Dealing With Encryption In Mobile Application (Android)

By
Hi guys. It's been awhile since I post something. Today I will share some insight on dealing with encryption on mobile application.

As you all know, these days every mobile application have some sort of encryption in order to "secure" it. In most cases, encryption only been used to divert the main issue.

For example, the developer does not practice secure coding that pretty much ends up with a lots of security issue in the application. So, to solve this issue, they simply use encryption to simplify their work instead of fixing the code.  

In some cases, the developer might expose the secret key or hard-coded the key in the application. The secret key can be used to decrypt the data.

Now, lets see some of the example. *Do note that this can only be done if you have the key

1) When dealing with android application (apk file), we can use jadx to decompile the apk and search for the key. Below is the example of the key.


 2) After getting the key, we can decrypt the data. In this case, the application uses JAVA encryption.
You can refer this page for more details.
https://howtodoinjava.com/security/java-aes-encryption-example/
Normally encryption and decryption method is included with the key in the application.


3) Now we just need to copy and paste the encryption and decryption method. Then we will need to create a class that can print out the value so that you can start tampering with the data. Below is the example.


4) Then save it as jar file and we can start tampering with the encrypted data. Below is example of encrypted data.

 5) Run the jar file that can decrypt and tamper the data. Below is the example.



Now we can simply test all the encrypted data. Do note that you will need some programming skills/understanding to pull this off. So go and learn any programming language. It will surely helps in your work.

Credit to my colleague Izz for helping me with this stuff.

That's all from me for today. I will be posting more if I got any interesting knowledge to share.

Cheers.





Comments

Post a Comment

Popular posts from this blog

Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form.

By
Image
Hi All, Today I will share POC on vulnerability found during pentest. As per the title, I recently found SQL Injection vulnerability on a thick client.  To read more about thick client, click here :  https://techterms.com/definition/thickclient Thick clients, also called heavy clients, are full-featured computers that are connected to a network.  While a thick client is fully functional without a network connection, it is only a "client" when it is connected to a server. The server may provide the thick client with programs and files that are not stored on the local machine's hard drive.   Exploit Title:   Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form. Details & Description :   SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL
Read more

Setting up MobSF in Ubuntu 18.04

By
Image
Hi guys, It's been a while since I last updated the blog. Been busy. So, for today I will be giving guide on how to setup MobSF in Ubuntu 18.04 . There is a lot of guide out there about how to setup MobSF. I'm here to give out step by step guide to set it up as per my own experience. The main reason of using Ubuntu 18.04 is because it has a built-in Python 3.6 and pip3 version 9.0.1 which is the requirements to setup MobSF. It's pretty much simplify the process of setting up MobSF. *Note that this is a guide to setup MobSF for static analysis. For dynamic analysis, you can refer to MobSF page in github. MobSF also known as Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing. Can further read about MobSF here:  https://github.com/MobSF/Mobile-Security-Framework-MobSF For Ubuntu 18.04 can be downloaded
Read more

Setting up RMS in Ubuntu 18.04

By
Image
Hi peeps, It's been a while since my last post. Been busy. So, for today I would like to share on how to setup RMS (Runtime Security Mobile) in Ubuntu 18.04. RMS -  https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security "Runtime Mobile Security (RMS), powered by FRIDA, is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime." "You can easily dump all the loaded classes and relative methods, hook everything on the fly, trace methods args and return value, load custom scripts and many other useful stuff." This is a continuation of my post here  https://faudhzanrahman.blogspot.com/2019/09/setting-up-mobsf-in-ubuntu-1804.html  where I did a setup on MobSF.  I'm currently trying to set a box where it contains all sort of testing tools specifically for mobile . Now I have both MobSF and RMS setup in this box which is the Ubuntu 18.04. The same reason of setting RMS in this box is because the requirements fits Ubuntu 18.04. T
Read more