
Static Analysis of an APK File: an Example of Hard-coded Password Leakage in an APP

2025-01-19 Update. From: SLTechnology News&Howtos, Network Security


Shulou (Shulou.com) 05/31 Report

This article walks through an example in which static analysis of an APK file uncovered a hard-coded password leaked by an APP. Many less experienced readers may not know how to approach such a case, so this article summarizes the cause of the problem and its remediation; I hope it helps you solve similar problems.

The writeup shared today is a static analysis of an Android APP. Because the APP stored a hard-coded password insecurely and thereby disclosed it, anyone holding the APK could log in to the vendor's SMS management system and hijack its SMS interface configuration.

Getting started

Since the scope of the crowdsourced testing (bug bounty) program included an Android APP from the vendor in question, I downloaded the APP on my Android phone and extracted its APK file for static analysis. Two fast sites for downloading original APKs are recommended here:

https://apk.support/apk-downloader

https://apkpure.com/

Once we have the APK file, we need to decompile it to reach the Java classes inside it for analysis. The following two tools are needed:

https://github.com/pxb1988/dex2jar

https://mac.filehorse.com/download-jd-gui-java-decompiler/

After installing the above tools, we copy the APK file of the target APP into a separate folder, rename its suffix from .apk to .zip and extract the archive. Inside we see XML documents, path files, template resource files and so on; our target among these is the classes.dex file, and extraction will usually reveal one or more classes.dex files. Next we use dex2jar to convert the dex file into a jar of Java classes with the following command:

dex2jar classes.dex

If this command does not work, use the other form of the dex2jar command instead:

d2j-dex2jar classes.dex

Running the above command produces a jar file such as classes_dex2jar.jar in the folder. To decompile that file we need another good tool; the one I personally like to use is JD-GUI, https://github.com/java-decompiler/jd-gui. Opening the generated jar file in JD-GUI shows a large number of Java source files, which we should save so that they can be read and searched later.

With the saved source code in hand, we should try to find problems in it. Here I also recommend a tool, the Mobile Security Framework (MobSF): an intelligent, integrated, open source automated penetration testing framework for mobile applications (Android/iOS) that accepts binaries (APK & IPA) and source code archives and supports both static and dynamic analysis.

Code analysis

With the above work done, we can carefully analyze the code of our target Android APP. Sitting down and going through my checklist, I soon found a file called Constant.java, located under the APP's SMS path, which contains piecemeal hard-coded service information such as Username, Location and Password, as well as the URL path of the SMS sending interface (SMS API). The general picture is as follows:

Further analysis showed that the APP used reson8's messaging platform (https://www.reson8.ae/) for commercial promotion. Visiting reson8's website, I found that it had a user login interface, so I thought of the Username and Password leaked in the static analysis above and tried logging in with them directly. Sure enough, as soon as I submitted them I was inside the SMS sending management system of the target APP's company:

The management system is an SMS API gateway through which one can perform management operations such as configuring targeted SMS sending, marketing upgrades and recharges, and, more seriously, download users' mobile phone numbers.
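The unpacking steps above (APK as a zip holding one or more classes.dex files) and the Constant.java finding can be turned into a small defensive check that a vendor can run over its own decompiled sources before release. The script below is an added example, not part of the original writeup or of any tool it mentions; the APK contents and the Constant.java text are constructed sample data, and the constant names and URL are placeholders.

```python
import io
import re
import zipfile

# Constant names that suggest a credential (as in the Constant.java the writeup describes)
CRED_NAME = re.compile(r"(?i)user(name)?|passw(or)?d|secret|api[_-]?key|token")
# A decompiled Java string constant: [public] [static] [final] String NAME = "value";
JAVA_CONST = re.compile(
    r'(?:(?:public|private|static|final)\s+)*String\s+(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;'
)
URL = re.compile(r"https?://\S+")

def list_dex_entries(apk_bytes):
    """Return the classes.dex / classes2.dex / ... entries of an APK (which is a zip)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return sorted(n for n in apk.namelist() if re.fullmatch(r"classes\d*\.dex", n))

def redact(value):
    """Keep only enough of a secret to recognise it in a report."""
    return value[:2] + "*" * max(len(value) - 2, 0)

def find_hardcoded_secrets(java_source):
    """Flag String constants whose name looks credential-like or whose value is a URL."""
    findings = []
    for m in JAVA_CONST.finditer(java_source):
        name, value = m.group(1), m.group(2)
        if CRED_NAME.search(name):
            findings.append((name, "credential", redact(value)))
        elif URL.fullmatch(value):
            findings.append((name, "endpoint", value))
    return findings

# Constructed sample data: a fake APK zip and a fake decompiled Constant.java
def sample_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0")
        z.writestr("classes2.dex", b"dex\n035\0")
        z.writestr("res/layout/main.xml", b"")
    return buf.getvalue()

SAMPLE_CONSTANT_JAVA = '''
public class Constant {
    public static final String USERNAME = "demo_account";
    public static final String PASSWORD = "Sup3rS3cret";
    public static final String LOCATION = "HQ";
    public static final String SMS_API = "https://sms.example.invalid/api/send";
    public static final String APP_NAME = "DemoApp";
}
'''

if __name__ == "__main__":
    print(list_dex_entries(sample_apk()))
    for finding in find_hardcoded_secrets(SAMPLE_CONSTANT_JAVA):
        print(finding)
```

Pointing find_hardcoded_secrets at the sources saved from JD-GUI gives a first pass over every constant class, not just the one a reviewer happens to open.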

Summary

Before doing dynamic or other analysis of an APP, it is recommended to do some static analysis first, following your own checklist; it may turn up unexpected pieces of information. For the companies that publish APPs, it is important to avoid storing password credentials inside the APP at all, and where that is unavoidable, the credentials need appropriate encryption.
