MASPTv2.5 LocatingSecrets

The document discusses reversing an APK file to identify sensitive information. It provides tasks to install and review the application functionality, decode and decompile the APK, identify how it retrieves files by reviewing the manifest, and gather any hard-coded credentials or secrets by analyzing the application code. Key details discovered include the application requiring internet permission to retrieve remote files, usernames and passwords stored in plain text in the resources, and a hardcoded code granting access to privileged files.

Reversing APKs

Locating Secrets LAB

LAB Topics
Reverse Engineering APKs

© Caendra Inc. 2017 | MASPTv2.5 | Reversing APKs 1


SCENARIO
Congrats, you passed the first test and the manager is impressed. He has given you another task.
You must reverse engineer the supplied mobile application to identify possible hard-coded
information and understand the mobile application’s logic through its source code.

LAB OBJECTIVES
The objective of this lab is to highlight the importance of reverse engineering while
performing a mobile application penetration test. A large amount of critical information can
be extracted through reverse engineering a mobile application, such as hard-coded
information, API calls and insufficiently secure implementations in general.

LEARNING OBJECTIVES
The learning objective of this lab is to build on your hands-on experience in reversing APKs
and to reinforce your knowledge of different tools and techniques to reach your goal.

RECOMMENDED TOOLS
 Apktool
 dex2jar
 JD-GUI
 Smali/Baksmali

RECOMMENDED CONFIGURATION
Setting up your testing environment for this lab

There can be different configurations to accommodate this lab’s testing environment. We
used the following configuration:

1. Windows 10 Machine:
Running:
 Android Studio 2.2.3
 Java version 1.8
 No virtualization

2. Tools Installed
 Apktool-2.2.2
 dex2jar-2.0
 JD-GUI-1.4.0

TASKS
TASK 1. INSTALL THE APPLICATION AND REVIEW ITS
FUNCTIONALITY
Install the supplied application in your device and review its functionality.

TASK 2. DECODE AND DECOMPILE THE APPLICATION

To decode and decompile the application, you should use Apktool, dex2jar and JD-GUI.

TASK 3. IDENTIFY HOW THE APPLICATION RETRIEVES
THE FILE
To determine how the application retrieves the file, you must step through the
AndroidManifest.xml. What permissions are required and what activities are used?

TASK 4. GATHER ALL SENSITIVE INFO HARD-CODED
INSIDE THE MOBILE APPLICATION
Let’s take Task 3 further. Use the JD-GUI tool and open the out_LocatingSecrets.jar file.

Start at the package com.els.locatingsecrets and examine the class Access. Follow the code to
see how the activity is created.

Are you able to find the username, password and code to access the hidden files?

SOLUTIONS

TASK 1. INSTALL THE APPLICATION AND REVIEW ITS
FUNCTIONALITY
For this task, a device (virtualized or physical*) that is able to reach the Internet is required.

*In the case of using a physical device, please make sure that you have authorized your
device, after you have connected it to your machine, so that it is accessible via ADB.

To install the supplied application, first open a terminal and navigate to the path:
your_drive:\Users\your_username\AppData\Local\Android\sdk\platform-tools

Then the following command should be executed:

adb.exe install your_drive:\path_of_extracted_zip\LocatingSecrets\app\build\outputs\apk\app-debug.apk

Please note that if several devices or emulators are connected at the same time, you must use
the -s switch followed by the device serial to select a specific device; adb devices lists the
connected devices and their serials.

This simple Android application appears to retrieve a list of files from a remote server after
prompting for a code on the device. Depending on the code entered, a different list of files is
displayed.

TASK 2. DECODE AND DECOMPILE THE APPLICATION
Since at this point you know neither the code nor the address of the remote server, what you
can do is reverse engineer the mobile application’s APK and inspect its internals for
sensitive information.

As described in the first lab, you can decode the APK using Apktool as follows.

apktool d your_drive:\path_of_extracted_zip\LocatingSecrets\app\build\outputs\apk\app-debug.apk

This creates a folder named app-debug in the current directory, containing the decoded
AndroidManifest.xml, the res folder with the application’s resources, and the smali folder
with the disassembled Dalvik bytecode.

To obtain readable code and make the source code inspection easier, you can also convert
the APK (specifically its classes.dex file) to a .jar file, as you did in the first lab. All you
have to do is execute the following:

d2j-dex2jar.bat your_drive:\path_of_extracted_zip\LocatingSecrets\app\build\outputs\apk\app-debug.apk -o out_LocatingSecrets.jar

This creates a file named out_LocatingSecrets.jar.

Now, you can use JD-GUI tool to view the file out_LocatingSecrets.jar.

TASK 3. IDENTIFY HOW THE APPLICATION RETRIEVES
THE FILE
You can start your analysis by inspecting the application’s AndroidManifest.xml file. As
you saw in the first lab, the AndroidManifest.xml is located inside the folder that was
created when you decoded the application with Apktool.

You can now open the AndroidManifest.xml file and get some basic information about the
application.

The following information can be extracted by inspecting the AndroidManifest.xml file:

1. The application requests the INTERNET permission. This indicates that the application
communicates with a remote server, probably to retrieve the list of remote files.
2. The application declares two activities. The activity named Access carries the
MAIN/LAUNCHER intent filter, so it is the one displayed when the application starts,
while the activity named Files has no intent filter and is probably reached from the first one.
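The manual triage above (which permissions are requested, which activity is the launcher, which components can be reached from outside the app) is easy to script. The Python below is an added example, not part of the lab or of the application’s own code. The embedded manifest is constructed to mirror what the lab describes: the package name com.els.locatingsecrets and the Access and Files activities come from the lab text, everything else in it is assumed. Pass the path of the AndroidManifest.xml produced by Apktool as the first argument to run it on the real file.

```python
"""Triage a decoded AndroidManifest.xml: permissions, activities, launcher, exported.

Added example, not the lab's code. Works on the XML Apktool writes, which keeps
the android: namespace and either short (".Access") or fully qualified names.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest mirroring the lab's description; not the real file.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.els.locatingsecrets">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="LocatingSecrets">
        <activity android:name=".Access">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".Files"/>
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Return package, requested permissions and a per-activity summary."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    permissions = [_attr(p, "name") for p in root.findall("uses-permission")]

    activities = []
    for act in root.iter("activity"):
        name = _attr(act, "name") or ""
        if name.startswith("."):          # Apktool keeps short names; expand them
            name = package + name
        actions = {_attr(a, "name") for a in act.iter("action")}
        categories = {_attr(c, "name") for c in act.iter("category")}
        is_main = ("android.intent.action.MAIN" in actions
                   and "android.intent.category.LAUNCHER" in categories)
        # Pre-API-31 default: an activity with an intent filter is exported
        # unless android:exported="false" is set; one without a filter is not.
        exported_attr = _attr(act, "exported")
        has_filter = act.find("intent-filter") is not None
        exported = (exported_attr == "true") if exported_attr is not None else has_filter
        activities.append({"name": name, "main": is_main, "exported": exported})

    return {"package": package, "permissions": permissions, "activities": activities}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MANIFEST
    result = triage_manifest(text)
    print("package:", result["package"])
    print("permissions:", ", ".join(result["permissions"]))
    for a in result["activities"]:
        print(f"activity {a['name']}  main={a['main']}  exported={a['exported']}")
```

Exported activities are worth listing because they can be started by any other app on the device with an explicit Intent; here Files has no intent filter, so on the lab’s target it is reachable only from Access.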

TASK 4. GATHER ALL SENSITIVE INFO HARD-CODED
INSIDE THE MOBILE APPLICATION
Now that you have some basic information about the application, you can start inspecting
the source code in order to understand its logic.

Go back to the JD-GUI tool and open the out_LocatingSecrets.jar file that you created in Task 2.

Now check the contents of the package com.els.locatingsecrets. There, you will find the
two activities declared on the application’s manifest file.

Open the class Access and examine its contents.

As usual, you can find the onCreate method. This one builds the layout of the activity.
There you will also see the resource id 2130968602 (0x7f04001a in hex; the 0x7f prefix marks
an application resource) passed to setContentView. You can resolve it to its symbolic name
(activity_access) by opening the R file, where R.layout lists the layout ids.

You can now go to the folder created by Apktool and search for this name. Layouts are stored
in the res -> layout folder, so the file to open is res/layout/activity_access.xml.

Here, we can see all the elements that will build the first activity interface.

In the Button node, the android:onClick attribute names the method access, which is invoked when the button is tapped.

Now return to Access.class for further investigation.

The access method defines the instructions that run when the button is tapped. This simple
code reads the value typed into the text box, stores it in a variable, and then starts the
activity named Files, passing that value along.

Now that you identified how the first activity works, move on to Files for further
investigation.

The code provided by the user must be verified in some way. If this check is performed by the
application itself (and not by the remote server), you should be able to understand how it
works and recover the expected value.

The code inside Files.class is a bit more complex. Because JD-GUI reconstructs it from the
bytecode, it resembles but does not match the original source (note synthetic names such as
localObject1 and localObject2). A quick glance already reveals some information, but for
now analyze the code step-by-step to understand how it works.

At the beginning there are some variable declarations and right after that you can find the
onCreate method. As usual, the first bits of code create the layout of the activity.

The values of username and password are not written into the class itself; they are read
from the application’s resources.

Try to read these values from the resources. First, check in the R.class file which resource
ids are passed to getString, so you know which resource type stores the credentials.

Now that you know they are listed in the R.string inner class, go into the folder res -> values and
open the file named strings.xml. There you can find the values of the two parameters in plain text.

An interesting part of the source code to continue your analysis is where the program
compares localObject2 with the string 5v3f4g and, if they are equal, adds a new pair
(priv/admin) to localObject1 (the same collection used before to add the username and
password parameters). As you have seen before, localObject2 holds the code provided by the
user in the previous activity, so this is a client-side check against a hard-coded constant.
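Both findings of this task (credentials in res/values/strings.xml and a user-supplied value compared against a string literal in the code) can be hunted for automatically across an Apktool output tree and any Java exported from JD-GUI. The Python below is an added example, not part of the lab or of the application’s own code. The embedded strings.xml and Java fragment are constructed to mirror the lab’s findings: the resource names username and password, the literal 5v3f4g and the priv/admin pair come from the lab text, while the credential values (demo_user, demo_pass) and the Pair class in the fragment are placeholders, since the real values are not in this document.

```python
"""Find hard-coded secrets in Apktool output and decompiled Java.

Added example, not the lab's code. Two heuristics: credential-like names in
<string> resources, and string literals that the code compares input against
(.equals()/.equalsIgnoreCase() in Java, const-string loads in smali).
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

# Resource names that usually hold credentials. Heuristic; tune per app.
SECRET_NAME_RE = re.compile(r"(user|pass|pwd|secret|token|api|key|code)", re.I)

# Literal on either side of .equals()/.equalsIgnoreCase(), escapes allowed.
JAVA_EQUALS_RE = re.compile(
    r'\.equals(?:IgnoreCase)?\(\s*"((?:[^"\\]|\\.)*)"\s*\)'
    r'|"((?:[^"\\]|\\.)*)"\s*\.equals(?:IgnoreCase)?\(')
# String constants loaded into a register in smali (apktool's smali/ folder).
SMALI_CONST_RE = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')

# Constructed strings.xml: the lab's resource names with placeholder values.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">LocatingSecrets</string>
    <string name="username">demo_user</string>
    <string name="password">demo_pass</string>
</resources>
"""

# Constructed fragment in the style of JD-GUI output for Files.class: the
# user-supplied code is compared with a literal and a privileged parameter
# is appended when it matches. Pair is a placeholder class name.
SAMPLE_JAVA = """
    if (((String)localObject2).equals("5v3f4g")) {
      ((List)localObject1).add(new Pair("priv", "admin"));
    }
"""


def credentials_from_strings_xml(xml_text):
    """Return {name: value} for <string> entries whose name looks secret-bearing."""
    root = ET.fromstring(xml_text)
    found = {}
    for s in root.findall("string"):
        name = s.get("name", "")
        if SECRET_NAME_RE.search(name):
            found[name] = (s.text or "").strip()
    return found


def compared_literals(source_text):
    """Return the distinct string literals the code compares against, in order seen."""
    seen = []
    for m in JAVA_EQUALS_RE.finditer(source_text):
        lit = m.group(1) if m.group(1) is not None else m.group(2)
        if lit not in seen:
            seen.append(lit)
    for m in SMALI_CONST_RE.finditer(source_text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def scan_tree(root_dir):
    """Walk an Apktool output dir (plus any exported .java files) and collect hits."""
    findings = {"resources": {}, "literals": {}}
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.endswith(".xml") and os.path.basename(dirpath) == "values":
                with open(path, encoding="utf-8") as fh:
                    hits = credentials_from_strings_xml(fh.read())
                if hits:
                    findings["resources"][path] = hits
            elif fn.endswith((".java", ".smali")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    lits = compared_literals(fh.read())
                if lits:
                    findings["literals"][path] = lits
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for section, hits in scan_tree(sys.argv[1]).items():
            for path, value in hits.items():
                print(f"[{section}] {path}: {value}")
    else:
        print(credentials_from_strings_xml(SAMPLE_STRINGS_XML))
        print(compared_literals(SAMPLE_JAVA))
```

The smali rule will list every string constant in a class, not only the ones used in comparisons, so expect noise from UI labels and URLs; the Java rule is narrower because it only fires on literals that reach an equals() call, which is exactly the pattern that exposed 5v3f4g here.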

Use the code you just discovered and see what happens.

As you can see, providing the code you discovered (5v3f4g), enables you to access more
files.

So far, you have been able to discover hard-coded credentials and a passcode that allows
you to access restricted files. Anything shipped inside the APK, whether in strings.xml or
compiled into a class, must be treated as public, since any user can extract it exactly as you
just did. You can continue to analyze the mobile application to understand where else those
credentials are used.
