Skip to main content

Apk Bug Boundy Guide

 

Note*: To install & run the tools mentioned in this blog, check my blog in the above video description.

Most Android applications are written in Java. Instead of the Java code being run in Java Virtual Machine (JVM) like desktop applications, in Android, the Java is compiled to the Dalvik Executable (DEX) bytecode format. For more recent versions of Android, the Android Runtime (ART) is used.

Smali is the human readable version of Dalvik bytecode. SMALI is like the assembly language. Smali Instruction set.

To get the Smali from DEX, you can use the baksmali tool (disassembler)

Check List:

1. Run apkleaks to find leaked credentials, and validate the credentials using nuclei token-spray.

2. Use apktool to reverse-engineer the apk. And check the following things:

3. Check: /assets and /res/raw

4. Check: Manifest, (it is like the table of contents): for “External storage”, “intents”

5. Use “ls -a”, to view hidden files when browsing directories.

6. Inotify (inode notify) is a Linux kernel subsystem that monitors file system changes and reports them to applications.

7. Check all the imports.

8. Frida (Dynamic analysis):
allows you to modify, hook, and dynamically interact with applications, hook methods, inspect class variables, and more.

Exploring Frida: A Dynamic Instrumentation Tool Kit

Explore Frida, the open-source toolkit for app security and why its detection is crucial for fraud prevention.

fingerprint.com

9. dex2jar:
converts .dex files into .jar files. It is relatively easy to decompile a .class and .jar file back to source code.

GitHub - pxb1988/dex2jar: Tools to work with android .dex and java .class files

Tools to work with android .dex and java .class files - pxb1988/dex2jar

github.com

10. JADX:
apk reverse engineering tool. You can instruct jadx do this by using the “ — deobf” flag in combination with “ — deobf-min”.

Example: ./jadx — deobf — deobf-min 3 …

For example take an app with multiple “a.java” files, and output them as unique class names like “C1234a.java”. As a result, you don’t have to sort through all the different uses of “a.java”, and instead, you can just search for uses of “C1234a.java”.

11. A common decompilation flow looks like this:

  1. Use apktool to extract APK and decompress resource files
  2. Use jadx to decompile.

12. aapt dump badging <my_app.apk> :
dump things like the AndroidManifest.xml tree from an APK without needing to decompile or extract anything.

13. Proxying Android Over USB:
Here’s how to set it up:

  1. Make sure your device is connected via ADB
  2. adb reverse tcp:8080 tcp:8080
  3. Settings -> WiFi -> Long Press Network -> Manage Network -> Advanced -> Proxy -> Manual
  4. Proxy Host: 127.0.0.1
  5. Proxy Port: 8080
  6. Press Save

Now your device should send all traffic to 127.0.0.1:8080 which is then proxied over USB to port 8080 on your host machine. No more spotty connections or wondering if your router is blocking proxy connections.

14. Logcat is a command-line tool that dumps a log of system messages including messages that you have written from your app with the Log class.

15. Install genymotion in desktop & do Dynamic analysis of apk in mobsf

APK Dynamic Analysis in MobSF in Linux

Download Genymotion .bin file Type command: chmod +x filename.bin ./filename.bin Create an account in Genymot...

adithyakrishnav.blogspot.com

CTF’s to practice:

  1. Intro to Android Exploitation

RESOURCES:

  1. HackerOne Blog
  2. Smali Instruction set.
  3. Android App Reverse Engineering 101

Labels

Labels:

Comments

Post a Comment

Popular posts from this blog

Bug Boundy Methodology, Tools & Resources

Start by defining a clear objective, such as exploiting a remote code execution (RCE) vulnerability or bypassing authentication on your target. Then, consider how you can achieve this goal using various attack vectors like XSS, SSRF, or others - these are simply tools to help you reach your objective. Use the target as how a normal user would, while browsing keep these questions in mind: 1)How does the app pass data? 2)How/where does the app talk about users? 3)Does the app have multi-tenancy or user levels? 4)Does the app have a unique threat model? 5)Has there been past security research & vulnerabilities? 6)How does the app handle XSS, CSRF, and code injection?
Post a Comment
Read more

Install & set up mitmweb or mitmproxy in Linux

Step 1: Go to the mitmproxy page and download the binaries. Step 2: Install the downloaded tar file with the command " tar -xzf <filename>.tar.gz " Step 3: In the FoxyProxy add the proxy 127.0.0.1:8080  and turn it on. Step 4 : In the terminal run command " ./mitmweb " Step 5: Go to the page  http://mitm.it/   and download the mitmproxy's Certificate. Step 6: If you downloaded the certificate for Firefox, then go to " settings -> Privacy & Security -> Click View Certificates -> Click  Import ", then import the certificate.  Step 7: Now you are ready to capture the web traffic. Step 8 : In terminal run " ./mitmweb"
Post a Comment
Read more

pip error in Kali Linux: error: externally-managed-environment : SOLVED

 error: externally-managed-environment × This environment is externally managed ╰─> To install Python packages system-wide, try apt install     python3-xyz, where xyz is the package you are trying to     install.     If you wish to install a non-Kali-packaged Python package,     create a virtual environment using python3 -m venv path/to/venv.     Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make     sure you have pypy3-venv installed.     If you wish to install a non-Kali-packaged Python application,     it may be easiest to use pipx install xyz, which will manage a     virtual environment for you. Make sure you have pipx installed.     For more information, refer to the following:     * https://www.kali.org/docs/general-use/python3-external-packages/     * /usr/share/doc/python3.12/README.venv note: If you believe this is a mistake, please contac...
Post a Comment
Read more