num1r0’s crackme_0x01 walkthrough

This is another series on Android reverse engineering. In this series I will go through num1r0’s crackmes and give detailed steps on how I solved each challenge. The first crackme is crackme_0x01. Though these crackmes are a bit older, they offer useful guidance on how to look at an Android APK and begin doing some basic reverse engineering on an application. 

The APK can be pulled down from GitHub and examined with any APK decompiling tool; I prefer jadx-gui. After opening the APK, I first examine the AndroidManifest.xml file for any useful hints about what I might be looking for. 

In the manifest above I can see that the application has a single activity, MainActivity, with an intent filter that supplies the action MAIN and the category LAUNCHER. Opening the MainActivity class we can see the main onCreate and onClick methods. 

The onCreate method on lines 20 – 29 builds the main activity that accepts the user-supplied password. The user can submit any string as the password, but it is only evaluated once the Button tied to the onClickListener is clicked on line 29. Once clicked, the editTest string on line 27 submitted by the user is compared to the value returned by the getFlag method in the FlagGuard class. 

Once the correct password is submitted, the if statement calls into the FlagGuard class, which decodes the hard-coded flag and sends a message dialog containing it to the user.

The FlagGuard class runs a series of if/else statements that evaluate the scrambled string, using an index from a–z to look up characters in the charArray array. What is particularly interesting is that the private String unscramble method uses the log.e method, logging each letter and the FLAG of the application, which can be obtained via adb’s logcat functionality. 

Furthermore, we can see that the public String getFlag method compares the str string passed in from the application’s MainActivity class with the private String getData method of the Data class on lines 10 – 13. If the password is correct, the application will jump to the private String unscramble method and begin executing that code. 

If we inspect the Data class we can see an interesting plaintext string stored in the application. 

This appears to be the application’s password for obtaining the flag. Let’s type the password into the prompt and see if it gives us the flag.

Alright, this looks like the solution. I hope you enjoyed the first crackme from num1r0. Look out for my next blog post in the series on cracking the second one.

Testing for Mobile Vulnerabilities: Logging Sensitive Data – Part 2

One major flaw found in mobile testing is insecure logging. Developers often use log methods to trace code for debugging purposes. Sometimes this includes sensitive data like usernames and passwords, and as applications move from the development phase into production, that logging code can make its way into production mobile applications. 

In this example we can see that Insecure Shop makes use of the log.d method, the Log Debug Android API. Take some time to review the common uses of the logging methods; it helps with understanding each of their intended purposes.

In the last part of the blog series we took some time to examine the LoginActivity class. We observed that the class takes in the username and password of the application user. This class also has a log method flaw built into the code, as we can see in the example code below. The text highlighted in red identifies the use of log.d, the debugging log Android API call. 

We can see that the username and password are written to the application logs and can be retrieved in real time. This can be a major risk for any user of the application if their phone is stolen: sensitive data can be pulled from the log files on the phone and used to further an attack against the user’s device. 

Logcat is a useful tool built into adb. It allows for monitoring and even storing the logs of an application on an Android device. It is often used in mobile penetration tests as part of the dynamic analysis phase of the application test, since the tester can observe all the actions happening on the device that may be logged. 

Using the command below, let’s start adb logging and then log into the Insecure Shop application on the device:

adb logcat > log.txt

I like to use the standard shell redirect to create a log.txt file. This helps me parse the logs to locate any sensitive user data. 

Below we can see the sensitive data stored in the logs of the Android application that we submitted in the prior blog post. This includes the fake credentials used in the boolean bypass and the default username and password. 
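As an added example that is not part of the original post, here is a small Python script that parses a logcat capture like the log.txt above and flags credential-like key/value pairs, masking the values in its report. It assumes the capture is in logcat’s brief format (PRIORITY/TAG( PID): message); the sample log lines are constructed, not Insecure Shop’s real output.

```python
import re
import sys

# Matches logcat "brief" format lines: PRIORITY/TAG( PID): MESSAGE
LOGCAT_BRIEF = re.compile(r"^(?P<prio>[VDIWEF])/(?P<tag>[^(]+)\(\s*(?P<pid>\d+)\):\s?(?P<msg>.*)$")

# Key/value pairs in the message body that usually mean credentials or
# session material are being logged (key: value or key=value)
SENSITIVE_KV = re.compile(
    r"\b(user(?:name)?|pass(?:word|wd)?|pwd|token|secret|session|auth(?:orization)?)"
    r"\b\s*[:=]\s*([^\s,;]+)",
    re.IGNORECASE,
)

# Constructed sample capture (not real Insecure Shop output); the
# LoginActivity lines mimic the Log.d call discussed in the post
SAMPLE_LOG = """\
I/ActivityManager( 1000): Displayed com.example.shop/.LoginActivity: +120ms
D/LoginActivity( 4321): userName: shopuser, password: Constructed!123
D/LoginActivity( 4321): login attempt for user=admin
E/AndroidRuntime( 4321): token=constructed.jwt.value
"""

def parse_line(line):
    """Return the fields of one brief-format logcat line, or None if it does not parse."""
    m = LOGCAT_BRIEF.match(line.strip())
    return m.groupdict() if m else None

def find_sensitive(lines):
    """Scan logcat lines and return every credential-like key/value pair found."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            continue  # not a logcat brief line (e.g. '--------- beginning of main')
        for key, value in SENSITIVE_KV.findall(rec["msg"]):
            findings.append({"line": lineno, "tag": rec["tag"].strip(),
                             "key": key.lower(), "value": value})
    return findings

def report(findings):
    """Render findings with the secret masked, so the report itself leaks nothing."""
    return [f"line {f['line']} [{f['tag']}] {f['key']}=<redacted, {len(f['value'])} chars>"
            for f in findings]

if __name__ == "__main__":
    # Usage: python logscan.py log.txt   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(find_sensitive(text.splitlines()))))
```

Extend SENSITIVE_KV with the key names your target application actually uses; the pattern above only covers common ones.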

Remediation

It is advised to remove code that could log sensitive information in a mobile application, especially if that application is in production. As we saw in this post, user credentials are written directly to the log file.