Security Audit of Attify’s Vulnerable App - Learning Pentesting for Android Devices (2014)

1. Introduction

1.1 Executive Summary

Attify Labs was contracted by XYZ Corporation to perform a penetration test of the Android application "Attify's Vulnerable App". The purpose of this penetration testing audit was to identify the security vulnerabilities in the Android application, as well as in the web services it communicates with.

Care was taken during testing to ensure that no damage was caused to the backend web server while carrying out the audit. The assessment was performed under the leadership of Aditya Gupta with a team of three in-house penetration testers.

During the audit, a number of security vulnerabilities were discovered in the XYZ Android application and the backend web services. Overall, we found the system to be insecure and at high risk from attackers.

The results of this audit will help XYZ Corporation make their Android applications and web services secure from the security threats posed by attackers, which could cause damage to reputation and income.

1.2 Scope of the Work

The penetration testing performed here was focused on the Android application of XYZ Corporation named "Attify's Vulnerable App". The penetration test also covered all the web services that the Android application communicates with in the backend.

1.3 Summary of Vulnerabilities

The Android application "Attify's Vulnerable App" was found to be vulnerable, with many vulnerabilities in the application itself as well as in the third-party library used within the application. The library was successfully exploited, giving us access to all of the application's data stored on the device.

Also, a WebView component found in the application made the application vulnerable to the manipulation of JavaScript responses, giving us access to the entire JavaScript interface in the application. This ultimately allowed us to exploit the application on insecure networks, gaining control of application behavior, and also allowed us to install further applications without user knowledge, make unintended calls, send SMS, and so on.

Other vulnerabilities discovered in the application included insecure file storage, which gave us access to sensitive user credentials stored in the application once the device had been rooted.

Also, it was noted that the web services the application communicated with did not properly authenticate the user, and sensitive information stored on the web server could be accessed with an SQL authentication bypass attack.

2. Auditing and Methodology

2.1 Tools Used

The following tools were used for the application auditing and penetration testing process:

· Test Platform: Ubuntu Linux Desktop v12.04

· Device: Nexus 4 running Android v4.4.2

· The Android SDK

· APKTool 1.5.2: To decompile the Android application into Smali source files

· Dex2Jar 0.0.9.15.48: To decompile the Android application source to Java

· JD-GUI 0.3.3: To read the Java source files

· Burp Proxy 1.5: The proxy tool

· Drozer 2.3.3: The Android Application Assessment Framework

· NMAP 6.40: To scan web services

2.2 Vulnerabilities

Issue #1: Injection vulnerabilities in the Android application

Description: An injection vulnerability was found in the Android application in the DatabaseConnector.java file. The parameters account_id and account_name were passed directly into the SQLite query inside the application, making it vulnerable to SQLite injection.

Risk Level: Critical

Remediation: User input should be properly validated and sanitized before being passed to database commands.
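As an added illustration of this remediation (example code, not the audited application's DatabaseConnector.java or the book's code), the concatenated query pattern beside its validated, parameterized replacement using Android's SQLiteDatabase API; the table and column names are assumed:

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

// Added example, not the audited application's DatabaseConnector.java.
// Table and column names (accounts, account_id, account_name) are assumed.
public class AccountLookup {
    private final SQLiteDatabase db;

    public AccountLookup(SQLiteDatabase db) {
        this.db = db;
    }

    // VULNERABLE pattern: untrusted values are spliced into the SQL text. A value
    // containing a quote character ends the string literal early and the rest of
    // the value is parsed as SQL, which is the injection the audit reported.
    public Cursor findAccountInsecure(String accountId, String accountName) {
        String sql = "SELECT * FROM accounts WHERE account_id = '" + accountId
                + "' AND account_name = '" + accountName + "'";
        return db.rawQuery(sql, null);
    }

    // FIXED: validate the shape of the input, then bind it as a parameter.
    // SQLite treats bound values purely as data, so they cannot change the query.
    public Cursor findAccount(String accountId, String accountName) {
        if (!accountId.matches("\\d{1,18}")) {            // account_id is numeric
            throw new IllegalArgumentException("invalid account_id");
        }
        if (accountName.isEmpty() || accountName.length() > 64) {
            throw new IllegalArgumentException("invalid account_name");
        }
        return db.query("accounts", null,
                "account_id = ? AND account_name = ?",
                new String[] { accountId, accountName },
                null, null, null);
    }
}
```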

Issue #2: Vulnerability in the WebView component

Description: The WebView component in the Android application specified in the WebDisplay.java file allows JavaScript to be executed. An attacker could intercept the traffic on an unsecured network, create custom responses, and take control over the application.

Risk Level: High

Remediation: If JavaScript is not required in the application, call setJavaScriptEnabled(false) on the WebView's settings.
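An added example (not the audited WebDisplay.java or the book's code) of a WebView configured along these lines: JavaScript stays off unless a feature needs it, and navigation is restricted to HTTPS on one expected host so that content cannot be swapped by a network attacker; ALLOWED_HOST is a placeholder.

```java
import android.net.Uri;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example, not the audited application's WebDisplay.java.
// ALLOWED_HOST is a placeholder for the backend the view is meant to show.
public class HardenedWebDisplay {
    private static final String ALLOWED_HOST = "backend.example.com";

    // Issue #2 remediation: JavaScript stays off unless the feature needs it,
    // and even then the view only ever loads HTTPS pages from one host.
    public static void configure(WebView webView, boolean needsJavaScript) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(needsJavaScript);
        // Keep a hostile page away from local files and content providers.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        // Refuse http:// sub-resources inside https:// pages (API 21+).
        settings.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true cancels the navigation, so redirects or links
                // to any other origin (or plain http://) are simply dropped.
                return !isAllowedUrl(url);
            }
        });
    }

    // shouldOverrideUrlLoading is not consulted for the initial loadUrl(),
    // so the same check is applied before the first page is requested.
    public static void load(WebView webView, String url) {
        if (!isAllowedUrl(url)) {
            throw new IllegalArgumentException("refusing to load " + url);
        }
        webView.loadUrl(url);
    }

    static boolean isAllowedUrl(String url) {
        Uri uri = Uri.parse(url);
        return "https".equals(uri.getScheme()) && ALLOWED_HOST.equalsIgnoreCase(uri.getHost());
    }
}
```

WebView's default WebViewClient already cancels loads on TLS certificate errors, so this client deliberately does not override onReceivedSslError.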

Issue #3: No/Weak encryption

Description: The Android application stores the authentication credentials in a file named prefs.db, which is kept in the application's folder on the device, namely /data/data/com.vuln.attify/databases/prefs.db. With root privileges, we were able to successfully view the user credentials stored in the file. The authentication credentials were stored Base64-encoded in the file.

Risk Level: High

Remediation: The authentication credentials should be stored with proper and secure encryption if they have to be stored locally.

Issue #4: Vulnerable content providers

Description: The Android application's content providers were found to be exported, which makes them accessible to any other application on the device. The content provider is content://com.vuln.attify/mycontentprovider.

Risk Level: High

Remediation: Set android:exported="false" on the content provider declaration in AndroidManifest.xml, or protect the provider with permissions when declaring it.

3. Conclusions

3.1 Conclusions

The application was found to be vulnerable overall, with vulnerabilities relating to the content providers, SQLite databases, and data storage techniques.

3.2 Recommendations

The application was found to be vulnerable with some critical and some high severity vulnerabilities. With a little effort and secure coding practices, all the vulnerabilities can be remediated successfully.

For the application to remain secure, regular security auditing is required to assess the security of the application before every major upgrade.