Exploiting Debuggable Android Applications

最新推荐文章于 2019-07-21 10:48:14 发布
转载 最新推荐文章于 2019-07-21 10:48:14 发布 · 634 阅读 · 0
文章标签:

#Android Security #JDB #动态调试

本文展示了如何通过注入自定义代码来利用可调试的Android应用程序,包括检查应用是否可调试、设置断点、注入代码以及修改应用行为等步骤。重点在于通过远程调试在运行时修改应用的输出。

In the previous article, we have seen how to debug Java applications using a little tool called JDB. In this article, we will apply the same logic to exploit Android apps, if they are flagged as debuggable. If an application is flagged as debuggable, we can inject our own code to execute it in the context of the vulnerable application process.

Background

To make this article more interesting, I have developed a vulnerable application for demonstration purposes, which has a “button” and a “textview“.

Fill out the form below to download the code associated with this article.

InfoSec File Download

If we launch the application, it shows the message “Crack Me“.

Figure 1

If we click the button, it says “Try Again“. Now, our goal is to change the message “Try Again” to “Hacked” without modifying the application’s source code. To be precise, we have to change it at runtime.

Required Tools

  • Emulator
  • adb – Android Debug Bridge
  • jdb – Java Debugger

    In my case, to make the installations easier, I am using Android Tamer since all the above required tools are pre-installed.

    Topics Involved

    • Checking for Vulnerability.
    • Getting Ready with the Setup.
    • Runtime Code Injection.

    Let’s begin the game.

    Checking for Vulnerability

    In fact, this is the easiest part of the entire article.

    1. Decompile the application using APKTOOL to get the AndroidManifest.xml file using the following command.

    apktool d <vulnerableapp>.apk

    2. Inspect Androidmanifest.xml file for the following line.

    android:debuggable=”true”

    If you find the above line in the AndroidManifest.xml file, the application is debuggable and it can be exploited.

    Note: We used APKTOOL to see whether the app is debuggable or not. We won’t touch or modify any piece of code as mentioned earlier.

    Getting Ready with the Setup

    In this step, we will set up all the required things to inject code in to the app during its execution. As mentioned in the previous article, we will use remote debugging in this article.

  1. Start Your Emulator
  2. Install the vulnerable application
  3. Open up your terminal and run the following command to see the Dalvik VM ports listening on the emulator.

    adb jdwp

    The above command displays all the ports on which we can connect and debug as shown below.

    Figure 2

    Note: JDWP stands for Java Debug Wire Protocol. If an application running in its VM is debuggable, it exposes a unique port on which we can connect to it using JDB. This is possible in Dalvik Virtual Machines with the support of JDWP.

  4. Now, launch our target application and run the same command to see the listening port associated with our target application. It looks as shown below.

    Figure 2

    If we observe the difference between Figure 2 and Figure 3, there is one extra port 543 listening after launching the target application in Figure 3. We will attach JDB to the application using this port, since this is our target.

  5. Before attaching to the application, we need to port forward using adb since we are using remote debugging. This is shown in Figure 4.

    Figure 4

  6. Now, let’s attach JDB to the application as shown in the following figure.

    Figure 5

Runtime Code Injection

In this step, we will actually exploit the vulnerable application by modifying its behavior at runtime.

To modify the application’s behavior at runtime, we need to set up breakpoints and control the flow. But, we don’t know what classes and methods are used in the application. So, let’s use the following commands to find out the classes and methods used in the application.

To find the classes: “classes

Figure 6.1

Since I have too many classes listed, I am listing only a few classes. But if you still scroll down, you will see some interesting user defined classes as shown in the figure below.

Figure 6.2

Now, let us see the methods associated with MainActivity$1 class using the following command.

methods com.example.debug.MainActivity$1

This is shown in figure 7.

Figure 7

Now, let’s set up a breakpoint at onClick method and control the execution of the app as shown in Figure 8.

“stop in com.example.debug.MainActivity$1.onClick(android.view.View)”

Figure 8

To hit the breakpoint, we will have to manually click the button in the application. Once after clicking the button, the breakpoint will be hit and it appears as shown in Figure 9.

Figure 9

From here onwards, we will be able to control and see the sensitive values, method arguments, etc. using various commands.

Just to understand what’s happening in the background, I am following the code associated with the onClick method, which is shown in Figure 10.

Figure 10

Before proceeding further, let’s see if there are any local variables at this point in time using the command “locals“.

Figure 11

As we can see, there is no interesting information for us.

So, let’s execute the next line using the “next” command as shown below.

Figure 12

Let’s again try executing the command “locals” to see what happened in the previous command.

Figure 13

It’s pretty clear that TextView has been loaded into method arguments. If we look at the source code provided in Figure 10, the line associated with TextView instantiation has been executed.

Let’s now execute the next lines by executing the “next” command, and check the local variables as shown in the figure below.

Figure 14

As we can see, all the local variables have been displayed. The string “secret” looks interesting. The value “Try Again” is what is going to be printed when we click the button.

