Android App Hacking - Black Belt Edition

We will discuss the concept (setup) of this course. How we can interact with a device and we also talk about the advantages and disadvantages of an real smartphone vs an emulator / virtual machine.

This video covers the core setup of an Ubuntu VM together with the installation of Android Studio. We will set our environment variables and get ready for this course :)

We will have a look into the installation process of an android emulator. We will also find out, which images directly gives us root access and which not.

In this video, we will learn more about the emulator and the really amazing options it provides. We will also have a look into some secret interfaces, which helps us location spoofing. It is not the mocking feature in the developer options ;)

We will setup a virtual machine which is based on an android image. This can be faster if we have to deal with nested virtualization. You will find more information about this in the concept video (beginning).

Let's do a quick recap about the concept and different options we have, because this might be a little bit confusing :).

Just a quick look into some useful developer options. Some of them are really underrated like the "bluetooth hci snoop log".

This video covers automating processes like inserting text or performing clicks on the device. This can be turned into playing games, without playing them :)

You will find two versions of this game. They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

We will learn how to create and dump the bluetooth log of a smartphone. Afterwards we will have a look into the connection parameters with wireshark.

We move on with capturing and analyzing the traffic and start sending our own modified packages, without requiring the android application.

We will get a better understanding of the Android Debug Bridge (ADB) and it's components. This is very helpful to perform more advanced attacks, that also requires port forwarding.

The final video of this chapter will cover useful adb commands and shows some interaction with the device.

The scrcpy version has been updated regarding to certain vendors. Some things have changed in Android version 14 and therefore, the old scrcpy version does not work anymore. This only affects real devices. Within the emulator I do not have encountered any issues.

In this video we will have a look into installing the new version to fix the problem for real devices :)

In this video we will get familiar with the app structure of an android app.

You smartphone is using the ARM architecture. You Java application bytecode is therefore being transfered into the "Dalvik Executable" (dex) format. Here we will learn more about this process.

This video gives a deeper view into the "Dalvik Executable" (.dex) format and also shows ways, analyzing it.

If we want to modify an android application, we need to decompile it. We will find out how this process works, in this video here.

In this video we will decompiling an android application.

The AndroidManifest.xml is the most important configuration file of an android application. In this video we will learn more about the strucutre.

You will find two versions of this game. They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

Android apps are being sandboxed. We have a look into the permission model, how it works and also get some impression, how to attack it.

In this video we will have a look into activities.

*Update: Just flashed the information that contentProvider do not have intent filters. That's all :)

Some practical exercises on interacting with activites

Some practical exercises in exploiting misconfigured activties.

Intents are some sort of messaging objects. We will learn more about them in this video.

This video shows the "arming" and "disarming" process of an alarm system, based on an intent.

Here you will find different versions. The "alarmPin.apk" is the apk which I have used in this video. One participant mentioned, that this application does not work for him. Therefore I have added an additional check which is "alarmPin_updated.apk". In case if you are using an android device version >= 12, I have also added the "alarmPin_androidVersion12.apk" for you. I hope we should be good to go right now :)

This quiz is about the things we have learned so far about activites and intents.

We will find out how deep- web- and app-links work and what vulnerabilities they offer.

BroadcastReceiver are some sort of notifcations for applications. They can be used for various tasks. We will find out how they work and also have a look into exploiting them.

In this video we learn, how to hunt for vulnerable BroadcastReceiver within an android app and also start exploiting them, with the adb shell.

You will also find a version of this app for android devices >= 12 (SDK31).

In case if a customer demonstration is required, it might be required to write our own application to demonstrate an exploit. This topic will be covered in this video.

Services are being used for all kind of background tasks. We will learn the differences between "bind" and "intent" services and also get a better understanding of, how they work.

ContentProvider is a very interesting topic. They simply "provide content" to other applications which can be sometimes be abused to trigger SQL injections or Path-Traversal attacks. In this video we will find out, how they work.

