!_flag]' | base64
	W25pbmUhX2ZsYWdd
```

> 🚩 `W25pbmUhX2ZsYWdd`

***

## MobSF Automated Analysis

> 🔗 [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) - *a security research platform for mobile applications in Android, iOS and Windows Mobile*

Run `MobSF` (with Docker) and upload `InjuredAndroid.apk` to it for static analysis.

```bash
docker run -it --rm --name mobsf -p 8000:8000 -v ~/docker/mobsf:/home/mobsf/.MobSF opensecurity/mobile-security-framework-mobsf:latest
```

![MobSF - InjuredAndroid.apk](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-4aa658d046d1793a0476b5cd3f67fb8ea92ceded%2F2024-01-06_14-53-44_321.png?alt=media)

![MobSF Application Security Scorecard - InjuredAndroid 1.0.9](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-efa776543464449c4fd6c2f8d6e1816199d939fc%2F2024-01-06_14-37-31_311.png?alt=media)

![](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-b8563272a2428398a5278346474996d42a52be7d%2F2024-01-06_14-38-13_312.png?alt=media)

![](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-eed310a2c7f70f97e787b86cc18034226824d3b0%2F2024-01-06_14-38-34_313.png?alt=media)

![](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-76db1c45016d83de26cc3a9c8dc57eb72e21629e%2F2024-01-06_14-39-52_314.png?alt=media)

![](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-397164a028f5e1d98ecdf7c00121fc078d89b3b0%2F2024-01-06_14-47-50_318.png?alt=media)

![](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-681d0fbb93706d072f741a068006168fc700687d%2F2024-01-06_14-49-11_319.png?alt=media)

![](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-fda0486e66e66337448744cbf5301660ae4d9659%2F2024-01-06_14-40-58_315.png?alt=media)

![](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-5dc4ed67a0e5d09c5b82ebd2d607092113f42c77%2F2024-01-06_14-50-11_320.png?alt=media)

![](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-1a078102a511a50faa1555ac3234a3b798f968b6%2F2024-01-06_14-41-44_316.png?alt=media)

![](https://1178537843-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2KUxfxUFmy000PDT7MtM%2Fuploads%2Fgit-blob-6db33baa725be8cef4c924d6b19f821cd80ca8e0%2F2024-01-06_14-42-41_317.png?alt=media)

***
