Friday, March 3, 2017

Android Application Backup Vulnerabiility Testing

You must be already knowing about android application backup process. Beauty of this vulnerability is it works on non-rooted devices too sometimes. The vulnerability lies within the AndroidManifest.xml file.

Today we are going to test DIVA (Damn Insecure Vulnerable Application) against this vulnerability. First I had diva-beta.apk file. I unzip that using below command:

unzip diva-beta.apk

I got files and folders as listed in below screenshot. Then I tried to inspect AndroidManifest.xml file which was showing junk data. In order to see that in clear-text, I moved to apktool.


I used below command to decompile diva-beta.apk file.

apktool d diva-beta.apk


From above screenshot it can be observed that now AndroidManifest.xml file is in cleartext. To check if application allows to take backup or not, lets inspect the file using grep. I will straightaway look for backup keyword using grep. Command for the same is as mentioned below:

cat AndroidManifest.xml | grep Backup


From the above screenshot you can observe that application allows backup. Now this is by default
behavior of any application. Developers need to explicitly set this value to false in order to prevent this issue.

Our information gathering part is over here. Lets move to quickly exploit this issue. In order to exploit this issue, you need to first take backup shown below screenshot. Command for the same as as follow:

adb backup jakhar.aseem.diva

- adb (Android Debug Bridge)
- backup (Your output file name)
- Jakhar.aseem.diva (Target application name)

In case if you are confuse how to setup android pentest environment using genymotion and all required tool, you can visit this guide.

Setup pentest environment - https://www.youtube.com/watch?v=gwF3qxYxRFM

Setting up and using adb - https://www.youtube.com/watch?v=NPYCpbMoWkQ 
 

As shown in screenshot below first it will ask you to create a backup using password so called as encrypted backup. As hackers we always do not want this. So simply click on 'BACK UP MY DATA' button to start the process.


Backup in progress...

 
Backup finished...


From here onwards its been tricky for beginners. Now as you can see that 'backup.ab' file has been created. 

Now if you follow online well known references mentioned below, then they will ask you to convert your .ab file into extractable tar file using below command:


dd if=mybackup.ab bs=24 skip=1| openssl zlib -d > mybackup.tar

Reference 1 - http://resources.infosecinstitute.com/android-hacking-security-part-15-hacking-android-apps-using-backup-techniques/
Reference 2 - http://nelenkov.blogspot.in/2012/06/unpacking-android-backups.html

However, due to issues with OpenSSL zlib library, you may get error message as shown in below screenshot.




As a hacker your obivious try will be to copy paste this error and search online if there is any solution or not. You will find a solution to not to use default dd and openssl commands. Rather than that you can use android backup extractor tool from below referenced link:

Reference: https://sourceforge.net/projects/adbextractor/

I have downloaded and extracted the same in my box. Also copied backup.ab file in the same folder as mentioned below:


Out of all usage options we will use below highlighted option in our case:


I used below command to convert .ab file into extractable tar file using abe (Android Backup Extractor) tool.

java -jar abe.jar unpack backup.ab diva.tar


You can observe that diva.tar file was as mentioned in above screenshot. Now lets extract it using below command:

tar -xvf diva.tar


You can observed that it has created few files under apps/ folder. Now lets navigate and access those files. I was able to access divanotes.db (Database) file using Sqlite3 command as mentioned below:

sqlite3 divanotes.db (to open database)

.tables (to list all tables)

select * from notes; (to view complete 'notes' table data)


So this is how we can check for android application backup vulnerability for any target application.

Thanks

No comments: