“Insights from Android VAPT”


B@tHack3r

Are you intrigued by the world of cybersecurity and fascinated by the realm of mobile applications? Android Pentesting might just be the perfect entry point for you. In this blog, we will explore the basics of Android Pentesting and dive into the detailed scenarios of common bugs that can be found in Android applications.

Now, let’s delve into the Android file system and explore its various folders within the file hierarchy. Understanding these folders is essential for Android Pentesting and conducting security assessments. Here are the commonly encountered folders in the Android file system:

- /boot: Bootable files consisting of the Android kernel and ramdisk.
- /system: The entire Android OS is stored inside this folder. It also contains the pre-installed system applications, which are stored inside /system/app.
- /recovery: This folder is designed for backup and is considered an alternate boot option.
- /cache: This folder stores frequently accessed app data and components.
- /misc: Contains miscellaneous system settings.
- /sdcard: This folder is the space available to users to store their files and data.
- /data: This folder consists of all user data.
- /data/data: Consists of the data of all applications installed by the user.
- /data/app: Consists of the APKs of all applications installed by the user.
- /data/system: Consists of files such as gesture.key and password.key.
- /data/local/tmp: This folder is used for storing temporary or local files. It can be utilized by various applications for storing transient data.

During Android Pentesting, it is crucial to examine certain files and folders that are typically created during the application’s development process. These files and folders play a significant role in understanding the application’s structure and potential security vulnerabilities. Let’s take a closer look at these important files and folders in the context of Android Pentesting:

- AndroidManifest.xml: Holds the structure and metadata of the application. Usually, all permissions, API keys, etc. are declared inside this file.
- java: This folder contains the Java source code files.
- drawable: All images, videos, GIFs, etc. are stored inside this folder.
- layout: A layout defines the visual structure for a user interface, such as the UI for an Android activity.
- mipmap: The image asset folder that usually contains the launcher icons in different sizes.
- colors.xml: Color resource file of the Android application.
- lib: Contains native libraries with compiled code for the different device architectures.
- res: Contains predefined application resources, like XML files that define color state lists, user interface layouts, fonts, values, etc.
- resources.arsc: Contains precompiled resources. It holds the information that links the code to its resources.
- strings.xml: Contains a collection of string resources used for displaying text in the user interface. It serves as a central repository for labels, titles, descriptions, error messages, and other UI-related strings.
- styles.xml: Styles resource file of the Android application.
- build.gradle: This file is used to add the various dependencies. It also holds the SDK version numbers and other important build details.

Now, let’s shift our focus to the Android Data Storage Model. Android utilizes five primary methods for storing data, each serving different purposes and offering unique characteristics. These storage options play a crucial role in the overall functionality and data management of Android applications. Let’s explore these five ways in which Android stores data:

- Shared Preferences: Store private data in key-value pairs on the device.
- Internal Storage: Store private data in the device's internal memory.
- External Storage: Store public data on the shared external storage.
- SQLite Databases: Store structured data in private databases.
- Network Connection: Store data on the web with your own network server.

Perfect! Now that we have learned the Android architecture, let's learn how the actual pentesting methodology works. There are two types of analysis that are usually performed during Android pentesting.

- Static Analysis: This means viewing the source code of the APK and finding vulnerabilities by reviewing it. This is quite similar to a source code review. We usually look for the different Intent functions, sources and sinks, dangerous permissions, hardcoded API keys, etc. This is the reason we went into the details of the Android architecture.
- Dynamic Analysis: Dynamic analysis is all about playing with requests and responses. But here is a catch: unlike normal web pentesting, in Android (as well as iOS) the requests and responses are sometimes not captured directly. We first need to bypass root detection and then bypass SSL pinning. We will learn more about this in the upcoming articles.

Now, let’s explore the process of static analysis for Android applications and identify the potential bugs that can be detected through it.

1. CleartextTraffic Enabled for App:

CWE: 312 Cleartext Storage of Sensitive Information

The “Clear Text Traffic Enabled” bug refers to a vulnerability in an Android application where the app allows unencrypted network communication over HTTP instead of using secure HTTPS connections. This vulnerability is identified by analyzing the AndroidManifest.xml file.

Let's understand the difference between android:usesCleartextTraffic=true and android:usesCleartextTraffic=false in an Android application manifest file.

The difference between android:usesCleartextTraffic=true and android:usesCleartextTraffic=false in an Android application manifest file lies in how the application handles network traffic and whether it allows unencrypted (clear text) communication.

- android:usesCleartextTraffic=true: This attribute indicates that the application permits clear text traffic over unencrypted HTTP connections. With this setting, the application can send and receive data over HTTP without any encryption. It means that sensitive information, such as usernames, passwords, or other user data, can be transmitted without encryption, posing a security risk.
- android:usesCleartextTraffic=false: This attribute signifies that the application does not allow clear text traffic and enforces the use of encrypted connections, typically over HTTPS. With this setting, the application restricts network communication to secure channels, ensuring that sensitive data is encrypted during transmission.

From a pentesting perspective, android:usesCleartextTraffic=true is considered a vulnerability or bug. Allowing clear text traffic means that sensitive information can be intercepted by attackers who have access to the network traffic, potentially leading to data breaches or unauthorized access to user data. It is recommended to set android:usesCleartextTraffic=false to enforce secure communication protocols and protect sensitive data from interception.

Pentesters analyze the Android application manifest file to identify instances where android:usesCleartextTraffic=true is set. By finding this configuration, they can highlight the vulnerability and recommend that developers disable clear text traffic by setting android:usesCleartextTraffic=false. This is an important step in securing the application's network communication and protecting user data from potential attackers.

Severity: The severity of this vulnerability is typically classified as low; however, its impact varies with the sensitivity of the information the application transmits. If the application handles highly sensitive information, such as financial data, healthcare records, or personal identification information, the risk and potential impact of data exposure are significantly higher. Any unauthorized access to or interception of this sensitive data can have severe consequences, leading to legal and regulatory issues, financial losses, and reputational damage for the affected individuals or organizations.

[Screenshot: CleartextTraffic Enabled for App]

Steps to Reproduce:

To identify the “android:usesCleartextTraffic=true” vulnerability using jadx, a tool for reverse engineering Android applications, follow these simplified steps:

1. Install jadx: Download and install jadx from the official repository or your preferred source.
2. Obtain the target APK: Obtain the APK file of the Android application you want to analyze for the cleartext traffic vulnerability.
3. Launch jadx: Open jadx from the command line or using the graphical interface.
4. Import the APK: Use jadx to import the target APK by selecting the "Open" or "Import" option within the tool.
5. Analyze the decompiled code: Once the APK is loaded, jadx will decompile it and present the source code.
6. Search for the vulnerability: Within the decompiled source code, locate the AndroidManifest.xml file.
7. Inspect the AndroidManifest.xml: Open the AndroidManifest.xml file to locate the "usesCleartextTraffic" attribute.
8. Identify "usesCleartextTraffic=true": Check whether the "usesCleartextTraffic" attribute is set to "true". This indicates that the application allows clear text traffic, making it vulnerable to potential security risks.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

2. Debug Enabled for App:

CWE: 489 Active Debug Code

The android:debuggable="true" vulnerability refers to a configuration setting in an Android application that allows it to be debugged and analyzed by external tools. When android:debuggable is set to true, it enables developers or attackers to attach a debugger to the application, granting them access to sensitive information, including log messages, debug logs, internal data structures, and potentially even modifying the application's behavior.

This vulnerability is a security risk because it exposes the application to potential exploitation and unauthorized access. Attackers could leverage debugging capabilities to extract sensitive data, inject malicious code, or gain insights into the application’s inner workings, making it easier to identify vulnerabilities or weaknesses.

To address this vulnerability, it is essential to set android:debuggable="false" in the application manifest file before releasing it to production. With debuggable set to false, the ability to attach a debugger is restricted, limiting access to the application's internals and significantly reducing the risk of unauthorized access, code injection, or information leakage.

Severity: The severity of the "android:debuggable=true" vulnerability in an Android application is generally considered low.

[Screenshot: Debug Enabled for App]

Steps to Reproduce:

1. Install jadx: Download and install jadx from the official repository or your preferred source.
2. Obtain the target APK: Obtain the APK file of the Android application you want to analyze for the debuggable vulnerability.
3. Launch jadx: Open jadx from the command line or using the graphical interface.
4. Import the APK: Use jadx to import the target APK by selecting the "Open" or "Import" option within the tool.
5. Analyze the decompiled code: Once the APK is loaded, jadx will decompile it and present the source code.
6. Search for the vulnerability: Within the decompiled source code, locate the AndroidManifest.xml file.
7. Inspect the AndroidManifest.xml: Open the AndroidManifest.xml file to locate the "android:debuggable" attribute.
8. Identify "android:debuggable=true": Check whether the "android:debuggable" attribute is set to "true". This indicates that the application can be debugged, potentially exposing sensitive information or vulnerabilities.
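The two manifest checks above (usesCleartextTraffic and debuggable) can be automated once jadx has decoded AndroidManifest.xml to plain XML. The script below is an added example, not part of the original article or of jadx; the manifests it parses are constructed samples, and it also covers two caveats the manual steps miss: when the attribute is absent the platform default depends on targetSdkVersion (cleartext allowed below 28), and on Android 7.0+ a declared networkSecurityConfig overrides the flag.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not from any real app), as jadx would display it.
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.vulnapp">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="27"/>
    <application android:label="VulnApp" android:usesCleartextTraffic="true" android:debuggable="true"/>
</manifest>"""

# The same constructed app with both attributes set to the recommended values.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.vulnapp">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33"/>
    <application android:label="VulnApp" android:usesCleartextTraffic="false" android:debuggable="false"/>
</manifest>"""


def _attr(elem, name):
    """Read an android:-namespaced attribute from a decoded manifest element."""
    return None if elem is None else elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(xml_text):
    """Return (finding, evidence) pairs for the cleartext-traffic and debuggable checks."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []

    target_sdk = int(_attr(root.find("uses-sdk"), "targetSdkVersion") or 1)
    cleartext = _attr(app, "usesCleartextTraffic")
    if cleartext is None:
        # Attribute absent: the platform default allows cleartext below targetSdkVersion 28.
        cleartext_allowed = target_sdk < 28
        evidence = f"attribute absent; platform default for targetSdkVersion {target_sdk}"
    else:
        cleartext_allowed = cleartext.lower() == "true"
        evidence = f'android:usesCleartextTraffic="{cleartext}"'
    if cleartext_allowed:
        findings.append(("CWE-312: cleartext HTTP traffic permitted", evidence))
    if _attr(app, "networkSecurityConfig"):
        # On Android 7.0+ the network security config overrides usesCleartextTraffic,
        # so its cleartextTrafficPermitted setting must be reviewed as well.
        findings.append(("review network_security_config", _attr(app, "networkSecurityConfig")))

    if (_attr(app, "debuggable") or "false").lower() == "true":
        findings.append(("CWE-489: android:debuggable=\"true\" in manifest", "a debugger can attach"))
    return findings
```

Run audit_manifest() on the manifest text jadx shows for the target APK; an empty list means neither weak setting is present.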

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

I plan to provide additional information on various security vulnerabilities, including bugs that involve the exposure of sensitive information such as usernames, passwords, and private API keys, as well as vulnerabilities that can be exploited through logs. I aim to deliver this update by the upcoming weekend, specifically by June 18th.
