InsecureBankv2.apk Android Walkthrough

Can Özkan
8 min read · Nov 5, 2023

In this blog post, I’ll walk through the InsecureBankv2 Android application, a purposely vulnerable app designed for educational purposes. It contains common security flaws such as insecure data storage, authentication issues, and input validation vulnerabilities. By dissecting the inner workings of InsecureBankv2, we’ll gain practical insight into mobile app security that is useful to developers, security professionals, and enthusiasts alike.

Link: https://github.com/dineshshetty/Android-InsecureBankv2

The app talks to a back-end server that requires Python 2. After installing the server and its dependencies, we launch it so that the vulnerable app can connect to it and we can start reversing.

Now that the server is up and running, we need to configure the mobile application so that it can connect to its server.

The initial screen is below.

Android Application Patching and Weak Authentication

I decompiled the application and looked at the strings. There is a setting called is_admin, and it is set to no.

What about if I set it to yes and recompile the application?

As you can see, the create user button appeared.
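The flag lives in the app’s own resources, so a user can change it and nothing on the device will stop them; the server has to enforce admin rights itself. The script below, an added example that is not code from the post or from InsecureBankv2, shows the same repackaging step as a script: it patches a string resource in an apktool-decoded APK, rebuilds and re-signs it. The strings.xml content is constructed (only the is_admin name and its "no" value come from the post), and the APK path, keystore and alias are placeholders.

```python
"""Patch a client-side feature flag in an apktool-decoded APK and rebuild it.

Added example (not code from the original post or from InsecureBankv2).
Assumptions: apktool and apksigner are on PATH; keystore path, alias and
output names are placeholders.
"""
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional, Tuple

# Constructed stand-in for res/values/strings.xml after `apktool d`; only the
# is_admin name and its "no" value are taken from the post.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">InsecureBankv2</string>
    <string name="is_admin">no</string>
</resources>
"""


def read_string_resource(xml_text: str, name: str) -> Optional[str]:
    """Return the value of <string name="..."> or None if it is absent."""
    root = ET.fromstring(xml_text)
    for node in root.iter("string"):
        if node.get("name") == name:
            return node.text
    return None


def patch_string_resource(xml_text: str, name: str, new_value: str) -> Tuple[str, bool]:
    """Return (patched_xml, changed). Every other resource is left untouched."""
    root = ET.fromstring(xml_text)
    changed = False
    for node in root.iter("string"):
        if node.get("name") == name and node.text != new_value:
            node.text = new_value
            changed = True
    return ET.tostring(root, encoding="unicode"), changed


def patch_apk(apk: Path, name: str, new_value: str, workdir: Path,
              keystore: Path, alias: str) -> Path:
    """Decode, patch strings.xml, rebuild and sign; returns the signed APK path.

    Uses documented apktool/apksigner options. Not exercised by the offline
    self-check below, which only covers the XML patching.
    """
    subprocess.run(["apktool", "d", "-f", str(apk), "-o", str(workdir)], check=True)
    strings_xml = workdir / "res" / "values" / "strings.xml"
    patched, changed = patch_string_resource(
        strings_xml.read_text(encoding="utf-8"), name, new_value)
    if not changed:
        raise SystemExit("%s is already %r; nothing to do" % (name, new_value))
    strings_xml.write_text(patched, encoding="utf-8")
    unsigned = workdir.with_suffix(".unsigned.apk")
    subprocess.run(["apktool", "b", str(workdir), "-o", str(unsigned)], check=True)
    signed = workdir.with_suffix(".patched.apk")
    subprocess.run(["apksigner", "sign", "--ks", str(keystore), "--ks-key-alias", alias,
                    "--out", str(signed), str(unsigned)], check=True)
    return signed


if __name__ == "__main__":
    # Offline self-check on the constructed XML. The lesson for the developer:
    # a resource value is under the user's control and cannot gate admin features.
    patched, changed = patch_string_resource(SAMPLE_STRINGS_XML, "is_admin", "yes")
    assert changed and read_string_resource(patched, "is_admin") == "yes"
    print(patched)
```

Run with an actual APK by calling `patch_apk(Path("app.apk"), "is_admin", "yes", Path("work"), Path("debug.jks"), "debugkey")` (placeholder names); `apksigner` is in the Android SDK build-tools.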

Android Debugging using JDWP and Changing Local Variables

While analyzing AndroidManifest.xml, I noticed that the application is built as debuggable.

“Debuggable” refers to a setting in an Android app’s manifest file (AndroidManifest.xml) that determines whether the app can be debugged or not. When an Android app is marked as “debuggable,” it allows developers to attach a debugger to the app, inspect its code, and monitor its behavior while it’s running on a device or emulator.

Let’s look at the methods available in the PostLogin class.

Let’s put a breakpoint here.

We can tamper with the variable values in real-time; therefore, we can bypass some security mechanisms.

Root Detection Bypass

Root detection bypass in Android refers to the practice of circumventing security mechanisms or checks that are put in place by Android apps in order to detect whether the Android device has been rooted or not. Rooting a device gives users administrative or superuser access, which can potentially pose security risks if malicious software gains elevated privileges. Many Android apps, especially those dealing with sensitive data or financial transactions, include root detection mechanisms to prevent their use on rooted devices.

I bypassed this security check with two different methods.

With Objection

At the code level, the application evaluates two checks and combines their results with a logical OR, so I need to make both functions (doesSUexist and doesSuperuserApkExist) return false.

I attached to the running application with Objection and made those modifications.

As a result, I was able to pass the anti-reverse engineering mechanism.

With Frida

As a second method, I used the fridantiroot Frida script.

Link: https://codeshare.frida.re/@dzonerzy/fridantiroot/

As a result, I was able to pass the anti-reverse engineering mechanism.

Developer Backdoor

When I decompiled the application, I realized that if the username is “devadmin”, the application does not require a password. It directly sends you to the post login screen.

Android Keyboard Cache Vulnerability

This issue stems from the keyboard cache feature on Android devices. It primarily affects the security and privacy of text input, because the cache can expose sensitive information that users have entered through the on-screen keyboard.

Exploiting Android Exported Activities

Exported Android activities, if not properly secured, can pose significant security risks. An exported activity is one that other applications are allowed to invoke; this is sometimes necessary, but it should be used carefully and with security considerations in mind.

I’ll show two ways to find exported Android activities. The first is through analyzing AndroidManifest.xml.

The second way is through the Drozer framework.

I can directly invoke the PostLogin activity, meaning that I bypassed the authentication mechanism.

Exploiting Android Backup Features

The application allows data backup.

The backed-up XML files contain user credentials.

Exploiting Android Vulnerable Broadcast Receiver

An Android Broadcast Receiver is a component of the Android system that allows apps to receive and respond to system-wide or application-specific broadcast messages. Broadcasts are a mechanism for inter-component communication within the Android system, allowing apps to send and receive messages to and from other apps or system components.

This application registers a broadcast receiver, so I switched to the decompiled code to analyze it. The receiver listens for SMS messages and allows the password to be changed through SMS.

Exploiting Android Content Provider

An Android Content Provider is a component of the Android operating system that allows apps to share data with other apps securely. Content providers enable controlled access to an app’s data, which can be in the form of a structured database, files, or other data sources. Apps can use Content Providers to read, insert, update, or delete data, and these operations are typically regulated by permissions and a well-defined URI (Uniform Resource Identifier) scheme.

Some risks associated with content providers are as follows: unintended data exposure, inadequate permission control, injection attacks, and leakage of sensitive information.

There is a content provider in this application, and there is no authentication or authorization mechanism for querying it.
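The debuggable flag, the allowBackup flag, and the exported activity, broadcast receiver and content provider discussed above are all visible in AndroidManifest.xml once the APK is decoded with apktool. The audit script below, an added example that is not code from the post, Drozer or InsecureBankv2, parses such a manifest and reports those exposures, applying the platform defaults for components that do not set android:exported explicitly (an intent-filter implies exported; providers were exported by default below targetSdk 17) and skipping the launcher activity, which is exported by design. Both manifests are constructed with made-up package and component names; only PostLogin is a name from the post.

```python
"""Audit an apktool-decoded AndroidManifest.xml for debuggable builds, allowBackup,
and exported components that no permission guards.

Added example; not code from the post, Drozer or InsecureBankv2. Manifests are
constructed (made-up package/component names; PostLogin is the only name from the post).
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER = "android.intent.category.LAUNCHER"

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
    <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="22"/>
    <application android:debuggable="true" android:allowBackup="true">
        <activity android:name=".LoginActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".PostLogin" android:exported="true"/>
        <receiver android:name=".PasswordSmsReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <provider android:name=".UserTrackerProvider"
            android:authorities="com.example.bank.UserTrackerProvider"
            android:exported="true"/>
        <service android:name=".InternalSync"/>
    </application>
</manifest>
"""

# Older target: provider without android:exported, nothing else set.
LEGACY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.legacy">
    <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="16"/>
    <application>
        <provider android:name=".UserTrackerProvider" android:authorities="com.example.legacy.users"/>
        <activity android:name=".Hidden"/>
    </application>
</manifest>
"""


def attr(node: ET.Element, name: str):
    """Read an android:-namespaced attribute (ElementTree uses Clark notation)."""
    return node.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(kind: str, comp: ET.Element, target_sdk: int) -> bool:
    """Apply the platform defaults when android:exported is not set explicitly."""
    explicit = attr(comp, "exported")
    if explicit is not None:
        return explicit == "true"
    if kind == "provider":
        return target_sdk < 17                 # providers defaulted to exported before API 17
    return comp.find("intent-filter") is not None  # an intent-filter implies exported


def is_launcher(comp: ET.Element) -> bool:
    return any(attr(c, "name") == LAUNCHER for c in comp.iter("category"))


def guarded(kind: str, comp: ET.Element) -> bool:
    """True when callers must hold a permission to reach the component."""
    names = ("permission", "readPermission", "writePermission") if kind == "provider" else ("permission",)
    return any(attr(comp, n) for n in names)


def audit_manifest(xml_text: str) -> Dict:
    root = ET.fromstring(xml_text)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    target_sdk = 1
    if sdk is not None:  # targetSdkVersion falls back to minSdkVersion when unset
        target_sdk = int(attr(sdk, "targetSdkVersion") or attr(sdk, "minSdkVersion") or 1)
    exposed: List[Tuple[str, str]] = []
    for kind in ("activity", "receiver", "service", "provider"):
        for comp in app.findall(kind):
            if (is_exported(kind, comp, target_sdk) and not guarded(kind, comp)
                    and not is_launcher(comp)):
                exposed.append((kind, attr(comp, "name")))
    return {
        "target_sdk": target_sdk,
        "debuggable": attr(app, "debuggable") == "true",
        "allow_backup": attr(app, "allowBackup") != "false",  # defaults to true when unset
        "exposed_components": sorted(exposed),
    }


if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_MANIFEST), ("legacy", LEGACY_MANIFEST)):
        print(label, audit_manifest(xml))
```

Every component the script lists is reachable from another app on the same device without any permission, which is exactly what the Drozer steps above demonstrate; the fix is `android:exported="false"` where cross-app access is not needed, or a signature-level permission where it is.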

Exploiting Weak Cryptography

When a cryptographic key is hardcoded within an Android application, the key is embedded directly in the app’s code. This practice introduces several security issues: the key offers no protection against static analysis, it is exposed to anyone who decompiles the app, it cannot be rotated, and it is difficult to revoke.

In shared preferences, logged-in user credentials are stored in an encrypted manner.

Let’s decrypt it.

The password is Dinesh@123$.
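Decrypting the stored credentials was possible only because the key (and the IV) could be read straight out of the decompiled code. The scanner below, an added example that is not code from the post or from InsecureBankv2, is the check a reviewer would run over decompiled Java to catch that class of defect: a SecretKeySpec built from a string literal, an IvParameterSpec built from a zero-filled or literal array, and ECB transformations. Both Java snippets are constructed (the key string is a placeholder, not the app’s real key), and loadKeyFromAndroidKeystore() in the hardened snippet is a hypothetical helper.

```python
"""Flag hardcoded keys, static IVs and ECB mode in decompiled Java source.

Added example; not code from the post or InsecureBankv2. The Java snippets are
constructed; loadKeyFromAndroidKeystore() is a hypothetical helper name.
"""
import re
from typing import Dict, List

STRING_ASSIGN = re.compile(r'\bString\s+(\w+)\s*=\s*"([^"\n]*)"')
BYTES_ASSIGN = re.compile(r'\bbyte\s*\[\]\s*(\w+)\s*=\s*(\{[^}]*\}|new\s+byte\s*\[\s*\d+\s*\])')
KEY_SPEC = re.compile(r'new\s+SecretKeySpec\s*\(\s*(?:"([^"]*)"|(\w+))')
IV_SPEC = re.compile(r'new\s+IvParameterSpec\s*\(\s*(?:"([^"]*)"|(\w+))')
TRANSFORM = re.compile(r'Cipher\.getInstance\s*\(\s*"([^"]*)"')

VULNERABLE_JAVA = """\
package com.example.bank;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CryptoClass {
    String key = "constructed-placeholder-key-32by";
    byte[] ivBytes = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};

    byte[] decrypt(byte[] data) throws Exception {
        SecretKeySpec spec = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, spec, new IvParameterSpec(ivBytes));
        return cipher.doFinal(data);
    }
}
"""

HARDENED_JAVA = """\
public class CryptoClass {
    byte[] decrypt(byte[] data, byte[] iv) throws Exception {
        SecretKey key = loadKeyFromAndroidKeystore();  // hypothetical helper
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return cipher.doFinal(data);
    }

    byte[] freshIv() {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        return iv;
    }
}
"""


def _line(src: str, pos: int) -> int:
    return src.count("\n", 0, pos) + 1


def _all_zero(initializer: str) -> bool:
    """True for `new byte[N]` (zero-filled) or a literal {0, 0, ...}."""
    if initializer.startswith("new"):
        return True
    items = [t.strip() for t in initializer.strip("{}").split(",") if t.strip()]
    return bool(items) and all(t in ("0", "0x00", "(byte) 0", "(byte)0") for t in items)


def scan_java_source(src: str) -> List[Dict]:
    findings: List[Dict] = []
    literals = {m.group(1): m.group(2) for m in STRING_ASSIGN.finditer(src)}
    # A zero array that is later filled by SecureRandom.nextBytes() is not static.
    static_bytes = {m.group(1) for m in BYTES_ASSIGN.finditer(src)
                    if _all_zero(m.group(2))
                    and not re.search(r"\.nextBytes\s*\(\s*%s\s*\)" % m.group(1), src)}
    for m in KEY_SPEC.finditer(src):
        if m.group(1) is not None or m.group(2) in literals:
            findings.append({"line": _line(src, m.start()), "rule": "hardcoded-key",
                             "detail": "key comes from a string literal; any decompiler recovers it"})
    for m in IV_SPEC.finditer(src):
        if m.group(1) is not None or m.group(2) in static_bytes or m.group(2) in literals:
            findings.append({"line": _line(src, m.start()), "rule": "static-iv",
                             "detail": "fixed IV; equal plaintexts give equal ciphertexts"})
    for m in TRANSFORM.finditer(src):
        t = m.group(1).upper()
        if t.startswith(("AES", "DES")) and ("/ECB/" in t or "/" not in t):
            findings.append({"line": _line(src, m.start()), "rule": "ecb-mode",
                             "detail": "%s is ECB (the JCE default when no mode is given)" % m.group(1)})
    return sorted(findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for f in scan_java_source(VULNERABLE_JAVA):
        print(f)
    print("hardened:", scan_java_source(HARDENED_JAVA))
```

Run it over the output of a decompiler (jadx writes one .java file per class); the hardened snippet produces no findings because the key never appears in code and the IV is generated per message.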

Insecure Logging

Insecure logging is a common security vulnerability in Android applications. It occurs when sensitive information, such as passwords, personal data, or other confidential details, is written to log files without appropriate protection or redaction. This information can then be easily accessible to anyone with access to the logs, potentially leading to the unauthorized disclosure of sensitive data.

The application logs login credentials and password changes made through SMS.

As can be seen, upon successful login, the credentials are logged, resulting in sensitive information leakage.
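The leak is visible to anything that can read logcat, so the cheap detection is to run the device log through a credential scanner before release. The script below, an added example that is not code from the post or from InsecureBankv2, parses `adb logcat -v threadtime` output, flags messages that carry a password field or a user:password pair, and shows what the same line looks like with the secret redacted. The log lines are constructed in threadtime format (tags, PIDs and values are made up).

```python
"""Scan logcat output for credential leaks and show the redacted form.

Added example; not code from the post or InsecureBankv2. Log lines are
constructed in `adb logcat -v threadtime` format with made-up values.
"""
import re
from typing import Dict, List, Optional

SAMPLE_LOGCAT = """\
11-05 10:12:31.201  4321  4321 D Successful Login:: , account=jack:Sup3rSecret!
11-05 10:12:31.205  4321  4321 D ViewRootImpl: setView = com.example.bank.PostLogin
11-05 10:13:02.009  4321  4341 I BankActivity: password changed via SMS for user jack, new password=Hunter2
11-05 10:13:05.440  4321  4321 D BankActivity: user jack opened statements
"""

THREADTIME = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>.*?):\s(?P<msg>.*)$"
)

# Rule name, regex; the last group of each regex is the secret to redact.
RULES = [
    ("password-field", re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|pin|secret|token)(\s*[=:]\s*)(\S+)")),
    ("credential-pair", re.compile(r"(?i)\b(account\s*=\s*[^:\s]+:)(\S+)")),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = THREADTIME.match(line)
    return m.groupdict() if m else None


def scan_logcat(lines) -> List[Dict]:
    """Return one finding per (line, rule) hit; non-logcat lines are skipped."""
    findings: List[Dict] = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if not rec:
            continue
        for rule, rx in RULES:
            if rx.search(rec["msg"]):
                findings.append({"line": n, "tag": rec["tag"], "rule": rule})
    return findings


def redact(line: str) -> str:
    """The line as it should have been logged: field names kept, secrets removed."""
    rec = parse_line(line)
    if not rec:
        return line
    msg = RULES[0][1].sub(r"\1\2[REDACTED]", rec["msg"])
    msg = RULES[1][1].sub(r"\1[REDACTED]", msg)
    return line[: len(line) - len(rec["msg"])] + msg


if __name__ == "__main__":
    lines = SAMPLE_LOGCAT.splitlines()
    for f in scan_logcat(lines):
        print(f, "->", redact(lines[f["line"] - 1]))
```

In a release build the better answer is not to log the values at all (strip `Log.d`/`Log.v` calls with ProGuard or R8 rules), since third-party apps with READ_LOGS and anyone with adb access can read the buffer.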

Proxying Network Traffic

I’ll try to write another write-up/walkthrough regarding HTTP-related vulnerabilities later.

This work has been supported in part by the Energy Transition Fund of the FPS Economy of Belgium through the CYPRESS project, and in part by the VLAIO COOCK program through the IIoT-SBOM project.

Thanks for reading.

Can Özkan

Can Özkan

Security Researcher, Penetration Tester, and Reverse Engineer