From Figure 10, it is very clear that the method setText is getting executed to print the value “Try Again“. So, let’s use the “step” command to get into the definition of the “setText” method and dynamically modify the text to be printed.

Figure 15

Let’s see the local variables inside the definition using “locals“.

Figure 16

Now, let’s change the value of “text” from “Try Again” to “Hacked” using “set” command.

Figure 17

We cannot see any changes in the application, since we haven’t executed the modified code.

So, let’s run the application using the “run” command as shown below, and see the application’s output on its screen.

Figure 18

Let’s look at the application running in the emulator.

Figure 19

We have successfully modified the output of the application at runtime. This is just an example to show how an application’s behavior can be modified if the application is debuggable. We can perform various other things including “Getting a shell” on the device in the context of the vulnerable application.

Conclusion

In this article, we have demonstrated how one can exploit an Android application if it is left debuggable when moving it to the production. Pentesters should always look for this vulnerability during their Android app pentests.


原文地址: http://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/#article

JDB调试Android程序(通过JDB进行代码注入)
至淡以消忮心
08-23 7038
本文主要是通过JDB对存在漏洞的Android程序进行调试,并利用这些漏洞对APP进行代码注入,通过这样的行为来提醒安卓开发人员来规避这些漏洞。
2.SDL规范文档
weixin_30872337的博客
02-27 2798
01.安全设计Checklist 输入验证 校验跨信任边界传递的不可信数据(策略检查数据合法性,含白名单机制等)格式化字符串时,依然要检验用户输入的合法性,避免可造成系统信息泄露或者拒绝服务 禁止向Java Runtime.exec()方法传递不可信、未净化的数据(当参数中包含空格,双引号,以-或者/符号开头表示一个参数开关时,可能会导致参数注入漏洞),建议如果可以禁止JVM...
移动安全-jeb gdb ida三大动态调试方法
iamsongyu的博客
02-10 5225
很多时候在对apk分析时,静态调试显得苍白无力,需要我们手动算很多东西,而动态调试则可以直接观察结果,一般的方法都需要再手机端运行服务才可以进行调试,下面我们就来学习一下三个调试方法 jeb动态调试 使用jeb打开我们的22.apk文件 见名知意,Certificate:证书,Bytecode:字节码,Resources:资源文件。 双击Bytecode,会打开两个窗口,Bytecod...
获取application debuggable模式
03-16 3861
当我们想在程序debug时打印log,反则不打印log的时候 就需要获取这个debug属性了,但是在sdk中没有找到对应的get方法,于是找到一个老外的方法如下: boolean isDebuggable = (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)); 这样额可以获取。记录一下,以后也会用到。
关于不修改android:debuggable进行动态调试
weixin_33774308的博客
03-06 1228
有时候手动修改导致程序再打包失败其他的方法又局限性,所以采用buildprop插件来完成https://repo.xposed.info/module/com.jecelyin.buildprop 转载于:https://blog.51cto.com/13652962/2358860...
Android :测试apk是否是 debuggable="false" 版本
Rocy
02-08 565
在apk文件进行发布的时候,需要确认 android:debuggable="false" 是否设置为了false。而打包的时候有时候会忘记设计为false。   测试过程中打印出所有的为 android:debuggable="false" 的所有应用,然后确认下是否有自己开发的那个应用就可以。     Set&lt;String&gt; debuggableApps = new Ha...
AndroidDebuggable设置问题
热门推荐
王丽君同学的专栏
12-29 3万+
Android中的AndroidManifest.xml文件中可以设置很多属性,其中有一项是debuggable属性,意为“可调试”,有true和false两种模式。 默认情况下我们都是需要设置的,如果打包的是debug版本的apk文件,那么这个debuggable属性就自动设置为true,反之,如果打包的是release版本的apk文件,那么这个debuggable属性就自动设置为false
使用 JDB 调试 Android 应用程序
forlong401的专栏--有问题上:http://www.androidren.com
04-17 1839
http://www.tinylab.org/use-jdb-to-debug-android-application/ 目录 [隐藏] 1 前言 2 JDWP 协议介绍 3 JDB 的使用方式 4 JDB 的使用示例 5 JDB 的命令列表 6 参考资料 前言 自从有了各种 IDE 工具,程序猿调试工作轻松了不少,只要在 ID
使用正式签名打包APK,打开debug模式报错的问题解决方法
