Android App Hacking - Black Belt Edition
In this course you will learn absolutely everything about Android app hacking. This course teaches you the ethical principles and enables you to become the top expert of your company regarding app security. We learn really complex attacks in the most fun way possible: by hacking a mobile game.
Legal note:
The game we are going to hack is licensed under the GNU GPL, which means we are allowed to perform such modifications. Hacking apps without the permission of the author is strongly forbidden! The things you learn are related to security research. I am teaching you all of this in a legal and ethical way.
Course Structure:
In the installation chapter we will analyze different smartphone setups, their strengths and their weaknesses. We unlock our device and use certain features to start hacking our first apps right away. We will learn how to analyze Bluetooth Low Energy connections and get familiar with the Android Debug Bridge (ADB).
We move on to the Android app structure. Here we gain a rock solid understanding of the key components of an Android app. We will analyze the AndroidManifest.xml and learn how to exploit activities, broadcast receivers and content providers. We will write our own small apps to exploit SQL injections and path traversals.
Afterwards we take a deep dive into reverse engineering. We will learn how to decompile an Android app and reconstruct the Java code. We will have a look at different decompilers and create flow and call graphs to deal with highly obfuscated apps. Finally a nice application is waiting for us to practice all the things we have learned so far.
Then we have the treasure of this course, the SMALI chapter. SMALI is like an assembly language for an Android application and gives us unlimited power in hacking them. We practice our skills by modifying our mobile game to have infinite lives and to become invisible or invincible. We add multiple player shots, manipulate the fire rate and much more.
In the man-in-the-middle chapter we will learn how to analyze the network traffic of a mobile app. We will gain an understanding of HTTPS and how to analyze these connections. We will learn how certificate pinning works and bypass several different types of it.
The last thing that is missing is FRIDA, which is an amazing framework to perform runtime manipulations within an app. We will hook into the pseudorandom number generator (PRNG) to modify a dice application. We will learn how to scan the memory for certain instances and how to interact with the UI thread of an app. We will create new objects and practice all of this by writing our own trainer for a gaming application. The cherry on top will be the analysis of a native C function with Ghidra and its manipulation and modification with FRIDA.
After getting through all these chapters you will be the top expert in Android app security of your company. So, what are you waiting for? 🙂
1. Setup - Theory (Video Lesson)
We will discuss the concept (setup) of this course: how we can interact with a device, and the advantages and disadvantages of a real smartphone versus an emulator / virtual machine.
2. Installation (System & Android Studio) (Video Lesson)
This video covers the core setup of an Ubuntu VM together with the installation of Android Studio. We will set our environment variables and get ready for this course :)
3. Emulator - Installation (Video Lesson)
We will have a look into the installation process of an Android emulator. We will also find out which images give us root access directly and which do not.
4. Emulator - Usage (Secret Features) (Video Lesson)
In this video, we will learn more about the emulator and the really amazing options it provides. We will also have a look into some secret interfaces which help us with location spoofing. It is not the mocking feature in the developer options ;)
5. Androidx86 Virtual Machine - Setup (Video Lesson)
We will set up a virtual machine which is based on an Android image. This can be faster if we have to deal with nested virtualization. You will find more information about this in the concept video (beginning).
6. Concept (Quiz)
Let's do a quick recap about the concept and the different options we have, because this might be a little bit confusing :).
7. Developer Options (Video Lesson)
Just a quick look into some useful developer options. Some of them are really underrated, like the "bluetooth hci snoop log".
8. Developer Options - Secrets (Game Hacking) (Video Lesson)
This video covers automating processes like inserting text or performing clicks on the device. This can be turned into playing games, without playing them :)
You will find two versions of this game. They are identical in functionality, but the one with "12" at the end has been compiled for Android version >= 12. The other one will work on all lower versions.
9. Developer Options - Bluetooth Low Energy Hacking (Video Lesson)
We will learn how to create and dump the Bluetooth log of a smartphone. Afterwards we will have a look into the connection parameters with Wireshark.
10. Bluetooth Low Energy - Furby App Hacking (Video Lesson)
We move on with capturing and analyzing the traffic and start sending our own modified packets, without requiring the Android application.
