Hello, and welcome to the new video of the Android Security and Exploitation training series by Pentester Academy. My name is Aditya, and I'm your course instructor for this entire training series. You can also check out certifications at securitytube-training.com.

So in this particular video, we are going to start off with a new set of vulnerabilities that is called backup based vulnerability. Now backup is a recent feature introduced in Android, where you can take the backups of any application and you can also restore it back. This entire process happens without root privileges, right. So what an attacker can do over here is, if you can take a backup of an application which has some security restrictions, you can basically modify the backup contents and you can restore it back. So this was the same vulnerability that was discovered in LastPass by Chris John Riley, which is patched now. And the same vulnerability was also discovered in Box by me, and the recent version of Box is going to be patched against this kind of vulnerability, right.

So if you have a look at the Box application, it looks something like this. And if you go to the settings, you can set a passcode which you can use in order to access Box, right. So if you come back to the application after one minute, it will need a passcode to enter the application. So let's close it. Let's go back, right.

Okay, so now you can take the backup of the application using custom methods, which is: you can take the backup using adb backup, specifying the package name and storing to any file.ab. And you can use dd to copy the first 24 bytes... like, skipping the first 24 bytes and then copying the rest into app.tar, as the first 24 contain the header. And then you specify the contents of the tar in a file called app.list, and then you extract the tar. And once you have extracted and modified the contents of the tar, you can again tar it to combine it back into a box_new.tar. And now you create the app_new.ab again by putting back the header and then the contents of the tar. And then you restore it back. So this is a bit more complicated process, and there's also an automated tool which can perform a few of these actions automatically, which is called ABE or the Android Backup Extractor, which you can download from SourceForge with this particular link. So in this, you just have to take the backup and you can unpack it using java -jar abe.jar unpack, and then you can again pack it back using java -jar abe.jar pack.

So let's see by going back into Box: it asks us for a passcode now, and unless I enter the correct passcode it won't let us in, right. So let's try to take a backup of the Box application. So for that we'll need the package name of Box. For that let me just connect to the device... adb disconnect, then connect. So, let's do a ps and grep for Box. So this is the package name. So now I can do an adb backup with the package name and -f box.ab. Right. So once you do this it will ask you to unlock your device and confirm the backup. So you just have to click on "Back up my data". You might not specify a passcode, or if you want you can specify a passcode. In this case we'll go without a passcode and click on "Back up my data". So the backup is starting, and now the backup has been finished.

Right. So here we have a file called box.ab. So now if you look at the file box.ab, you'll see that the first 24 bytes actually contain the Android backup. Right. So this is indeed a backup file which has a lot of data. Let's try to make sense of this data using abe.jar. So once you download the Android Backup Extractor and extract it, it will create this bunch of files, and now I can do java -jar abe.jar unpack box.ab box.tar. So it says the file has been created, right. Also at the same time, let's create a list of it using tar -tf. So tar -tf box.tar to box.list. And now let's extract it: tar -xvf box.tar.

So it extracts into a folder called apps, where it has the folder called com.box.android, which is also the package name, and inside that we'll have a few folders with their characters, like f is for files, db is for the database, sp is for the shared preferences.

All right, so let's go inside apps, com.box.android, inside the shared preferences. Let's see which file contains something like a pin. So if you look for pin, we see that there's a mention of pin in myPreference.xml. So let's open up myPreference.xml, and here you see there's a line called string name equals pinCode, which actually contains an encrypted value of the pin code. So we can simply remove this particular line, and this looks like the new file, let's just save it. And now let's go back and compile this into an ab file again. So we'll use star for this: -c -v -f box_new.tar, which will be our new file, -no-dirslash list=box.list. And now we have a new tar, and now we can simply do java -jar pack box_new.tar to box_new.ab. So there is some issue over here. java -jar abe.jar pack. Let's have a look: pack box_new.tar box_new.ab. Okay, looks like it worked this time. Let's try to do a hexdump -c of box_new.ab. So a backup of this program, everything looks good. Not sure if this will work. Oh, we missed the abe.jar earlier. Okay, so now let's try to restore this particular file, box_new.ab.

"Restore my data", the restore is starting, and now let's try to exit Box. Whoa, so if you see now, Box has been opened without any passcode, and you can verify it by going into settings, and it says require passcode: never, which we set earlier to require passcode. Right. So this is how you can identify a backup based vulnerability and you can also exploit it, and one of the ways to secure against it is to specify android:allowBackup="false" in the AndroidManifest.xml.

Now, that's all for this video. If you have any more feedback or queries, feel free to reach out to me at adi@attify.com, or you can also send out a tweet to me @adi1391. Thanks a lot.