whorus1的专栏
01-07 3978
SDK Tools Revision 8以后,如果在AndroidManifest.xml中直接设置打开debug模式: 1 android:debuggable="true" 则在使用正式签名打包APK时,Eclipse会报错如下: Avoid hardcoding the debug mode; leaving it out allows deb
如何测试APK是否设置android:debuggable="false"
JackieGemini
10-11 1万+
在准备发布应用之前要确保关闭debug属性,即设置AndroidMainifest.xml中android:debuggable="false",但是有时候会忘记关掉这个属性。   所以在发布之前最好进行测试,使用aapt工具:   aapt list -v -a myfil
Bash Specially-crafted Environment Variables Code Injection Vulnerability Analysis
weixin_30693183的博客
07-21 160
http://www.cnblogs.com/LittleHann/p/3992778.html 转载于:https://www.cnblogs.com/cybertitan/p/3999011.html
android studio 提示 no debuggable process或者 no debuggable applications
@#%$#^%^
04-13 6345
解决方法: Tools-Android-Enable ADB Integration
关于AndroidManifest.xml中的android:debuggable
libeyond_的专栏
02-01 1万+
AndroidManifest.xml中,可以设置attribute android:debuggable,其值为“true”或“fasle”。在官方文档中对它的说明如下:Whether or not the application can be debugged, even when running on a device in user mode — “true ” if it can be,
Lua非空判断方法[源码]
11-24
本文详细介绍了在Lua中进行非空判断的几种方法,特别是针对table类型的变量。首先,文章指出了直接对nil值进行索引会导致异常的问题,并给出了一个简单的例子来说明如何避免这种情况。接着,文章讨论了如何判断一个table是否为空,指出不能简单地使用`#table == 0`的方式,而是应该使用`next(t) == nil`的方法。此外,文章还提到了`next`指令在LuaJIT中的优化问题,建议在非必要情况下少用。最后,文章简要介绍了如何判断一个字符串是否全部由空格组成,使用了正则匹配的方法。这些内容对于Lua开发者来说非常实用,能够帮助他们避免常见的错误。
JS表格转Excel实现[可运行源码]
11-24
该文章详细介绍了如何使用JavaScript将HTML表格数据导出为Excel文件。内容涵盖了针对不同浏览器的兼容性处理,包括IE和非IE浏览器的不同实现方式。对于IE浏览器,使用ActiveXObject进行导出;对于非IE浏览器,则通过base64编码和数据URI方案实现。文章还提供了完整的代码示例,包括表格数据的处理、格式化和导出功能,支持文本和图片类型的数据导出。
图片转bin文件存储[项目代码]
11-24
本文介绍了在OpenCV项目中如何将大量图片数据转换为二进制(bin)文件进行高效存储和读取的方法。作者在项目中遇到需要处理大量图片数据的问题,尝试了多种格式(如.mat、.txt、.yml)后发现效率较低。通过使用二进制文件存储,显著提升了读写速度。文章详细展示了使用OpenCV将图片写入二进制文件的代码示例,以及从二进制文件读取图片数据的实现方法。虽然该方法需要提前知道图片的尺寸和数量,但读写速度极快,适合处理大量图片数据。作者还提到可以通过换行符或终止符优化读取过程,但未深入探讨。
ROS视觉处理与色彩识别[项目源码]
最新发布
11-24
本文详细介绍了在ROS环境下进行视觉处理的基础步骤,特别是针对色彩识别的实现方法。内容涵盖了从摄像头驱动的安装与配置(如usb_cam驱动和image_view工具的使用),到创建功能包和编写图像处理节点(包括RGB图像回调函数、HSV色彩空间转换、二值化处理及形态学操作)。此外,还演示了如何在仿真环境中获取图像,并通过OpenCV实现红色和绿色物体的识别与追踪。最后,文章提供了完整的代码示例和编译运行步骤,帮助读者快速上手ROS视觉处理项目。
Exploiting Shared Representations for Personalized Federated Learning
12-31
### 利用共享表示进行个性化联邦学习 在个性化联邦学习中,利用共享表示的方法旨在通过模型间的信息交换来提升各客户端本地模型的表现,同时保持一定程度的个性化。这种方法通常涉及两个主要方面:全局模型参数更新和个人化调整。 #### 全局模型训练与个人化调整 为了实现这一目标,在每轮迭代过程中,服务器会收集来自不同客户的梯度信息并计算平均值作为新的全局权重向量[^1]。随后,这些更新后的参数会被分发给各个客户机用于下一轮局部优化过程中的初始化设置。然而,由于数据分布差异较大以及隐私保护需求的存在,直接采用统一策略可能无法满足特定应用场景下的性能要求。 因此,研究者们提出了多种基于元学习框架下的解决方案,允许每个参与者根据自身特点自适应地微调其内部结构而不影响其他成员的学习进度。例如,可以通过引入额外的任务无关特征映射层或将某些神经网络组件设为固定不变等方式增强跨域泛化能力的同时保留个体特性。 #### 技术细节与算法设计 具体来说,一种常见的做法是在标准Federated Averaging (FedAvg)基础上加入正则项约束条件以鼓励相似样本之间形成更紧密关联;另一种则是借助于生成对抗网络(GANs),让多个代理机构共同构建一个虚拟空间内的公共表征库供后续迁移使用。此外还有些工作探索了如何结合强化学习机制动态调整参与方贡献比例从而达到更好的协作效果。 ```python def fed_avg_with_regularization(models, regularization_lambda=0.01): global_model = sum([model * (1 / len(models)) for model in models]) # Add L2 Regularization term to encourage similarity among local updates reg_term = sum([(global_model - m).norm() ** 2 for m in models]) * regularization_lambda optimized_global_model = global_model - reg_term return optimized_global_model ```
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值