Operation and Maintenance
Safety
Example analysis of static analysis of APK files to discover leakage of hard-coded passwords in APP applications
Example analysis of static analysis of APK files to discover leakage of hard-coded passwords in APP applications
The Writeup I share with you today is a static analysis of Android APP. Due to the problems of insecure storage and hard-coded password leakage in the APP, it is possible to log in to its SMS management system and hijack its SMS interface configuration. The following is relevant analysis and research.
Get started
Since the scope of the public testing project involves a certain Android APP from a relevant manufacturer, I downloaded this APP on my Android phone and put it The APK file is taken out for static analysis. Here are two native and fast APK download URLs recommended:
https://apk.support/apk-downloader
https://apkpure.com/
After obtaining the APK file, we need to decompile it and find the Java class files in it for analysis. You can install the following two tools here:
https://github. com/pxb1988/dex2jar
https://mac.filehorse.com/download-jd-gui-java-decompiler/
After installing the above tools, we put the target APP Put the APK file into another separate folder, change its suffix from .apk to .zip, and then unzip the zip file. After that, we can see some xml documents, path files, template resource files, etc., in these files Our target is the classes.dex file. After decompression, you will usually find one or more classes.dex files. Next, we can convert the dex file into a java file by using the dex2jar tool. The specific command is as follows:
dex2jar classes.dex
If this command does not work, Then you can use another version of dex2jar command:
d2j-dex2jar classes.dex
After running the above command, classes_dex2jar will be generated in the folder. jar's java file. Once we have this file, we have to use another useful tool to decompile it. I personally like to use JD-GUI here, https://github.com/java-decompiler /jd-gui, after using it to open the generated jar file, we can see many java resource files, and we can also save and read these different resource files.
With the saved resource file code, we must try to find some problems from it. Here I recommend a tool - the automated mobile security penetration testing framework: Mobile Security Framework (MobSF) , it is an intelligent, integrated open source mobile application (Android/iOS) automatic penetration testing framework that supports binary files (APK & IPA) and source code compression packages. It can be used for static and dynamic analysis.
Code Analysis
After completing the above work, we can deeply analyze the code of the target Android APP. When I sat down to analyze according to my checklist, I soon found one of the files called Constant.java. It was located in the SMS path of the APP and contained some scattered information, such as Username, Loacation, Password and other hard-coded services. Message and the URL path of the SMS API. The general situation is as follows:
Further analysis found that the APP uses reson8 company’s instant messaging platform for commercial promotion, https://www.reson8.ae/, I browsed the reson8 company website , and found that it has a user login interface, so I thought of the Username and Password information leaked in the above static analysis, and brought it here to log in and use it. Sure enough, as soon as I entered and submitted, I entered the SMS sending management of the target APP company. System:
The management system is an SMS API gateway, through which management operations such as SMS directional sending settings, marketing upgrades and recharges can be implemented, and more importantly It is the mobile phone number of the user that can be downloaded.
Summary
Before doing dynamic and other analysis on the APP, it is recommended to do some static analysis on it. You can do it in sequence according to your own check list, and you may be able to get some unexpected bits and pieces from it. information. For APP application companies, they must avoid storing some password and credential-related information in the APP. Even if necessary, some appropriate encryption processing is required.
