Hello, and welcome to this new video of Android Security and Exploitation by Pentester Academy. My name is Aditya, and I am your course instructor for this entire training series. So in this particular video, we are going to have a look at the Damn Insecure and Vulnerable Application, which is also known as DIVA. Now, this is a vulnerable application created by Aseem Jakhar of Payatu, and made in order to help you understand the different vulnerabilities in Android applications. Now, a lot of these vulnerabilities are something which you have already gone through in the Android Security for Pentesters course by SecurityTube. So this might act as a learning experience, or something where you can apply what you've already learned in the previous videos to another vulnerable application. And if you're completely new to Android security, it is also a good starting point to understand what different kinds of security issues are present in Android applications. Now, apart from DIVA, there are a couple of other vulnerable apps which you can also go through; some of them are GoatDroid, InsecureBank, Intrepidus Learner, and so on. So before moving forward, this entire course is available at securitytube-training.com and pentesteracademy.com.

So, DIVA is an open-source application and you can download the source code from this GitHub URL. Also, you can simply download the application binary from this shortened URL. So let me just go ahead and download the application as well as install it on my virtual device.

So this is my Santoku VM. Let me simply SSH into it, and go to Desktop/PentesterAcademy/. So in this case I have already downloaded the zip file which contains the DIVA apk. So I simply extract it, and I get the apk file here. Let me also make sure that my Genymotion device is connected. And now that my Genymotion device is connected, I can go ahead and install the DIVA apk.

So, this is how the application looks. It says "Welcome to DIVA", and there are a couple of different exercises, ranging from insecure logging to hardcoding issues, insecure data storage, input validation, and so on. So there are a bunch of exercises which you can play with. I'll just start with the first one, which is insecure logging.

So, insecure logging actually tells you the different ways in which an Android application logs something sensitive to the Android logcat. Now if you have seen the videos, you must know that Android maintains a centralized logcat which is accessible to all the applications on the device. So if an application developer wants to log something, maybe for debugging purposes, he can use the Android logcat and log the information over there. And you as a pentester or security researcher can access that logcat over adb, or the Android Debug Bridge. Or you can create another application which can read the logcat.

So in this case, let's run this exercise. And it's simply asking me to enter the credit card number. So I'll go in and enter the credit card number. Obviously this is not my real number. So I've entered the credit card number over here, and in the meanwhile, I'll just check the logcat for this particular application. So I can grep for the process ID, and I can do a logcat adding a grep of that particular process ID. So "adb shell ps | grep -i diva", and I get the process ID of 1676. Now we can do "adb logcat" and grep for 1676, and try to enter the credit card number. And if you see here, it simply says, "An error occurred. Please try again later." But if you look in the logcat, you see the entire message as well as the credit card number. So in this case, the credit card number, which is sensitive information, is being leaked through the logcat. And this is what the security vulnerability is. So whenever you build an application, you should ensure that you're not logging anything sensitive in the production build of the application. Or if you're using another library, like ProGuard, that will actually take care of that as well.

So that's all for this video, and if you have any feedback or queries, you can send me an email at adi@attify.com, and you can check out the entire course at securitytube-training.com and PentesterAcademy.com. Thank you.