Helakuru pen-testing

ishan.fdo

Well-known member
  • May 1, 2012
    1,430
    224
    63
    Since there is a big discussion about Helakuru going on these days, I decompiled the Helakuru app and patched it so that it can be debugged and MITM-intercepted. If anyone wants it, say so and I'll share the APK.. If you want to know how I did it, say so and I'll share that too..

    So far I haven't seen any major data logging / keylogging going on.. but the app is massively insecure. For a start, the APIs aren't even HTTPS. The APIs use a hardcoded API token.

    It is defined in the lk.bhasha.sdk.util.AppHandler class:
    Code:
    hashMap.put("api-key", "bgrdj56097htys86");

    So far this is the only API call I've seen:
    Code:
    http://bhasha.lk/api/core/2.1/auth/AppAuthentication

    Assets are fetched from a CDN:
    Code:
    http://cdn.bhashalanka.com/helakuru/modules

    Inspecting the shared-prefs files, the developers look like amateurs. There's a copy-paste coding pattern.. There are three shared preferences files, with names lifted from tutorials:
    Code:
    myAppPrefs.xml
    my_preference.xml
    my_preferences.xml

    Shared preferences are saved as plain text. No encryption.

    XML:
    <?xml version='1.0' encoding='utf-8' standalone='yes' ?>
    <map>
        <long name="com.facebook.appevents.SessionInfo.sessionStartTime" value="unix_epoch_time" />
        <long name="com.facebook.appevents.SessionInfo.sessionEndTime" value="unix_epoch_time" />
        <boolean name="com.facebook.appevents.SourceApplicationInfo.openedByApplink" value="false" />
        <int name="com.facebook.appevents.SessionInfo.interruptionCount" value="0" />
        <string name="com.facebook.appevents.SessionInfo.sessionId">guid</string>
        <string name="com.facebook.appevents.SourceApplicationInfo.callingApplicationPackage"></string>
    </map>

    The Firebase API token doesn't seem to be restricted to the app.

    Third-party services
    Google Admob
    Giphy
    Firebase services
    Remote-configs
    Crashlytics
    Storage
    Cloud Messaging
    Facebook Graphs API
    Twitter advertising

    I didn't see a single API call while using the keyboard.

    During normal app usage, though, tracking API calls go out by the ton.

    Facebook tracking
    Code:
    Form data:
    format:                       json
    sdk:                          android
    custom_events_file:           [{"_eventName":"fb_mobile_deactivate_app","_eventName_md5":"92255b491a4e25b5d809edcf3665affe","_logTime":"1612852327","_ui":"DashboardActivity","_session_id":"ac5caafe-9d6e-4e5a-920a-ce2d83ecb7ef","_valueToSum":84,"fb_mobile_time_between_sessions":"session_quanta_0","fb_mobile_launch_source":"Unclassified()","fb_mobile_app_interruptions":"0"}]
    event:                        CUSTOM_APP_EVENTS
    advertiser_id:                147f9c4c-528d-447f-bfae-10fe9aa6f741
    advertiser_tracking_enabled:  true
    anon_id:                      XZ3ce54016-15ac-4c6f-8bc3-4cc55186a76b
    application_tracking_enabled: true
    extinfo:                      ["a2","lk.bhasha.helakuru",261,"6.0.48","10","SM-A115F","si_","GMT+11:00","",720,1411,"1.75",8,23,19,"Australia\/Sydney"]
    application_package_name:     lk.bhasha.helakuru

    Google Analytics
    Code:
    v=1&_v=j87&a=753743776&t=pageview&_s=1&dl=https%3A%2F%2Fflo.uri.sh%2Fvisualisation%2F2440123%2Fembed&dr=https%3A%2F%2Fhkmodules.bhashalanka.com%2F&dp=%2Fvisualisation%2F2440123&ul=si&de=UTF-8&dt=%E0%B6%85%E0%B7%80%E0%B7%83%E0%B7%8F%E2%80%8B%E0%B6%B1%20%E0%B6%AF%E0%B7%92%E0%B6%B1%2014%20%E0%B6%AD%E0%B7%94%E0%B7%85%20%E0%B6%B1%E0%B7%80%20%E2%80%8B%E0%B6%BB%E0%B7%9D%E0%B6%9C%E0%B7%93%E0%B6%B1%E0%B7%8A&sd=24-bit&sr=412x892&vp=362x280&je=0&_u=YEAAAAAB~&cid=286765613.1612852790&tid=UA-44635456-19&_gid=1842440891.1612852790&cd1=visualisation%2F2440123&cd2=2021-02-09T06%3A39%3A48.541Z&z=1621274008

    Articles, at least, are served from an HTTPS endpoint:
    https://hkmodules.bhashalanka.com

    Final verdict
    Using it just as a keyboard seems fine. Suggestions are saved in an SQLite DB. I couldn't work out how that gets generated. A dictionary JSON file is embedded.. maybe it's converted into an SQLite DB on first run.

    I did this as research. I have an idea to develop an open source Sinhala keyboard.
    Awesome, man.. please inbox
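The two findings above that a defender would want to catch before release, a credential-looking string literal next to a hardcoded key name and API endpoints that use plain http://, can be flagged with a simple static pass over decompiled sources. The scanner below is an added example written for this thread, not code from the post or from the Helakuru project; the sample source tree is constructed (the file name and endpoint strings are the ones quoted above, the surrounding Java lines are assumed), and the key-name regex and the 8-character minimum are assumptions that a real scan would tune.

```python
import re
from collections import Counter
from math import log2

# Constructed sample tree shaped like decompiled Java output and modelled on the
# findings in the post: a hardcoded "api-key" header and plain http:// endpoints.
# These are not the app's real sources; only the quoted strings come from the post.
SAMPLE_TREE = {
    "lk/bhasha/sdk/util/AppHandler.java": [
        'hashMap.put("api-key", "bgrdj56097htys86");',
        'String auth = "http://bhasha.lk/api/core/2.1/auth/AppAuthentication";',
        'String cdn = "http://cdn.bhashalanka.com/helakuru/modules";',
        'String articles = "https://hkmodules.bhashalanka.com";',
        'Log.d("AppHandler", "request sent");',
    ],
}

# A credential-looking key name immediately followed by a string literal of 8+
# characters, e.g. hashMap.put("api-key", "..."). The name list is an assumption.
SECRET_PAIR = re.compile(
    r'"(?P<name>(?i:api[-_]?key|token|secret|password|auth[-_]?key))"\s*,\s*"(?P<value>[^"]{8,})"'
)
# Any quoted URL literal; only the http:// ones are reported.
URL_LITERAL = re.compile(r'"(?P<url>https?://[^"\s]+)"')


def shannon_entropy(s):
    """Bits per character of the string; random-looking tokens score well above prose."""
    n = len(s)
    return -sum(c / n * log2(c / n) for c in Counter(s).values())


def scan_line(path, lineno, line):
    """Return finding dicts for one source line."""
    findings = []
    for m in SECRET_PAIR.finditer(line):
        findings.append({
            "kind": "hardcoded_secret",
            "where": f"{path}:{lineno}",
            "name": m.group("name"),
            # Entropy is reported as supporting evidence, not used as a threshold.
            "entropy": shannon_entropy(m.group("value")),
        })
    for m in URL_LITERAL.finditer(line):
        url = m.group("url")
        if url.startswith("http://"):
            findings.append({"kind": "cleartext_url", "where": f"{path}:{lineno}", "url": url})
    return findings


def scan_tree(tree):
    """Scan a {path: [lines]} mapping; on a real decompiled folder, read the .java/.smali files into this shape."""
    findings = []
    for path, lines in tree.items():
        for lineno, line in enumerate(lines, 1):
            findings.extend(scan_line(path, lineno, line))
    return findings


def summarize(findings):
    """Count findings per kind, the number a release gate would compare against zero."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    results = scan_tree(SAMPLE_TREE)
    for f in results:
        print(f)
    print(dict(summarize(results)))
```

On the constructed tree this reports one hardcoded secret and two cleartext endpoints and leaves the HTTPS article host alone; the mitigation the findings point at is to move the secret out of the APK (it is readable by anyone who decompiles the app, as the post shows) and to serve every endpoint over HTTPS.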
     

    ishan.fdo

    Well-known member
  • May 1, 2012
    1,430
    224
    63
    Tools used
    APKTool - https://ibotpeaches.github.io/Apktool/
    Android SDK - https://developer.android.com/studio
    JadX-GUI - https://github.com/skylot/jadx - this can read the APK file directly. It's like a smali-to-Java converter.

    Steps
    1. Get hold of the APK file
    There are two methods..
    1. If the app is installed on the device, you can save it using adb. If the app was deployed as an AAB rather than an APK, this is a bit more of a hassle. I'm copy-pasting this bit from my GitHub page.

    • Code:
      adb shell pm list packages
      - get all packages, find package_name for the relevant app
    • Code:
      adb shell pm path package_name
      - get apk_path
    • Code:
      adb pull apk_path destination_path
    2. Download it using a website like https://apkcombo.com/en-au/ or https://www.apkmirror.com/. This is easier.

    2. Run apktool to decompile it
    Code:
    apktool d /path/to/apk

    3. Inspect the AndroidManifest file in the decompiled folder. I checked whether networkSecurityConfig is configured on the application tag. If it is, go to the res/xml/network_config file and add debug overrides. What this does is trust user-installed CA certificates. Android has a security setting so that unknown intermediate CAs aren't trusted.. This is a debug override. Later a MITM certificate gets installed to decrypt the HTTPS traffic.. This tells our app to trust that certificate too.
    Code:
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

    If this tag isn't in the manifest, you have to add it and create a file with the given file name in the res/xml folder.

    4. Rebuild the APK. This is done with apktool. After that the APK file has to be aligned and signed with the debug keystore. I use a bash script for this:

    Code:
    #!/usr/bin/env bash
    ##Repack
    set -euo pipefail

    Folder=$1        # path to the apktool-decompiled folder
    NewApkName=$2    # name of the APK to generate, without the .apk extension

    # rebuild from the decompiled folder (-d: debug build)
    apktool b -d "$Folder" -o "$NewApkName.apk" #--use-aapt2

    # align, sign with the debug keystore, then install on the attached device
    path_to_android_sdk/build-tools/29.0.3/zipalign -p 4 "$NewApkName.apk" "$NewApkName.aligned.apk"
    path_to_android_sdk/build-tools/29.0.3/apksigner sign --ks "/Users/asiri/.local/share/Xamarin/Mono for Android/debug.keystore" --ks-pass pass:android --ks-key-alias androiddebugkey --key-pass pass:android --min-sdk-version 21 --max-sdk-version 29 "$NewApkName.aligned.apk"
    path_to_android_sdk/platform-tools/adb install "$NewApkName.aligned.apk"

    When you give this script the path of the decompiled APK folder as the first argument and the name the generated APK should have (without the extension) as the second, it rebuilds, aligns, signs and installs it on the attached device.

    If anything is unclear, ask..
    check inbox
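Step 3 above is exactly the check an app's own release pipeline should run in reverse: parse the manifest's application tag, follow android:networkSecurityConfig to the res/xml file, and fail the build if the trust anchors in base-config or domain-config include user-installed CAs, if cleartext traffic is permitted, or if debug-overrides that trust user CAs are combined with android:debuggable="true" (debug-overrides are honored by Android only when the app is debuggable, which is why they are ignored in a normal release build). The audit below is an added example written for this thread, not code from the post or from the Helakuru project; the manifest and the two config files are constructed (the package name is the one seen in the post's traffic, the attribute values and the domain are assumptions), and the pin values in the hardened config are placeholders, not real SPKI hashes.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment in the shape apktool writes out (assumed values).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="lk.bhasha.helakuru">
    <application android:networkSecurityConfig="@xml/network_config" android:debuggable="false" />
</manifest>
"""

# Constructed weak config: cleartext allowed and user CAs trusted for all traffic.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""

# Constructed hardened config: HTTPS only, system CAs only, API host pinned.
# The pin values are placeholders, not the real SPKI hashes of bhasha.lk.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">bhasha.lk</domain>
        <pin-set>
            <pin digest="SHA-256">PLACEHOLDER_SPKI_SHA256_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""


def manifest_network_settings(manifest_xml):
    """Read the application attributes that decide how the network config is applied."""
    app = ET.fromstring(manifest_xml).find("application")
    attr = lambda name: app.get(f"{{{ANDROID_NS}}}{name}")
    return {
        "network_security_config": attr("networkSecurityConfig"),
        "debuggable": attr("debuggable") == "true",
        "uses_cleartext_traffic": attr("usesCleartextTraffic"),
    }


def audit_network_config(config_xml, debuggable=False):
    """Return (severity, message) findings for a network_security_config.xml."""
    root = ET.fromstring(config_xml)
    findings = []
    base = root.find("base-config")
    if base is None or base.get("cleartextTrafficPermitted") is None:
        findings.append(("medium", "base-config: cleartextTrafficPermitted not set; "
                                   "platform default applies (true below API 28)"))
    for scope in ("base-config", "domain-config"):
        for cfg in root.iter(scope):
            if cfg.get("cleartextTrafficPermitted", "false").lower() == "true":
                findings.append(("high", f"{scope}: cleartext HTTP permitted"))
            for cert in cfg.iter("certificates"):
                if cert.get("src") == "user":
                    findings.append(("high", f"{scope}: user-installed CAs in release trust anchors"))
    overrides = root.find("debug-overrides")
    if overrides is not None:
        trusts_user = any(c.get("src") == "user" for c in overrides.iter("certificates"))
        if trusts_user and debuggable:
            findings.append(("high", "debug-overrides trust user CAs and the app is debuggable, so they are live"))
        elif trusts_user:
            findings.append(("info", "debug-overrides trust user CAs; ignored because the app is not debuggable"))
    return findings


if __name__ == "__main__":
    settings = manifest_network_settings(SAMPLE_MANIFEST)
    print("manifest:", settings)
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_network_config(cfg, debuggable=settings["debuggable"]))
```

Run against the constructed files, the weak config produces two high findings (cleartext permitted, user CAs trusted) plus an informational note about the debug-overrides, and the hardened config produces none; flipping android:debuggable to true turns the debug-overrides note into a high finding, which is the condition the patched build in this thread relies on.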