The above is the detailed content of Example analysis of static analysis of APK files to discover leakage of hard-coded passwords in APP applications. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to perform real-name authentication on Jingdong Mall APP
Mar 19, 2024 pm 02:31 PM
How to get real-name authentication on Jingdong Mall APP? Jingdong Mall is an online shopping platform that many friends often use. Before shopping, it is best for everyone to conduct real-name authentication so that they can enjoy complete services and get a better shopping experience. The following is the real-name authentication method for JD.com, I hope it will be helpful to netizens. 1. Install and open JD.com, and then log in to your personal account; 2. Then click [My] at the bottom of the page to enter the personal center page; 3. Then click the small [Settings] icon in the upper right corner to go to the setting function interface; 4. Select [Account and Security] to go to the account settings page; 5. Finally, click the [Real-name Authentication] option to fill in the real-name information; 6. The installation system requires you to fill in your real personal information and complete the real-name authentication
How to decrypt app resources in cocos2d-LUA reverse engineering
May 16, 2023 pm 07:11 PM
Let's take the Dashen apk as an example. Through the previous analysis of the app decryption Lua script, we can decrypt the Lua script of the Dashen apk. Now let's decrypt its resources (configuration files and pictures, etc.). Let’s take a more important configuration file as an example. Before decryption: the file header also has a signature value: fuckyou!. Seeing this, we first thought about whether it was also encrypted with xxtea. We used the above method to decrypt it with xxtea first, and then decompressed it. We found that it was still garbled, and an error occurred during the operation. Obviously, we have to deny what we just said. conjecture. We continue to decrypt the configuration file step by step. Think about it for a moment, the file header is: fuckyou! If you want to decrypt files, you will inevitably need to process
Google app beta APK teardown reveals new extensions coming to Gemini AI assistant
Jul 30, 2024 pm 01:06 PM
Google's AI assistant, Gemini, is set to become even more capable, if the APK teardown of the latest update (v15.29.34.29 beta) is to be considered. The tech behemoth's new AI assistant could reportedly get several new extensions. These extensions wi
Steps and precautions for registering a Hong Kong Apple ID (enjoy the unique advantages of the Hong Kong Apple Store)
Sep 02, 2024 pm 03:47 PM
Apple's products and services have always been loved by users around the world. Registering a Hong Kong Apple ID will bring more convenience and privileges to users. Let’s take a look at the steps to register a Hong Kong Apple ID and what you need to pay attention to. How to register a Hong Kong Apple ID When using Apple devices, many applications and functions require using Apple ID to log in. If you want to download applications from Hong Kong or enjoy the preferential content of the Hong Kong AppStore, it is very necessary to register a Hong Kong Apple ID. This article will detail the steps on how to register a Hong Kong Apple ID and what you need to pay attention to. Steps: Select language and region: Find the "Settings" option on your Apple device and enter
How to cancel the data package on China Unicom app How to cancel the data package on China Unicom
Mar 18, 2024 pm 10:10 PM
The China Unicom app can easily meet everyone's needs. It has various functions to solve your needs. If you want to handle various services, you can easily do it here. If you don't need it, you can unsubscribe in time here. It is effective. To avoid subsequent losses, many people sometimes feel that the data is not enough when using mobile phones, so they buy additional data packages. However, they don’t want it next month and want to unsubscribe immediately. Here, the editor explains We provide a method to unsubscribe, so that friends who need it can come and use it! In the China Unicom app, find the "My" option in the lower right corner and click on it. In the My interface, slide the My Services column and click the "I have ordered" option
How to Conduct Authorized APK Penetration Testing
May 20, 2023 pm 12:29 PM
As a penetration testing novice, the purpose of this article is to provide some testing ideas for those novices like me. The content involved may be relatively basic, cousins, please forgive me. After unpacking the APK and getting the apk, use 7-Zip to unzip it directly to get several folders, an AndroidManifest.xml file, and a dex file. Use dex2jar https://sourceforge.net/projects/dex2jar/ to decompress this dex file to generate a jar file, and then use jd-gui to view the java source code. Of course, you can find loopholes in the code from the source code, but there is usually confusion, so we won’t discuss it in depth here.
How to issue invoices with multipoint app
Mar 14, 2024 am 10:00 AM
As a shopping voucher, invoices are crucial to our daily lives and work. So when we usually use Duodian app for shopping, how can we easily issue invoices in Duodian app? Below, the editor of this website will bring you a detailed step-by-step guide for opening invoices on multi-point apps. Users who want to know more must not miss it. Come and follow the text to learn more! In the [Invoice Center], click [Multi-Point Supermarket/Free Shopping], select the order that needs to be invoiced on the completed order page, click Next to fill in the [Invoice Information], [Recipient Information], and click Submit after confirming that they are correct. After a few minutes, enter the receiving mailbox, open the email, click on the electronic invoice download address, and finally download and print the electronic invoice.
How to use deep linking to backdoor Facebook APP
May 19, 2023 pm 02:49 PM
Recently, the author discovered a deep link vulnerability in the Facebook Android APP. Using this vulnerability, the Facebook Android APP installed on the user's mobile phone can be converted into a backdoor program (Backdoor) to achieve backdooring. In addition, this vulnerability can also be used to repackage the Facebook APP and send it to specific target victims for installation and use. Let’s take a look at the author’s discovery process of this vulnerability, and how to construct it through Payload and finally transform it into a security risk in the actual production environment of Facebook APP. When I usually do public testing when discovering vulnerabilities, I will first carefully understand the application mechanism of the target system. In my last blog, I have shared how to parse Face
