WEBVTT

00:00.500 --> 00:08.750
The next vulnerability in the login mechanism of Insecure Bank is the forgotten and hidden button for

00:08.750 --> 00:09.710
admin users.

00:10.940 --> 00:18.520
So we'll change the source code to display this button, rebuild, resign and reinstall it to the device.

00:19.480 --> 00:20.440
All right, let's get started.

00:23.280 --> 00:28.710
So let's make sure, first of all, that the Android emulator and application server are running.

00:30.460 --> 00:36.760
What I'll do is I'll merge the two screens together so you can see the changes instantly.

00:38.790 --> 00:45.330
So now let's check to see if Wi-Fi ADB is enabled and connect the emulator to Kali.

00:49.320 --> 00:50.760
All right, so it looks like we're ready.

00:51.540 --> 00:56.790
So first up, I want to show you the piece of code that has this vulnerability, so.

00:58.060 --> 01:00.070
Let's go to the bytecode viewer.

01:01.260 --> 01:02.880
And search for login.

01:04.780 --> 01:06.940
Find that method in the login activity.

01:16.060 --> 01:19.260
OK, here it is in the onCreate method.

01:21.000 --> 01:29.720
So here, a check is performed to determine if a resource string called is_admin is set to no.

01:30.120 --> 01:38.670
So if it's true, the setVisibility(8) method is used to set the button invisible without taking

01:38.670 --> 01:40.800
any space for layout purposes.

01:41.920 --> 01:48.970
So we can alter this value just by patching the application and changing the value from no to yes.

01:50.770 --> 01:57.070
So let's open up a terminal screen and change directory to where the APK file is.

01:59.620 --> 02:05.080
And we'll use something called apktool to decompile the APK.

02:06.540 --> 02:13.380
So we'll run the apktool d command and add the APK file.

02:15.540 --> 02:18.120
OK, let's go to the decompiled APK folder.

02:21.040 --> 02:25.930
And the file that we'll change is in the values folder, under the resources folder.

02:27.260 --> 02:30.650
Open the strings.xml file with the nano text editor.

02:32.950 --> 02:34.090
Scroll down.

02:38.520 --> 02:43.890
Yes, it's here, we'll just switch no to yes, and that'll make it visible.

02:44.820 --> 02:46.440
That's the hidden button, remember?

02:47.830 --> 02:49.600
So we'll save the file and exit.

02:51.560 --> 02:53.270
Now go back to the main directory.

02:55.140 --> 02:57.620
And now we need to rebuild the APK.

02:58.650 --> 03:02.190
So run the apktool b command.

03:04.340 --> 03:05.630
And now it's built.

03:07.440 --> 03:14.790
So the mobile OS will not allow you to install the rebuilt APK on your emulator or phone without signing

03:14.790 --> 03:19.830
it first, so to achieve this, we need to create a keystore.

03:22.840 --> 03:28.000
Give these parameters to generate a key. A password must be specified when creating the keystore,

03:28.390 --> 03:30.070
which will be needed later.

03:31.830 --> 03:33.690
And here we can skip these steps.

03:35.360 --> 03:37.760
Now in this step, write yes.

03:39.040 --> 03:43.480
OK, so see how that generates an RSA key pair.

03:48.020 --> 03:55.010
And now it's in the current directory, so let's sign the APK with this key using jarsigner.

03:59.040 --> 04:06.180
The same one we used to sign the APK file is not secure, of course, but we've specifically set it so

04:06.180 --> 04:07.350
that we can exploit it.

04:08.360 --> 04:12.020
So add the keystore and the rebuilt APK file.

04:13.140 --> 04:16.920
It is placed under the dist folder after rebuilding.

04:18.780 --> 04:22.230
Now we can finally add the alias and press Enter.

04:24.500 --> 04:28.920
Now, enter the password that we used when creating the keystore earlier.

04:29.600 --> 04:32.240
All right, resigning is complete.

04:33.730 --> 04:38.200
So let's verify that the APK has been signed using jarsigner.

04:39.270 --> 04:45.420
So run jarsigner -verify -verbose -certs.

04:46.400 --> 04:49.100
And add the rebuilt APK file.

04:51.810 --> 04:54.120
OK, so it's now verified.

04:56.100 --> 05:02.130
So finally, the APK is aligned for optimal loading using a tool called zipalign.

05:04.170 --> 05:09.450
So we'll install it quickly with a sudo apt install zipalign command.

05:11.140 --> 05:12.280
All right, so I already have it.

05:13.560 --> 05:20.280
And to align the APK file, just run zipalign with the -v parameter and add the number four.

05:22.240 --> 05:26.780
So the number four defines the byte alignment boundaries.

05:27.280 --> 05:36.250
Now, it's always got to be four because that provides 32-bit alignment, or else it basically does nothing.

05:38.300 --> 05:41.270
So then you can add the existing APK file.

05:42.860 --> 05:47.240
Give a full path and a name for the new APK file.

05:49.630 --> 05:53.940
OK, so the APK is now aligned and ready to install onto the device.

05:54.910 --> 06:02.170
Now, before installing the new APK, we need to uninstall the old one from the device, so we'll go

06:02.170 --> 06:02.830
to the app.

06:05.010 --> 06:09.840
So just click and hold on the app info.

06:10.880 --> 06:12.680
And uninstall.

06:13.760 --> 06:14.330
All right.

06:15.280 --> 06:21.490
Now we can install the new APK to the device with ADB, so first let's check the device. We'll go to

06:21.490 --> 06:22.120
the directory.

06:24.530 --> 06:27.200
And this is where you created the new APK.

06:28.590 --> 06:32.880
Run adb install and add the new APK file.

06:37.000 --> 06:42.250
As you can see in the screen, there is a warning because we installed the older version of the app.

06:43.270 --> 06:51.160
After Android 6.0 Marshmallow, Google Play Protect started warning users when they try to install

06:51.160 --> 06:53.800
apps targeting older Android versions.

06:55.960 --> 07:03.190
But for you and for me right now, we'll continue and disregard it because we want to test this APK file.

07:05.430 --> 07:12.780
All right, so as you can see, we have a success message and the new APK file is now installed.

07:14.570 --> 07:21.800
So Google Play Protect also asks us to scan the app, so we'll assume that the user didn't send the app

07:21.800 --> 07:26.150
for scanning. Let's open the Insecure Bank application.

07:28.350 --> 07:34.920
And like I said before, the version of Android 10 will ask us to access these files.

07:35.990 --> 07:43.490
Prior to Android 6, you could reasonably assume that if your app is running, it will grab all of the

07:43.490 --> 07:46.700
permissions that it declares in the app manifest.

07:48.040 --> 07:53.890
And for security testing, we will assume that the user has granted full access permissions for these

07:53.890 --> 07:54.370
files.

07:58.090 --> 07:59.260
And what are we looking at?

08:00.760 --> 08:03.130
We made the hidden button visible.

08:04.880 --> 08:10.150
So when you click on the button, you'll see that no function has been defined for this button yet.

08:11.070 --> 08:16.170
And it doesn't actually allow us to create a user, but.

08:17.560 --> 08:23.410
It could also have been defined, and it could pose a great risk, you get it.

08:24.740 --> 08:31.570
The important thing here in this test is that we can statically change the function of the application.
