Saturday, December 24, 2016
ANDROID PT / Backup Vulnerability
BACKUP VULNERABILITY
- Layout for this exercise:
- Connecting Santoku to Nexus 5:
- Backup and restoration processes in some Android applications are vulnerable because the backup contents can be altered and later restored without root privileges.
- Some of these vulnerabilities were discovered and investigated by Chris John Riley and Aditya Gupta.
- In this exercise the Android Backup Extractor (abe) will be used:
https://sourceforge.net/projects/adbextractor/
- Once downloaded to Santoku, let's unzip abe:
- On the other hand, to test the backup vulnerability, the application box.apk will be used:
- Installing box.apk to the mobile device:
- In Settings, a passcode is set:
- From now on, a passcode is needed to access the application after a timeout of 1 minute:
- Detecting the name of the package used by the application:
- ADB is used to back up the application installed from box.apk, creating the new file box.ab. The extension .ab means "android backup":
- The user is prompted to perform the backup at the mobile device:
- The backup process is successful:
- hexdump shows the hexadecimal content of box.ab, checking that it is actually an Android backup:
- It is important to notice that an Android Backup (*.ab) file is actually a compressed tar file that the Android Backup Extractor can convert, so box.ab is unpacked to box.tar:
- Extracting with tar, all the files of box.tar are displayed:
- Listing the files of box.tar to a file box.list:
- Now, the whole package com.box.android is available to be analyzed:
- Going deeper into the folder's structure down to sp (shared preferences):
- Looking into apps:
- A hardcoded encrypted pin is found in the file myPreference.xml:
- Opening myPreference.xml, the line with the encrypted pin is detected:
- To alter the application data, the line corresponding to the encrypted pin is simply removed:
- Now, to rebuild the application once it has been altered, the pax command is used:
- Redirecting the list of files of box.list (altered) to a new file box1.tar:
- The Android Backup Extractor now performs the reverse of the earlier process, packing instead of unpacking, and creates the file box1.ab from the altered box1.tar:
- hexdump shows the hexadecimal content of box1.ab, checking that it is actually an Android backup:
- Restoring the backup with ADB:
- The user is prompted to perform the restoration (notice that neither passcode nor pin is requested):
- The restoration of data is eventually successful:
- We can also verify that the alteration is effective by checking that the Settings configuration now says Require passcode = Never, although we had previously set a required passcode:
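
The hexdump and unpack steps above rely on the layout of an .ab file: four text header lines (magic, version, compression flag, encryption) followed by the tar payload, deflate-compressed when the flag is 1. The following added example is not part of the original exercise or of the Android Backup Extractor; it parses that header and lists the shared-preference files an app exposes through its backup. The function names and the sample package `com.example.app` are assumptions constructed for illustration.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"

def parse_ab(data: bytes):
    """Split an .ab file into its header fields and the raw payload."""
    lines, pos = [], 0
    for _ in range(4):                      # magic, version, compressed, encryption
        end = data.index(b"\n", pos)        # ValueError if the header is truncated
        lines.append(data[pos:end])
        pos = end + 1
    magic, version, compressed, encryption = lines
    if magic != MAGIC or compressed not in (b"0", b"1"):
        raise ValueError("not an Android backup header")
    return {"version": int(version), "compressed": compressed == b"1",
            "encryption": encryption.decode()}, data[pos:]

def to_tar(data: bytes) -> bytes:
    """Return the tar archive carried by an unencrypted backup."""
    header, payload = parse_ab(data)
    if header["encryption"] != "none":      # encrypted backups need the backup password
        raise ValueError("encrypted backup: payload not readable without the password")
    return zlib.decompress(payload) if header["compressed"] else payload

def shared_prefs(tar_bytes: bytes):
    """List the shared-preference files (apps/<package>/sp/...) in the archive."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return sorted(m.name for m in tar.getmembers() if m.isfile()
                      and len(p := m.name.split("/")) > 3 and p[2] == "sp")

def build_sample() -> bytes:
    """Constructed sample: an unencrypted, compressed backup of a hypothetical app."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in (("apps/com.example.app/_manifest", b"1\n"),
                           ("apps/com.example.app/sp/prefs.xml", b"<map></map>\n")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return MAGIC + b"\n1\n1\nnone\n" + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    sample = build_sample()
    print(parse_ab(sample)[0])
    print(shared_prefs(to_tar(sample)))
```

Any file this lists is data the application trusts on restore, so it should not be the only place a lock setting such as a passcode requirement is stored.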