Mobile Application Penetration Testing Guide
In my previous write-up I explained the React Native reverse engineering technique. This time I found a bug in a Xamarin-based application, using a different approach from the old reverse engineering methodology.
Xamarin is a free and open source mobile app platform for building native, high-performance iOS, Android, tvOS, watchOS, macOS and Windows apps.
Old-fashioned way of Android Reverse Engineering
Typically, when reversing an Android application, it is decompiled with apktool and dex2jar and then analyzed in JD-GUI. This is also useful for native applications when the application contains native code that you would like to analyze.
But for a Xamarin application, most of the time the core logic lies in the ".dll" files, which can be obtained without needing dex2jar at all.
Reverse Engineering Process: Xamarin application
Step-1: Let's confirm whether the application was built on the Xamarin framework.
To check this, copy the APK to a file with a .zip extension and then extract it to a new folder using the following commands:
cp com.example.apk example-apk.zip
unzip -qq example-apk.zip -d unzipped-apk
Browse to the newly created unzipped-apk folder and find the assemblies folder. It contains several dll binaries, which means the application was built on the Xamarin framework.
Step-2: Now we have to find the appropriate dll file that contains the core logic of the application. It is easy to find the correct dll file: typically it is named after the package name or the application name.
Step-3: Decompile the dll file using the dnSpy tool.
Step-4: Search for sensitive credentials and endpoints
In this phase, you have to identify sensitive keywords to search for in the decompiled code. A pattern that is popular with Android applications is the use of third-party services, so look for Firebase, Azure and AWS S3 service endpoints, private keys, etc.
After a long and deep code review I was able to find sensitive hard-coded credentials in a commented-out section of the code.
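As an added example (not code from the original post), the script below automates Steps 1 to 4 on a constructed APK: it confirms the assemblies folder of .dll files, ranks the assemblies so the one named after the package comes first, flags assemblies that begin with the XALZ magic (newer Xamarin.Android builds LZ4-compress assemblies, and dnSpy cannot load those until they are decompressed), and scans a constructed piece of decompiled C# for hard-coded credentials, reporting whether each hit sits in a comment, as the finding above did. The package name com.example.app, the assembly names, the credential patterns and the sample secrets are all assumptions and constructed placeholders.

```python
import io
import re
import zipfile

# Assemblies that ship with the framework and rarely hold app logic (assumed list).
FRAMEWORK_PREFIXES = ("Mono.", "Xamarin.", "System.", "mscorlib", "netstandard", "Java.Interop")


def build_sample_apk() -> bytes:
    """Constructed stand-in for com.example.apk; an APK is just a zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest package='com.example.app'/>")
        z.writestr("classes.dex", b"dex\n035\x00")  # thin launcher dex, no app logic
        z.writestr("assemblies/Mono.Android.dll", b"MZ" + b"\x00" * 64)
        z.writestr("assemblies/Xamarin.Forms.Core.dll", b"MZ" + b"\x00" * 64)
        z.writestr("assemblies/com.example.app.dll", b"MZ" + b"\x00" * 64)
        # Newer Xamarin.Android builds LZ4-compress assemblies; the file then starts
        # with the magic "XALZ" and must be decompressed before dnSpy can open it.
        z.writestr("assemblies/Helpers.Shared.dll", b"XALZ" + b"\x00" * 64)
    return buf.getvalue()


def assembly_names(apk_bytes: bytes) -> list:
    """Step 1: list the .dll files under assemblies/ (empty for a non-Xamarin APK)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return sorted(n[len("assemblies/"):] for n in z.namelist()
                      if n.startswith("assemblies/") and n.endswith(".dll"))


def is_xamarin_apk(apk_bytes: bytes) -> bool:
    return bool(assembly_names(apk_bytes))


def is_xalz_compressed(apk_bytes: bytes, dll_name: str) -> bool:
    """True when the assembly carries the XALZ header and needs decompressing first."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return z.read("assemblies/" + dll_name)[:4] == b"XALZ"


def rank_assemblies(apk_bytes: bytes, package_name: str) -> list:
    """Step 2: most likely app-logic assembly first. Names containing the package
    name score best, then names containing its last segment, framework assemblies last."""
    last_segment = package_name.rsplit(".", 1)[-1].lower()

    def score(name: str) -> int:
        low = name.lower()
        if package_name.lower() in low:
            return 0
        if name.startswith(FRAMEWORK_PREFIXES):
            return 3
        return 1 if last_segment in low else 2

    return sorted(assembly_names(apk_bytes), key=lambda n: (score(n), n))


# Step 4: keyword/shape patterns for the services the post names (assumed patterns).
SECRET_PATTERNS = {
    "azure_storage_connection_string": re.compile(
        r"DefaultEndpointsProtocol=https?;AccountName=[^;]+;AccountKey=[^;\"']+", re.I),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "firebase_database_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com", re.I),
    "credential_assignment": re.compile(
        r"\b(?:api[_-]?key|secret|password|token)\b\s*=\s*\"[^\"]{8,}\"", re.I),
}


def scan_decompiled_csharp(source: str) -> list:
    """Return findings as dicts; 'commented' marks hits inside // or /* */ comments,
    since commented-out code is a common place for leftover credentials."""
    findings, in_block = [], False
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        commented = in_block or stripped.startswith("//")
        if "/*" in stripped and "*/" not in stripped:
            in_block, commented = True, True
        elif in_block and "*/" in stripped:
            in_block = False
        for kind, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append({"line": lineno, "kind": kind,
                                 "commented": commented, "match": m.group(0)})
    return findings


# Constructed decompiled C# (what dnSpy might show); every value is a placeholder.
SAMPLE_DECOMPILED = """\
using System;

namespace Com.Example.App
{
    public static class Config
    {
        // TODO: remove before release
        // var conn = "DefaultEndpointsProtocol=https;AccountName=exampleacct;AccountKey=EXAMPLE_KEY_NOT_REAL==";
        public const string ApiBase = "https://api.example.test/v1";
        public const string FirebaseUrl = "https://example-app.firebaseio.com";
        private static readonly string ApiKey = "sk_placeholder_0123456789";
    }
}
"""


def triage(apk_bytes: bytes, package_name: str, decompiled: str) -> dict:
    """Run Steps 1-4 together and return a report dict."""
    if not is_xamarin_apk(apk_bytes):
        return {"xamarin": False}
    ranked = rank_assemblies(apk_bytes, package_name)
    return {"xamarin": True, "primary_dll": ranked[0],
            "needs_decompression": [n for n in ranked if is_xalz_compressed(apk_bytes, n)],
            "findings": scan_decompiled_csharp(decompiled)}


if __name__ == "__main__":
    report = triage(build_sample_apk(), "com.example.app", SAMPLE_DECOMPILED)
    print("primary:", report["primary_dll"], "| XALZ:", report["needs_decompression"])
    for f in report["findings"]:
        flag = "(comment) " if f["commented"] else ""
        print(f"line {f['line']:>3} {flag}{f['kind']}: {f['match']}")
```

On a real target, replace build_sample_apk() with the bytes of the APK and SAMPLE_DECOMPILED with the C# exported from dnSpy; the ranking is a heuristic, so still open the other non-framework assemblies when the top one turns out to be thin.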
Now it's time to exploit the disclosed keys
Whenever I find an API key, I first refer to the Keyhacks GitHub repository. But there was no valid approach there for the disclosed keys.
After further analysis of the Azure Blob Storage API documentation and some tutorials about the Azure CLI, I learned how to use these credentials via the Azure CLI. The process to exploit the disclosed keys is below.
Install the Azure CLI on your local machine and then set the environment variable below, replacing the values with the disclosed keys.
C:\Users\admin>az storage blob list --container-name <container_name>
The reverse engineering process for Android applications should be chosen based on the build framework. Identify the application's build technology at the initial information-gathering stage.
Thanks for spending your time reading this blog. If you want to learn Android hacking, please follow me and stay tuned for interesting hacking techniques, and view my profile to read interesting bug bounty write-ups.