Security Research: application of mobile app security in penetration testing

This article was intended to be written since very early last year and has never been available. It was just a short time when a salon talked about such things.
 
In the past, security enthusiasts often studied local app security, such as remote control, application cracking, and information theft,
Most people have not noticed the security issues on the app server, so there are many security vulnerabilities in this section.
 
Mobile apps mostly interact with the server through web api services. This mode binds mobile security with web security. Mobile apps interact with the server in the form of web services. The server is also a website that displays information. Common web vulnerabilities also exist here, for example, SQL injection, file upload, middleware/server Vulnerabilities, etc. However, because some apps are not directly embedded into the web page, they use the api to return josn data, as a result, the scanner crawler cannot crawl the link.
 
It is the complete event list in the encyclopedia. The content field has nothing to do with me-_-|








So I tried to find the vulnerability on the app server. Currently, I think of two methods:
I,Decompile apps
II,Http [s]Packet capture by proxy
 
Some people may ask questions. The links obtained in these two methods are scattered, and it is difficult to find vulnerabilities, I am using this method to submit all the captured links directly to the multi-engine web vulnerability scanner, which can scan SQL Injection in batches. In addition to these vulnerabilities, there is still a lot of information available.
 
I. decompile the APP
There are two decompilation Methods: dex2jar and apktool. The Decompilation effects of the two tools are different. dex2jar decompilers java source code and apktool decompilers java assembly code.
1.Dex2jarDecompilation
Tool: dex2jar + jdgui
Method:
 

• Change apk to zip Extension

B. decompress the classes. dex file.
C. Use dex2jar for decompilation (dex2jar. bat classes. dex)








The decompiled source code is shown in. Although the configuration of partial classification is confused by proguard. cfg, it can still be used.







 
2.ApktoolDecompilation
Tool: apktool
This tool is relatively simple. You can decompile the apk file directly (apktool d apkfile). The decompiled items include the smali disassembly code, res resource file, assets configuration file, and lib library file, we can directly search for smali files and resource files to find links.







Use appSearch for the website's real IP Address
 
In addition to the vulnerabilities on the app server, there is also a more interesting way to use the sub-domain ip addresses in the app to find the real IP addresses of the target website. Based on experience, most app interfaces do not use cdn or other services.






Real IP address of Baishi encyclopedia






Method 2: http [s]Packet capture by proxy
This method sets a proxy on a mobile device to allow the app to interact with the server through manual operations,
 
Steps:
A. Enable proxy on the packet capture machine. You can use burp for testing. You can write a proxy program by submitting scan tasks automatically and set the proxy server for mobile devices.







 
B. Operate the app on a mobile device. The proxy crawls the following.









Summary:
The entire idea has been very clear, so what we need to do is to automate this process. There is a problem after decompilation, the url is not necessarily complete, and many URLs are spliced, I tried to write an analysis engine, automated decompilation, and then analyzed the source code, spliced the complete api url, and then scanned the vulnerability.
It is a simple demo written in 2013. It will be written in python later and put on the server.





You can brainstorm more ways and share some interesting things after some time.