


Example analysis of static analysis of APK files to discover leakage of hard-coded passwords in APP applications
The Writeup I share with you today is a static analysis of Android APP. Due to the problems of insecure storage and hard-coded password leakage in the APP, it is possible to log in to its SMS management system and hijack its SMS interface configuration. The following is relevant analysis and research.
Get started
Since the scope of the public testing project involves a certain Android APP from a relevant manufacturer, I downloaded this APP on my Android phone and put it The APK file is taken out for static analysis. Here are two native and fast APK download URLs recommended:
https://apk.support/apk-downloader
https://apkpure.com/
After obtaining the APK file, we need to decompile it and find the Java class files in it for analysis. You can install the following two tools here:
https://github. com/pxb1988/dex2jar
https://mac.filehorse.com/download-jd-gui-java-decompiler/
After installing the above tools, we put the target APP Put the APK file into another separate folder, change its suffix from .apk to .zip, and then unzip the zip file. After that, we can see some xml documents, path files, template resource files, etc., in these files Our target is the classes.dex file. After decompression, you will usually find one or more classes.dex files. Next, we can convert the dex file into a java file by using the dex2jar tool. The specific command is as follows:
dex2jar classes.dex
If this command does not work, Then you can use another version of dex2jar command:
d2j-dex2jar classes.dex
After running the above command, classes_dex2jar will be generated in the folder. jar's java file. Once we have this file, we have to use another useful tool to decompile it. I personally like to use JD-GUI here, https://github.com/java-decompiler /jd-gui, after using it to open the generated jar file, we can see many java resource files, and we can also save and read these different resource files.
With the saved resource file code, we must try to find some problems from it. Here I recommend a tool - the automated mobile security penetration testing framework: Mobile Security Framework (MobSF) , it is an intelligent, integrated open source mobile application (Android/iOS) automatic penetration testing framework that supports binary files (APK & IPA) and source code compression packages. It can be used for static and dynamic analysis.
Code Analysis
After completing the above work, we can deeply analyze the code of the target Android APP. When I sat down to analyze according to my checklist, I soon found one of the files called Constant.java. It was located in the SMS path of the APP and contained some scattered information, such as Username, Loacation, Password and other hard-coded services. Message and the URL path of the SMS API. The general situation is as follows:
Further analysis found that the APP uses reson8 company’s instant messaging platform for commercial promotion, https://www.reson8.ae/, I browsed the reson8 company website , and found that it has a user login interface, so I thought of the Username and Password information leaked in the above static analysis, and brought it here to log in and use it. Sure enough, as soon as I entered and submitted, I entered the SMS sending management of the target APP company. System:
The management system is an SMS API gateway, through which management operations such as SMS directional sending settings, marketing upgrades and recharges can be implemented, and more importantly It is the mobile phone number of the user that can be downloaded.
Summary
Before doing dynamic and other analysis on the APP, it is recommended to do some static analysis on it. You can do it in sequence according to your own check list, and you may be able to get some unexpected bits and pieces from it. information. For APP application companies, they must avoid storing some password and credential-related information in the APP. Even if necessary, some appropriate encryption processing is required.
The above is the detailed content of Example analysis of static analysis of APK files to discover leakage of hard-coded passwords in APP applications. For more information, please follow other related articles on the PHP Chinese website!

Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Hot Tools

MantisBT
Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.

EditPlus Chinese cracked version
Small size, syntax highlighting, does not support code prompt function

SublimeText3 Chinese version
Chinese version, very easy to use

ZendStudio 13.5.1 Mac
Powerful PHP integrated development environment

SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
