[00:00:00] Hello, and welcome to the new video of Android Security and Exploitation by Pentester Academy. I am Aditya and I am your course instructor for this entire training series. So if you're watching the video, you can go check out the certifications at securitytube-training.com. You can also subscribe to the videos at PentesterAcademy.com.

[00:00:25] So in this particular video, we are going to have a look at the Damn Insecure and Vulnerable Application, also known as "DIVA." And we'll have a look at the hardcoding issues, the second part. So, in the previous hardcoding issues, if you remember, we had a look at the application source code and we were able to figure out the vendor secret key, right? But if you look at the hardcoding issue in this case, you will notice that the JNI is used to perform validation. And what I mean by this is if you open up the source code, "jakhar/aseem/diva", and you go inside the hardcode 2 activity, you notice that the djni.access is actually getting a text from somewhere using the JNI and it is checking whether it is valid or not, right?

[00:01:26] Now, the way in which you can check it is by doing an "adb shell," going inside the application directory, and looking at the "lib" folder. If you notice, we have a "libdivajni.so" over here. And all you need to do is pull out that ".so" file and analyze it using "objdump" or "readelf" or any other disassembler for that matter, right? So we just exit this and do an "adb pull," and the location I'll use is "/data/data/jakhar.aseem.diva/lib/libdivajni.so". And now once I have this particular file, which is "libdivajni.so", I can go ahead and analyze it.

[00:02:31] And one of the ways to analyze it is by simply running strings on this particular ".so" file. So a lot of times the vendor or the manufacturer of the application actually hardcodes the keys inside the ".so" files, so if you run strings you'll be able to see all the different constants, or strings, inside the ".so" file. So you see a lot of different sections, like the data, the bss. And you also see some weird-looking characters, or strings, such as this one, or the "dotdotdot" string, right? And this could possibly be the secret key, right?

[00:03:13] Now, another way to check is whether the vendor would have declared this particular key inside the ".rodata" section. And the ".rodata" section is simply a segment which stores the constant data in a binary, right? So if you want to look deeper inside any binary, or any ".so" file for that matter, you can check out the ELF structure at this particular URL. So once you go to this URL, you'll be able to figure out the different sections that are there in a binary and what exactly ".rodata" means, right?

[00:03:53] But for now, we'll simply use "objdump", along with showing the full content using "-s" and printing out the section ".rodata" specified by "-j". So let's try this out. So we'll use "objdump" in order to extract the ".rodata" section. So let's go ahead and use it. Let's specify... And if you notice, it has printed out the contents of the ".rodata" section. And in this case, it simply is this entire string, right? So this might be one of the strings and this could be another string, right?

[00:04:38] So let's go ahead and try this out on the Access Control Issues, and find the Hardcoding Issues - Part 2. So let me just go ahead and copy this, and paste it. And if you click on "Access" it says, "Access granted! See you on the other side." So this was indeed the key which the hardcoding issues challenge was looking for.

[00:05:04] Now, another way to get the same information is using the "readelf" utility. So you can do a "readelf -x .rodata" and the "libdivajni.so" filename. And it will print out the same ".rodata" section. And for further information, you can also look for the source code for this particular exercise which is in the "diva-android/app/src/main/jni/". And if you look at "divajni.c", you can see that vendor key is one of the constants that is defined and this is the value. And later on, the vendor gives the key that it is comparing it against, right?

[00:05:53] So this was the hardcoding issue part two, and this pretty much is everything about "DIVA". Now there is another exercise which is "Part 13 Input Validation Issues - Part 3". And I highly recommend you go ahead and try it out as a challenge. So you can check out the complete training at securitytube-training.net and you can check out the subscription videos at pentesteracademy.com. And feel free to reach out to me at adi@attify.com or tweet it to me @adi1391. So hope you enjoyed the video, and looking forward to seeing the other course videos.