Installing ARM Android apps on Genymotion devices

Hi, this is a quick tip for anyone interested in testing the security of Android apps without using a physical device.

Genymotion is generally recommended over using the Android SDK emulator provided with Android Studio, because it is more performant.
Only Genymotion is x86-based, so if you try to install an app including ARM code on any Genymotion device, you will get this error that you wouldn’t have on a physical device:

An error occured while deploying the file.
This probably means that the app contains ARM native code and your Genymotion device cannot run ARM instructions. You should either build your native code to x86 or install an ARM translation tool in your device.

arm-on-genyotion-error.png

This will prevent you from installing a lot of apps that you may need for bug bounty hunting like Twitter, Netflix, Pinterest, Snapchat, etc.

More …

Conference notes: Practical recon techniques for bug hunters & pen testers (LevelUp 0x02 / 2018)

Hi, these are the notes I took while watching the “Practical recon techniques for bug hunters & pen testers” talk given by Bharath Kumar on LevelUp 0x02 / 2018.

practical-recon-techniques.png

About

This talk is about some practical recon techniques for bug hunters & pentesters. It’s a continuation of Bharath’s talk about niche subdomain enumeration techniques.

More …

The 5 Hacking NewsLetter 23

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 5 to 12 of October.

T5HN23.png

Our favorite 5 hacking items

1. Book of the week

The Art of Subdomain Enumeration by Appsecco

The folks from Appsecco regularly share great information and tools on recon and particularly subdomain enumeration, including two LevelUp talks and now this free book. I highly recommend it, but make sure to take notes and integrate the different techniques into your subdomain enumeration methodology to benefit from it.

More …

List of intentionally vulnerable Android apps

This is just a quick blog post to share a list of intentionally vulnerable Android apps that you can use for training. Some are less known that others and I had to dig a little to find them (especially the new ones), so I’m sharing them in case you want to work on your mobile hacking skills.

They are sorted by “last update” date:

App Last updated Type of app Vulnerabilities (not exhaustive)
SecurityShepherd Oct 01, 2018 Web & mobile app Broken crypto
Insecure data storage
Poor authentication
Untrusted input
Reverse engineering
Weak server-side controls
Client side injection
Content provider leakage
Unintended Data Leakage
owasp-mstg Sep 13, 2018 Reverse engineering
Damn Vulnerable Hybrid Mobile App (DVHMA) Aug 20, 2018 Hybrid (Cordova) Insecure logging
XSS
SQL injection
VulnerableAndroidAppOracle Jul 16, 2018 Native (Java) Flawed Broadcast Receivers
DoS
AdLibraries
Android Javascript
Activities access
Content providers
Insecure data storage
Data sent over HTTP
Intent sniffing
XML info disclosure
Android InsecureBankv2 Jul 15, 2018 Native (Java) Flawed Broadcast Receivers
Intent Sniffing and Injection
Weak Authorization mechanism
Local Encryption issues
Vulnerable Activity Components
Root Detection and Bypass
Emulator Detection and Bypass
Insecure Content Provider access
Insecure Webview implementation
Weak Cryptography implementation
Application Patching
Sensitive Information in Memory
Insecure Logging mechanism
Android Pasteboard vulnerability
Application Debuggable
Android keyboard cache issues
Android Backup vulnerability
Runtime Manipulation
Insecure SDCard storage
Insecure HTTP connections
Parameter Manipulation
Hardcoded secrets
Username Enumeration issue
Developer Backdoors
Weak change password implementation
Purposefully Insecure and Vulnerable Android Application (PIIVA) Feb 4, 2018 Native (Java) Usage of weak Initialization Vector
Man-In-The-Middle Attack
Remote URL load in WebView
Object deserialization
SQL injection
Missing tapjacking protection
Enabled Application Backup
Enabled Debug Mode
Weak encryptionvHardcoded encryption keys
Dynamic load of codevCreation of world readable or writable files
Usage of unencrypted HTTP protocol
Weak hashing algorithms
Predictable Random Number Generator
Exported Content Providers with insufficient protection
Exported Broadcast Receivers
Exported ServicesvJS enabled in a WebView
Deprecated setPluginState in WebView
Hardcoded data
Untrusted CA acceptance
Usage of banned API functions
Self-signed CA enabled in WebView
Path Traversal
Cleartext SQLite database
Temporary file creation
Sieve app Feb 2, 2016 SQL injectionvDirectory traversal
Insecure Content Provider access
Authention bypass
Data leakage
android-test Jan 22, 2016 Native (Java)
Damn Insecure and vulnerable App for Android (DIVA Android) Jan 15, 2016 Native (Java & C) Insecure Logging
Hardcoding Issues
Insecure Data Storage
Input Validation Issues
Access Control Issues
Hardcoding Issues
DodoVulnerableBank Oct 4, 2015 Native (Java)
Digitalbank Aug 15, 2015 Native (Java)
Vulnerable APK Application May 21, 2014

FIY, sieve can be tested with Drozer for automation. They’re from the same authors. And sievePWN provides examples of malicious apps which exploit some of sieve’s vulnerabilities.

Also, I determined each app’s type just by quickly looking at their source code, without testing all of them. If you notice any mistake, please notify me!


Let me know if you have any comments, requests for tutorials, questions, etc.

See you next time!


The 5 Hacking NewsLetter 22

Hey hackers! These are our favorite resources pertaining to pentesting and bug hunting for last week.

It covers the period from 28 of September to 05 of October.

T5HN22.png

Our favorite 5 hacking items

1. Resource of the week

Mobile Security Testing Guide (MSTG) v1.0.1 by OWASP

This is an awesome guide on mobile security testing! I’ve been reading through it because I’m preparing a training on Android hacking and it is very good quality information on hacking Android & iOS apps for both beginners and experienced testers.

More …