This article has been on my to-do list since very early last year and was never finished; it was only a short while ago that I talked about this topic at a salon.
In the past, security enthusiasts mostly studied the security of the app itself: remote control, app cracking, information theft. Few people paid attention to the security of the app's server side, and as a result it carries many vulnerabilities.
Mobile apps mostly talk to their server through web API services, which ties mobile security to web security. The server side is just another web application, so the common web vulnerabilities apply there too: SQL injection, file upload, middleware/server vulnerabilities and so on. But because many apps are not embedded web pages and instead call APIs that return JSON, a scanner's crawler never discovers those links.
(The content field is not related to me -_-|)
So I tried to find vulnerabilities on the app server side. At the moment I use two methods:
1. Decompile the APP
2. Capture packets through an HTTP(S) proxy
Some people may ask: the links obtained this way are scattered, so how do you find vulnerabilities in them? My approach is to submit all of the collected links directly to a multi-engine web vulnerability scanner, which can test them for SQL injection in batches. Beyond those vulnerabilities, the decompiled app and the captured traffic also expose a lot of other useful information. (For the proxy method, the proxy's CA certificate has to be trusted on the device before HTTPS traffic can be read, and an app that pins its server certificate will refuse to connect through the proxy.)
I. Decompile the APP
There are two decompilation routes: dex2jar and apktool, and their output differs. dex2jar converts the Dalvik bytecode into Java classes that a Java decompiler (jd-gui) can display as Java source, while apktool produces smali, the Dalvik assembly.
1. Decompile with dex2jar
Tools: dex2jar + jd-gui
Method:
A. Change the .apk extension to .zip
B. Extract the classes.dex file
C. Run dex2jar on it (dex2jar.bat classes.dex; newer dex2jar releases ship the script as d2j-dex2jar.bat / d2j-dex2jar.sh), then open the resulting .jar in jd-gui
The decompiled source is shown in the figure. Although some classes have been obfuscated by ProGuard (proguard.cfg), the code is still usable.
2. Decompile with apktool
Tool: apktool
This tool is simpler: decompile the APK file directly (apktool d apkfile). The output contains the smali disassembly, the res resource files, the assets configuration files and the lib native libraries; we can search the smali and resource files directly for links.
II. Use the app to find the real IP address of the website
Besides vulnerabilities on the app server, there is a more interesting use: the subdomains (interface hosts) found in the app can reveal the real IP address of the target website. In my experience most app interfaces are not fronted by a CDN or similar service, so resolving the API hostname often gives the origin address directly; it is worth confirming with a whois lookup on the returned address that it does not itself belong to a CDN provider's range.
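To turn the decompiled tree from section I into a link list for the scanner, and to get the host list that section II resolves when hunting for the origin IP, here is an added Python example that is not from the original post. It walks an apktool output directory, pulls URLs out of smali const-string literals and resource files, keeps bare paths (apps often build an endpoint by concatenating a base URL with a path), groups the URLs by host, and can resolve the hosts (that last step needs network access). The sample smali, the hostnames api.example.com / cdn.example.com and the paths in it are constructed for the example.

```python
"""Pull API links out of an apktool output tree and group them by host.

Constructed example, not the tool or script from the original post.
Assumes an apktool output directory (smali/, res/, assets/) as input.
"""
import os
import re
import socket
import tempfile
from collections import defaultdict
from urllib.parse import urlsplit

# Absolute http(s) URLs. The path stops at whitespace, quotes or angle brackets
# so that a URL inside a smali string literal or an XML attribute ends cleanly.
URL_RE = re.compile(r'https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s"\'<>\\]*)?')

# smali string literals: const-string v0, "..."  (also the const-string/jumbo form)
CONST_STRING_RE = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')

# Bare paths such as "/v1/user/update": still a lead even without the base URL.
PATH_RE = re.compile(r'^/[A-Za-z0-9_\-./]+(?:\?\S*)?$')

TEXT_EXTS = ('.smali', '.xml', '.json', '.js', '.html', '.properties', '.txt')


def extract_urls(text):
    """Return sorted unique absolute URLs found in a blob of text."""
    found = set(URL_RE.findall(text))
    for literal in CONST_STRING_RE.findall(text):
        # smali escapes string literals Java-style; undo the two that matter here.
        found.update(URL_RE.findall(literal.replace('\\"', '"').replace('\\/', '/')))
    return sorted(found)


def extract_paths(text):
    """Return sorted unique smali string literals that look like URL paths."""
    return sorted({s for s in CONST_STRING_RE.findall(text) if PATH_RE.match(s)})


def scan_tree(root):
    """Walk an apktool output directory and collect URLs and bare paths."""
    urls, paths = set(), set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(TEXT_EXTS):
                continue
            with open(os.path.join(dirpath, name), encoding='utf-8', errors='replace') as fh:
                text = fh.read()
            urls.update(extract_urls(text))
            paths.update(extract_paths(text))
    return sorted(urls), sorted(paths)


def hosts_by_domain(urls):
    """Group URLs by hostname: the host list is what gets resolved when looking
    for the origin IP, and the URL list is what goes to the scanner."""
    grouped = defaultdict(set)
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            grouped[host].add(url)
    return {host: sorted(group) for host, group in grouped.items()}


def resolve_hosts(hosts):
    """Resolve each API host to its A records (needs network; unresolvable hosts
    map to an empty list). Compare the result with the main site's CDN addresses:
    an API host that resolves somewhere else is a candidate origin address."""
    resolved = {}
    for host in hosts:
        try:
            resolved[host] = sorted(socket.gethostbyname_ex(host)[2])
        except socket.gaierror:
            resolved[host] = []
    return resolved


# Constructed sample smali, standing in for one file under smali/ after `apktool d`.
SAMPLE_SMALI = '''\
.class public Lcom/example/app/net/Api;
.super Ljava/lang/Object;

.method public static userInfo(I)Ljava/lang/String;
    .locals 3
    const-string v0, "http://api.example.com/v1/user/info?uid="
    const-string v1, "/v1/user/update"
    const-string/jumbo v2, "https://cdn.example.com/static/app.js"
    return-object v0
.end method
'''


def demo():
    """Write the sample into a temporary apktool-style tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        smali_dir = os.path.join(root, 'smali', 'com', 'example', 'app', 'net')
        os.makedirs(smali_dir)
        with open(os.path.join(smali_dir, 'Api.smali'), 'w', encoding='utf-8') as fh:
            fh.write(SAMPLE_SMALI)
        return scan_tree(root)


if __name__ == '__main__':
    found_urls, found_paths = demo()
    for host, group in hosts_by_domain(found_urls).items():
        print(host)
        for url in group:
            print('   ', url)
    print('bare paths:', found_paths)
```

Point scan_tree at the directory apktool produced (or at a folder of .java files from jd-gui; the URL regex does not care which) and write the URL list to a file for the scanner. The bare paths are the ones to join manually with the base hosts you found, since the scanner cannot guess the concatenation the app performs.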
Real IP address of Baishi encyclopedia