Android – Aditya Agrawal
http://localhost
Security Researcher. RailFan. Foodie
Tue, 19 Jul 2016 08:14:35 +0000

Android Application Security Part 26 – Intercept Traffic on Android versions after 4.2.2
http://localhost/android-application-security-part-26/
Wed, 14 Oct 2015 15:02:50 +0000

In this post I will demonstrate how to intercept traffic on Android versions after 4.2.2. Most Android security professionals use Cydia Substrate and Android-SSL-TrustKiller to intercept traffic, but since Cydia Substrate is not supported after Android 4.2.2, this is a problem for users who want to pentest an app that only works on KitKat (Android 4.4.4) or Lollipop (Android 5.0.0).

So I will be using the Xposed Framework and JustTrustMe, which is an Xposed Framework module.

  • First download the Xposed Installer apk from here and install it on your device.

  • Now download the JustTrustMe apk from here and install it on your device.

  • Then open the Xposed Installer app on your device and go to Modules. Tick the checkbox to activate the JustTrustMe module.

  • Now go to the Framework section and choose Soft Reboot to reboot and activate the module.

Now if you intercept with your Burp Proxy you will be able to see the traffic of every app.

Install Google Play Store in Genymotion
http://localhost/android-application-security-part-25/
Wed, 14 Oct 2015 03:02:00 +0000

In this post I will demonstrate how you can install Google Play Store in a Genymotion device.

  • Switch on your Genymotion device.
  • Download the Google Apps package from CyanogenMod.
  • Drag and drop the downloaded zip file onto the Genymotion device. It will ask for confirmation; confirm it. It will then start showing some errors; ignore them for the time being and follow the next steps without opening any of the newly installed apps.
  • Go to Settings.
  • Tap on Add Account.
  • Tap on Google.
  • If you have an existing account then tap on Existing, otherwise you can make a new account.
  • Sign in to your Google account and then allow the Google update. You will now see that your Google account has been linked to this device. You can now operate Google Play Store and install other apps through it.
Configuring your Device for Pentesting
http://localhost/android-application-security-part-24/
Tue, 13 Oct 2015 22:01:34 +0000

In the first part of the series I showed how we can configure a virtual device for pentesting. In this post I will demonstrate how you can configure your real device (phone/tablet/smart watch) for pentesting.

  • Tap on the Build number until it says "You are now a developer".

  • Go to the Developer Options.

  • Tap on USB Debugging.

  • Connect your phone with the USB cable and you will see this notification on your screen.

  • Now you can install the Drozer agent on your phone or get a shell. Note that you will be prompted on your phone when connecting with adb.


Spoofing your location in Play Store
http://localhost/android-application-security-part-23/
Tue, 13 Oct 2015 21:56:14 +0000

Many times you will have seen that the application you want to assess is only available in selected countries, so you cannot install that application on your Android device. But if you can spoof your location to a country in which the application is available then you can get access to it. Below is the procedure for this.

  • First install Hotspot Shield Free VPN Proxy from Google Play Store.

  • Now connect using it and choose your required country.

  • Now go to Settings >> Apps >> Google Play Store and then tap on Force Stop and then on Clear Data.

  • Open up Google Play Store and now you will be able to search and install the application which is only available in that country.
Android Application Security Part 22 – Developer Backdoor
http://localhost/android-application-security-part-22/
Tue, 13 Oct 2015 21:55:57 +0000

Sometimes a developer puts a backdoor into an application. He/she puts it there because he doesn't want somebody else to access a sensitive piece of information, and sometimes the backdoor is for debugging purposes.

If you go through the Login activity you will find that there is a backdoor: a username/password combination which turns on some admin options.

From the above image we can work out that:

Username: customerservice
Password: Acc0uNTM@n@g3mEnT

If you log in with the credentials given above you will see an interface similar to the one given below.

Android Application Security Part 21 – Exploiting Debuggable Applications
http://localhost/android-application-security-part-21/
Tue, 13 Oct 2015 21:55:21 +0000

Consider a situation where your mobile is stolen and it is not rooted. If an application is marked as debuggable then any attacker can access the application's data by assuming the privileges of that application, or can run arbitrary code under that application's permissions. In the case of a non-debuggable application, the attacker would first need to root the device to extract any data.

How to check for the debuggable flag?

I will use Sieve to demonstrate this issue.

  • Decompile the .apk file using apktool, then open the AndroidManifest.xml file.

  • Look for the android:debuggable value in the AndroidManifest.xml file.

Now, to see which applications are connected to the debugging socket (@jdwp-control), type adb jdwp in the console. It will list the PIDs (Process Identifiers) of the applications which can be debugged.

In order to figure out which PID belongs to our application, type adb jdwp before running the application you want to test.

Now type adb jdwp again after opening the application and you will see that PIDs have been added to the last result; among those PIDs there is one which belongs to our application. In my case there is only one PID, 3894, which was added.

Now check whether or not this PID belongs to the application, in case you got more than one PID. The output should end with the name of the application, com.mwr.example.sieve in my case.
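The PID-identification steps above (two adb jdwp captures, then matching the new PID against a process listing) as an added Python example; this is not code from the original post. The adb jdwp and ps output is constructed, and the ps column layout (PID in the second column, process name in the last) is an assumption about the device's ps.

```python
# Constructed sample: `adb jdwp` output before the app was launched.
JDWP_BEFORE = "1345\n2210\n2987\n"

# Constructed sample: `adb jdwp` output after launching Sieve; one new PID.
JDWP_AFTER = "1345\n2210\n2987\n3894\n"

# Constructed sample of `adb shell ps`. Only two things are assumed about the
# layout: the PID is the second column and the process name is the last one.
PS_OUTPUT = """USER     PID   PPID  VSIZE  RSS   WCHAN    PC         NAME
u0_a12   1345  210   512000 40000 ffffffff 00000000 S com.android.systemui
u0_a57   2210  210   498000 36000 ffffffff 00000000 S com.android.settings
u0_a60   2987  210   520000 41000 ffffffff 00000000 S com.google.android.gms
u0_a80   3894  210   480000 35000 ffffffff 00000000 S com.mwr.example.sieve
"""


def parse_jdwp(output: str) -> set:
    """PIDs printed by `adb jdwp`, one per line."""
    return {int(tok) for tok in output.split() if tok.isdigit()}


def new_debuggable_pids(before: str, after: str) -> set:
    """PIDs that appeared between the two `adb jdwp` captures."""
    return parse_jdwp(after) - parse_jdwp(before)


def pid_to_process(ps_output: str) -> dict:
    """Map PID (second column) to process name (last column) of a `ps` listing."""
    mapping = {}
    for line in ps_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) >= 2 and cols[1].isdigit():
            mapping[int(cols[1])] = cols[-1]
    return mapping


def debuggable_packages(before: str, after: str, ps_output: str) -> dict:
    """{pid: process name} for processes that became debuggable after launch."""
    names = pid_to_process(ps_output)
    return {pid: names.get(pid, "<unknown>")
            for pid in new_debuggable_pids(before, after)}


if __name__ == "__main__":
    for pid, name in sorted(debuggable_packages(JDWP_BEFORE, JDWP_AFTER, PS_OUTPUT).items()):
        print(f"PID {pid} -> {name} is attached to @jdwp-control (debuggable)")
```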

Now, to simply demonstrate what a debuggable application allows, I will extract data from the application's private directory.

With the help of the run-as binary we can execute commands as the com.mwr.example.sieve application.

Note: Above is the shell access of my personal phone which is not rooted.

Now you can extract the data or run arbitrary code with the application's permissions, as shown below.

But if you try to access any other directory using this method it won't be allowed, because com.mwr.example.sieve doesn't have access to it.

How To Fix

The fix is very simple: just set the android:debuggable flag to false in the application's AndroidManifest.xml.

Android Application Security Part 20 – Client Side Injections
http://localhost/android-application-security-part-20/
Tue, 13 Oct 2015 21:55:07 +0000

Client Side Injection holds the 7th position in the OWASP Mobile Top 10.

  • JavaScript Injection: The mobile browser is vulnerable to JavaScript injection as well. The default Android browser also has access to mobile applications' cookies. If you have your Google account attached to the device then you can use your Google account in the Android browser without authentication.

  • Several application interfaces or language functions can accept data and can be fuzzed to make applications crash. While most of these flaws do not lead to overflows, because the phone platforms run managed code, several have been used as a "userland" exploit in an exploit chain aimed at rooting or jailbreaking devices.

  • Mobile malware or other malicious apps may perform a binary attack against the presentation layer (HTML, JavaScript, Cascading Style Sheets) or the actual binary of the mobile app's executable. These code injections are executed either by the mobile app's framework or by the binary itself at run time.

How To Fix

  • SQL Injection: When dealing with dynamic queries or Content-Providers ensure you are using parameterized queries.
  • JavaScript Injection (XSS): Verify that JavaScript and Plugin support is disabled for any WebViews (usually the default).
  • Local File Inclusion: Verify that File System Access is disabled for any WebViews (webview.getSettings().setAllowFileAccess(false);).
  • Intent Injection/Fuzzing: Verify actions and data are validated via an Intent Filter for all Activities.

Reference

OWASP Top 10 2014 – M7

Android Application Security Part 19 – Improper Session Handling
http://localhost/android-application-security-part-19/
Tue, 13 Oct 2015 21:54:48 +0000

Improper Session Handling holds the 9th position in the OWASP Mobile Top 10.

Session handling is a very important part of what happens after authentication has been done. Session management should also be done in a secure way to prevent some vulnerable scenarios. Most applications have a secure mechanism for authentication but very insecure mechanisms for session handling; below I describe some of the common scenarios.

No session destruction at server side

I have seen this one most of the time: most applications just send a null cookie when the user opts to log out, but that session cookie is still valid on the server side and is not destroyed after the user has used the logout feature.

Cookie not set as Secure

The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text.

To accomplish this goal, browsers which support the secure flag will only send cookies with the secure flag when the request is going to an HTTPS page. Said another way, the browser will not send a cookie with the secure flag set over an unencrypted HTTP request.

Android Application Security Part 18 – Attacking Broadcast Receivers
http://localhost/android-application-security-part-18/
Tue, 13 Oct 2015 21:52:20 +0000

To get the list of exported Broadcast Receivers, you can either use drozer or look in the AndroidManifest.xml file as I did in the Attacking Activities post. I will be using drozer.

Above is the exported broadcast receiver.

If you look in the AndroidManifest.xml file of the FourGoats application you will find the action name org.owasp.goatdroid.fourgoats.SOCIAL_SMS and the component name org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver. So we have to set these parameters in drozer accordingly.

I have also decompiled the FourGoats apk using dex2jar and opened it with JD-GUI. Below is a snap of this particular BroadcastReceiver's source code.

So from the above code we can tell that when passing the intent we have to give two inputs, "phoneNumber" and "message".

The above command will try to send the message "It's me Aditya" to the number 1234. But from Android 4.2 onwards, further control has been added over the use of SMS. Android will show a notification if an application attempts to send an SMS to a short code that uses premium services which might cause additional charges. The user can choose whether to allow the application to send the message or to block it.

But when I modify the phoneNumber to 123456789 it will not show this confirmation dialog, because Android doesn't consider that number a premium number.

So in this way a malicious app can take advantage of an exported BroadcastReceiver of another app.

Android Application Security Part 17 – Attacking Activities
http://localhost/android-application-security-part-17/
Tue, 13 Oct 2015 21:51:25 +0000

As I defined in Android Application Security Part 3 – Android Application Fundamentals, an activity is a graphical user interface of an application for the user. An application mostly has more than one activity. Each activity is different; for example, the activity for logging in to an application is different from the activity for changing settings.

You can use Drozer to find all the activities in an application, or you could also see the listed activities in the AndroidManifest.xml file.

If the application is not obfuscated then you can reverse engineer it and see its source code.

Note: It is not necessary that you will see activities listed like the above in the case of other applications. That depends on the developer of the application.

Exported Activities

Exported Activities are those activities which can be accessed by other applications on the same device.
Most of the time, after authentication in an Android application, it shifts to a new activity which users are aware of (like the music playlist after your music player login). But developers keep those activities exported, and even without custom permissions.

  • If you look at the HerdFinancial application you will find that org.owasp.goatdroid.herdfinancial.activities.Main is exported and that it doesn't even have any custom permissions.

  • You can simply pass an intent through Drozer to start that particular activity.

  • After that you will see that the HerdFinancial application has been started with the default account, i.e. with the account number 1234567890, and now you can do all sorts of things like transfer money to someone else's account. How scary it would be if something like this existed in our banking apps!

If you are an Android developer then you can also make a proof-of-concept application to demonstrate this behaviour.
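The manifest checks that Part 21 (android:debuggable), Part 18 (exported Broadcast Receivers) and this post (exported Activities without custom permissions) perform by hand, as an added Python example that is not from the original posts. The manifest is constructed, reusing only the component and action names quoted in the posts; the "no explicit android:exported but an intent-filter means exported" rule assumed here is the classic Android default.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: the component and action names are the ones quoted in
# the posts (HerdFinancial's Main activity, FourGoats' SendSMSNowReceiver).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.owasp.goatdroid.example">
  <application android:debuggable="true">
    <activity android:name="org.owasp.goatdroid.herdfinancial.activities.Main"
              android:exported="true"/>
    <receiver android:name="org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver">
      <intent-filter>
        <action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:exported="true"
              android:permission="org.owasp.goatdroid.example.PRIV"/>
  </application>
</manifest>"""


def attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")  # android:<name> attribute


def is_exported(component) -> bool:
    """Explicit android:exported wins; otherwise an <intent-filter> exports it."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def audit_manifest(xml_text: str) -> dict:
    """Debuggable flag plus exported activities/receivers lacking a permission."""
    app = ET.fromstring(xml_text).find("application")
    unprotected = [
        (tag, attr(comp, "name"))
        for tag in ("activity", "receiver")
        for comp in app.findall(tag)
        if is_exported(comp) and attr(comp, "permission") is None
    ]
    return {"debuggable": attr(app, "debuggable") == "true",
            "unprotected_exports": unprotected}


if __name__ == "__main__":
    report = audit_manifest(MANIFEST)
    print("android:debuggable =", report["debuggable"])
    for tag, name in report["unprotected_exports"]:
        print(f"exported {tag} with no android:permission: {name}")
```

Running the block against a real decompiled manifest (apktool output) only requires reading the file into `audit_manifest` in place of the constructed string.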
