Android

application
exploitation
By Kyle B3nac
@b3nac
Android Attack Vectors Xmind Map
Overview

Reconnaissance Phase Preparation Phase Attack Vectors

Detecting Native, Flutter, and Using Objection for SSL Webview XSS
React Apps Pinning Bypasses ● Native vs Flutter
● AndroidManifest.xml ● No root ● Native Webview ex.
Third Party SDK and API ● Split apks ● Flutter Webview ex.
Exploitation ● Flutter SSL pinning Deep Links
● Demo bypass
apps/Documentation ● Native and Flutter
● Third party apis ● Deep link to XSS
● “RCE” and command
injection in a webview
Unicode Collisions
● toLower()
● toUpper()
Validation Bypass via Flutter
Ecosystems

Native Flutter React Native

● Code base will be mostly ● Uses Dart ● Written with mostly
Java or Kotlin with Shared Javascript then rendered
Object files if NDK is in ● Created with with Native Activities
use cross-platform
compatibility in mind ● A lot of plugins under the
● Easier to decompile most com directory
of the time ● Production binaries not
easy to reverse engineer
● Easier to read and
statically analyze ● Uses official and
non-official plugins
● Imports androidx libraries
● Apks tend to be bulkier
Detecting Native, Flutter, and React Applications

FLUTTER NATIVE

REACT
● Usually a lot of AndroidManifest.xml entries ● The entry com.facebook.react and in
● Most of the activities are easy to find in the AndroidManifest.xml
com directory ● The activity
com.facebook.react.devsupport.DevSettingsAc
● Has flutter.embedding in tivity
AndroidManifest.xml (Modules)
● assets/index.android.bundle
● The folder io.flutter
● Shared object files in the lib directory
● Creates a native Shared Object in the lib
libflutter.so

NDK & JNI

directory
● Release:
/resources/lib/arm64-v8a/libflutter.so ● Will find JNI calls in the Shared Object file
○ /resources/lib/arm64-v8a/libapp.so after decompiling to assembly
● Debug:
/resources/assets/flutter_assets/kernel_blob
.bin
Using Objection for SSL Pinning Bypasses
Use adb to pull the apk off of your device after install from Google Play

Demo time!

Use Objection to patch the apk and bypass SSL

objectionapk=${1%.apk}
/home/b3nac/.local/bin/objection patchapk --source $1 --skip-resources --ignore-nativelibs --gadget-version 12.7.25
adb install $objectionapk.objection.apk

Use patch-apk.py to patch split apks

python3 ~/patch-apk/patch-apk.py $1 --save-apk $2

Works on React Native and Native apps, but not Flutter

Bypassing Flutter SSL Pinning
Flutter uses mostly the Dart programming language which has its own keystore. The SSL
libraries are also completely different from most Native implementations. BoringSSL
handles all of the SSL related functions for Flutter.

There are two main ways to bypass ssl pinning locally:

1. Find the ssl verification function in libflutter.so and change the response to true with
Frida

1. If a Flutter plugin is used hook the plugin’s verification method with Frida
○ This method is a lot easier, as there are less steps involved
Flutter SSL Pinning Plugin Bypass
Thank you, Jeroen Beckers, for creating the Frida script and finding the Java method
being used for pinning.

Running this command with the Frida script waits until the pinned certificate method is
called and changes the result to true.

frida -U -f com.flutterb3nacapp -l flutter-plugin-ssl.js --no-pause

Demo time!
Technical Details of the Frida Script
Frida api calls include Java.use and Java.perform.

Java.use wraps the library in an object that can be used to modify calls to that library during
runtime and return what is specified in the function.

Java.perform ensures the call is attached to the current running thread for the function
disablePinning.
Third Party SDK and API Exploitation
Cannot emphasize enough the importance of reviewing third party documentation to discover
potential bugs!

● Demo apps make great PoCs

○ Almost all third party services have demo apps
○ Saves time creating a proof of concept
○ The demo app should check if the request is from the official app when handling sensitive
data
● Mobile endpoints are sometimes on separate apis from web
○ Translate okhttp to a web request (proxying usually discloses needed parameters too)
○ Curl requests can validate findings quickly
○ Differences between a mobile API and a web API may include:
■ Server headers
■ No CSRF tokens
■ One authentication header for all calls
● S3 bucket keys in strings.xml or source code
○ Try accessing S3 bucket with AWS cli and check api key permissions
External File Storage (Public)
The following calls outline the insecure storage possibilities. These file paths can be chained with
other vulnerabilities to exfiltrate data on user’s devices.

Android apps only delete files from the apps internal storage directory.

Environment.getExternalStorageDirectory() /storage/sdcard0
Environment.getExternalStoragePublicDirectory(DIRECTORY_ALARMS) /storage/sdcard0/Alarms
Environment.getExternalStoragePublicDirectory(DIRECTORY_DCIM) /storage/sdcard0/DCIM
Environment.getExternalStoragePublicDirectory(DIRECTORY_DOWNLOADS) /storage/sdcard0/Download
Environment.getExternalStoragePublicDirectory(DIRECTORY_MOVIES) /storage/sdcard0/Movies
Environment.getExternalStoragePublicDirectory(DIRECTORY_MUSIC) /storage/sdcard0/Music
Environment.getExternalStoragePublicDirectory(DIRECTORY_NOTIFICATIONS) /storage/sdcard0/Notifications
Environment.getExternalStoragePublicDirectory(DIRECTORY_PICTURES) /storage/sdcard0/Pictures
Environment.getExternalStoragePublicDirectory(DIRECTORY_PODCASTS) /storage/sdcard0/Podcasts
Environment.getExternalStoragePublicDirectory(DIRECTORY_RINGTONES) /storage/sdcard0/Ringtones

*Note external storage behavior changes in API 29+. External storage is scoped per app and shared storage has to be
specified in order for files and data to be truly public.
Native Webview XSS

Webview XSS can be chained with deep links. The identifiers for vulnerable WebViews are similar
between Native and Flutter apps. By default, Native and Flutter apps aren’t susceptible to XSS
unless javascript is enabled.