SQL injection attacks are not related to web applications. They can be used to bypass security features of an android application. An attacker might be able to access sensitive information of your app. We will find out how such an attack look like.

Equipped with the theory about the attack, we are now performing some practical one. We will gain access to a protected database table, through a vulnerable ContentProvider. Hands On!

Path-Traversal attacks are still common in android applications and could lead to a complete breach of the app. We will learn how they work and more important - how to exploit it.

Another recap. After this quiz, you are absolute ready to exploit your first applications. As already mentioned, we have some challenges in the reversing section for this.

Android applications needs to be signed. We will learn more about this process and why it is necessary.

This video covers some additional information about the signing process and the corresponding files of it. Knowledge about it might be required if there are some anti tamper actions: "has the app been modified?". We will learn how we can verify if an android app has been modfied and also, how to bypass it again :)

The "Bluebox Master Key" vulnerability is an issue within the signature verification of an android app. It has been patched a couple of years ago but it is still very interesting and might be useful regarding to the other platforms / checks.

This video gives an introduction into the reversing tool dex2jar and its corresponding features.

This video gives an introduction into the reversing tool jadx-gui and its corresponding features.

An exercise on how to get back the Java code of an android application. It is not the original code but regarding to the functionality, pretty close to it. This Java code cannot be dirctly modified and compiled back again. If we want to modify an android application, we have to do this in SMALI (see SMALI chapter).

This tool has some really amazing features and the switiching between different decompilers sometimes allows us, to restore back the Java code of hard obfuscated applications.

Some practical view into Androguard.

This video shows, how to create a call graph of an android application. It can come handy if we have to deal with high obfuscated android apps.

IMPORTANT

In the video I mentioned using the networkx library in a certain version. This step is not necessary anymore. Androguard did remove this library and it should work right now out of the box.

Please update your current androguard with the following command:

1. git pull

2. pip3 install -r requirements

In case if you have not downloaded it yet, please follow the instruction on the installation page of the wiki. I cannot link external sources here.

Info:

You will find two versions of the "reverseme.apk". They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

This video shows, how to create a flowgraph of an android application. It helped me solving really hard CTF challenges. This approach is of course also useful for real world applications. Really hard obfuscated android apps.

Let's recap everything we have learned so far by hacking a "banking app". This of course a training application but many findings we cover here, are also out there and waiting for you to be discovered (... and reported!:) ).

IMPORTANT:

Please install the following version of sqlalchemy if you encounter an error. Thanks Kyle! :)

$ pip3 install sqlalchemy==1.4.32

Let's try to bypass the login screen of the insecureBank application. 

Let's play around with the databse entries of the logging table.

Changing the password of this application, without even knowing it? Not a big deal because we know how to hack a BroadCast receiver.

Modern applications are now a days encrypting many of their data. We will find out how the password of this application is being encrypted and more importantly, how to decrypt it :)

Let's do a quick recap of the things we have learned so far.

We take our first step into the SMALI chapter and have a look into the code structure of our first application.

You will find two versions of the "smaliOne_Simple.apk". They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

If we want to modify an android application we need to do it in SMALI. We will learn more about this process in this video. We will also have a look into our first challenge, which is increasing the power level to be over 9000!

You will find two versions of "smaliOne.apk". They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

This video covers the solution of increasing the power level. It is over 9000!

In this video we will learn more about registers in SMALI.

You will find two versions of the "registers.apk". They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

In this video will cover certain types in SMALI and how to identify them.

The p0 register is sometimes a little bit special. It is acting as the "this" operator. We will learn more about this registers in this video.

This video covers the structure of a SMALI line and also gives an introduction into certain operations.

In this video we will learn more about the file structure of SMALI. This provides us a better understanding of the code itself.

After all this theory, we need to practice the things we have learned. So let's do a quick recap.

