Android Applications Pentesting


Misingi ya Programu za Android

It is highly recommended to start by reading this page to learn about the most important parts related to Android security and the most dangerous components in an Android application:

Android Applications Basics

ADB (Android Debug Bridge)

This is the main tool you need to connect to an Android device (emulated or real).
ADB allows you to control devices either over USB or the network from a computer. This utility enables copying files in both directions, installing and uninstalling apps, executing shell commands, backing up data, reading logs, among other functions.

Take a look at the following list of ADB Commands to learn how to use adb.

Smali

Sometimes it is interesting to modify the application code to access hidden information (maybe well obfuscated passwords or flags). Then, it could be useful to decompile the apk, modify the code and recompile it.
In this tutorial you can learn how to decompile an APK, modify Smali code and recompile the APK with the new functionality. This can be a valuable alternative for several of the tests presented in the dynamic analysis section below. Keep this possibility always in mind.

Other interesting tricks

Automated APK retrieval from multiple sources (justapk)

pip install justapk (Python 3.11+). The CLI emits JSON on stdout and progress on stderr (pipe-friendly). It tries a deterministic fallback chain across APK20 → F-Droid → APKPure (mobile API) → APKMirror (HTML scrape) → Uptodown (mobile API) → APKCombo (HTML scrape). Sources behind Cloudflare protection are fetched with curl_cffi TLS-fingerprint impersonation so that requests look like a real client and are less likely to be blocked by bot detection.

justapk download <package>              # auto fallback
justapk download <package> -s apkpure   # pin a source / version / output dir
justapk search telegram
justapk info org.telegram.messenger
justapk convert app.xapk -o output/      # merges splits, re-signs with debug key

convert merges XAPK/split APKs and signs the result with a debug key, so the signature/origin of the resulting APK will differ from the original (use it for testing/analysis, not for production installs).

  • Pull the APK from the device:
adb shell pm list packages
com.android.insecurebankv2

adb shell pm path com.android.insecurebankv2
package:/data/app/com.android.insecurebankv2-Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk

adb pull /data/app/com.android.insecurebankv2-Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
  • Merge all the splits and base apks with APKEditor:
mkdir splits
adb shell pm path com.android.insecurebankv2 | cut -d ':' -f 2 | xargs -n1 -i adb pull {} splits
java -jar ../APKEditor.jar m -i splits/ -o merged.apk

# after merging, you will need to align and sign the apk, personally, I like to use the uberapksigner
java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed

Android malware techniques (loaders, fileless DEX, persistence)

Native staging + fileless DEX loaders

Some Android droppers embed a native library (lib*.so) that decrypts and writes a second ELF (for example, l.so) to a temporary path, loads it via JNI, and then loads the real logic as a DEX kept in memory only, using dalvik.system.InMemoryDexClassLoader. This reduces the static visibility of the payload and avoids writing classes*.dex to disk.

Practical triage notes:

  • Look for native libraries that dlopen or call System.loadLibrary very early and then resolve Java methods through obfuscated stack strings (for example, XOR-decoded on the stack).
  • Watch for InMemoryDexClassLoader in logs/strings or hooks; its presence indicates fileless DEX execution.

Short Frida hook to dump the in-memory DEX buffer before it is loaded:

Java.perform(() => {
  const IM = Java.use('dalvik.system.InMemoryDexClassLoader');
  const FOS = Java.use('java.io.FileOutputStream');
  IM.$init.overload('java.nio.ByteBuffer', 'java.lang.ClassLoader').implementation = function (buf, parent) {
    // Copy the DEX bytes out before the loader consumes them.
    // buf.array() only exists for heap-backed ByteBuffers; a direct buffer
    // throws UnsupportedOperationException, hence the try/catch.
    try {
      const fos = FOS.$new('/sdcard/memdex.dex');
      fos.write(buf.array());
      fos.close();
      console.log('[+] dumped in-memory DEX to /sdcard/memdex.dex');
    } catch (e) {
      console.log('[!] could not dump DEX buffer: ' + e);
    }
    return this.$init(buf, parent);
  };
});

Anti-analysis kill-switch

Packed loaders frequently terminate themselves when an emulator or analysis check fails (for example, CPU_ABI validation) by calling:

android.os.Process.killProcess(android.os.Process.myPid());

Persistence via foreground service + MediaPlayer loop

A lightweight persistence pattern is to keep a foreground service alive with a pinned notification and play a near-silent audio loop through MediaPlayer. This keeps the process "active" and makes it less likely to be killed by the OS for inactivity. Look for a ForegroundService + MediaPlayer combination looping a small asset (often only a few seconds long).

Accessibility overlay + ACTION_SET_TEXT hijacking

Once the user grants the Accessibility permission, banking trojans can track the foreground app, display a realistic-looking overlay (often a WebView whose HTML is stored as Base64), and replace transaction fields using AccessibilityNodeInfo.ACTION_SET_TEXT. This allows the recipient address to be swapped silently while the victim still sees the expected UI.

Minimal text-replacement example:

Bundle args = new Bundle();
args.putCharSequence(AccessibilityNodeInfo.ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE,
"ATTACKER_USDT_ADDRESS");
node.performAction(AccessibilityNodeInfo.ACTION_SET_TEXT, args);

Legitimate push infrastructure as C2 gating

Instead of custom sockets, some malware uses Firebase Cloud Messaging (FCM) as its C2 channel. FCM messages can trigger telemetry checks (charging state, battery %, temperature, user inactivity) and gate actions such as mining or fraud behind them for stealth.

Encrypted native payload staging with filename-derived keys

Native payloads can be shipped as encrypted ELF blobs and decrypted through CipherInputStream(), using a key derived from the SHA-1 of the downloaded filename. Every filename/version yields a different key, which prevents static IOC reuse.

Jezail rooted Android pentesting toolkit (REST API + web UI)

  • Runs on a rooted device (Magisk/rootAVD) and starts an HTTP server on tcp/8080 serving a Flutter web UI and a REST API.
  • Install the release APK with all permissions granted: adb install -g -r jezail.apk, then launch the app (the server starts automatically).
  • Endpoints: http://<device-ip>:8080/ (UI), http://<device-ip>:8080/api/json (API listing), http://<device-ip>:8080/api/swagger (Swagger).
  • Port-forward from the emulator to reach the UI/API from the host: adb forward tcp:8080 tcp:8080, then browse to http://localhost:8080.

Android Enterprise & Work Profile Attacks

Android Enterprise Work Profile Bypass

Case Studies & Vulnerabilities

Air Keyboard Remote Input Injection

Android Rooting Frameworks Manager Auth Bypass Syscall Hook

Abusing Android Media Pipelines Image Parsers

Firmware Level Zygote Backdoor Libandroid Runtime

Static Analysis

First of all, to analyse an APK you should take a look at the Java code using a decompiler.
Please read here to find information about the different decompilers available.

Looking for interesting info

Just by taking a look at the strings of the APK you can search for passwords, URLs (https://github.com/ndelphit/apkurlgrep), api keys, encryption, bluetooth uuids, tokens and anything interesting... look even for code execution backdoors or authentication backdoors (hardcoded admin credentials in the app).

Firebase

Pay special attention to firebase URLs and check whether the instance is misconfigured. More information about what Firebase is and how to exploit it here.

Basic understanding of the application - Manifest.xml, strings.xml

Examining an application's Manifest.xml and strings.xml files can reveal potential security vulnerabilities. These files can be accessed using decompilers or by renaming the APK file extension to .zip and then unzipping it.

Vulnerabilities identified from the Manifest.xml include:

  • Debuggable Applications: Applications set as debuggable (debuggable="true") in the Manifest.xml file pose a risk, as they allow connections that can lead to exploitation. For further understanding of how to exploit debuggable applications, refer to a tutorial on finding and exploiting debuggable applications on a device.
  • Backup Settings: The android:allowBackup="false" attribute should be explicitly set for applications dealing with sensitive information to prevent unauthorized data backups via adb, especially when usb debugging is enabled.
  • Network Security: Custom network security configurations (android:networkSecurityConfig="@xml/network_security_config") in res/xml/ can specify security details like certificate pins and HTTP traffic settings. An example is allowing HTTP traffic for specific domains.
  • Exported Activities and Services: Identifying exported activities and services in the manifest can highlight components that might be misused. Further analysis during dynamic testing can reveal how to exploit these components.
  • Content Providers and FileProviders: Exposed content providers could allow unauthorized access or modification of data. The configuration of FileProviders should also be scrutinized.
  • Broadcast Receivers and URL Schemes: These components might be leveraged for exploitation, with particular attention to how URL schemes are managed for input vulnerabilities.
  • SDK Versions: The minSdkVersion, targetSDKVersion, and maxSdkVersion attributes indicate the supported Android versions, highlighting the importance of not supporting outdated, vulnerable Android versions for security reasons.

From the strings.xml file, sensitive information such as API keys, custom schemas, and other developer notes can be discovered, underscoring the need for careful review of these resources.
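As an added example (not code from the original page), a small Python audit over a decoded AndroidManifest.xml that applies the checks listed above: debuggable, allowBackup, networkSecurityConfig, exported components (including the implicit export of intent-filter components when targetSdk is below 31), singleTask without taskAffinity, and declared URL schemes. The manifest, package and component names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed manifest (as apktool would decode it), not from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.insecureapp">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30" />
    <application android:label="Demo" android:debuggable="true">
        <activity android:name=".MainActivity" android:launchMode="singleTask">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name=".DeepLinkActivity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <data android:scheme="demoapp" android:host="open" />
            </intent-filter>
        </activity>
        <activity android:name=".AdminActivity" android:exported="false" />
        <service android:name=".SyncService" android:exported="true"
            android:permission="com.example.insecureapp.SYNC" />
        <provider android:name=".DataProvider" android:exported="true"
            android:authorities="com.example.insecureapp.provider" />
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute (None when absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component, target_sdk):
    """android:exported wins when present; otherwise, up to Android 11 (targetSdk < 31)
    a component that declares an intent-filter is exported by default."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None and target_sdk < 31


def audit_manifest(manifest_xml):
    """Return [(severity, finding)] for the checks described in the list above."""
    root = ET.fromstring(manifest_xml)
    findings = []

    uses_sdk = root.find("uses-sdk")
    min_sdk = int(_attr(uses_sdk, "minSdkVersion") or 1) if uses_sdk is not None else 1
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or min_sdk) if uses_sdk is not None else min_sdk
    if min_sdk < 23:
        findings.append(("low", f"minSdkVersion={min_sdk}: outdated Android releases are still supported"))

    app = root.find("application")
    if _attr(app, "debuggable") == "true":
        findings.append(("high", 'android:debuggable="true": a debugger can be attached to the process'))
    if _attr(app, "allowBackup") != "false":
        findings.append(("medium", "android:allowBackup is not explicitly false: app data can be pulled with adb backup"))
    nsc = _attr(app, "networkSecurityConfig")
    if nsc:
        findings.append(("info", f"custom network security config {nsc}: review pins and cleartext rules"))
    elif target_sdk < 28:
        findings.append(("medium", "no networkSecurityConfig and targetSdk < 28: cleartext HTTP allowed by default"))

    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = _attr(comp, "name")
        if is_exported(comp, target_sdk):
            perm = _attr(comp, "permission")
            if perm:
                findings.append(("info", f"exported {comp.tag} {name} is guarded by permission {perm}"))
            else:
                findings.append(("high", f"exported {comp.tag} {name} has no permission: reachable from any app"))
        mode = _attr(comp, "launchMode")
        if comp.tag == "activity" and mode in ("singleTask", "singleInstance") and not _attr(comp, "taskAffinity"):
            findings.append(("medium", f"activity {name} uses {mode} without taskAffinity: task hijacking candidate"))
        for data in comp.iter("data"):
            if _attr(data, "scheme"):
                findings.append(("info", f"{comp.tag} {name} handles URL scheme {_attr(data, 'scheme')}://"))
    return findings


if __name__ == "__main__":
    for severity, text in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{severity:6}] {text}")
```

Run it against the manifest apktool decoded for you (apktool d app.apk, then AndroidManifest.xml in the output directory) instead of the constructed sample.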

Tapjacking

Tapjacking is an attack where a malicious application is launched and positions itself on top of a victim application. Once it visibly obscures the victim app, its user interface is designed to trick the user into interacting with it, while it passes the interaction along to the victim app.
In effect, it blinds the user to the fact that they are actually performing actions on the victim app.

Find more information in:

Tapjacking

Task Hijacking

An activity with the launchMode set to singleTask and no taskAffinity defined is vulnerable to Task Hijacking. This means that a malicious application can be installed and, if launched before the real application, can hijack the task of the real application (so the user will be interacting with the malicious application while thinking they are using the real one).

More info in:

Android Task Hijacking

Insecure data storage

Internal Storage

In Android, files stored in internal storage are designed to be accessible exclusively by the app that created them. This security measure is enforced by the Android operating system and is generally adequate for the security needs of most applications. However, developers sometimes use modes such as MODE_WORLD_READABLE and MODE_WORLD_WRITABLE to allow files to be shared between different applications. These modes do not restrict access to those files by other applications, including potentially malicious ones.

  1. Static Analysis:
  • Ensure that any use of MODE_WORLD_READABLE and MODE_WORLD_WRITABLE is carefully scrutinized. These modes can expose files to unintended or unauthorized access.
  2. Dynamic Analysis:
  • Verify the permissions set on files created by the app. Specifically, check whether any file is set to be world-readable or world-writable. This is a significant security risk, as it would allow any application installed on the device, regardless of its origin or intent, to read or modify these files.

External Storage

When dealing with files on external storage, such as SD cards, certain precautions should be taken:

  1. Accessibility:
  • Files on external storage are globally readable and writable. This means any application or user can access these files.
  2. Security Concerns:
  • Given the ease of access, it is advised not to store sensitive information on external storage.
  • External storage can be removed or accessed by any application, making it less secure.
  3. Handling Data from External Storage:
  • Always perform input validation on data retrieved from external storage. This is crucial because the data comes from an untrusted source.
  • Storing executables or class files on external storage for dynamic loading is strongly discouraged.
  • If your application must retrieve executable files from external storage, ensure these files are signed and cryptographically verified before they are dynamically loaded. This step is vital for maintaining the security integrity of your application.

External storage can be accessed at /storage/emulated/0 , /sdcard , /mnt/sdcard

Tip

Starting with Android 4.4 (API 17), the SD card has a directory structure that limits an app's access to the directory specific to that app. This prevents a malicious application from gaining read or write access to another app's files.

Sensitive data stored in clear-text

  • Shared preferences: Android allows each application to easily save xml files in the path /data/data/<packagename>/shared_prefs/, and sometimes it is possible to find sensitive information in clear-text in that folder.
  • Databases: Android allows each application to easily save sqlite databases in the path /data/data/<packagename>/databases/, and sometimes it is possible to find sensitive information in clear-text in that folder.

Broken TLS

Accept All Certificates

For some reason, developers sometimes accept all certificates even if, for example, the hostname does not match, with lines of code like the following:

SSLSocketFactory sf = new cc(trustStore);
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

A good way to test this is to try to capture the traffic using a proxy like Burp without installing the Burp CA on the device. You can also generate a certificate for a different hostname with Burp and use that.

Broken Cryptography

Poor Key Management Processes

Some developers save sensitive data in local storage and encrypt it with a key that is hardcoded or predictable in the code. This should not be done, as reversing the app could allow an attacker to extract the confidential information.

Use of Insecure and/or Deprecated Algorithms

Developers should not use deprecated algorithms to perform authorisation checks or to store or send data. Some of these algorithms are: RC4, MD4, MD5, SHA1... If hashes are used to store passwords, for example, brute-force-resistant hashes with a salt should be used.

Other checks

  • It is recommended to obfuscate the APK to make the reverse engineering work harder for attackers.
  • If the app is sensitive (like a banking app), it should perform its own checks to see whether the device is rooted and act accordingly.
  • If the app is sensitive (like a banking app), it should check whether an emulator is being used.
  • If the app is sensitive (like a banking app), it should check its own integrity before executing to detect whether it was modified.
  • Use APKiD to check which compiler/packer/obfuscator was used to build the APK.

React Native Application

Read the following page to learn how to easily access the javascript code of React Native applications:

React Native Application

Xamarin Applications

Read the following page to learn how to easily access the C# code of Xamarin applications:

Xamarin Apps

Superpacked Applications

According to this blog post, superpacked is a Meta algorithm that compresses the content of an application into a single file. The blog discusses the possibility of creating an app that decompresses this kind of app... and a faster way, which involves executing the application and gathering the decompressed files from the filesystem.

Automated Static Code Analysis

The tool mariana-trench is capable of finding vulnerabilities by scanning the code of the application. It contains a series of known sources (which tell the tool the places where input is controlled by the user), sinks (which tell the tool the dangerous places where malicious user input could cause damage) and rules. These rules describe the source-sink combinations that indicate a vulnerability.

With this knowledge, mariana-trench will review the code and find possible vulnerabilities in it.

Secrets leaked

An application may contain secrets (API keys, passwords, hidden urls, subdomains...) that you might be able to discover. You can use a tool such as https://github.com/dwisiswant0/apkleaks

Bypass Biometric Authentication

Bypass Biometric Authentication (Android)

Other interesting functions

  • Code execution: Runtime.exec(), ProcessBuilder(), native code:system()
  • Send SMSs: sendTextMessage, sendMultipartTextMessage
  • Native functions declared as native: public native, System.loadLibrary, System.load
  • Read this to learn how to reverse native functions
  • In-memory native code execution via JNI (downloaded shellcode → mmap/mprotect → call):

In Memory Jni Shellcode Execution

Other tricks

content:// protocol



Dynamic Analysis

First of all, you need an environment where you can install the application and all the tooling (Burp CA cert, Drozer and Frida mainly). Therefore, a rooted device (emulated or not) is strongly recommended.

Online Dynamic analysis

You can create a free account at: https://appetize.io/. This platform allows you to upload and execute APKs, so it is useful for seeing how an apk behaves.

You can even see the logs of your application on the web and connect through adb.

Thanks to the ADB connection you can use Drozer and Frida inside the emulators.

Local Dynamic Analysis

Using an emulator

  • Android Studio (you can create x86 and arm devices, and according to this the latest x86 versions support ARM libraries without needing a slow arm emulator).
  • Learn how to set it up on this page:

AVD - Android Virtual Device

  • Genymotion (Free version: Personal Edition, you need to create an account. It is recommended to download the version WITH VirtualBox to avoid potential errors.)
  • Nox (Free, but it does not support Frida or Drozer).

Tip

When creating a new emulator on any platform, remember that the bigger the screen is, the slower the emulator will run. So select the smallest screen possible.

To install google services (like the AppStore) in Genymotion you need to click the red-highlighted button in the following image:

Also note that in the configuration of the Android VM in Genymotion you can select Bridge Network mode (this will be useful if you will be connecting to the Android VM from a different VM that holds the tools).

Use a physical device

You need to activate the debugging options, and it would be good if you can root it:

  1. Settings.
  2. (From Android 8.0) Select System.
  3. Select About phone.
  4. Press Build number 7 times.
  5. Go back and you will find the Developer options.

Once you have installed the application, the first thing you should do is try it out and investigate what it does, how it works and get comfortable with it.
I suggest performing this initial dynamic analysis using MobSF dynamic analysis + pidcat, so that we can learn how the application works while MobSF captures a lot of interesting data that you can review later on.

Magisk/Zygisk quick notes (recommended on Pixel devices)

  • Patch boot.img with the Magisk app and flash via fastboot to get systemless root
  • Enable Zygisk + DenyList for root hiding; consider LSPosed/Shamiko when stronger hiding is required
  • Keep original boot.img to recover from OTA updates; re-patch after each OTA
  • For screen mirroring, use scrcpy on the host

Unintended Data Leakage

Logging

Developers should be cautious about exposing debugging information publicly, as it can lead to sensitive data leaks. The tools pidcat and adb logcat are recommended for monitoring application logs in order to identify and protect sensitive information. Pidcat is preferred for its ease of use and readability.

Warning

Note that since versions newer than Android 4.0, applications are only able to access their own logs. So applications cannot access other apps' logs.
Anyway, it is still recommended not to log sensitive information.

Copy/Paste Buffer Caching

Android's clipboard-based framework enables copy-paste functionality in apps, yet it poses a risk, as other applications can access the clipboard and thereby expose sensitive data. It is crucial to disable copy/paste for sensitive sections of an application, such as credit card details, to prevent data leaks.

Crash Logs

If an application crashes and saves logs, these logs can assist attackers, particularly when the application cannot be reverse-engineered. To mitigate this risk, avoid logging on crashes, and if logs must be transmitted over the network, ensure they are sent over an SSL channel for security.

As a pentester, try to take a look at these logs.

Analytics Data Sent To 3rd Parties

Apps often integrate services like Google Adsense, which can inadvertently leak sensitive data due to improper implementation by developers. To identify potential data leaks, it is advisable to intercept the application's traffic and check whether any sensitive information is being sent to third-party services.

SQLite DBs

Most applications will use internal SQLite databases to save information. During the pentest, take a look at the databases created, the names of the tables and columns and all the data saved, because you could find sensitive information (which would be a vulnerability).
Databases should be located in /data/data/the.package.name/databases, for example /data/data/com.mwr.example.sieve/databases

If the database is saving confidential information and is encrypted, but you can find the password inside the application, it is still a vulnerability.

Enumerate the tables using .tables and enumerate the columns of a table using .schema <table_name>
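Added example (not the page's code): a Python triage of an app database in the way the paragraph describes, enumerating tables and columns via sqlite_master and PRAGMA table_info (the same information .tables and .schema give you), flagging sensitive-looking columns and key/value rows, and classifying stored values as cleartext or unsalted MD5/SHA-1-like hashes. The database is constructed in memory in place of a file pulled from /data/data/<pkg>/databases/.

```python
import re
import sqlite3

SENSITIVE_NAME = re.compile(r"(?i)(pass|pwd|secret|token|pin|ssn|pan|card|cvv|key)")


def build_sample_db():
    """Constructed stand-in for a database pulled from /data/data/<pkg>/databases/."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, email TEXT);
        CREATE TABLE cards(id INTEGER PRIMARY KEY, user_id INTEGER, pan TEXT, cvv TEXT);
        CREATE TABLE settings(k TEXT, v TEXT);
        INSERT INTO users VALUES(1, 'alice', 'hunter2', 'alice@example.com');
        INSERT INTO users VALUES(2, 'bob', '5f4dcc3b5aa765d61d8327deb882cf99', 'bob@example.com');
        INSERT INTO cards VALUES(1, 1, '4111111111111111', '123');
        INSERT INTO settings VALUES('api_token', 'eyJhbGciOiJIUzI1NiJ9.e30.c2ln');
        INSERT INTO settings VALUES('theme', 'dark');
    """)
    return conn


def schema(conn):
    """Same information as .tables plus .schema <table>: {table: [columns]}."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    return {t: [row[1] for row in conn.execute(f'PRAGMA table_info("{t}")')] for t in tables}


def classify(value):
    """Rough guess at how a stored secret was protected (see Broken Cryptography above)."""
    if re.fullmatch(r"[0-9a-f]{32}", value):
        return "md5-like"
    if re.fullmatch(r"[0-9a-f]{40}", value):
        return "sha1-like"
    return "cleartext"


def redact(value):
    """Keep a short prefix so the finding is recognisable without copying the secret."""
    return value[:4] + "*" * (len(value) - 4)


def triage(conn, sample_rows=3):
    """Return [(table, column, [(classification, redacted sample), ...])]."""
    findings = []
    for table, cols in schema(conn).items():
        for col in cols:
            if SENSITIVE_NAME.search(col):
                rows = conn.execute(
                    f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL LIMIT ?', (sample_rows,))
                findings.append((table, col, [(classify(str(v)), redact(str(v))) for (v,) in rows]))
        if len(cols) == 2:  # key/value tables hide the secret behind a row key, not a column name
            for k, v in conn.execute(f'SELECT "{cols[0]}", "{cols[1]}" FROM "{table}"'):
                if SENSITIVE_NAME.search(str(k)):
                    findings.append((table, f"{cols[0]}={k}", [(classify(str(v)), redact(str(v)))]))
    return findings


if __name__ == "__main__":
    db = build_sample_db()  # replace with sqlite3.connect("pulled.db") for a real file
    for table, column, samples in triage(db):
        print(f"{table}.{column}: {samples}")
```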

Drozer (Exploit Activities, Content Providers and Services)

From the Drozer Docs: Drozer allows you to assume the role of an Android app and interact with other apps. It can do anything that an installed application can do, such as make use of Android's Inter-Process Communication (IPC) mechanism and interact with the underlying operating system.
Drozer is a useful tool to exploit exported activities, exported services and Content Providers, as you will learn in the following sections.

Exploiting exported Activities

Read this if you want to refresh what an Android Activity is.
Also remember that the code of an activity starts in the onCreate method.

Authorisation bypass

When an Activity is exported you can invoke its screen from an external app. Therefore, if an activity with sensitive information is exported, you could bypass the authentication mechanisms to access it.

Learn how to exploit exported activities with Drozer.

You can also start an exported activity from adb:

  • PackageName is com.example.demo
  • Exported ActivityName is com.example.test.MainActivity
adb shell am start -n com.example.demo/com.example.test.MainActivity

NOTE: MobSF will flag as malicious the use of singleTask/singleInstance as android:launchMode in an activity, but according to this it is apparently only dangerous on old versions (API versions < 21).

Tip

Note that an authorisation bypass is not always a vulnerability; it depends on how the bypass works and which information is exposed.

Sensitive information leakage

Activities can also return results. If you manage to find an exported and unprotected activity that calls the setResult method and returns sensitive information, there is a sensitive information leakage.

Tapjacking

If tapjacking is not prevented, you could abuse the exported activity to make the user perform unexpected actions. For more info about what Tapjacking is, follow the link.

Exploiting Content Providers - Accessing and manipulating sensitive information

Read this if you want to refresh what is a Content Provider.
Content providers are basically used to share data. If an app has available content providers you may be able to extract sensitive data from them. It is also worth testing for SQL injections and Path Traversals, as they could be vulnerable.

Learn how to exploit Content Providers with Drozer.

Exploiting Services

Read this if you want to refresh what is a Service.
Remember that the actions of a Service start in the onStartCommand method.

A service is basically something that can receive data, process it and return (or not) a response. So, if an application exports some services, you should check the code to understand what it is doing and test it dynamically for extracting confidential info, bypassing authentication measures...
Learn how to exploit Services with Drozer.

Exploiting Broadcast Receivers

Read this if you want to refresh what is a Broadcast Receiver.
Remember that the actions of a Broadcast Receiver start in the onReceive method.

A Broadcast receiver waits for a type of message. Depending on how the receiver handles the message, it could be vulnerable.
Learn how to exploit Broadcast Receivers with Drozer.

You can look for deep links manually, using tools like MobSF or scripts like this one.
You can open a declared scheme using adb or a browser:

adb shell am start -a android.intent.action.VIEW -d "scheme://hostname/path?param=value" [your.package.name]

Note that you can omit the package name and the device will automatically call the app that should open that link.

<!-- Browser regular link -->
<a href="scheme://hostname/path?param=value">Click me</a>
<!-- fallback in your url you could try the intent url -->
<a href="intent://hostname#Intent;scheme=scheme;package=your.package.name;S.browser_fallback_url=http%3A%2F%2Fwww.example.com;end">with alternative</a>

Code executed

To find the code that will be executed in the app, go to the activity called by the deeplink and search for the function onNewIntent.

Sensitive info

Every time you find a deep link, check that it is not receiving sensitive data (like passwords) via URL parameters, because any other application could impersonate the deep link and steal that data!

Parameters in path

You must also check whether any deep link uses a parameter inside the path of the URL, like: https://api.example.com/v1/users/{username} , in which case you can force a path traversal by accessing something like: example://app/users?username=../../unwanted-endpoint%3fparam=value .
Note that if you find the correct endpoints inside the application you may be able to cause an Open Redirect (if part of the path is used as a domain name), account takeover (if you can modify user details without a CSRF token and the vulnerable endpoint used the correct method) and other vulns. More info about this here.
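Added example, not from the original page: a Python model of the deep-link handler described above, showing the naive path concatenation that turns ?username=../../unwanted-endpoint%3fparam=value into a request for a completely different endpoint, next to a hardened builder that whitelists and percent-encodes the segment and checks that the resolved URL still sits under the API prefix. The backend base URL, the example:// scheme and the parameter name are hypothetical.

```python
import re
from urllib.parse import parse_qs, quote, urljoin, urlparse

API_BASE = "https://api.example.com/v1/users/"   # hypothetical backend prefix
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")  # what a username may look like


def resolve(url):
    """Normalise the URL the way an HTTP client or server does: collapse '..' and '.' segments."""
    p = urlparse(url)
    path = urljoin(f"{p.scheme}://{p.netloc}/", p.path)
    return path + (f"?{p.query}" if p.query else "")


def build_user_url_vulnerable(username):
    """Drops the deep-link parameter straight into the path (the bug being tested for)."""
    return API_BASE + username


def build_user_url_hardened(username):
    """Whitelist the segment, percent-encode it (no '/' or '?' survives) and confirm
    the resolved URL is still below API_BASE. Returns None when the value is rejected."""
    if not USERNAME_RE.fullmatch(username):
        return None
    url = API_BASE + quote(username, safe="")
    return url if resolve(url).startswith(API_BASE) else None


def handle_deep_link(link, builder):
    """Model of the app's deep-link handler: read ?username= and build the backend URL
    that the app would request."""
    username = parse_qs(urlparse(link).query).get("username", [""])[0]
    url = builder(username)
    return resolve(url) if url else None


if __name__ == "__main__":
    link = "example://app/users?username=../../unwanted-endpoint%3fparam=value"
    print("vulnerable ->", handle_deep_link(link, build_user_url_vulnerable))
    print("hardened   ->", handle_deep_link(link, build_user_url_hardened))
```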

More examples

Interesting bug bounty report about links (/.well-known/assetlinks.json).

Transport Layer Inspection and Verification Failures

  • Certificates are not always inspected properly by Android applications. It is common for these applications to ignore warnings and accept self-signed certificates or, in some instances, fall back to HTTP connections.
  • Negotiations during the SSL/TLS handshake are sometimes weak, employing insecure cipher suites. This weakness makes the connection susceptible to man-in-the-middle (MITM) attacks, allowing attackers to decrypt the data.
  • Leakage of private information is a risk when applications authenticate over secure channels but then communicate over non-secure channels for other transactions. This approach fails to protect sensitive data, such as session cookies or user details, from interception by malicious parties.

Certificate Verification

We will focus on certificate verification. The integrity of the server's certificate must be verified to enhance security. This is crucial because insecure TLS configurations and the transmission of sensitive data over unencrypted channels can pose significant risks. For detailed steps on verifying server certificates and addressing vulnerabilities, this resource provides comprehensive guidance.

SSL Pinning

SSL Pinning is a security measure where the application verifies the server's certificate against a known copy stored within the application itself. This method is essential for preventing MITM attacks. Implementing SSL Pinning is strongly recommended for applications handling sensitive information.

Traffic Inspection

To inspect HTTP traffic, it is necessary to install the proxy tool's certificate (e.g., Burp). Without installing this certificate, encrypted traffic might not be visible through the proxy. For a guide on installing a custom CA certificate, click here.

Applications targeting API Level 24 and above require modifications to the Network Security Config to accept the proxy's CA certificate. This step is critical for inspecting encrypted traffic. For instructions on modifying the Network Security Config, refer to this tutorial.

If Flutter is being used you need to follow the instructions on this page. This is because just adding the certificate to the store will not work, as Flutter has its own list of valid CAs.
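Added example, not from the page: a Python check of res/xml/network_security_config.xml that flags the weak settings (cleartext in base-config, user-installed CAs trusted in release builds, a single pin, an expired pin-set) and, side by side, the corrected form that only trusts user CAs under debug-overrides, which is the change an API 24+ app needs in a debug build to accept a proxy CA. Both XML documents and the pin values are constructed placeholders, and the fixed reference date is an assumption.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed res/xml/network_security_config.xml with the weak settings.
WEAK_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2023-01-01">
            <pin digest="SHA-256">PLACEHOLDER_SPKI_HASH_1=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""

# Corrected form: system CAs only in release, user CAs only under debug-overrides,
# a backup pin and an expiry in the future.
HARDENED_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors><certificates src="system" /></trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2027-01-01">
            <pin digest="SHA-256">PLACEHOLDER_SPKI_HASH_1=</pin>
            <pin digest="SHA-256">PLACEHOLDER_SPKI_HASH_2=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors><certificates src="user" /></trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def _trusts_user_cas(section):
    return any(c.get("src") == "user" for c in section.iter("certificates"))


def audit_nsc(xml_text, today=date(2024, 6, 1)):
    """Return [(severity, finding)] for a network security config.
    `today` is a fixed assumed date so the result is reproducible."""
    root = ET.fromstring(xml_text)
    findings = []
    base = root.find("base-config")
    if base is not None:
        if base.get("cleartextTrafficPermitted") == "true":
            findings.append(("high", "base-config permits cleartext HTTP to every host"))
        if _trusts_user_cas(base):
            findings.append(("high", "base-config trusts user-installed CAs in release builds: "
                                     "any CA added to the device (including a proxy CA) is accepted"))
    for dc in root.findall("domain-config"):
        domains = [d.text.strip() for d in dc.findall("domain")]
        if dc.get("cleartextTrafficPermitted") == "true":
            findings.append(("medium", f"cleartext HTTP permitted for {domains}"))
        pin_set = dc.find("pin-set")
        if pin_set is None:
            findings.append(("info", f"no certificate pins for {domains}"))
            continue
        pins = pin_set.findall("pin")
        if len(pins) < 2:
            findings.append(("low", f"{len(pins)} pin for {domains}: no backup pin, so a key rotation breaks connectivity"))
        exp = pin_set.get("expiration")
        if exp and date.fromisoformat(exp) < today:
            findings.append(("medium", f"pin-set for {domains} expired on {exp}: Android stops enforcing expired pins"))
    dbg = root.find("debug-overrides")
    if dbg is not None and _trusts_user_cas(dbg):
        findings.append(("info", "debug-overrides trusts user CAs: only honoured when android:debuggable is true"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_NSC), ("hardened", HARDENED_NSC)):
        print(label, audit_nsc(xml_text))
```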

Static detection of SSL/TLS pinning

Before attempting runtime bypasses, quickly map where pinning is enforced inside the APK. Static discovery helps you plan hooks/patches and focus on the right code paths.

Tool: SSLPinDetect

  • Open-source static-analysis utility that decompiles an APK to Smali (via apktool) and scans it for curated regex patterns of SSL/TLS pinning implementations.
  • Reports the exact file path, line number, and code snippet for every match.
  • Covers common frameworks and custom code paths: OkHttp CertificatePin­ner, custom javax.net.ssl.X509TrustManager.checkServerTrusted, SSLContext.init with custom TrustManagers/KeyManagers, and Network Security Config XML pins.

Install

  • Prerequisites: Python >= 3.8, Java on PATH, apktool
git clone https://github.com/aancw/SSLPinDetect
cd SSLPinDetect
pip install -r requirements.txt

Usage

# Basic
python sslpindetect.py -f app.apk -a apktool.jar

# Verbose (timings + per-match path:line + snippet)
python sslpindetect.py -a apktool_2.11.0.jar -f sample/app-release.apk -v

Example pattern rules (JSON). Use or extend the signatures to detect proprietary/custom pinning styles. You can load your own JSON and scan at scale.

{
  "OkHttp Certificate Pinning": [
    "Lcom/squareup/okhttp/CertificatePinner;",
    "Lokhttp3/CertificatePinner;",
    "setCertificatePinner"
  ],
  "TrustManager Override": [
    "Ljavax/net/ssl/X509TrustManager;",
    "checkServerTrusted"
  ]
}

Notes and tips

  • Fast scanning of large apps via multi-threading and memory-mapped I/O; pre-compiled regexes reduce overhead and false positives.
  • Pattern collection: https://github.com/aancw/smali-sslpin-patterns
  • Typical detection targets to review afterwards:
    • OkHttp: usage of CertificatePinner, setCertificatePinner, references to the okhttp3/okhttp package
    • Custom TrustManagers: javax.net.ssl.X509TrustManager, checkServerTrusted overrides
    • Custom SSL contexts: SSLContext.getInstance + SSLContext.init with custom managers
    • Declarative pins in the res/xml network security config and manifest references
  • Use the matched locations to plan Frida hooks, static patches, or config review before dynamic testing.
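Added example, not SSLPinDetect's own code: a Python reimplementation of the scanning step, applying a rule set in the same shape as the JSON above to a few constructed smali files and reporting rule, path, line and snippet for each match; scan_directory does the same over a real apktool output tree. The smali contents and the extra "Custom SSLContext" rule are constructed for the example.

```python
import os
import re

# Rule set in the same shape as the tool's JSON (rule name -> list of regexes);
# the last rule is an extension not present in the page's example.
PATTERN_RULES = {
    "OkHttp Certificate Pinning": [
        r"Lcom/squareup/okhttp/CertificatePinner;",
        r"Lokhttp3/CertificatePinner;",
        r"setCertificatePinner",
    ],
    "TrustManager Override": [
        r"Ljavax/net/ssl/X509TrustManager;",
        r"checkServerTrusted",
    ],
    "Custom SSLContext": [r"Ljavax/net/ssl/SSLContext;->init\("],
}

# Constructed smali snippets standing in for apktool output (path -> file contents).
SMALI_TREE = {
    "smali/com/example/net/ApiClient.smali": """\
.class public Lcom/example/net/ApiClient;
.super Ljava/lang/Object;
.method private buildClient()Lokhttp3/OkHttpClient;
    new-instance v0, Lokhttp3/CertificatePinner$Builder;
    invoke-direct {v0}, Lokhttp3/CertificatePinner$Builder;-><init>()V
    const-string v1, "api.example.com"
    invoke-virtual {v2, v0}, Lokhttp3/OkHttpClient$Builder;->certificatePinner(Lokhttp3/CertificatePinner;)Lokhttp3/OkHttpClient$Builder;
    return-object v2
.end method
""",
    "smali/com/example/net/PinningTrustManager.smali": """\
.class public Lcom/example/net/PinningTrustManager;
.super Ljava/lang/Object;
.implements Ljavax/net/ssl/X509TrustManager;
.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 0
    return-void
.end method
""",
    "smali/com/example/ui/MainActivity.smali": """\
.class public Lcom/example/ui/MainActivity;
.super Landroid/app/Activity;
.method protected onCreate(Landroid/os/Bundle;)V
    return-void
.end method
""",
}


def compile_rules(rules):
    """Pre-compile once; the tool does the same to keep large scans fast."""
    return {name: [re.compile(p) for p in pats] for name, pats in rules.items()}


def scan_tree(tree, rules=PATTERN_RULES):
    """Return [(rule, path, line_no, snippet)] for every matching smali line."""
    compiled = compile_rules(rules)
    hits = []
    for path, text in tree.items():
        for no, line in enumerate(text.splitlines(), 1):
            for rule, regexes in compiled.items():
                if any(rx.search(line) for rx in regexes):
                    hits.append((rule, path, no, line.strip()))
    return hits


def scan_directory(root, rules=PATTERN_RULES):
    """Walk a real apktool output directory and scan every .smali file."""
    tree = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".smali"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    tree[full] = fh.read()
    return scan_tree(tree, rules)


if __name__ == "__main__":
    for rule, path, no, snippet in scan_tree(SMALI_TREE):
        print(f"[{rule}] {path}:{no}: {snippet}")
```

Note that the page's "Lokhttp3/CertificatePinner;" pattern only fires on the descriptor with a trailing semicolon, so the Builder lines above go unreported; a looser pattern such as "Lokhttp3/CertificatePinner" catches them at the cost of more matches to review.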

Bypassing SSL Pinning

When SSL Pinning is enabled, bypassing it becomes essential to inspect HTTPS traffic. Various methods are available for this purpose:

Looking for Common Web Vulnerabilities

It is also important to search for common web vulnerabilities within the application. Detailed information on identifying and mitigating these vulnerabilities is beyond the scope of this summary but is covered extensively elsewhere.

Frida

Frida is a dynamic instrumentation toolkit for developers, reverse-engineers and security researchers.
You can access the running application and hook methods at runtime to change its behaviour, change values, extract values, run different code…
If you want to pentest Android applications you need to know how to use Frida.

Anti-instrumentation & SSL pinning bypass workflow

Android Anti Instrumentation And Ssl Pinning Bypass

Memory dump - Fridump

Check whether the application stores sensitive information in memory that it should not, such as passwords or mnemonics.

Using Fridump3 you can dump the memory of the app with:

# With PID
python3 fridump3.py -u <PID>

# With name
frida-ps -Uai
python3 fridump3.py -u "<Name>"

This will dump the memory into the ./dump folder, and in there you can grep for something like:

strings * | grep -E "^[a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+$"

Sensitive data in Keystore

In Android the Keystore is the best place to store sensitive data; however, with enough privileges it is still possible to access it. As applications tend to store sensitive data here in clear text, pentests should check for this, since a root user or someone with physical access to the device could steal this data.

Even if an app stored data in the keystore, that data should be encrypted.

To access the data inside the keystore you can use this Frida script: https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/tracer-cipher.js

frida -U -f com.example.app -l frida-scripts/tracer-cipher.js

Fingerprint/Biometrics Bypass

Using the following Frida script it might be possible to bypass the fingerprint authentication that Android applications may perform to protect certain sensitive areas:

frida --codeshare krapgras/android-biometric-bypass-update-android-11 -U -f <app.package>

Background Images

When you put an application into the background, Android stores a snapshot of the application so that, when it is brought back to the foreground, it starts loading the image before the app, making it look like it loaded faster.

However, if this snapshot contains sensitive information, someone with access to the snapshot could steal that information (note that you need root to access it).

Snapshots are usually stored at: /data/system_ce/0/snapshots

Android provides a way to prevent screenshot capture by setting the FLAG_SECURE layout parameter. With this flag, the window content is treated as secure, preventing it from appearing in screenshots or from being viewed on non-secure displays.

getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);

Android Application Analyzer

This tool can help you manage different tools during dynamic analysis: https://github.com/NotSoSecure/android_application_analyzer

Intent Injection

Developers often create proxy components such as activities, services and broadcast receivers that handle these Intents and pass them on to methods like startActivity(...) or sendBroadcast(...), which can be risky.

The danger lies in letting attackers trigger non-exported app components or reach content providers holding sensitive data by misdirecting these Intents. A notable example is a WebView component that converts URLs into Intent objects via Intent.parseUri(...) and then executes them, which can lead to malicious Intent injections.

Key Takeaways

  • Intent Injection is similar to the web's Open Redirect issue.
  • Exploits involve passing Intent objects as extras, which can be redirected to execute unsafe operations.
  • It can expose non-exported components and content providers to attackers.
  • WebView's URL-to-Intent conversion can facilitate unintended actions.
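As an added illustration (not code from the page or from any real app), a hypothetical proxy Activity showing the unsafe relay beside a hardened version; the class name ProxyActivity and the extra name next_intent are assumptions:

```java
import android.app.Activity;
import android.content.Intent;
import android.content.pm.ResolveInfo;
import android.os.Bundle;
import android.util.Log;

// Hypothetical proxy Activity (added illustration, not code from the page).
public class ProxyActivity extends Activity {
    private static final String EXTRA_NEXT = "next_intent"; // constructed extra name

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent next = getIntent().getParcelableExtra(EXTRA_NEXT);
        if (next != null) forwardSafely(next);
        finish();
    }

    // VULNERABLE: relays whatever Intent the caller supplied. The embedded
    // Intent may address one of this app's non-exported components, or carry
    // FLAG_GRANT_* flags that hand out access to a protected content provider
    // under this app's identity.
    void forwardUnsafely(Intent next) {
        startActivity(next);
    }

    // HARDENED: forward only to targets any app could already reach directly,
    // and strip URI permission grants so no provider access is delegated.
    void forwardSafely(Intent next) {
        next.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        ResolveInfo ri = getPackageManager().resolveActivity(next, 0);
        if (ri == null || !ri.activityInfo.exported) {
            Log.w("ProxyActivity", "refusing to forward to a non-exported target");
            return;
        }
        startActivity(next);
    }

    // WebView case: a URL turned into an Intent with parseUri must not be able
    // to name an explicit component or selector, and should stay BROWSABLE.
    static Intent intentFromUrl(String url) throws java.net.URISyntaxException {
        Intent i = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
        i.addCategory(Intent.CATEGORY_BROWSABLE);
        i.setComponent(null);
        i.setSelector(null);
        return i;
    }
}
```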

Android Client Side Injections and others

You probably know this kind of vulnerability from the web. You have to be especially careful with these vulnerabilities in an Android application:

  • SQL Injection: When dealing with dynamic queries or Content-Providers, make sure you use parameterized queries.
  • JavaScript Injection (XSS): Verify that JavaScript and Plugin support are disabled for all WebViews (disabled by default). More info here.
  • Local File Inclusion: WebViews should have file system access disabled (enabled by default) - (webview.getSettings().setAllowFileAccess(false);). More info here.
  • Eternal cookies: In several cases, when the Android application finishes the session, the cookie is not revoked or it may even be saved to disk
  • Secure Flag in cookies
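As an added example (not code from the page), a hypothetical data-access helper that contrasts string-built SQL with a parameterized query, plus the WebView settings the list above asks for; the class NotesDao and the notes table are assumptions:

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.webkit.WebSettings;
import android.webkit.WebView;

// Hypothetical helper (added illustration, not code from the page).
// Assumes a table "notes" with the columns _id, title and body.
public class NotesDao {
    private final SQLiteDatabase db;

    public NotesDao(SQLiteDatabase db) { this.db = db; }

    // VULNERABLE: the value is spliced into the SQL text, so a title that
    // contains a single quote changes the structure of the statement.
    public Cursor findByTitleUnsafe(String title) {
        return db.rawQuery("SELECT * FROM notes WHERE title = '" + title + "'", null);
    }

    // HARDENED: the value travels as a bind argument, the projection is a
    // fixed column list and strict mode rejects malformed selection clauses.
    public Cursor findByTitleSafe(String title) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");
        qb.setStrict(true);
        return qb.query(db, new String[]{"_id", "title", "body"},
                "title = ?", new String[]{title}, null, null, null);
    }

    // Same idea for a ContentProvider.query() override: hand the caller's
    // selection and selectionArgs to the builder; never concatenate them.
    public Cursor providerQuery(String[] projection, String selection,
                                String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");
        qb.setStrict(true);
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    // WebView settings matching the list above: no JavaScript, no file-system
    // or content-provider access, and no cross-origin access from file:// URLs.
    public static void hardenWebView(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
    }
}
```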

Automatic Analysis

MobSF

Static analysis

Vulnerability assessment of the application using a nice web frontend. You can also perform dynamic analysis (but you need to prepare the environment).

docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Notice that MobSF can analyse Android (apk), iOS (ipa) and Windows (apx) applications (Windows applications must be analyzed from a MobSF installed in a Windows host).
Also, if you create a ZIP file with the source code of an Android or iOS app (go to the root folder of the application, select everything and create a ZIP file), it will be able to analyse it too.

MobSF also allows you to diff/Compare analyses and to integrate VirusTotal (you will need to set your API key in MobSF/settings.py and enable it: VT_ENABLED = TRUE VT_API_KEY = <Your API key> VT_UPLOAD = TRUE). You can also set VT_UPLOAD to False; then the hash will be uploaded instead of the file.

Assisted Dynamic analysis with MobSF

MobSF can also be very helpful for dynamic analysis on Android, but in that case you will need to install MobSF and genymotion on your host (a VM or Docker won't work). Note: You need to start first a VM in genymotion and then MobSF.
The MobSF dynamic analyser can:

  • Dump application data (URLs, logs, clipboard, screenshots you took, screenshots taken by the "Exported Activity Tester", emails, SQLite databases, XML files and other created files). All of this is done automatically except for the screenshots; you need to press when you want a screenshot, or you need to press "Exported Activity Tester" to obtain screenshots of all the exported activities.
  • Capture HTTPS traffic
  • Use Frida to obtain runtime information

From Android versions > 5, it will start Frida automatically and set global proxy settings to capture traffic. It will only capture traffic from the application under test.

Frida

By default, it will also use some Frida scripts to bypass SSL pinning, root detection and debugger detection, and to monitor interesting APIs.
MobSF can also invoke exported activities, grab screenshots of them and save them for the report.

To start the dynamic testing press the green button: "Start Instrumentation". Press "Frida Live Logs" to see the logs generated by the Frida scripts and "Live API Monitor" to see all the invocations of hooked methods, the arguments passed and the returned values (this will appear after pressing "Start Instrumentation").
MobSF also allows you to load your own Frida scripts (to send the results of your Frida scripts to MobSF use the function send()). It also has several pre-written scripts you can load (you can add more in MobSF/DynamicAnalyzer/tools/frida_scripts/others/); just select them, press "Load" and press "Start Instrumentation" (you will be able to see the logs of those scripts inside "Frida Live Logs").

Moreover, you have some Auxiliary Frida functionalities:

  • Enumerate Loaded Classes: It will print all the loaded classes
  • Capture Strings: It will print all the captured strings while using the application (super noisy)
  • Capture String Comparisons: Can be very useful. It will show the 2 strings being compared and whether the result was True or False.
  • Enumerate Class Methods: Put the class name (like "java.io.File") and it will print all the methods of the class.
  • Search Class Pattern: Search classes by pattern
  • Trace Class Methods: Trace a whole class (see inputs and outputs of all the methods of the class). Remember that by default MobSF traces several interesting Android API methods.

Once you have selected the auxiliary module you want to use you need to press "Start Instrumentation" and you will see all the outputs in "Frida Live Logs".

Shell

MobSF also brings you a shell with some adb commands, MobSF commands and common shell commands at the bottom of the dynamic analysis page. Some interesting commands:

help
shell ls
activities
exported_activities
services
receivers

HTTP tools

When http traffic is captured you can see an ugly view of the captured traffic in the "HTTP(S) Traffic" button at the bottom, or a nicer view in the green "Start HTTPTools" button. With the second option, you can send the captured requests to proxies like Burp or Owasp ZAP.
To do so, power on Burp -> turn off Intercept -> in MobSF HTTPTools select the request -> press "Send to Fuzzer" -> select the proxy address (http://127.0.0.1:8080).

Once you finish the dynamic analysis with MobSF you can press "Start Web API Fuzzer" to fuzz the http requests and look for vulnerabilities.

Tip

After performing a dynamic analysis with MobSF the proxy settings may be misconfigured and you won't be able to fix them from the GUI. You can fix the proxy settings by running:

adb shell settings put global http_proxy :0

Assisted Dynamic Analysis with Inspeckage

You can get the tool from Inspeckage.
This tool will use some Hooks to let you know what is happening in the application while you perform a dynamic analysis.

Yaazhini

This is a nice tool to perform static analysis with a GUI

Qark

This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs. The tool is also capable of creating a "Proof-of-Concept" deployable APK and ADB commands to exploit some of the found vulnerabilities (Exposed activities, intents, tapjacking…). As with Drozer, there is no need to root the test device.

pip3 install --user qark  # --user is only needed if not using a virtualenv
qark --apk path/to/my.apk
qark --java path/to/parent/java/folder
qark --java path/to/specific/java/file.java

ReverseAPK

  • Displays all extracted files for easy reference
  • Automatically decompiles APK files to Java and Smali format
  • Analyzes AndroidManifest.xml for common vulnerabilities and behavior
  • Static source code analysis for common vulnerabilities and behavior
  • Device info
  • and more

reverse-apk relative/path/to/APP.apk

SUPER Android Analyzer

SUPER is a command-line application that can be used on Windows, MacOS X and Linux, which analyzes .apk files looking for vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities.

All the rules are in the rules.json file, and each company or tester can create their own rules to analyze what they need.

Download the latest binaries from the download page

super-analyzer {apk_file}

StaCoAn

StaCoAn is a crossplatform tool that helps developers, bugbounty hunters and ethical hackers perform static code analysis on mobile applications.

The concept is that you drag and drop your mobile application file (an .apk or .ipa file) onto the StaCoAn application and it will generate a visual and portable report for you. You can tweak the settings and wordlists to get a customized experience.

Download the latest release:

./stacoan

AndroBugs

AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications.
Windows releases

python androbugs.py -f [APK file]
androbugs.exe -f [APK file]

Androwarn

Androwarn is a tool whose main aim is to detect and warn the user about potentially malicious behaviours developed by an Android application.

The detection is performed with static analysis of the application's Dalvik bytecode, represented as Smali, using the androguard library.

This tool looks for common behaviour of "bad" applications such as: Telephony identifiers exfiltration, Audio/video flow interception, PIM data modification, Arbitrary code execution…

python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3

MARA Framework

MARA is a Mobile Application Reverse engineering and Analysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier for mobile application developers and security professionals.

It is able to:

Koodous

Useful to detect malware: https://koodous.com/

Obfuscating/Deobfuscating code

Note that depending on the service and configuration you use to obfuscate the code, secrets may or may not end up obfuscated.

ProGuard

From Wikipedia: ProGuard is an open source command-line tool that shrinks, optimizes and obfuscates Java code. It is able to optimize bytecode as well as detect and remove unused instructions. ProGuard is free software and is distributed under the GNU General Public License, version 2.

ProGuard is distributed as part of the Android SDK and runs when building the application in release mode.

DexGuard

Find a step-by-step guide to deobfuscate the apk at https://blog.lexfo.fr/dexguard.html

(From that guide) Last time we checked, the Dexguard mode of operation was:

  • load a resource as an InputStream;
  • feed the result to a class inheriting from FilterInputStream to decrypt it;
  • do some useless obfuscation to waste a few minutes of time from a reverser;
  • feed the decrypted result to a ZipInputStream to get a DEX file;
  • finally load the resulting DEX as a Resource using the loadDex method.

DeGuard

DeGuard reverses the process of obfuscation performed by Android obfuscation tools. This enables numerous security analyses, including code inspection and predicting libraries.

You can upload an obfuscated APK to their platform.

Deobfuscate android App: https://github.com/In3tinct/deobfuscate-android-app

This is an LLM tool to find potential security vulnerabilities in android apps and to deobfuscate android app code. It uses Google's Gemini public API.

Simplify

It is a generic android deobfuscator. Simplify virtually executes an app to understand its behavior and then tries to optimize the code so that it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn't matter what specific type of obfuscation is used.

APKiD

APKiD gives you information about how an APK was made. It identifies many compilers, packers, obfuscators and other weird things. It's PEiD for Android.

Manual

Read this tutorial to learn some tricks on how to reverse custom obfuscation

Labs

Androl4b

AndroL4b is an Android security virtual machine based on ubuntu-mate that includes a collection of the latest frameworks, tutorials and labs from different security geeks and researchers for reverse engineering and malware analysis.
