VyAPI - A Modern Cloud Based Vulnerable Android App (Presented at BSides Delhi 2019)
2 likes443 views
Vyapi is a cloud-based vulnerable Android app designed for security enthusiasts to practice hacking. The document outlines the setup process, technology stack, and key vulnerabilities as per OWASP's Mobile Top 10 for 2016. It also provides links to further resources for users to explore and understand the underlying technologies involved.
VyAPI - A Modern Cloud Based Vulnerable Android App (Presented at BSides Delhi 2019)
- 2. About MeAbout Me 1. Creator of "VyAPI – A Modern Cloud Based Vulnerable Android App" 2. Application Security Analyst at Appsecco (@appseccouk) 3. Chapter Leader at null Bangalore (@nullblr) 4. Serjeant-at-arms at Garden City Toastmasters Club, Bangalore (@Toastmasters)
- 4. The GoalThe Goal To provide Android security enthusiasts a platform to practice hacking a cloud-based vulnerable Android app
- 5. Your TakeawaysYour Takeaways 1. What is VyAPI 2. Technology stack in use 3. How to setup your personal VyAPI test environment 4. OWASP - Mobile Top 10 2016 in VyAPI 5. Built-in features for you to explore 6. Reference materials
- 6. What is VyAPI?What is VyAPI?
- 7. VyAPIVyAPI 1. VyAPI is a hybrid Android app that's vulnerable by design. We call it VyAPI, because its flaws are pervasive and it communicates not just via IPC calls but API calls, too. 2. It's a modern cloud based vulnerable Android app
- 8. What technologiesWhat technologies have been used?have been used?
- 9. The Building BlocksThe Building Blocks 1. AWS Amplify CLI 2. AWS SDK for Android 10 3. Amazon Cognito 4. OpenJDK 1.8.0_152-release 5. Glide v4 6. Room Persistence Library 7. Gradle 5.1.1
- 10. AWS AmplifyAWS Amplify 1. Development framework + Development services 2. It's fast and easy 3. Build mobile and web applications on AWS Further Reading: https://aws.amazon.com/amplify/faqs/
- 11. Amazon CognitoAmazon Cognito 1. A simple user identity and data synchronization service 2. Provides authentication, authorization and user management 3. i.e., user sign-up, sign-in and access control Further Reading: 1. https://aws.amazon.com/cognito/ 2. https://gorillalogic.com/blog/java- integration-with-amazon-cognito/
- 13. Glide v4Glide v4 Loading images with Glide is easy and in many cases requires only a single line: Further Reading: https://bumptech.github.io/glide/doc/getti ng-started.html
- 14. Room Persistence LibraryRoom Persistence Library Provides an abstraction layer over SQLite to allow fluent database access while harnessing the full power of SQLite. Further Reading: https://www.slideshare.net/Reinvently/dat a-persistence-in-android-with-room-library
- 15. How to setup yourHow to setup your personal VyAPI testpersonal VyAPI test environmentenvironment
- 16. 7 Steps7 Steps 1. Install Required Softwares 2. Configure Amazon Cognito 3. Create Android Emulator 4. Run VyAPI 5. Register a user 6. Login 7. Start Hacking
- 17. #1. Software Requirements#1. Software Requirements 1. Node.js 2. NPM 3. Amplify CLI 4. AWS CLI 5. Android Studio 6. Android Emulator Note - For more details visit https://github.com/appsecco/VyAPI
- 18. #2. Amazon Cognito#2. Amazon Cognito $ git clone $ cd VyAPI/ git@github.com:appsecco/VyAPI.git
- 19. #3. Android Emulator#3. Android Emulator
- 20. How to create an emulatorHow to create an emulator
- 21. #4. Run VyAPI#4. Run VyAPI
- 22. #5. Register a user#5. Register a user
- 25. #7. Start Hacking#7. Start Hacking
- 26. Hint: Look for data in...Hint: Look for data in... 1. Internal Storage 2. External Storage 3. Content Provider What type of storage is it? 1. File storage 2. SQLite database 3. Cloud storage In what form is the data stored? Plaintext data Encrypted data
- 27. OWASP - Mobile TopOWASP - Mobile Top 10 2016 in VyAPI10 2016 in VyAPI
- 28. M1-Improper Platform UsageM1-Improper Platform Usage
- 29. A Vulnerable ActivityA Vulnerable Activity dz> run app.activity.start --component com.appsecco.vyapi com.appsecco.vyapi.MainActivity
- 30. A Vulnerable ServiceA Vulnerable Service dz> run app.service.start --component com.appsecco.vyapi com.appsecco.vyapi.service.PlayMusi
- 31. SQL Injection Through ContentSQL Injection Through Content ProviderProvider dz> run app.provider.query content://com.appsecco.vyapi.ContactDBProvider/contacts/ --projec
- 32. M2-Insecure Data StorageM2-Insecure Data Storage
- 33. M3-Insecure CommunicationM3-Insecure Communication Can you intercept the secret SMS?
