Android Checklist  - Android Penetration Testing 1 - Android Penetration Testing – Attacking through Content Provider

In Last Part, Android Application Penetration Testing Part 7 We have seen about the Insecure external and internal storage and Insecure Communication.

Attacking through :

We recommend reading content provider before starting is useful in cases when an app wants to share with another app.

The Content Provider instance manages access to a structured set of data by handling requests from other applications. All forms of access eventually call Content Resolver, which then calls a concrete method of Content Provider to get access.

Required methods
Query (), Insert (), Update (), Delete (), Get Type (), On Create ()

As this method are same as the database. First, we must try to check injections through URIs

We can use drozer tool to check injections

Run scanner.provider.finduris –a

- Screenshot from 2017 10 28 090119 - Android Penetration Testing – Attacking through Content Provider

Run scanner.provider. -a

- Screenshot from 2017 10 28 090236 - Android Penetration Testing – Attacking through Content Provider

Content query –Uri

- Screenshot from 2017 10 28 090639 - Android Penetration Testing – Attacking through Content Provider

Mitigation – 

If your content provider is just for your app’s use then set it to be android: exported=false in the manifest. If you are intentionally exporting the content provider then you should also specify one or more permissions for reading and writing.

If you are using a content provider for sharing data between only your own apps, it is preferable to use the android: protectionLevel attribute set to “signature” protection.

When accessing a content provider, use parameterized query methods such as query (), update (), and delete () to avoid potential SQL injection from untrusted sources.

INSECURE (weak) Cryptography:

Protecting sensitive data with cryptography has become a key part of most web applications. Simply failing to encrypt sensitive data is very widespread. Applications that do encrypt frequently contain poorly designed cryptography, either using inappropriate ciphers or making serious mistakes using strong ciphers. These flaws can lead to the disclosure of sensitive data and compliance violations.


- 14 10 2017 22 12 00 1 - Android Penetration Testing – Attacking through Content Provider

 

 

 

 

 by base 64 decoding – decoded username

- 28 10 2017 21 45 49 - Android Penetration Testing – Attacking through Content Provider

we get the code from reverse engineering  – algorithm use for authentication

- Screenshot from 2017 10 28 205416 - Android Penetration Testing – Attacking through Content Provider

cracking password with AES-Exploit

- 28 10 2017 23 28 48 - Android Penetration Testing – Attacking through Content Provider

Mitigation:

Do not use weak algorithms, such as MD5 / SHA1. Favor safer alternatives, such as SHA-256 or better.

Generate keys offline and store private keys with extreme care. Never transmit private keys over insecure channels

Ensure that infrastructure credentials such as database credentials or MQ queue access details are properly secured (via tight file system permissions and controls), or securely encrypted and not easily decrypted by local or remote users

Ensure that encrypted data stored on disk is not easy to decrypt. For example, database encryption is worthless if the database connection pool provides unencrypted access.

Hard-coded password in source code:

Hardcoded passwords may compromise system in a way that cannot be easily remedied.

It is never a good idea to hardcode a password. Not only does hardcoding a password allow all of the project’s developers to view the password, it also makes fixing the problem extremely difficult.

Once the code is in production, the password cannot be changed without patching the . If the account protected by the password is compromised, the owners of the system will be forced to choose between security and availability.

Other Parts :



Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here