Reversing Android Apps. Looking for Vulnerabilities
In this article, we will continue to explore the topic of reversing Android applications. In previous articles, we looked at the main tools we will need and talked about how to analyze APK files for suspicious activity. Today, we will look at how to find vulnerabilities in an Android application.
As you know, there are several ways to search for vulnerabilities. There are methods based on the analysis of the source code of the application and the dependencies used in it. There are also vulnerability scanners, which also try to identify vulnerabilities in an already compiled file – an artifact – in various ways. There is also fuzzing – a technique based on feeding the application incorrectly constructed data and large data. Here, the detection of potential vulnerabilities is based on the analysis of the application for the supplied data set.
And another method of searching for vulnerabilities is reversing. That is, analyzing a ready-made APK file. This is the method we will use to search for vulnerabilities.
Our goal will be to effectively apply our reverse engineering skills in a DEX tool to find a vulnerability in an Android app. This example is a bit more complex than the previous ones and will introduce us to reversing in different components of the app.
In practice, searching for vulnerabilities in APK may be required, for example, when analyzing banking applications. You are concerned that this application may have a vulnerability that allows you to execute arbitrary commands. Accordingly, we will be interested in program fragments that potentially allow you to execute arbitrary code.
Let's start exploring
For reversing, as in previous articles, we will need a virtual machine Android App, in which we will need to run jadx, and open the file FotaProvider.apk.
First of all, we need to ask ourselves: how can we execute arbitrary commands in an Android application? In addition, it is also important how the application could receive remote commands, because we need to somehow exploit the vulnerability found.
First, let's open the jadx file and look at the contents of the manifest.
So, we have two questions: how can we execute arbitrary commands and how can we pass commands to the application. Let's start with the first question. If you look at the documentation for developing Android applications, there are three API calls that allow you to execute commands: Runtime.exec(), Processbuilder() and using system() in code.
Let's look for calls to these APIs in our application code. To do this, we'll perform a Text search. We found four occurrences of the word Runtime.
The third option is of some interest to us. As you can see, it contains the exec function, which executes the value of a certain variable str. If we examine this code fragment in more detail, we will see the following:
As you can see, Process exec can execute arbitrary code that is passed to it as the str parameter. But we need to understand this parameter, that is, we need to understand what values can be passed in it.
To do this, we will look for calls to ArrayList using Usage search:
The first entry will be the most interesting for us. Here the command shell is called. It seems to be what we need, let's move on to the code fragment that calls ArrayList:
And here we see that the command shell launch we found is not, in essence, a vulnerability and does not allow arbitrary code to be executed.
The program explicitly states that “/system/bin/sh” will be called. This value is hardcoded and cannot be changed in any way. Therefore, we will have to continue our search and look for other API function calls.
Looking for ProcessBuilder
Next on the list we have a call to the ProcessBuilder API.
We got several lines. The first line is of most interest to us here. Let's run a query on this line that will search for code fragments related to this call using Usage search:
The first line, containing return, may be interesting. Let's take a closer look at the code fragment in which it is used.
Here we pass cmd some string value, which the SysService function will then return after the call. Accordingly, to execute arbitrary code, we need to pass SysService in the cmd variable the commands we need for their subsequent execution.
So, we may have found the answer to the first question – how arbitrary code can be executed. Now let's try to find the answer to the second question – how our application can be given the appropriate command.
Broadcast messages
Sometimes, our apps need to receive notifications from the operating system and other apps, such as battery level. Broadcast messages are used for this purpose. By broadcasting events using messages, you open up your app components to third-party apps, and third-party developers can respond to events without having to modify your original app. In your app, you can listen to broadcast messages from other apps, replace or improve the functionality of your own (or third-party) app, or respond to system changes and app events.
But in our case, broadcast messages can be used precisely to transmit arbitrary commands to a vulnerable application.
Let's look for the onReceive procedure in the code. It is the one that receives messages from other applications. And here we see the already familiar cmd line.
Thus, any application or component on the device can receive an arbitrary command executed on behalf of a privileged system user through this application. For example, the Data Provider.apk application exports a broadcast receiver for the write command through our application's action android.intent.action.AdupsFota.operReceiver.
Any device component can send a request with this action and an additional string “cmd”, and this “cmd” will be executed, since our application has a corresponding action.
Conclusion
In this simple example, we looked step by step at how you can examine an application for potential vulnerabilities and errors made by developers.
All current methods and tools for developing applications, including mobile ones, can be mastered in OTUS online courses: in the catalog you can see list of all programsand on the calendar – sign up for open lessons.