You will find two versions of the "practice_smali.apk". They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

In this video we will insert some real values into the function we have reversed before. We will verify if our reversing process was correct by running the application with the given parameters on our device.

This is our first real world challenge and it is about increasing the player lives of our spacepeng application. Start slow and try to increase it more and more.

This video covers the solution of patching the player lives in the spacenpeng application. We will also learn more about the width of a register.

This is just a short introduction for the upcoming if - content.

In this video we will learn how to write simple android application to simulate a certain task. In this case, the structure of an if statement.

If statements have a huge impact on the control flow of an android application. In this video we will get familiar with the structure of an if statement.

You will find two versions of the "smaliTwo.apk". They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

In this video we will have a look into the different comparisons / conditions of an if statement.

In this video we will practice everything we have learned so far and translate an if statement in SMALI back to Java code.

We will practice our SMALI skills by changing the logic of the applications.

The file "SmaliTwo_designed.zip" contains the applications with the nicer layout. The file "SmaliTwo.zip" the basic version. It does not really matter which one you pick because the logic is the same :)

The

Beside changing the logic, we can also get rid of it. This is exactly what we learn here :)

You will find two versions of the "app-debug.apk". They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

One thing that is missing, is manipulating the jump instructions itself. In this video we will learn how to change the control flow by manipulating the jumps.

You will find two versions of the "smaliTwo" app. They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions. Same for the solution here.

One common security feature is a rooting detection. It i s a client based check to verify that the application is not running on a rooted smartphoned. There is a controversial discussion about this feature. We simply want to get rid of it in this video :)

The solution video is showing multiple ways to bypass a common rooting detection. All of this of course in SMALI ;)

Bonus content showing additional ways to bypass the rooting detection.

You will find two versions of this app. They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

In this video we will learn how methods are being called in SMALI. We also make ourself more familiar with the syntax regarding to objects.

You will find two versions of every app. They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

Static methods are the most easiest methods in SMALI. We will find out how we can call them.

You will find two versions of the "static"-apps. They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

Finally we can talk about a "hello world" implementation in SMALI :)

You will find two versions of this app. They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

We recap everything by patching an XOR encryption method in SMALI. We are going to write our own code to print out the secret message. This is a huge milestone.

You will find two versions of the "XorEncryption.apk" and the "solution.apk". They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

In this video we will extend our knowledge about the XOR encryption from the last example. We will also figure out additional ways to manipulate it.

You will find two versions of the "solution". They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

AES is a very common encryption / decryption method. It is fast and also secure if the parameter have been chosen correctly. In this video we want to recap everything we have learned so far and start analyzing an AES encryption method in Java and SMALI.

You will find two versions of the "AES.apk". They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

In this video we will have a look into understanding new instructions and structures. At this point we are already able to learn completely unknown things in SMALI without even looking them up. We have a really solid understanding and can adapt this knowledge to new things.

In this video we perform the practical exercise and transfering the SMALI code back to the Java code. Line by line.

You will find two versions of the "out.apk". They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

Finally we will have a look into writing our own code and inserting it into an existing application. You can insert as much code as you want.

You will find two versions of the "solution.apk". They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

We are writing our own code to print out the AES secrets and perform the decryption of the message.

You will find two versions of the app. They are identical regarding to the functionality but the one having "12" at the end has been compiled for android version >= 12. The other one will work on all lower versions.

Alright, we are ready to perform the heavy lifting. In this video we want to add more shots on top of our player object. We want to create a quadro/penta/octa shot. As many as you want :) This is the intro for this challenge and I am also providing some hints here.

This challenge is really rough, therefore I start analzying the application and explaining the behaviour behind a player shot. These are some additional hints to solve the task :)

This is the solution, showing, how to add multiple player shots on top of our player. This is really advanced SMALI patching and if you have solved it, you absolutely deserve your blue belt here!

In this video we will have a look into debugging an android application, without having access to the source code.