- Layout for this exercise:
1 - What is DIVA?
- According to its developer, Aseem Jakhar, DIVA (Damn Insecure and Vulnerable App) is an application intentionally designed to be insecure.
https://github.com/payatu/diva-android
- The goal of DIVA is to teach developers and security professionals the flaws that are commonly present in apps as a result of poor or insecure coding practices.
- DIVA covers common vulnerabilities in Android apps, ranging from insecure logging, insecure storage, input validation and access control issues to a few vulnerabilities in native code, which makes it more interesting because it covers both Java and C vulnerabilities.
2 - Installing DIVA from Santoku Linux to Android device
- Once the application has been downloaded and extracted on Santoku Linux, the file diva-beta.apk is available for use and analysis:
- Santoku connects to the mobile device:
- Installing DIVA on Nexus, using ADB (Android Debug Bridge):
- Launching the application:
- DIVA includes 13 challenges:
3 - Decompiling, reversing and analyzing the application
- To analyze and work with DIVA's source code it is essential to decompile the application, for instance with jadx:
- Executing jadx over diva-beta.apk. Although it displays some errors, the final result is successful:
- As a result of executing jadx, a diva-beta folder is created:
- The folder diva-beta contains all the components of the application:
- The manifest file shows that the application's package is jakhar.aseem.diva:
- Going down the path of folders indicated by the package name:
- Once the innermost folder diva is reached, it contains the Java source code of all the activities used by the application, which will be very useful for finding a solution to each of DIVA's challenges:
ANALYSIS WITH ANDROGUARD
- Androguard is an open source Python framework, usable from an IPython shell, designed to analyze and reverse engineer Android applications.
- Some of Androguard's functionalities include automated and scripted analysis of dex, odex, apk and xml binary files, disassembly, decompilation, malware dissection, and more.
- It can be found here:
https://github.com/androguard/androguard
- Once downloaded, let's unzip the file:
- The tool androlyze is part of the Androguard platform and allows static analysis of .apk files:
https://androlyze.readthedocs.io/en/latest/
- Let's take the application box.apk as an example. Its full path:
- Getting the permissions of the application:
- Detailing the permissions; for example, android.permission.INTERNET is considered "dangerous" because it allows full access to the network, for instance creating sockets:
- Identifying the activities of the application:
- Services:
- Broadcast receivers:
- Signature in hexadecimal:
- The package name:
- Determining whether the application is valid or not:
- Files:
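The same attributes that androlyze prints above (package name, requested permissions, activities, services and receivers) can also be read straight from the AndroidManifest.xml that jadx extracts. The script below is an added example written for this page, not code from the original write-up, from DIVA or from Androguard; it uses only the Python standard library and embeds a constructed sample manifest (not DIVA's real one). Beyond listing the components it flags the ones that are exported without a guarding permission, which is the first thing a reviewer wants to know about an app's attack surface.

```python
"""Stdlib-only triage of a decompiled AndroidManifest.xml (as jadx writes it)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest for the demo; it is NOT DIVA's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Sample">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".DebugActivity" android:exported="true"/>
        <activity android:name=".InternalActivity" android:exported="false"/>
        <service android:name=".SyncService"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <provider android:name=".DataProvider"
                  android:authorities="com.example.sample.data"
                  android:exported="true"
                  android:permission="com.example.sample.READ"/>
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def qualify(package, name):
    """Expand shorthand component names ('.MainActivity', 'Foo') to fully qualified ones."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def is_exported(elem):
    """Explicit android:exported wins; otherwise a component that declares an
    intent-filter is implicitly exported (the default before API level 31).
    Note: content providers targeting API < 17 defaulted to exported as well;
    that historical case is not modelled here."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def analyze_manifest(xml_text):
    """Return package, requested permissions and a list of component records."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    permissions = [_attr(p, "name") for p in root.findall("uses-permission")]
    components = []
    app = root.find("application")
    for tag in COMPONENT_TAGS:
        for elem in app.findall(tag):
            components.append({
                "kind": tag,
                "name": qualify(package, _attr(elem, "name")),
                "exported": is_exported(elem),
                "permission": _attr(elem, "permission"),
            })
    return {"package": package, "permissions": permissions, "components": components}


def attack_surface(report):
    """Components other apps can reach: exported and not guarded by a permission."""
    return [c["name"] for c in report["components"]
            if c["exported"] and not c["permission"]]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    report = analyze_manifest(text)
    print("package:", report["package"])
    print("permissions:", ", ".join(report["permissions"]))
    for c in report["components"]:
        print("%-8s %-40s exported=%s permission=%s"
              % (c["kind"], c["name"], c["exported"], c["permission"]))
    print("reachable without a permission:", attack_surface(report))
```

Run it with the path to the AndroidManifest.xml from the jadx output folder, or with no argument to see the constructed sample; on the sample, MainActivity, DebugActivity and BootReceiver are reported as reachable while DataProvider is exported but guarded by a custom permission.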
- Now, let's retrieve classes and methods from the application:
- Writing a small script for getting the classes:
- Same thing for the methods:
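As an added example of the kind of small script mentioned above (written for this page; it is not code from the original write-up or from the Androguard project), the following lists an app's own classes and methods and converts Dalvik descriptors such as `Ljakhar/aseem/diva/MainActivity;` and `(Ljava/lang/String;I)V` into readable Java notation. It assumes the Androguard 3.x Python API (`AnalyzeAPK` returning an `APK`, a list of `DalvikVMFormat` objects and an `Analysis`); the `_Fake*` classes and `SAMPLE_DEX` are a constructed stand-in so the filtering and descriptor parsing can run offline without an APK. Filtering by the package prefix is what separates the app's own code from bundled libraries such as android.support.*.

```python
"""List an app's own classes and methods via Androguard, with descriptor decoding."""
import re

_PRIMITIVES = {"V": "void", "Z": "boolean", "B": "byte", "S": "short", "C": "char",
               "I": "int", "J": "long", "F": "float", "D": "double"}
_TYPE_RE = re.compile(r"\[*(?:[VZBSCIJFD]|L[^;]+;)")


def descriptor_to_java(desc):
    """'Ljakhar/aseem/diva/MainActivity;' -> 'jakhar.aseem.diva.MainActivity',
    'I' -> 'int', '[B' -> 'byte[]'."""
    dims = 0
    while desc.startswith("["):
        dims += 1
        desc = desc[1:]
    if desc.startswith("L") and desc.endswith(";"):
        base = desc[1:-1].replace("/", ".")
    else:
        base = _PRIMITIVES[desc]
    return base + "[]" * dims


def parse_method_descriptor(desc):
    """'(Ljava/lang/String;I[B)V' -> (['java.lang.String', 'int', 'byte[]'], 'void')."""
    params, ret = desc[1:].split(")", 1)
    return [descriptor_to_java(t) for t in _TYPE_RE.findall(params)], descriptor_to_java(ret)


def app_classes(dex_list, package):
    """Map each class in `package` to its methods as (name, (param types, return type)).
    `dex_list` is the list of DalvikVMFormat objects AnalyzeAPK returns (assumed API)."""
    prefix = "L" + package.replace(".", "/") + "/"
    result = {}
    for dex in dex_list:
        for cls in dex.get_classes():
            if not cls.get_name().startswith(prefix):
                continue  # skip bundled library code
            result[descriptor_to_java(cls.get_name())] = [
                (m.get_name(), parse_method_descriptor(m.get_descriptor()))
                for m in cls.get_methods()]
    return result


def analyze(apk_path, package=None):
    """Load an APK with Androguard (assumed 3.x API) and list the app's own classes."""
    from androguard.misc import AnalyzeAPK  # imported lazily: only needed for real APKs
    a, d, dx = AnalyzeAPK(apk_path)
    return app_classes(d, package or a.get_package())


# Constructed stand-ins mimicking the few Androguard methods used above, so the
# script can be exercised offline; the class and method names are made up.
class _FakeMethod:
    def __init__(self, name, descriptor):
        self._name, self._desc = name, descriptor
    def get_name(self):
        return self._name
    def get_descriptor(self):
        return self._desc


class _FakeClass:
    def __init__(self, name, methods):
        self._name, self._methods = name, methods
    def get_name(self):
        return self._name
    def get_methods(self):
        return self._methods


class _FakeDex:
    def __init__(self, classes):
        self._classes = classes
    def get_classes(self):
        return self._classes


SAMPLE_DEX = [_FakeDex([
    _FakeClass("Ljakhar/aseem/diva/MainActivity;",
               [_FakeMethod("<init>", "()V"),
                _FakeMethod("onCreate", "(Landroid/os/Bundle;)V")]),
    _FakeClass("Landroid/support/v7/app/AppCompatActivity;",
               [_FakeMethod("onCreate", "(Landroid/os/Bundle;)V")]),
    _FakeClass("Ljakhar/aseem/diva/SampleActivity;",
               [_FakeMethod("checkout", "(Landroid/view/View;)V")]),
])]


if __name__ == "__main__":
    import sys
    classes = (analyze(sys.argv[1], "jakhar.aseem.diva") if len(sys.argv) > 1
               else app_classes(SAMPLE_DEX, "jakhar.aseem.diva"))
    for cls_name, methods in classes.items():
        print(cls_name)
        for name, (params, ret) in methods:
            print("    %s %s(%s)" % (ret, name, ", ".join(params)))
```

With an APK path as argument the script needs Androguard installed; without one it runs over the constructed sample and prints the two jakhar.aseem.diva classes while dropping the android.support class.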
- The options and scope of Androguard are immense. This has been just a brief look at the possibilities of this very handy framework for Android analysis.