Debug Flag
In Android you can set a flag in the manifest file that tells the OS whether or not an application can be debugged. This flag is commonly set to true during development; if it is still set to true in production, it is dangerous and can lead to weaknesses such as sensitive file exposure.
The attribute on the <application> element in the manifest file looks like this:
android:debuggable="true" or android:debuggable="false"
Checking Application Debug Flag
During a security review it is important to check whether the application has debuggable="true". Fortunately, there is a drozer module that does the work for us. To check all the application packages on the device, run the command below. As you can see, the insecure bank application has debuggable on.
To see which applications are active and connected to the debugging socket (@jdwp-control), run the 'adb jdwp' command below.
The jdwp command gives us a list of PIDs of processes that can be debugged. We can find out which packages those PIDs map to using the ps and grep commands. You can see below that we can debug the insecure bank application.
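The same check can be done offline against a decoded manifest, which is useful when auditing a batch of builds before they are released. The following is an added example written for this post, not the drozer module or any code from the original; it assumes the manifest has already been decoded from the APK's binary XML into plain text (for example with apktool), and the two sample manifests and package names inside it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifests for hypothetical apps; not taken from any real APK.
# A manifest inside an APK is binary XML, so decode it first (e.g. with apktool)
# and feed the resulting text to check_debuggable().
MANIFEST_DEBUGGABLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.insecurebank">
  <application android:label="Insecure Bank" android:debuggable="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

MANIFEST_DEFAULT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.release">
  <application android:label="Release Build">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def check_debuggable(manifest_xml: str) -> dict:
    """Report whether a decoded AndroidManifest.xml marks the app debuggable.

    Returns the package name, whether the android:debuggable attribute is
    present at all, and its effective value (an absent attribute means the
    app is not debuggable, which is the Android default).
    """
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    # The attribute lives in the android: namespace, so look it up by full name.
    raw = app.get("{%s}debuggable" % ANDROID_NS)
    return {
        "package": root.get("package"),
        "attribute_present": raw is not None,
        "debuggable": raw is not None and raw.strip().lower() == "true",
    }


def audit(manifests: dict) -> list:
    """Return the labels of the manifests that enable debugging."""
    return [label for label, xml in manifests.items()
            if check_debuggable(xml)["debuggable"]]


if __name__ == "__main__":
    for label, xml in (("debuggable", MANIFEST_DEBUGGABLE), ("default", MANIFEST_DEFAULT)):
        print(label, check_debuggable(xml))
```

Running the module prints one report per sample manifest; in a release pipeline you would feed audit() every decoded manifest and fail the build if the returned list is not empty.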
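The PID-to-package mapping described above can be scripted so that a device check produces a list of debuggable packages rather than something you eyeball from grep output. This is an added example for this post, not code from the original; the `adb jdwp` and `adb shell ps` outputs it parses are constructed samples shaped like those commands' output (PID in the second column, process name in the last), and the package names in them are placeholders.

```python
# Constructed sample output shaped like `adb jdwp` (one PID per line).
SAMPLE_JDWP = "1234\n5678\n"

# Constructed sample output shaped like `adb shell ps`: the PID is the second
# column and the process (package) name is the last column on every row.
SAMPLE_PS = """USER     PID   PPID  VSIZE  RSS   WCHAN    PC        NAME
root      1     0     8960   656   ffffffff 00000000 S /init
u0_a52    1234  150   512340 40512 ffffffff 00000000 S com.example.insecurebank
u0_a10    2000  150   499876 38120 ffffffff 00000000 S com.android.systemui
u0_a77    5678  150   401222 30100 ffffffff 00000000 S com.example.devbuild
"""


def parse_jdwp(output: str) -> list:
    """PIDs listed by `adb jdwp`, ignoring blank or malformed lines."""
    return [int(line.strip()) for line in output.splitlines() if line.strip().isdigit()]


def parse_ps(output: str) -> dict:
    """Map PID -> process name from `ps` output; skips the header and odd rows."""
    table = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[1].isdigit():
            continue
        table[int(fields[1])] = fields[-1]
    return table


def debuggable_processes(jdwp_output: str, ps_output: str) -> list:
    """Pair each JDWP-attached PID with its process name, or '<unknown>' if
    the process exited between the two snapshots."""
    names = parse_ps(ps_output)
    return [(pid, names.get(pid, "<unknown>")) for pid in parse_jdwp(jdwp_output)]


if __name__ == "__main__":
    for pid, name in debuggable_processes(SAMPLE_JDWP, SAMPLE_PS):
        print(pid, name)
```

On a real device you would capture the two outputs with subprocess and pass them in; any entry that maps to a package you expect to ship as a release build is a finding.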
Exploiting Debuggable Applications
So what can we do now? We know that the application is debuggable, but we don't have root on the device. You may or may not know that if the device is not rooted you cannot access the application's private data. If you try to root the device and it has an MDM policy applied that prevents root exploitation, the device may get quarantined.
No problem ;). We can use run-as. This binary lets you execute shell commands with the same permissions as the app (it only works for packages marked debuggable); essentially you are placed inside the application's private data directory.
It is now possible to run any command to view or query the data. The command below lists the databases in insecure bank.
So let's pull back some data from the insecure bank application. Using run-as and sqlite3 we can query the application's database. We can use .tables to list all of the available tables.
Now let's dump the data in the names table using .dump. You can also use "select * from names" instead of .dump to query the table.
Hopefully this demonstrates why it is important to set debuggable="false" (or simply omit the attribute, which defaults to false) before deploying to production.