Java Kotlin Flutter

WebView flagWebView = new WebView(this); val vulnWebView = WebView(this) @override

Widget build(BuildContext context) {
flagWebView.getSettings().setJavaScriptEnabled(true); vulnWebView.settings.javaScriptEnabled = true return WebviewScaffold(
flagWebView.setWebChromeClient(new vulnWebView.webChromeClient = WebChromeClient() url: url,
WebChromeClient()); vulnWebView.loadData(postText, "text/html", "UTF-8") withJavascript: true, // javascript enabled
withZoom: false,
hidden: true ,
 Flutter Webview XSS via Plugin
The official Flutter Webview plugin doesn’t support alert(), prompt(), etc.
https://github.com/flutter/flutter/issues/30358

Demo time!
The way values are handled is slightly different because Flutter uses the Dart programming
language. Javascript needs to be enabled in the Webview just like it does in the Native Webview.

1 2 3
Form value is transferred to a Javascript is enabled in the The user input value isn’t
WebView. WebView plugin. escaped and executed with the
javascript enabled webview.

Navigator.push( @override String runMyFuture(String stringValue) {

context, Widget build(BuildContext context) { getStringValuesSF().then((stringValue) {
MaterialPageRoute( return WebviewScaffold(
builder: (context) => MyHomePage(test: url: url, return
usernameKey.currentState.value,), withJavascript: true, // javascript flutterWebviewPlugin.evalJavascript(string
)); enabled Value);
withZoom: false,
hidden: true , });
return stringValue;
}
Native Deep Links
Specified in AndroidManifest.xml with a custom or web schema. There has to be at least a schema
specified for a deep link to work. It’s valuable to search the source code for the schema flag13:// or
:// in order to find other parameters.

Test command: adb shell am start -W -a android.intent.action.VIEW -d "flag13://rce"

Flutter Deep Links
Implemented via Flutter plugin uni_links. Deep links work the same way with Flutter just
implemented differently in the app. Deep links in Flutter can be tested with adb.

adb shell 'am start -W -a android.intent.action.VIEW -c android.intent.category.BROWSABLE -d "flag11://"'

After the deep link is specified in the Flutter app’s AndroidManifest.xml it’s programmatically
intercepted. This is an example from the plugin documentation.
Native Deep Link to Reflected XSS
Chaining a couple vulnerabilities together increases impact. There are a
couple preconditions here:

● Custom schema, Android activity needs to accept user provided data, and
● The Android Webview needs to have javascript enabled.

Demo time!
Native Deep Link to LFI
Depending on how the activity attached to the deep link in AndroidManifest.xml is
implemented, LFIs may be possible. FileProviders and pdf readers may open any file that
exists at a file path provided. With the example below any asset file provided as a
parameter can be streamed to a TextView.

Demo time!
More fun with deep links

Possible Go binary command execution via deep links in a webview:

Demo time!
Unicode Collisions
Android applications programmed with Java and Koltin are susceptible to unicode collisions.
This can lead to account takeovers via collisions that result from the usage of toLowerCase()
and toUpperCase().
Unicode Collision Example in Kotlin
This code is taking the post string value and converting it to all uppercase
characters. Databases sometimes toUpperCase or toLowerCase values to keep
data consistent.

Unicode collisions can effect mobile to web interactions .

Authentication Bypasses via Insecure Flutter
MaterialPageRoute
Navigator.push MaterialPageRoutes behave similarly to deep links except if not implemented
correctly will bypass application logic and validations. This is an example of using Navigator.push
correctly.
Insecure Implementation of Flutter
MaterialPageRoute
This implementation will bypass validation, the location of MaterialPageRoute’s can introduce
unexpected behavior that could leak sensitive data.

Demo time!
Easily Bypassable and Broken Encryption

Plugins for Cordova and Flutter. Any CBC cipher with a static IV and
hardcoded key. Hardcoded XORs or XOR bitwise operators that can be
found in assembly also make encrypted data vulnerable. This is an example of
a plugin that promotes hard coded keys and initialization vectors.

Analyzing this class discloses the type of cipher used.

Decryption Example from Java to Python
Static source code analysis may reveal the encryption keys then you can leverage them to
decrypt potentially sensitive data with a Python script or another programming language of
your choice.
Reversing an XOR Example
There’s only two steps in the process of reversing XOR encryption.

1. The XOR key.

2. Apply the XOR key again to get the original data.
Resources

Thank you!

https://github.com/OWASP/owasp-mstg
https://github.com/flutter/flutter/issues/30358
https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/
https://github.com/google/boringssl
https://gist.github.com/granoeste/5574148
https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/
https://github.com/sensepost/objection
https://github.com/NickstaDB/patch-apk
https://github.com/frida
https://github.com/B3nac/InjuredAndroid