WEBVTT

00:00.990 --> 00:04.800
Now, apart from declaring the components of an application,

00:05.800 --> 00:12.850
the manifest file is also used to define attributes to enable certain features and to declare permissions

00:12.850 --> 00:14.470
needed by the application.

00:15.680 --> 00:23.300
Developers can leave their application vulnerable if they enable or misuse certain attributes, so we'll

00:23.300 --> 00:29.810
get a copy of the app's database using the debuggable option that we detected in the Android manifest

00:29.810 --> 00:30.220
file.

00:31.070 --> 00:31.930
Let's get into it.

00:33.050 --> 00:38.300
So open up bytecode and click on the Android manifest file.

00:40.260 --> 00:46.380
As I mentioned earlier, if an application is marked as debuggable, then an attacker can access the

00:46.380 --> 00:51.270
application's data just by assuming the privileges of that application.

00:52.160 --> 00:54.450
So let's have a look at the connectivity of the device.

00:57.700 --> 00:59.050
Doesn't appear to be a problem.

00:59.650 --> 01:08.050
All right, so run the adb shell and su shell command to start a shell on the emulator.

01:10.270 --> 01:17.920
Now we can switch to a non-root user using the run-as command to view the contents of the package's

01:17.920 --> 01:21.160
directory, where normally I wouldn't have that permission.

01:22.230 --> 01:28.470
Now, we've used the privileges of the InsecureBank app. As you remember, every app has a user ID

01:28.470 --> 01:29.190
on Android.

01:30.250 --> 01:31.600
So list files.

01:32.800 --> 01:34.210
There's a database folder.

01:35.400 --> 01:38.130
So go to this folder and list the files again.

01:39.500 --> 01:46.520
And look at this, mydb is the database of the application.

01:47.320 --> 01:48.490
Exit from the shell.

01:50.100 --> 01:56.760
And we can even use the run-as command to retrieve files that would normally be stored securely in the

01:56.760 --> 02:07.500
application's data directory. Run adb exec-out run-as com.android.insecurebankv2

02:08.010 --> 02:11.460
cat databases/mydb

02:12.940 --> 02:15.400
mydb-copy.

02:16.820 --> 02:20.090
So this is the command that gets the copy of the database.

02:21.160 --> 02:22.810
Now, let's list the files.

02:23.810 --> 02:30.290
OK, so we get the copy of the database, and this file is in SQLite file format.

02:31.180 --> 02:38.530
And yeah, so we can't read the file with text editors, but you can always open that file with

02:38.530 --> 02:38.860
SQLite.