- 35. M5-Insufficient CryptographyM5-Insufficient Cryptography Where is the encryption key?
- 36. M6-Insecure AuthorizationM6-Insecure Authorization 1. Find a Cognito Identity Pool ID 2. Check if access to unauthenticated identities is enabled in AWS for this identity pool? 3. Use Boto 3 script to fetch credentials (i.e., Access Key, Secret Key, and Session Token) for an identity pool ID 4. Enumerate permissions associated with obtained AWS credentials Can unauthenticated users access sensitive AWS services? E.g., useast1:f0e6168e4865489097e5489cd6106g83
- 37. Is access to unauthenticatedIs access to unauthenticated identities enabled?identities enabled?
- 39. Use Use Boto 3Boto 3 to fetch credentialsto fetch credentials for an identity pool IDfor an identity pool ID
- 40. Access Key, Secret Key, andAccess Key, Secret Key, and Session TokenSession Token
- 42. Which of the AWS servicesWhich of the AWS services could be accessed bycould be accessed by unauthorized users?unauthorized users?
- 43. M7-Poor Code QualityM7-Poor Code Quality
- 44. Vulnerable Broadcast ReceiverVulnerable Broadcast Receiver dz> run app.broadcast.send --action com.appsecco.vyapi.Broadcast --extra string new_file_name d dz> run app.broadcast.send --action com.appsecco.vyapi.Broadcast --extra string new_file_name
- 47. Sensitive File in APK BundleSensitive File in APK Bundle
- 48. M10-Extraneous FunctionalityM10-Extraneous Functionality What's Visible What's NOT Visible
- 49. Built-in features forBuilt-in features for you to exploreyou to explore
- 56. SummarySummary VyAPI is a cloud-based vulnerable Android app for Android security enthusisats. To get started, you need to 1. Setup Amazon Cognito login using Amplify 2. Explore security misconfigurations in cloud setup 3. Explore Android app specific vulnerabilities 4. Use your favorite tools to exploit the identified vulnerabilities
- 57. ReferencesReferences VyAPI Codebase - https://github.com/appsecco/VyAPI Android Hacking in 7 Steps - https://slides.com/riddhishreechaurasia/breaking-an-android- app-in-7-steps#/ Android Pentesting Training - https://android-pentesting-at- appsecco.netlify.com/ Internet-Scale analysis of AWS Cognito Security - https://andresriancho.com/internet-scale-analysis-of-aws- cognito-security/ OWASP - Mobile Top 10 2016 - https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10 Amplify CLI - https://aws-amplify.github.io/docs/cli- toolchain/quickstart
- 58. ReferencesReferences Boto 3 - https://boto3.amazonaws.com/v1/documentation/api/lat est/reference/services/cognito-identity.html Amplify - https://aws.amazon.com/amplify/faqs/ Amazon Cognito - https://aws.amazon.com/cognito/ Glide - https://bumptech.github.io/glide/doc/getting- started.html