1
00:00:00,080 --> 00:00:05,620
- Hello all and welcome to the new video of Android Security and Exploitation by

2
00:00:05,620 --> 00:00:11,240
Pentester Academy. My name is Aditya and I'm your course instructor for this entire

3
00:00:11,240 --> 00:00:17,990
training series. So in this particular video we are going to have a look at

4
00:00:17,990 --> 00:00:22,990
Android Hooking and basically we'll get started with Android Hooking as the next

5
00:00:22,990 --> 00:00:27,703
couple of videos will be simply telling about different ways of API Hooking and

6
00:00:27,703 --> 00:00:38,145
what all you can achieve with Android API Hooking. So Android Hooking is typically

7
00:00:38,145 --> 00:00:44,489
essential when you want to analyze an application on the go. So, for example,

8
00:00:44,489 --> 00:00:50,415
let's say you want to analyze an application which is calling some methods

9
00:00:50,415 --> 00:00:54,683
and you want to know what those methods are or you want to know what kind of

10
00:00:54,683 --> 00:01:00,365
arguments are being passed to that particular method. And also, when the

11
00:01:00,365 --> 00:01:05,931
application might be using some custom protocol for communication and not the

12
00:01:05,931 --> 00:01:14,433
typical HTTP or HTTPS which you can simply analyze using the proxy tool. Right. Or

13
00:01:14,433 --> 00:01:20,162
the application might also be using a kind of cryptographic algorithm which is custom

14
00:01:20,162 --> 00:01:26,587
developed. So you want to know what kind of algorithm it is using, it might also be

15
00:01:26,587 --> 00:01:31,468
leaking the key in maybe one of its arguments, or you can basically find a lot

16
00:01:31,468 --> 00:01:37,418
more information about it. Right. So what do you do in that particular scenario? So

17
00:01:37,418 --> 00:01:43,295
the answer is you can create an API hook and tell the name of the methods or tell

18
00:01:43,295 --> 00:01:48,281
the name of the API calls which you want to hook into and analyze the application

19
00:01:48,281 --> 00:01:53,232
like that. So there are a couple of tools which you can use for API hooking or

20
00:01:53,232 --> 00:01:58,370
simply Android hooking or debugging. And some of the tools are JDB,

21
00:01:58,370 --> 00:02:01,970
which is the Java Debugger, which actually comes along with the Java

22
00:02:01,970 --> 00:02:07,500
installation. And then the other tools are Andbug, which is another really nice tool

23
00:02:07,500 --> 00:02:13,720
written on top of JDB. And then you have the Cydia Substrate which is also for iOS,

24
00:02:13,720 --> 00:02:19,970
as well as Android. And then you have Introspy and Xposed Framework. Right. So

25
00:02:19,970 --> 00:02:25,480
we'll be going through each of them one by one in one of the subsequent videos and

26
00:02:25,480 --> 00:02:30,380
the application we'll be taking for example for this entire exercise is the

27
00:02:30,380 --> 00:02:36,160
InsecureBank. So InsecureBank is a wonderful Android application written by

28
00:02:36,160 --> 00:02:41,510
an Android security researcher called Dinesh Shetty. It uses a client-server

29
00:02:41,510 --> 00:02:46,520
architecture so the application communicates with the server running on

30
00:02:46,520 --> 00:02:52,160
your system in order to basically log in as well as perform some transactions as

31
00:02:52,160 --> 00:02:56,780
it's a vulnerable banking application. Right. So I'll quickly guide you through

32
00:02:56,780 --> 00:03:04,250
how to set up the InsecureBank application. So if you go to your VM

33
00:03:04,250 --> 00:03:12,073
inside the debug folder you'll have the My-Insecure-Bank.zip, so you can simply

34
00:03:12,073 --> 00:03:20,355
unzip it and you go inside the InsecureBank, the extracted one. There

35
00:03:20,355 --> 00:03:26,015
will be an AndroLabServer which is the server component, and the InsecureBank

36
00:03:26,015 --> 00:03:31,970
which contains the source code as well as the APK of the application. Right? So

37
00:03:31,970 --> 00:03:39,450
let's first of all go ahead and install the APK. We'll go inside the bin and here

38
00:03:39,450 --> 00:03:47,820
you have the InsecureBank.apk. Let's do adb install InsecureBank.apk, right? And

39
00:03:47,820 --> 00:03:55,150
if you look in Genymotion, you'll have the InsecureBank over here. Right.

40
00:03:55,150 --> 00:04:00,720
The next thing that you need to do is go inside the Android lab server,

41
00:04:00,720 --> 00:04:08,160
and launch the server which is the app.py, and simply do app.py and restart the web

42
00:04:08,160 --> 00:04:16,200
server, right? So let me also figure out my IP, so that I can put inside the

43
00:04:16,200 --> 00:04:30,855
application. So it's 192.168.161.241. Simply change this 161.241. And also

44
00:04:30,855 --> 00:04:36,827
change the server port to 8080. And now I can basically log in to the

45
00:04:36,827 --> 00:04:49,172
application...dinesh, dinesh@123$. So now I'm able to log inside the application and

46
00:04:49,172 --> 00:04:56,073
I can basically do any transaction I want. So I can transfer from the account 333 to

47
00:04:56,073 --> 00:05:04,622
1234 and the amount is maybe $50,000. So this transaction happened. Right. Also

48
00:05:04,622 --> 00:05:12,078
you'll see all the transactions happening in the logcat. So if you look inside the

49
00:05:12,078 --> 00:05:20,767
logcat, let's just grep it for this particular application shell ps grep

50
00:05:20,767 --> 00:05:33,373
insecure, logcat, grep the process ID. So if you look over here it says the transfer

51
00:05:33,373 --> 00:05:39,543
amount is $50,000 from account 333 to 1234, right? So anything you do in the

52
00:05:39,543 --> 00:05:48,848
application will be basically visible over here. So you can do it again. And if you

53
00:05:48,900 --> 00:05:54,777
look over here it transferred the money. So this is how you set up the InsecureBank

54
00:05:54,777 --> 00:06:00,290
application and the server component, right?

55
00:06:00,290 --> 00:06:07,450
So in the next videos we'll start using the debug tools for Android such as JDB

56
00:06:07,450 --> 00:06:12,470
and Andbug. We'll carry on forward with the other Android Hooking tools. Thanks

57
00:06:12,470 --> 00:06:17,580
for watching the video. If you have any feedback or queries feel free to email me

58
00:06:17,580 --> 00:06:23,000
at adi@attify.com or you can tweet me @adi1391. Thanks a lot.