1
00:00:00,090 --> 00:00:07,110
- Hello, and welcome to this new video on Android Security and Exploitation by

2
00:00:07,110 --> 00:00:12,540
Pentester Academy. My name is Aditya and I'm your course instructor for this

3
00:00:12,540 --> 00:00:18,020
particular video series. So this course has been run on securitytube-training.com

4
00:00:18,020 --> 00:00:27,660
as well as on PentesterAcademy.com. So this video will cover the Damn Insecure

5
00:00:27,660 --> 00:00:32,527
and Vulnerable Application, which is a deliberately vulnerable app created for

6
00:00:32,527 --> 00:00:38,745
the Android platform. And in this particular video we are going to have a

7
00:00:38,745 --> 00:00:46,100
look at the hard-coding issues. So a lot of Android applications hard-code

8
00:00:46,100 --> 00:00:50,631
something sensitive inside the source code. So if you somehow reverse the

9
00:00:50,631 --> 00:00:55,852
application you will be able to see what kind of sensitive information is there

10
00:00:55,852 --> 00:01:02,598
inside the app source code. It might be something like an API key or a sensitive

11
00:01:02,598 --> 00:01:10,562
URL or a crypto algorithm or anything of that sort. So the first step in order to

12
00:01:10,562 --> 00:01:16,169
analyze the hard-coding issue is to reverse the Android application, and you

13
00:01:16,169 --> 00:01:21,472
can reverse it using different tools. You can either use jadx or dex2jar or any

14
00:01:21,472 --> 00:01:27,181
other tool for that matter. So in this particular video I'll go ahead and use

15
00:01:27,181 --> 00:01:32,931
jadx in order to reverse the application. But before that I'll just show you what the

16
00:01:32,931 --> 00:01:39,940
challenge looks like. This is the hard-coding issue part one and it simply

17
00:01:39,940 --> 00:01:45,165
says, "Find out what is hard-coded and where," and the hint is given,

18
00:01:45,165 --> 00:01:49,221
"Developers sometimes will hard-code sensitive information for ease," and it

19
00:01:49,221 --> 00:01:54,300
asks us to enter our vendor key. And if I try to enter something it says, "Access

20
00:01:54,300 --> 00:02:01,100
denied!" and a friendly message called, "See you in hell." So what I'll do now is

21
00:02:01,100 --> 00:02:13,560
I'll reverse the application using jadx. I'll just go to downloads jadx bin, and

22
00:02:13,560 --> 00:02:23,830
copy it from Pentester Academy diva-beta.apk to here. And if I look here

23
00:02:23,830 --> 00:02:32,040
I have the jadx as well as the diva-beta.apk. So let me go ahead and use

24
00:02:32,040 --> 00:02:39,600
jadx. So when you run jadx on any apk, it might show you a bunch of different

25
00:02:39,600 --> 00:02:46,930
errors, and most of the time you don't necessarily need to worry about it. So

26
00:02:46,930 --> 00:03:00,610
let's simply wait for the decompilation to complete. And it looks like it finished,

27
00:03:00,610 --> 00:03:07,170
even though with errors, but that is fine. So now we can go over to diva-beta, which

28
00:03:07,170 --> 00:03:14,930
was the name of the file. And here you'll see the AndroidManifest.xml as well as the

29
00:03:14,930 --> 00:03:19,720
different packages that were inside it. And since we know that the application

30
00:03:19,720 --> 00:03:33,920
package is jakhar.aseem.diva, we can simply go to jakhar/aseem/diva in order to

31
00:03:33,920 --> 00:03:43,120
check out the application source code. And if you do an ls -la over here, you will

32
00:03:43,120 --> 00:03:47,820
notice that there's an application or, sorry, there's an activity that is called

33
00:03:47,820 --> 00:03:56,771
HardcodeActivity.java. Now let's simply look at this activity. It extends

34
00:03:56,771 --> 00:04:03,413
AppCompatActivity, has an onCreate method, and there's an access method which most

35
00:04:03,413 --> 00:04:08,670
probably will get activated or invoked when the button is selected. So when I

36
00:04:08,670 --> 00:04:15,080
click this button, it will be calling this access method, and since I don't have the

37
00:04:15,080 --> 00:04:21,270
correct password, it says, "Access denied! See you in hell." And if you look

38
00:04:21,270 --> 00:04:28,640
at the line just above it, it compares whatever you have entered inside the text

39
00:04:28,640 --> 00:04:37,000
box to a string which is the vendor secret key. So let's try to enter this particular

40
00:04:37,000 --> 00:04:47,700
string, and it says, "Access granted! See you on the other side." And this is how

41
00:04:47,700 --> 00:04:52,430
you can identify the hard-coded security vulnerabilities. And in most of the

42
00:04:52,430 --> 00:04:58,420
applications you'll find some or other sensitive information being hard-coded

43
00:04:58,420 --> 00:05:06,870
inside the application code. So that was all for this short video, and if you have

44
00:05:06,870 --> 00:05:12,660
any feedback or queries, feel free to reach out to me at adi@attify.com, or

45
00:05:12,660 --> 00:05:19,000
check out the complete video course at securitytube-training.com. Thanks.