hacking apps so easy an infant can do it

Published at 2016-03-08 22:21:50

Mobile app hacking is nothing new. Many people have performed different assessments and there are even courses all about it. Even so, many penetration testers may still be hesitant about performing these types of assessments, or may not do them well. Mobile application hacking is much like other forms of hacking. You can’t get really good unless you regularly practice. So how can we get experience hacking mobile applications? Well, with over 1.5 million apps in the Google Play store and the Apple App store, there is no shortage of apps to play with. There are also numerous purposely vulnerable mobile apps you can download and test as well.

There are a number of different techniques for analyzing mobile applications. They include:

- File System Analysis
- Network Analysis
- Source Code Analysis
- Dynamic Analysis

For the purpose of this blog entry, we will be focusing on File System Analysis on Android. We will expand this into a series if there is a demand for it.

To access the file system contents of an app, you need the appropriate permissions. On Android, that generally means root access. During engagements, I have had customers say “Well you have root access. Without that you wouldn’t have gotten to that data, and most people’s devices aren’t rooted.” A point well taken, and since I am in the business of showing true risk to an organization, I figured what better way than to create a tool that would allow access to the file system contents without root access, and thus, backHack was born.

backHack was created over 2 years ago, but I got busy and put the tool on the backburner. Fast forward to a few weeks ago when I found a new game: Alto’s Adventure. The game is awesome for a time killer, and beautifully made. It took a long time to get to the next level and collect coins, and I decided it was time to dust off backHack and see what I could do with the application.
Instead of just telling you what I did, I will show you, and I encourage you to follow along on your own. First, we need to make sure we have Android Studio installed, or at least ADB (Android Debug Bridge) accessible in our PATH. We also need to have debugging enabled on our device. At this point, issue the command ‘adb devices’ and make sure your device is showing as connected.

Now we run backHack. (python backHack.py)

backHack has been designed with a simple menu system that would be easy enough for an infant to use. We first need to choose what app we want to “hack”. For that, choose option 1, then select either option 1 to list all apps on the device, option 2 to search for an app, or option 3 to type in the name of the app. For our purposes we are looking at Alto’s Adventure, so I will choose option 2, type in ‘alto’, and find the app name of ‘com.noodlecake.altosadventure’. I then copy and paste that name under option 3, returning me to the main menu.

Next, I back up the app by selecting option 2. For this step, we will be prompted to unlock our device and confirm the backup operation.

Once the backup is complete, backHack extracts the backup, placing the file system contents under apps/. In this case, it is apps/com.noodlecake.altosadventure.

We then can poke around the file system and see what is there. Some good places to look are under the sp folder (shared_prefs) and the db folder (databases). In the case of Alto’s Adventure, there is an XML file named com.noodlecake.altosadventure.xml.

When we look at this file, we find settings for the app, including coins and level. I find it fun to make changes and see what it does, so let’s do that. We set coins to 999999999 and level to 60. (60 is the highest level currently, and we don’t want to be greedy by going for $1000000000 coins, do we?)

After saving the file, we then go back to backHack and select option 3. This will repack the app and restore it to your device.
Again, you will be prompted to confirm the restore operation on the device.

Now that the app has been restored, we then open the application and see what happened. Boom! 999999999 coins, and level 61! (Notice the entry in the XML file was for currentGoalLevel, which we set to 60. The entry actually means “completedGoalLevel”. Also, coins are at 1000000000. Guess they round up?)

While this is a fun way to get additional lives, coins, and level up on a game, the same methodology can be used in any app. For instance, how about modifying your United app to show you have 14000000 miles, are Premier 1K, and Star Alliance Gold?

Many times more than just modifying how an app behaves, you may find passwords or other sensitive information stored in the file system, and backHack shows the risk better than having a rooted device, since now ANY device that is unlocked is able to be accessed.
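To gauge what an app exposes through this backup path, the extracted shared_prefs files can be reviewed for plaintext secrets and for state the app trusts from local storage. The script below is an added example, not part of backHack or the original post; the sample XML, its key names, and the keyword lists are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in Android's shared_prefs XML layout; keys and values are
# illustrative and not taken from any real app.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <int name="coins" value="1200" />
    <int name="currentGoalLevel" value="7" />
    <boolean name="soundEnabled" value="true" />
    <string name="session_token">EXAMPLE-TOKEN-VALUE</string>
    <string name="userPassword">example-password</string>
</map>"""

# Assumed keyword lists; tune them to the app under review.
SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|session", re.I)
STATE = re.compile(r"coin|level|score|balance|premium|status|miles", re.I)


def parse_prefs(xml_text):
    """Return {name: (type, value)} for every entry in a shared_prefs file."""
    entries = {}
    for el in ET.fromstring(xml_text):
        name = el.get("name")
        # <string> keeps its value as element text; scalars use a value attribute.
        value = el.text if el.tag == "string" else el.get("value")
        entries[name] = (el.tag, value)
    return entries


def audit_prefs(xml_text):
    """Flag entries that anyone holding a backup could read or edit."""
    findings = []
    for name, (kind, _value) in sorted(parse_prefs(xml_text).items()):
        if SENSITIVE.search(name):
            findings.append((name, kind, "secret stored in plaintext"))
        elif STATE.search(name):
            findings.append((name, kind, "client-trusted state, editable offline"))
    return findings


if __name__ == "__main__":
    for name, kind, issue in audit_prefs(SAMPLE_PREFS):
        print(f"{name:20} {kind:8} {issue}")
```

Entries flagged as client-trusted state are candidates for server-side validation, and entries flagged as secrets are candidates for removal from local storage or for protection with a hardware-backed keystore.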

Source: rapid7.com