11. Android Debug Bridge - Theory (Video Lesson)
We will get a better understanding of the Android Debug Bridge (ADB) and its components. This is very helpful for performing more advanced attacks that also require port forwarding.
12. Android Debug Bridge (ADB) - HandsOn (White Belt) (Video Lesson)
The final video of this chapter will cover useful adb commands and show some interaction with the device.
13. Scrcpy for Android version 14 (Video Lesson)
The scrcpy version has been updated for certain vendors. Some things have changed in Android version 14 and therefore the old scrcpy version does not work anymore. This only affects real devices. Within the emulator I have not encountered any issues.
In this video we will have a look into installing the new version to fix the problem for real devices :)
14. Filestructure of an APK (Video Lesson)
In this video we will get familiar with the file structure of an Android app.
15. Dalvik / Dex (Video Lesson)
Your smartphone is using the ARM architecture. Your Java application bytecode is therefore converted into the "Dalvik Executable" (dex) format. Here we will learn more about this process.
16. Classes.dex (Video Lesson)
This video gives a deeper view into the "Dalvik Executable" (.dex) format and also shows ways of analyzing it.
17. Decompiling - Preparation (Video Lesson)
If we want to modify an Android application, we need to decompile it. We will find out how this process works in this video.
18. Decompiling - HandsOn (Video Lesson)
In this video we will decompile an Android application.
19. AndroidManifest.xml (Video Lesson)
The AndroidManifest.xml is the most important configuration file of an Android application. In this video we will learn more about its structure.
You will find two versions of this game. They are identical in functionality, but the one with "12" at the end has been compiled for Android version >= 12. The other one will work on all lower versions.
20. App - Permissions (Video Lesson)
Android apps are sandboxed. We have a look into the permission model, how it works, and also get an impression of how to attack it.
21. Activities (Video Lesson)
In this video we will have a look into activities.
*Update: Just a quick note that ContentProviders do not have intent filters. That's all :)
22. Activities - Hacking (Video Lesson)
Some practical exercises on interacting with activities.
23. Activity - Bonus (Bypassing Login - Own Application) (Video Lesson)
Some practical exercises in exploiting misconfigured activities.
24. Intents (Video Lesson)
Intents are a sort of messaging object. We will learn more about them in this video.
25. Intents - Examples (Video Lesson)
This video shows the "arming" and "disarming" process of an alarm system, based on an intent.
Here you will find different versions. The "alarmPin.apk" is the apk which I have used in this video. One participant mentioned that this application does not work for him. Therefore I have added an additional check, which is "alarmPin_updated.apk". In case you are using an Android device with version >= 12, I have also added the "alarmPin_androidVersion12.apk" for you. I hope we should be good to go now :)
26. Activities and Intents (Quiz)
This quiz is about the things we have learned so far about activities and intents.
27. DeepLinks (Theory - 2024) (Video Lesson)
We will find out how deep links, web links and app links work and what vulnerabilities they offer.
28. DeepLinks (Examples - 2024) (Video Lesson)
We will take a practical view on deep links and web links and how they work. We will cover different Android versions, up to 14, and we will also see how to manipulate the application behavior by viewing them :)
29. BroadcastReceiver (Video Lesson)
BroadcastReceivers are a sort of notification for applications. They can be used for various tasks. We will find out how they work and also have a look into exploiting them.
30. BroadcastReceiver - Hacking (Alarm App) (Video Lesson)
In this video we learn how to hunt for vulnerable BroadcastReceivers within an Android app and also start exploiting them with the adb shell.
You will also find a version of this app for Android devices >= 12 (SDK31).
31. BroadcastReceiver - Hacking via own App (Video Lesson)
If a customer demonstration is required, it might be necessary to write our own application to demonstrate an exploit. This topic will be covered in this video.
32. Services (Video Lesson)
Services are used for all kinds of background tasks. We will learn the differences between "bind" and "intent" services and also get a better understanding of how they work.
33. ContentProvider (Video Lesson)
ContentProviders are a very interesting topic. They simply "provide content" to other applications, which can sometimes be abused to trigger SQL injections or Path-Traversal attacks. In this video we will find out how they work.
