Mobile app hacking is nothing new. Many people have performed different assessments and there are even courses all about it. Even so, many penetration testers may still be hesitant about performing these types of assessments, or may not do them well. Mobile application hacking is much like other forms of hacking. You can't get really good unless you regularly practice. So how can we get experience hacking mobile applications? Well, with over 1.5 million apps in the Google Play store and the Apple App store, there is no shortage of apps to play with. There are also numerous purposely vulnerable mobile apps you can download and test as well.
There are a number of different techniques for analyzing mobile applications. They include:
- File System Analysis
- Network Analysis
- Source Code Analysis
- Dynamic Analysis
For the purpose of this blog entry, we will be focusing on File System Analysis on Android. We will expand this into a series if there is a demand for it.
To access the file system contents of an app, you need the appropriate permissions. On Android, that usually means root access. During engagements, I have had customers say “Well you have root access. Without that you wouldn't have gotten to that data, and most people's devices aren't rooted.” A point well taken, and since I am in the business of showing true risk to an organization, I figured what better way than to create a tool that would allow access to the file system contents without root access, and thus, backHack was born.
backHack was created over 2 years ago, but I got busy and put the tool on the backburner. Fast forward to a few weeks ago when I found a new game: Alto's Adventure. The game is awesome for a time killer, and beautifully made. It took a long time to get to the next level and collect coins, and I decided it was time to dust off backHack and see what I could do with the application.
Instead of just telling you what I did, I will show you, and I encourage you to follow along on your own. First, we need to make sure we have Android Studio installed, or at least ADB (Android Debug Bridge) accessible in our PATH. We also need to have USB debugging enabled on our device. At this point, issue the command 'adb devices' and make sure your device is showing as connected.
Now we run backHack (python backHack.py).
backHack has been designed with a simple menu system that would be easy enough for an infant to use. We first need to select what app we want to "hack". For that, choose option 1, then select either option 1 to list all apps on the device, option 2 to search for an app, or option 3 to type in the name of the app. For our purposes we are looking at Alto's Adventure, so I will choose option 2, type in 'alto', and find the app name of 'com.noodlecake.altosadventure'. I then copy and paste that name under option 3, returning me to the main menu.
Next, I backup the app by selecting option 2. For this step, we will be prompted to unlock our device and confirm the backup operation.
Once the backup is complete, backHack extracts the backup, placing the file system contents under apps/<APPNAME>. In this case, it is apps/com.noodlecake.altosadventure.
We then can poke around the file system and see what is there. Some good places to look are under the sp folder (shared_prefs) and the db folder (databases). In the case of Alto's Adventure, there is an XML file named com.noodlecake.altosadventure.xml.
When we look at this file, we find settings for the app, including coins and level. I find it fun to make changes, and see what it does, so let's do that. We set coins to 999999999 and level to 60. (60 is the highest level currently, and we don't want to be greedy by going for $1,000,000,000 coins do we?)
After saving the file, we then go back to backHack and select option 3. This will repack the app data and restore it to your device. Again, you will be prompted to confirm the restore operation on the device.
Now that the app has been restored, we then open the application and see what happened. Boom! 999,999,999 coins, and level 61! (Notice the entry in the XML file was for currentGoalLevel, which we set to 60. The entry actually means “completedGoalLevel”. Also, coins are at 1,000,000,000. Guess they round up?)
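To make the backup-and-extract step concrete, here is an added example (my own illustration, not backHack's code) that parses the unencrypted "adb backup" archive format and pulls the key/value pairs out of the app's shared_prefs XML. The package name and the constructed sample XML mirror the Alto's Adventure values from the post; build_sample_backup is a test fixture that fabricates a one-file backup in the same format.

```python
# Added example, not backHack's own code: a minimal parser for the unencrypted
# "adb backup" archive. Format: four header lines (ANDROID BACKUP, version,
# compression flag, encryption algorithm), then a zlib-compressed tar whose
# entries live under apps/<package>/{_manifest,sp,db,f,...}.
import io
import tarfile
import xml.etree.ElementTree as ET
import zlib

MAGIC = b"ANDROID BACKUP\n"


def parse_backup(blob: bytes):
    """Validate the header and return (header_dict, TarFile)."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an Android backup file")
    version, compressed, encryption, payload = blob[len(MAGIC):].split(b"\n", 3)
    if encryption != b"none":  # AES-256 backups need the user's password first
        raise ValueError("encrypted backup; decryption not shown here")
    if compressed == b"1":
        payload = zlib.decompress(payload)
    header = {"version": int(version), "compressed": compressed == b"1",
              "encryption": encryption.decode()}
    return header, tarfile.open(fileobj=io.BytesIO(payload), mode="r:")


def shared_prefs(tar: tarfile.TarFile, package: str) -> dict:
    """Return {xml_name: {key: value}} for every file under apps/<pkg>/sp/."""
    prefix = f"apps/{package}/sp/"
    found = {}
    for member in tar.getmembers():
        if member.isfile() and member.name.startswith(prefix):
            root = ET.fromstring(tar.extractfile(member).read())
            # <int name="coins" value="..."/> uses an attribute; <string> uses text
            found[member.name[len(prefix):]] = {
                el.get("name"): el.get("value", el.text) for el in root}
    return found


def build_sample_backup(package: str, prefs_xml: bytes) -> bytes:
    """Constructed fixture: a one-file backup in the same on-disk format."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        info = tarfile.TarInfo(f"apps/{package}/sp/{package}.xml")
        info.size = len(prefs_xml)
        tar.addfile(info, io.BytesIO(prefs_xml))
    return MAGIC + b"1\n1\nnone\n" + zlib.compress(buf.getvalue())
```

adb backup skips apps whose manifest sets android:allowBackup="false", which is the direct mitigation for the exposure this post demonstrates.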
While this is a fun way to get extra lives, coins, or level up on a game, the same methodology can be used in any app. For instance, how about modifying your United app to show you have 14,000,000 miles, are Premier 1K, and Star Alliance Gold?
Often, beyond just modifying how an app behaves, you may find passwords or other sensitive information stored in the file system, and backHack shows the risk better than a rooted device does, since now ANY unlocked device can be accessed.