# android
# from https://github.com/sindresorhus/awesome
https://github.com/JStumpp/awesome-android#readme
https://github.com/ashishb/android-security-awesome#readme
# quick analysis
https://github.com/1N3/ReverseAPK
# checklist / cheatsheet
https://github.com/randorisec/MobileHackingCheatSheet
https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet/
https://github.com/carlospolop/hacktricks/tree/master/mobile-apps-pentesting
https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
# great blog about android security (michael)
http://nelenkov.blogspot.com.au/2013/09/using-sim-card-as-secure-element.html
# intro android security DC19
http://www.youtube.com/watch?v=GoMgK3om8Vo
http://slandail.net/step-by-step-guide-to-decompiling-android-apps/
# static analysis
smalisca http://nullsecurity.net/tools/scanner.html
APKAnalyzer (http://developer.sonymobile.com/2012/04/13/powerful-tool-to-analyse-your-apks-now-released-open-source/)
# android webviews best practice
https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/
http://www.droidsec.org/news/2014/02/26/on-the-webview-addjsif-saga.html
# debug ala gdb (not tested)
https://appsec-labs.com/AppUse
10:39 <michael> https://www.owasp.org/images/d/d6/OWASP_IL_2013_10_Erez_Metula_The_ReFrameworker_Android_runtime_manipulator.pdf
# HIP talk
http://www.youtube.com/watch?v=Tv5bmlPXyFU
http://kaiyou.fr/files/2013/06/main.pdf
https://github.com/sysdream/fino
https://github.com/sysdream/gadget
https://github.com/sysdream/gadget-client
# http://blog.sglan/2013/05/02/dump-files-as-debuggable-app.html
quick test:
$ adb shell
run-as com.boganbank.gr8app ls /data/data/com.boganbank.gr8app
# local root on 4.4.2
http://blog.cassidiancybersecurity.com/post/2014/06/Android-4.4.3%2C-or-fixing-an-old-local-root
# tool which can extract and re-package backup files created with 'adb backup' so they can be restored with 'adb restore'
https://github.com/nelenkov/android-backup-extractor
# helps with analyzing inter-app communication but requires uploading the apk (so not suitable if the app isn't public yet)
http://comdroid.org
# jadx > procyon > CFR > jd-gui https://stackoverflow.com/questions/1249973/decompiling-dex-into-java-sourcecode
jadx blah.apk # then export as gradle project and open in android studio / netbeans / intellij
enjarify -o blah.jar blah.apk; jadx blah.jar # enjarify > dex2jar
# check signed cert
openssl pkcs7 -inform DER -in META-INF/CERT.RSA -text -print_certs
keytool -printcert -file CERT.RSA
# genymotion
burp: 10.0.3.2:8082
adb push path/to/burp_cacert.cer /sdcard/burp.cer
# ida plugins
https://github.com/techbliss/ADB_Helper_QT_Super_version
https://www.youtube.com/watch?v=j6EwCC4mxNQ
# lock screen (password/PINs)
password.key, locksettings.db and device_policies.xml
* android 5.x https://hashcat.net/forum/thread-2202-page-5.html
hashcat -m 110 $(cat password.key|tr A-Z a-z|cut -b -40):$(printf "%x" $(sqlite3 locksettings.db "select value from locksettings where name='lockscreen.password_salt'"))
* android < 5.x https://hashcat.net/forum/thread-2202.html
hashcat -m 5800
# patch apk
apktool d base.apk -o base
..make changes..
apktool b -o base.apk base/
zip -d base.apk 'META-INF/BNDLTOOL.*'
keytool -genkey -v -keystore ~/.debug.keystore -storepass android -alias androiddebugkey -keypass android -keyalg RSA -keysize 2048 -validity 10000
jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore ~/.debug.keystore -storepass android base.apk androiddebugkey
zipalign -p 4 base.apk base.apk.ok && mv base.apk.ok base.apk
adb uninstall com.example.Test
adb install base.apk  # or, for split apks: adb install-multiple -r base.apk split_config.*.apk
# bypass cert pinning
https://blog.it-securityguard.com/the-stony-path-of-android-%F0%9F%A4%96-bug-bounty-bypassing-certificate-pinning/
# certificate pinning based on its public key sha256 fingerprint
openssl s_client -connect blah.com:443 </dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64  # </dev/null so s_client exits instead of waiting on stdin
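A stdlib-only Python version of that pin computation, added here as an example (not from the notes above): it walks the DER certificate down to the SubjectPublicKeyInfo and hashes only that, which is why a pin survives re-issuing the certificate with the same key. The certificate it runs on is constructed inline with dummy key bytes, so the resulting pin is not a real one.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]: returns (tag, whole_tlv, inner_value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    hdr, length = 2, first
    if first & 0x80:                       # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start, end = pos + hdr, pos + hdr + length
    return tag, buf[pos:end], buf[start:end], end

def spki_from_der_cert(cert_der):
    """Walk Certificate -> TBSCertificate and return the raw DER SubjectPublicKeyInfo."""
    tag, _, cert, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, _, tbs, _ = read_tlv(cert, 0)
    assert tag == 0x30, "TBSCertificate must be a SEQUENCE"
    tag, _, _, nxt = read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0        # optional EXPLICIT [0] version (absent in v1 certs)
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, _, pos = read_tlv(tbs, pos)
    tag, spki, _, _ = read_tlv(tbs, pos)
    assert tag == 0x30, "subjectPublicKeyInfo must be a SEQUENCE"
    return spki

def pin_of_spki(spki_der):
    """base64(SHA-256(SPKI)): what 'openssl dgst -sha256 -binary | openssl enc -base64' prints."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def spki_pin(cert_der):
    """Pin straight from a DER certificate (the value the openssl one-liner above produces)."""
    return pin_of_spki(spki_from_der_cert(cert_der))

def der_tlv(tag, content):
    """Minimal DER encoder, used only to build the constructed (not real) test certificate below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Constructed cert: rsaEncryption AlgorithmIdentifier + dummy 200-byte key, exercising long-form lengths.
SYNTHETIC_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))
                                       + der_tlv(0x05, b"")) + der_tlv(0x03, b"\x00" + b"\x42" * 200))
SYNTHETIC_TBS = der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + der_tlv(0x30, b"") * 4 + SYNTHETIC_SPKI
SYNTHETIC_CERT = der_tlv(0x30, der_tlv(0x30, SYNTHETIC_TBS) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
if __name__ == "__main__": print(spki_pin(SYNTHETIC_CERT))
```

On a real leaf or intermediate cert (`openssl x509 -outform der`) the output matches the openssl one-liner byte for byte, which is a quick way to confirm a value before it goes into network_security_config.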
# android instrumentation tools
https://github.com/FrenchYeti/dexcalibur # powered by frida
https://www.shielder.it/blog/2019/02/fridalab-writeup/ https://github.com/mahmutyazici/android-frida # frida, fridalab
https://github.com/nccgroup/house # frida script generator
https://github.com/Project-ARTist/ARTist
https://www.sensepost.com/blog/2016/android-hooking-with-introspy/ # hooking