Android
Pentesting
@kunwaratulhax0r
root@whoami
• Kunwar Atul
• Yet another Appsec and DevSecOps Guy
• Break – Fix – Repeat
• Part time Bug Hunter
• Synack Red Team Member
• OWASP MASVS Hindi Contributor (Ongoing Project)
• DevSecOps University Contributor
• I Love Knowing What’s Going On (emerging vulns, tools, PoC), CTFs, Offensive Security Work, Cricket, and no compromise with food and coffee.
• Social media- kunwaratulhax0r
Agenda
• What We Will Not Be Talking About
• SSL Pinning Bypass
• Reading Sensitive Data Without Rooted Device
• Exploiting Insecure Firebase Database
• Deep Links
• References
• Q/A
What We Will Not Be Talking About
• Android Architecture
• How to Use Drozer, ApkTool, JD-GUI, Dex2jar.
• Lab Setup
• Burp Configuration etc.
Because??
Because
SSL Pinning Bypass
• Use Xposed + SSLUnpinning for bypassing the certificate, but if the super tricky SSL Pinning is implemented then you can simply decompile the apk via apktool and change the protocol from https to http, compile back and sign, and create a rule in Charles that replaces the protocol from https to http.
Source: https://www.hackerone.com/blog/AndroidHackingMonth-qa-with-bagipro
SSL Pinning Bypass
You can install the Burp CA certificate as a system-level trusted certificate.
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
SSL Pinning Bypass
• Android wants the certificate to be in PEM format, and to have the filename equal to the subject_hash_old value with .0 appended.
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
SSL Pinning Bypass
• Copy the certificate to the device. We can use adb to copy the certificate over, but since it has to be copied to the /system filesystem, we have to remount it as writable. As root, this is easy with adb remount:
• adb root
• adb remount
• adb push 9a5ba575.0 /sdcard/
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
SSL Pinning Bypass
• Then just drop into a shell (adb shell) and move the file to /system/etc/security/cacerts and chmod it to 644:
• mv /sdcard/9a5ba575.0 /system/etc/security/cacerts/
• chmod 644 /system/etc/security/cacerts/9a5ba575.0
• Lastly, we have to fully reboot the device with either adb reboot or a power cycle.
• After the device reboots, browsing to Settings -> Security -> Trusted Credentials should show the new “Portswigger CA” as a system trusted CA.
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
SSL Pinning Bypass
• Modifying and repackaging an app
• If you don’t have root or don’t want to modify the system trusted certificates, you can install the Burp CA as a user cert and then modify the specific APK you want to MitM.
• Starting with Nougat, apps ignore user-installed certificates by default. This is evident from the logcat output when launching the app:
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
SSL Pinning Bypass
• Without a network security config, the app will only trust system CAs and will not honor the user-installed Burp certificate.
• To get around this, we need to:
• Disassemble the APK
• Add a new XML resource to define a network security profile
• Modify AndroidManifest.xml
• Repackage and self-sign the APK
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
SSL Pinning Bypass
• Next, add a new network security config by creating the file network_security_config.xml in the res/xml directory:
<network-security-config>
    <base-config>
        <trust-anchors>
            <!-- Trust preinstalled CAs -->
            <certificates src="system" />
            <!-- Additionally trust user added CAs -->
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
SSL Pinning Bypass
• Define the network security config in the AndroidManifest.xml file: in the <application> tag add the android:networkSecurityConfig attribute.
<application android:allowBackup="true" android:networkSecurityConfig="@xml/network_security_config"
...etc...>
• Reassemble and sign the apk. For self-signing we can use keytool to create a new keystore and key, then sign the new apk with jarsigner.
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
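The two files above decide whether a user-installed CA is honoured at all, so they are the first thing to check during a review. The following is an added example, not code from the slides or from ropnop's post: a small Python auditor (stdlib xml.etree only) that reads a decoded AndroidManifest.xml and a network_security_config.xml and reports the settings this section relies on, including the allowBackup and debuggable attributes. Both manifests and both configs are constructed samples; the "hardened" config shows the release-safe form, with user CAs accepted only under debug-overrides and cleartext traffic off.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(elem, name):
    """Read an android:-namespaced attribute as apktool leaves it in the decoded manifest."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


# Constructed sample manifests (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="app.packagename">
  <application android:allowBackup="true" android:debuggable="true"
               android:networkSecurityConfig="@xml/network_security_config">
  </application>
</manifest>"""

SAMPLE_MANIFEST_HARDENED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="app.packagename">
  <application android:allowBackup="false"
               android:networkSecurityConfig="@xml/network_security_config">
  </application>
</manifest>"""

# Constructed sample: the interception-friendly config from the slide (user CAs trusted everywhere).
SAMPLE_NSC_WEAK = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed sample: a release-safe config; user CAs are honoured only in debuggable builds.
SAMPLE_NSC_HARDENED = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system" />
    </trust-anchors>
  </base-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user" />
    </trust-anchors>
  </debug-overrides>
</network-security-config>"""


def audit_manifest(manifest_xml):
    """Return findings for <application> attributes that widen the attack surface."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    if attr(app, "allowBackup") == "true":
        findings.append("allowBackup=true: app data can be pulled with adb backup")
    if attr(app, "debuggable") == "true":
        findings.append("debuggable=true: run-as and jdwp expose app data and code execution")
    if attr(app, "networkSecurityConfig") is None:
        findings.append("no networkSecurityConfig: platform defaults apply")
    return findings


def audit_network_security_config(nsc_xml):
    """Report where user-installed CAs are trusted and whether cleartext traffic is allowed."""
    root = ET.fromstring(nsc_xml)
    findings = []
    for section in ("base-config", "domain-config"):
        for cfg in root.iter(section):
            srcs = [c.get("src") for c in cfg.iter("certificates")]
            if "user" in srcs:
                findings.append("%s trusts user CAs: release builds will accept an interception CA" % section)
            if cfg.get("cleartextTrafficPermitted") == "true":
                findings.append("%s permits cleartext traffic" % section)
    debug = root.find("debug-overrides")
    if debug is not None and "user" in [c.get("src") for c in debug.iter("certificates")]:
        findings.append("debug-overrides trusts user CAs: debuggable builds only, acceptable for testing")
    return findings


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST) + audit_network_security_config(SAMPLE_NSC_WEAK):
        print("weak:", line)
    for line in audit_network_security_config(SAMPLE_NSC_HARDENED):
        print("hardened:", line)
```

Run it against the res/xml and manifest files apktool produces; a release APK whose base-config lists `src="user"` is the shipped equivalent of the repackaging trick on these slides, and the fix is to move that entry under debug-overrides as in the hardened sample.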
SSL Pinning Bypass
• Apart from this, we can use Frida as well for bypassing SSL Pinning. You can follow the blog below for more understanding about Frida.
https://medium.com/@ved_wayal/hail-frida-the-universal-ssl-pinning-bypass-for-android-e9e1d733d29
Reading Sensitive Data Without Root
• The application stores data in /data/data/app.packagename/shared_prefs/SensitiveData.xml
• On a rooted device you can read the data like this:
• adb shell cat data/data/app.packagename/shared_prefs/SensitiveData.xml
And the output will be like this:
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="email">test@test.com</string>
    <string name="name">Kunwar atul</string>
    <string name="username">kunwaratulhax0r</string>
    <string name="phoneNumber">9876543210</string>
</map>
Reading Sensitive Data Without Root
• But what if the device is unrooted?
• We already know that the application is storing data in the data/data/app.packagename/shared_prefs/ folder. To get at it we can use the Android allowBackup feature. We know that this feature allows us to perform a backup of an application via ADB.
• Using ADB run the following command. Once you execute it, the device will ask to back up the data; if a password is required, fill it in, otherwise leave it blank.
• adb backup -f backup.ab app.packagename
Reading Sensitive Data Without Root
• Once we have backup.ab, we will use an open source tool called android-backup-extractor to extract the data from the backup file.
• With the help of this tool, we turn the backup file into a tar archive.
• Extract it with tar xvf <tarfile> and we will be able to read the sensitive data file that was stored in data/data.
Here you can read all the data, including SQLite databases, images, the app’s configuration files, security tokens etc.
Reading Sensitive Data Without Root
• We can also get at sensitive data when the app is debuggable.
• You can check this in the AndroidManifest.xml file (android:debuggable="true").
• Now check which applications are connected to the debugging socket (@jdwp-control): type adb jdwp and it will list the PIDs (Process Identifiers) of the apps which can be debugged.
• Now check which PID belongs to the target application:
• adb shell ps | grep PID
• Now type adb shell; with the help of the run-as binary we can execute commands as the com.apptest.data application. Now you can extract the data or run arbitrary code with the application's permissions.
https://manifestsecurity.com/android-application-security-part-21/
Exploiting Insecure Firebase Database
• To find this, simply decompile the apk and go to Resources > resources.arsc > res > values > strings.xml
• Search for *.firebaseio.com in the xml file, then navigate in the browser to https://*.firebaseio.com/.json; you might find read access to the database.
• If the site gives you null or a JSON response, it means read permission is enabled and you need to test for write permission; here is the script through which you can achieve this: https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit
https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/
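The two steps above (find the database host in strings.xml, then interpret what GET /.json returns) are easy to get wrong by hand, because a denied read and an empty database look alike at a glance. The following is an added example, not code from the slides or from the linked blog: a Python helper that pulls every firebaseio.com host out of a decoded strings.xml, builds the root /.json URL for it, and classifies a probe response into "read allowed" versus "read denied". The strings.xml and the response bodies are constructed samples; the project id is a placeholder. Nothing here sends requests or tests writes; the same classifier is what a developer uses to confirm, after tightening the rules, that the expected answer is now "read denied".

```python
import json
import re

# Matches Realtime Database hosts the way they appear in a decoded strings.xml.
FIREBASE_RE = re.compile(r"https?://[a-z0-9-]+\.firebaseio\.com", re.IGNORECASE)

# Constructed sample strings.xml; the project id and API key are placeholders.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Demo</string>
    <string name="firebase_database_url">https://demo-project-placeholder.firebaseio.com</string>
    <string name="google_api_key">PLACEHOLDER_API_KEY</string>
</resources>"""


def firebase_probe_urls(strings_xml):
    """Return the root /.json URL for every database host found in strings.xml."""
    hosts = sorted({m.group(0).lower() for m in FIREBASE_RE.finditer(strings_xml)})
    return ["%s/.json" % h for h in hosts]


def classify_read_probe(status, body):
    """Interpret the response to an unauthenticated GET on <db>/.json.

    Firebase answers a denied read with HTTP 401 and {"error": "Permission denied"};
    an allowed read returns 200 with either null (empty tree) or the data itself."""
    if status in (401, 403):
        return "read denied: rules require auth"
    if status != 200:
        return "inconclusive: HTTP %d" % status
    try:
        data = json.loads(body)
    except ValueError:
        return "inconclusive: non-JSON body"
    if isinstance(data, dict) and "error" in data:
        return "read denied: rules require auth"
    if data is None:
        return "read allowed: database empty"
    return "read allowed: data exposed"


if __name__ == "__main__":
    for url in firebase_probe_urls(SAMPLE_STRINGS_XML):
        print("probe:", url)
    # Constructed sample responses, one per outcome.
    print(classify_read_probe(200, "null"))
    print(classify_read_probe(200, '{"users": {"1": {"email": "test@test.com"}}}'))
    print(classify_read_probe(401, '{"error" : "Permission denied"}'))
```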
Deep Links
• Deep linking is a methodology for launching native mobile apps via a link.
• It connects a unique URL to a defined action in the mobile app, seamlessly linking to relevant content.
• Once triggered, a vulnerable deep link would direct users to load any attacker-controlled URL within a webview.
• Example:
• <data android:host="user" android:pathPrefix="/" android:scheme="abcd"/>
• <data android:host="user" android:pathPrefix="/" android:scheme="abcde"/>
This means we can use abcd://user/user-id or abcde://user/user-id
Deep Links
• Here is an HTML PoC:
<!DOCTYPE html>
<html>
<body>
<a href="abcd://user/<any user-id>/follow">Demo Page</a>
</body>
</html>
Deep Links
• Exploiting Deep Links via ADB: let’s analyse the AndroidManifest.xml code below.
<intent-filter>
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.DEFAULT" />
    <category android:name="android.intent.category.BROWSABLE" />
    <data android:scheme="content" />
    <data android:scheme="file" />
    <data android:mimeType="text/plain" />
    <data android:host="*" />
</intent-filter>
adb shell am start -W -a android.intent.action.VIEW -d "example://gizmos" com.companyname
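Reading intent-filters by eye works for one activity; for a whole manifest it helps to enumerate them. The following is an added example, not code from the slides: a Python function (stdlib xml.etree) that walks a decoded AndroidManifest.xml, keeps only the activities a browser link can reach (action VIEW plus category BROWSABLE), lists the URIs each filter matches, and flags the properties a reviewer should look at: a wildcard host, custom schemes (which any other app can also register, so the link is never verified the way http/https App Links are) and content:// or file:// schemes. The manifest is a constructed sample that combines the two filters shown on these slides plus one non-browsable activity.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(elem, name):
    """Read an android:-namespaced attribute from a decoded manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


# Constructed sample manifest combining the two filters shown on the slides.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.companyname">
  <application>
    <activity android:name=".UserActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:host="user" android:pathPrefix="/" android:scheme="abcd" />
        <data android:host="user" android:pathPrefix="/" android:scheme="abcde" />
      </intent-filter>
    </activity>
    <activity android:name=".FileViewer">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="content" />
        <data android:scheme="file" />
        <data android:mimeType="text/plain" />
        <data android:host="*" />
      </intent-filter>
    </activity>
    <activity android:name=".Settings" android:exported="false" />
  </application>
</manifest>"""


def browsable_entry_points(manifest_xml):
    """List every activity a browser link can open, the URIs its filter matches,
    and the properties a reviewer should examine."""
    root = ET.fromstring(manifest_xml)
    results = []
    for activity in root.iter("activity"):
        for f in activity.findall("intent-filter"):
            actions = {attr(a, "name") for a in f.findall("action")}
            cats = {attr(c, "name") for c in f.findall("category")}
            if "android.intent.action.VIEW" not in actions or "android.intent.category.BROWSABLE" not in cats:
                continue
            schemes, hosts = [], []
            for d in f.findall("data"):
                if attr(d, "scheme"):
                    schemes.append(attr(d, "scheme"))
                if attr(d, "host"):
                    hosts.append(attr(d, "host"))
            hosts = list(dict.fromkeys(hosts))  # keep order, drop repeats
            # Android merges all <data> elements of one filter, so every scheme pairs with every host.
            uris = ["%s://%s/" % (s, h) for s in schemes for h in hosts] or ["%s://" % s for s in schemes]
            flags = []
            if "*" in hosts:
                flags.append("wildcard host")
            if any(s not in ("http", "https") for s in schemes):
                flags.append("custom scheme: any app can register it, so the link is not verified")
            for s in ("content", "file"):
                if s in schemes:
                    flags.append("%s:// URIs accepted: the activity opens caller-chosen data" % s)
            results.append({"activity": attr(activity, "name"), "uris": uris, "flags": flags})
    return results


if __name__ == "__main__":
    for entry in browsable_entry_points(SAMPLE_MANIFEST):
        print(entry["activity"], entry["uris"], entry["flags"])
```

Each listed URI is what goes after -d in the adb shell am start command above when you verify, on your own build, that the receiving activity validates the host and path before handing anything to a WebView.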
References
• https://youtu.be/wyIx0D-M2S8
• https://youtu.be/m2h3sK7s2eQ
• https://youtu.be/8Yd1myx6BG0
• https://blog.intigriti.com/2019/03/26/bug-bytes-11-insecure-deeplinks-new-xs-techniques-and-int0x33-s-365daysofpwn/
• https://hackerone.com/reports/401793
• https://www.nowsecure.com/blog/2019/04/05/how-to-guard-against-mobile-app-deep-link-abuse/
• https://dzone.com/articles/how-to-guard-against-mobile-app-deep-link-abuse
• https://www.tooboat.com/?p=1116
• https://hackerone.com/reports/583987
• https://hackerone.com/reports/805073
• https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/
• https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
• https://servicenger.com/blog/mobile/android-privilege-escalation-techniques/
• http://nestedif.com/android-security/identifying-hard-coded-sensitive-values-native-library-files-12-diva-solution/
• https://manifestsecurity.com/android-application-security-part-21/
Q/A
Thank You Everyone

Android Pentesting Techniques Explained in 40 Characters

SSL Pinning Bypass
• Then just drop into a shell (adb shell) and move the file to /system/etc/security/cacerts and chmod it to 644:
• mv /sdcard/9a5ba575.0 /system/etc/security/cacerts/
• chmod 644 /system/etc/security/cacerts/9a5ba575.0
• Lastly, we have to fully reboot the device with either adb reboot or a power cycle.
• After the device reboots, browsing to Settings -> Security -> Trusted Credentials should show the new “Portswigger CA” as a system trusted CA.
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
SSL Pinning Bypass
• Modifying and repackaging an app
• If you don’t have root or don’t want to modify the system trusted certificates, you can install the Burp CA as a user cert and then modify the specific APK you want to MitM.
• Starting with Nougat, apps will ignore user-installed certificates by default. This is evident by looking at logcat output when launching the app:
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
SSL Pinning Bypass
• Without a network security config, the app will only trust system CAs and will not honor the user-installed Burp certificate.
• Getting around this involves:
• Disassembling the APK
• Adding a new XML resource to define a network security profile
• Modifying AndroidManifest.xml
• Repackaging and self-signing the APK
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
SSL Pinning Bypass
• Next, add a new network security config by creating the file network_security_config.xml in the res/xml directory:
<network-security-config>
    <base-config>
        <trust-anchors>
            <!-- Trust preinstalled CAs -->
            <certificates src="system" />
            <!-- Additionally trust user added CAs -->
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
SSL Pinning Bypass
• Define the network security config in the AndroidManifest.xml file: in the <application> tag add the android:networkSecurityConfig attribute.
<application android:allowBackup="true" android:networkSecurityConfig="@xml/network_security_config" ...etc...>
• Reassemble and sign the apk. For self-signing we can use keytool to create a new keystore and key, then sign the new apk with jarsigner.
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
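An added example, not from the deck or the ropnop post, that lints where a network security config places user-CA trust: the slide's config trusts user-added CAs in every build, while the same anchors under <debug-overrides> are honoured only when android:debuggable="true", so they never ship in a release. Both configs below are constructed copies.

```python
import xml.etree.ElementTree as ET


def lint_network_security_config(xml_text: str) -> list:
    """Return findings for trust settings that would ship in a release build.

    <debug-overrides> is deliberately skipped: Android applies it only when the
    app is marked debuggable, so user CAs placed there are fine for testing.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for section in ("base-config", "domain-config"):
        for cfg in root.iter(section):
            for cert in cfg.iter("certificates"):
                if cert.get("src") == "user":
                    findings.append(f"{section}: trusts user-added CAs in release builds;"
                                    " move the anchor to <debug-overrides>")
            if cfg.get("cleartextTrafficPermitted") == "true":
                findings.append(f"{section}: cleartext traffic permitted")
    return findings


# Constructed copy of the slide's config: user CAs trusted everywhere.
SLIDE_CONFIG = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Hardened variant (constructed): user CAs only honoured in debuggable builds.
DEBUG_ONLY_CONFIG = """<network-security-config>
  <base-config>
    <trust-anchors><certificates src="system" /></trust-anchors>
  </base-config>
  <debug-overrides>
    <trust-anchors><certificates src="user" /></trust-anchors>
  </debug-overrides>
</network-security-config>"""

if __name__ == "__main__":
    print(lint_network_security_config(SLIDE_CONFIG))   # one finding
    print(lint_network_security_config(DEBUG_ONLY_CONFIG))  # []
```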
SSL Pinning Bypass
• Apart from this, we can use Frida as well for bypassing SSL Pinning. You can follow the blog below for more understanding about Frida.
https://medium.com/@ved_wayal/hail-frida-the-universal-ssl-pinning-bypass-for-android-e9e1d733d29
Reading Sensitive Data Without Root
• The application stores data in /data/data/app.packagename/shared_prefs/SensitiveData.xml
• On a rooted device you can read the data like this:
• adb shell cat data/data/app.packagename/shared_prefs/SensitiveData.xml
The output will look like this:
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="email">test@test.com</string>
    <string name="name">Kunwar atul</string>
    <string name="username">kunwaratulhax0r</string>
    <string name="phoneNumber">9876543210</string>
</map>
Reading Sensitive Data Without Root
• But what if the device is unrooted?
• We already know that the application stores data in the data/data/app.packagename/shared_prefs/ folder. To reach it we can use Android's allowBackup feature, which allows us to perform a backup of an application via ADB.
• Using ADB run the following command. Once you execute it, the device will ask to back up the data; if a password is required, fill it in, and if there is no password leave it blank.
• adb backup -f backup.ab app.packagename
Reading Sensitive Data Without Root
• Once we have the backup.ab, we will use an open source tool called android-backup-extractor to extract the data from the backup file.
• With the help of this tool, we turn the backup file into a tar archive.
• Extract it (tar xvf tarfile) and we will be able to read the sensitive data file which was stored in data/data. Here you can read all the data including SQLite databases, images, the app’s configuration files and security tokens etc.
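An added example, not part of the deck and not android-backup-extractor's code: it performs the unencrypted backup.ab conversion the tool does (four-line header, then a zlib-compressed tar) and then reads the shared_prefs files out of the tar, flagging keys that look sensitive. The backup and the SensitiveData.xml inside it are constructed in the script, and the sensitive-key list is an assumption.

```python
import io
import re
import tarfile
import xml.etree.ElementTree as ET
import zlib

# shared_prefs keys worth flagging when they turn up in a backup (assumed list).
SENSITIVE_KEYS = re.compile(r"token|password|secret|phone|email|session", re.I)

def build_sample_backup(package: str, prefs_xml: str) -> bytes:
    """Constructed, unencrypted backup.ab: 4-line header + zlib-compressed tar."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        data = prefs_xml.encode()
        info = tarfile.TarInfo(f"apps/{package}/sp/SensitiveData.xml")  # sp/ = shared_prefs
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    header = b"ANDROID BACKUP\n5\n1\nnone\n"  # magic, format version, compressed=1, no encryption
    return header + zlib.compress(tar_buf.getvalue())

def backup_to_tar(ab: bytes) -> bytes:
    """The conversion android-backup-extractor does, for the unencrypted case only."""
    magic, _version, compressed, enc, payload = ab.split(b"\n", 4)
    if magic != b"ANDROID BACKUP":
        raise ValueError("not an adb backup file")
    if enc != b"none":
        raise ValueError(f"encrypted backup ({enc.decode()}): the backup password is needed")
    return zlib.decompress(payload) if compressed == b"1" else payload

def find_sensitive_prefs(ab: bytes) -> dict:
    """Map each shared_prefs file in the backup to the flagged key/value pairs it holds."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(backup_to_tar(ab)), mode="r:") as tar:
        for member in tar.getmembers():
            if "/sp/" not in member.name or not member.name.endswith(".xml"):
                continue
            root = ET.fromstring(tar.extractfile(member).read())
            hits = {e.get("name"): e.text for e in root if SENSITIVE_KEYS.search(e.get("name", ""))}
            if hits:
                findings[member.name] = hits
    return findings

# Constructed copy of the SensitiveData.xml shown on the slide.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="email">test@test.com</string>
    <string name="name">Kunwar atul</string>
    <string name="phoneNumber">9876543210</string>
</map>"""

if __name__ == "__main__":
    print(find_sensitive_prefs(build_sample_backup("app.packagename", SAMPLE_PREFS)))
```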
Reading Sensitive Data Without Root
• We can also reach sensitive data via the debuggable method.
• You can check this in the AndroidManifest.xml file (android:debuggable="true").
• Now check which applications are connected to the debugging socket (@jdwp-control): type adb jdwp and it will list the PIDs (Process Identifiers) of the apps which can be debugged.
• Now check which PID belongs to the target application:
• adb shell ps | grep PID
• Now type adb shell; with the help of the run-as binary we can execute commands as the com.apptest.data application. Now you can extract the data or run arbitrary code with the application's permissions.
https://manifestsecurity.com/android-application-security-part-21/
Exploiting Insecure Firebase Database
• To achieve this, simply decompile the apk and go to Resources > resources.arsc > res > values > strings.xml
• Search for *.firebaseio.com in the xml file, then navigate in the browser to https://*.firebaseio.com/.json; you might find read access to the database.
• If the site gives you null or a response in JSON, it means read permission is enabled and you need to test for write permission; here is the script through which you can achieve this: https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit
https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/
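An added example, not from the deck or the linked exploit script, for the read-permission check above: it pulls the *.firebaseio.com host out of a decompiled strings.xml and classifies what the /.json response means for the database rules. The strings.xml and its project id are constructed, and the script makes no network request itself.

```python
import json
import re
import xml.etree.ElementTree as ET

# <project>.firebaseio.com is the Realtime Database host the slide says to search for.
FIREBASE_HOST = re.compile(r"https?://([a-z0-9-]+\.firebaseio\.com)", re.I)


def firebase_probe_urls(strings_xml: str) -> list:
    """Collect the database hosts from a decompiled strings.xml and return
    the root /.json URLs whose response tells whether the read rule is open."""
    hosts = []
    for s in ET.fromstring(strings_xml).iter("string"):
        for m in FIREBASE_HOST.finditer(s.text or ""):
            host = m.group(1).lower()
            if host not in hosts:
                hosts.append(host)
    return [f"https://{h}/.json" for h in hosts]


def classify_read(status: int, body: str) -> str:
    """Turn the GET /.json response into a finding. Firebase answers a denied
    read with HTTP 401 and {"error": "Permission denied"}; "null" means the
    root is readable but empty; any other JSON is data exposed to the world."""
    if status == 401:
        return "locked"
    if status != 200:
        return f"unexpected HTTP {status}"
    try:
        data = json.loads(body)
    except ValueError:
        return "unexpected body"
    if data is None:
        return "readable-empty"  # read rule is open; the write rule needs checking too
    return "readable-exposed"  # fix the database rules before anything else


# Constructed strings.xml with a made-up project id (not a real database).
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Demo</string>
    <string name="firebase_database_url">https://demo-project-1234.firebaseio.com</string>
</resources>"""

if __name__ == "__main__":
    print(firebase_probe_urls(SAMPLE_STRINGS_XML))
    print(classify_read(401, '{ "error" : "Permission denied" }'), classify_read(200, "null"))
```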
Deep Links
• Deep linking is a methodology for launching a native mobile app via a link.
• It connects a unique URL to a defined action in the mobile app, seamlessly linking to relevant content.
• Once triggered, the deep link would direct users to load any attacker-controlled URL within a WebView.
• Example:
• <data android:host="user" android:pathPrefix="/" android:scheme="abcd"/>
• <data android:host="user" android:pathPrefix="/" android:scheme="abcde"/>
This means we can use abcd://user/user-id or abcde://user/user-id
Deep Links
• Here is an HTML PoC:
<!DOCTYPE html>
<html>
<a href="abcd://user/<any user-id>/follow">Demo Page</a>
</html>
Deep Links
• Exploiting Deep Links via ADB, let’s analyse the AndroidManifest.xml code below:
<intent-filter>
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.DEFAULT" />
    <category android:name="android.intent.category.BROWSABLE" />
    <data android:scheme="content" />
    <data android:scheme="file" />
    <data android:mimeType="text/plain" />
    <data android:host="*" />
</intent-filter>
adb shell am start -W -a android.intent.action.VIEW -d "example://gizmos" com.companyname
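An added example that is not part of the deck: it walks an AndroidManifest.xml, lists the URIs each BROWSABLE VIEW filter accepts (Android merges the <data> attributes of one filter, hence the cross product) and flags the wildcard host, the file/content schemes and the missing path restriction seen in the two snippets above. The manifest is constructed from those snippets; the activity names are invented.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix of every android:* attribute

def _vals(filt, tag, attr):
    """Distinct non-empty android:<attr> values over the <tag> children, in document order."""
    return list(dict.fromkeys(v for v in (e.get(A + attr) for e in filt.findall(tag)) if v))

def audit_deep_links(manifest_xml: str) -> list:
    """For each BROWSABLE VIEW intent-filter, list the URIs it accepts and what to review."""
    findings = []
    for act in ET.fromstring(manifest_xml).iter("activity"):
        for filt in act.findall("intent-filter"):
            if ("android.intent.action.VIEW" not in _vals(filt, "action", "name")
                    or "android.intent.category.BROWSABLE" not in _vals(filt, "category", "name")):
                continue
            schemes, hosts = _vals(filt, "data", "scheme"), _vals(filt, "data", "host")
            prefixes = _vals(filt, "data", "pathPrefix")
            risks = []
            if "*" in hosts:
                risks.append("wildcard host: every host matches, so any link reaches this activity")
            for s in ("content", "file"):
                if s in schemes:
                    risks.append(f"{s}:// scheme: local files can be handed to the activity")
            if not _vals(filt, "data", "path") and not _vals(filt, "data", "pathPattern") \
                    and (not prefixes or "/" in prefixes):
                risks.append("no effective path restriction")
            uris = [f"{s}://{h}{p}" for s in schemes for h in (hosts or ["<host>"]) for p in (prefixes or [""])]
            findings.append({"activity": act.get(A + "name"), "uris": uris, "risks": risks})
    return findings

# Constructed manifest built from the two intent-filter snippets on the slides.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<application>
 <activity android:name=".UserActivity" android:exported="true"><intent-filter>
  <action android:name="android.intent.action.VIEW"/><category android:name="android.intent.category.DEFAULT"/>
  <category android:name="android.intent.category.BROWSABLE"/>
  <data android:host="user" android:pathPrefix="/" android:scheme="abcd"/>
  <data android:host="user" android:pathPrefix="/" android:scheme="abcde"/>
 </intent-filter></activity>
 <activity android:name=".FileActivity" android:exported="true"><intent-filter>
  <action android:name="android.intent.action.VIEW"/><category android:name="android.intent.category.DEFAULT"/>
  <category android:name="android.intent.category.BROWSABLE"/>
  <data android:scheme="content"/><data android:scheme="file"/>
  <data android:mimeType="text/plain"/><data android:host="*"/>
 </intent-filter></activity>
</application></manifest>"""

if __name__ == "__main__":
    for finding in audit_deep_links(SAMPLE_MANIFEST):
        print(finding)
```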
References
• https://youtu.be/wyIx0D-M2S8
• https://youtu.be/m2h3sK7s2eQ
• https://youtu.be/8Yd1myx6BG0
• https://blog.intigriti.com/2019/03/26/bug-bytes-11-insecure-deeplinks-new-xs-techniques-and-int0x33-s-365daysofpwn/
• https://hackerone.com/reports/401793
• https://www.nowsecure.com/blog/2019/04/05/how-to-guard-against-mobile-app-deep-link-abuse/
• https://dzone.com/articles/how-to-guard-against-mobile-app-deep-link-abuse
• https://www.tooboat.com/?p=1116
• https://hackerone.com/reports/583987
• https://hackerone.com/reports/805073
• https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/
• https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
• https://servicenger.com/blog/mobile/android-privilege-escalation-techniques/
• http://nestedif.com/android-security/identifying-hard-coded-sensitive-values-native-library-files-12-diva-solution/
• https://manifestsecurity.com/android-application-security-part-21/
Q/A