34. ContentProvider - SQL Injection (Video Lesson)
SQL injection attacks are not limited to web applications. They can be used to bypass security features of an Android application. An attacker might be able to access sensitive information of your app. We will find out what such an attack looks like.
35. ContentProvider - Database Attacks (SQLi - Permission / Bypass) (Video Lesson)
Equipped with the theory about the attack, we are now performing a practical one. We will gain access to a protected database table through a vulnerable ContentProvider. Hands On!
36. ContentProvider - PathTraversal Attack (Video Lesson)
Path-Traversal attacks are still common in Android applications and could lead to a complete breach of the app. We will learn how they work and, more importantly, how to exploit them.
37. ContentProvider - Path Traversal (Text)
38. Broadcast Receiver and Content Provider (Quiz)
Another recap. After this quiz, you are absolutely ready to exploit your first applications. As already mentioned, we have some challenges in the reversing section for this.
39. Application Signing (Video Lesson)
Android applications need to be signed. We will learn more about this process and why it is necessary.
40. Application Signing - Deep Dive (Video Lesson)
This video covers some additional information about the signing process and the corresponding files. Knowledge about it might be required if there are some anti-tamper checks ("has the app been modified?"). We will learn how we can verify whether an Android app has been modified and also how to bypass such a check again :)
41. BlueBox Master Key Vulnerability (Signing) (Video Lesson)
The "Bluebox Master Key" vulnerability is an issue within the signature verification of an Android app. It was patched a couple of years ago, but it is still very interesting and might be useful with regard to other platforms / checks.
42. Yellow Belt - Challenge (Text)
43. Dex2Jar (Video Lesson)
This video gives an introduction into the reversing tool dex2jar and its corresponding features.
44. Jadx-Gui (Video Lesson)
This video gives an introduction into the reversing tool jadx-gui and its corresponding features.
45. Jadx-Gui HandsOn (Video Lesson)
An exercise on how to get back the Java code of an Android application. It is not the original code, but in functionality it is pretty close to it. This Java code cannot be directly modified and compiled back again. If we want to modify an Android application, we have to do this in SMALI (see SMALI chapter).
46. Secret Super Weapon (Video Lesson)
This tool has some really amazing features, and switching between different decompilers sometimes allows us to restore the Java code of heavily obfuscated applications.
47. Reversing Apps (Video Lesson)
A practical view into Androguard.
48. Creating a CallGraph (CG) (Video Lesson)
This video shows how to create a call graph of an Android application. It can come in handy if we have to deal with highly obfuscated Android apps.
IMPORTANT
In the video I mentioned using the networkx library in a certain version. This step is not necessary anymore. Androguard removed this library and it should now work out of the box.
Please update your current androguard with the following commands:
    git pull
    pip3 install -r requirements
If you have not downloaded it yet, please follow the instructions on the installation page of the wiki. I cannot link external sources here.
Info:
You will find two versions of the "reverseme.apk". They are identical in functionality, but the one with "12" at the end has been compiled for Android version >= 12. The other one will work on all lower versions.
49. Creating a FlowGraph (FG) (Video Lesson)
This video shows how to create a flow graph of an Android application. It helped me solve really hard CTF challenges. This approach is of course also useful for real world applications, especially heavily obfuscated Android apps.
50. Challenge - Intro (Video Lesson)
Let's recap everything we have learned so far by hacking a "banking app". This is of course a training application, but many findings we cover here are also out there and waiting for you to be discovered (... and reported! :) ).
IMPORTANT:
Please install the following version of sqlalchemy if you encounter an error. Thanks Kyle! :)
    $ pip3 install sqlalchemy==1.4.32
51. Challenge - Hacking Activities (Video Lesson)
Let's try to bypass the login screen of the insecureBank application.
52. Challenge - Hacking Content Provider (Video Lesson)
Let's play around with the database entries of the logging table.
53. Challenge - Hacking Broadcast Receiver (Video Lesson)
Changing the password of this application without even knowing it? Not a big deal, because we know how to hack a Broadcast Receiver.
54. Challenge - Password (Decryption) (Video Lesson)
Modern applications nowadays encrypt much of their data. We will find out how the password of this application is encrypted and, more importantly, how to decrypt it :)
