- AndroidManifest.xml (basically a blueprint for the application)
Find exported components, api keys, custom deep link schemas, schema endpoints etc.
- resources.arsc/strings.xml
Developers are encouraged to store strings in this file instead of hard coding in application.
- Search source code recursively
Especially BuildConfig files.
Decompiled apk: Resources/resources.arsc/res/values/strings.xml, search for "firebsae.io" and try to access:
https://*.firebase.io/.json
- String references in Android Classes
getString(R.string.cmVzb3VyY2VzX3lv)
cmVzb3VyY2VzX3lv is the string resource label.
- Find these string references in strings.xml
- Piece together the domains and required params in source code
- Activities - Entry points for application interactions of components specified in AndroidManifest.xml.
Has several states managed by callbacks such as onCreate().
→ Access to protected intents via exported Activities
One exported activity that accepts a user provided intent can expose protected intents.
→ Access to sensitive data via exported Activity
Often combined with deep links to steal data via unvalidated parameters. Write session tokens to an
→ Access to sensitive files, stealing files, replacing imported files via exported Activities
external-files-path, external-path
→ Look for "content://" in source code
- Service - Supplies additional functionality in the background.
→ Custom file upload service example that is vulnerable because android:exported="true". When exported by third party
applications can send data to the service or steal sensitive data from applications depending on the services function. Check if params and intent data can be set with proof of concept application.
- Broadcast receivers - Receives broadcasts from events of interest. Usually specified broadcasted intents in the broadcast receiver activity.
→ Vulnerable when receiver is exported and accepts user provided broadcasts.
→ Any application, including malicious ones, can send an intent to this broadcast receiver causing it to be triggered without any restrictions.
- Content providers - Helps applications manage access to stored data and ways to share data with other Android applications
→ Content providers that connect to sqlite can be exploited via SQL injection by third party apps.
- In Android, a deep link is a link that takes you directly to a specific destination within an app.
- Think of deep links as Android urls to specific parts of the application.
- Usually mirrors web application except with a different schema that navigate directory to specific Android activities.
- Verified deep links can only use http and https schemas. Sometimes developers keep custom schemas for testing new
- Type of vulnerabilities are based on how the scheme://, host://, and parameters are validated
→ CSRF - Test when autoVerify=”true” is not present in AndroidManifest.xml It’s easier.
→ Open redirect - Test when custom schemes do not verify endpoint parameters or hosts
→ XSS - Test when endpoint parameters or host not validated, addJavaScriptInterface and
→ setJavascriptEnabled(true); is used.
→ LFI - Test when deep link parameters aren’t validated. appschema://app/goto?file=
- Check database is encrypted under /data/data/<package_name>/
- Check in source code for database credentials
- Lead to sensitive information disclosure
- adb backup com.vendor.app
- Check logcat when login and any action performed
Storing Sensitive Data in External Storage
- Check data stored after usage /sdcard/android/data/com.vendor.app/
- MD5 is a weak algorythm and have collisions
Predictable Random Number Generator (PRNG)
- The java.util.Random function is predictable
- Hard-coded user authentication information (credentials, PINs, etc.)
- Hard-coded cryptographic keys.
- Hard-coded keys used for encrypted databases.
- Hard-coded API keys/private
- Hard-coded keys that have been encoded or encrypted (e.g. base64 encoded, XOR encrypted, etc.).
- Hard-coded server IP addresses.
- Start a shell on Android and gain an interactive shell with run-as command
- adb exec-out run-as com.vendor.app cat databases/appName > appNameDB-copy
If you get built-in WebView and try to access:
appscheme://webview?url=https://google.com
appscheme://webview?url=javascript:document.write(document.domain)
If install apk in Genymotion fails with "INSTALL_FAILED_NO_MATCHING_ABIS":
- Apk is compiled only for ARM
- Download zip for your Android version here https://github.com/m9rco/Genymotion_ARM_Translation
- Move zip to VM and flash
https://pentester.land/tips-n-tricks/2018/10/19/installing-arm-android-apps-on-genymotion-devices.html