00:00:00,792 --> 00:01:10,980
[Instructor] Hi, within this lecture we are going to see how to manipulate our app, how to manipulate our APK, so that it will trust the certificates that we have downloaded, the SSL certificates that we have downloaded from Charles Proxy. So this is not only for this purpose; if you know how to do this, you can use it in your other penetration tests as well. So this is very critical. As I said before, developers should actually allow the app to trust the certificates. And most of the developers do not have that intention, because why would they do it in the first place? It's not very safe; if they don't have any specific purpose, they won't do it. But we are going to edit the APK with APKtool, and we are going to add our own configuration, and we will build it again. So I'm going to open my GitHub page, and I believe Charles is stopping us from doing so, so I'm going to stop Charles. I suggest you do that as well and try to open my GitHub page.

00:01:10,980 --> 00:02:40,710
Okay, so go to the SecureTweet application that you have seen before, and in the app folder, go to source, main, and over here you will see the Android manifest. You will see the network security configuration over here. As you can see, this is a different configuration than we have seen before. And I have edited this so that you can find it when you need it, okay? So you can copy and paste it when you need it. So of course this won't be here generally, and this is the change that we need to do in our own app as well. And you can actually debug your app or decompile your app using APKtool and add this line if you want to change the settings of the default network security configuration. And we are going to create this xml file, and we will manipulate it in a way that it will trust the certificates that the user has downloaded, okay? So we need to decompile our app, and we need to edit the manifest, and we need to create this xml file, and we need to change the content of that xml file.

00:02:40,710 --> 00:04:08,580
And then we are going to build it one more time, and then we will be able to actually trust the app, trust the certificates inside of our app, so that it can send the SSL requests within Charles Proxy. So this is what we are going to do, and let me open the app over here in the resources folder, and you will see the xml folder and the network security config xml over here as well, so that you can take the content and copy and paste it in order to avoid any errors that you may encounter during this process. So this is exactly why I have edited this, okay? So when you need it, you can come over here to my GitHub page and copy and paste the content. And if you look at the content, it's a network security configuration and it actually trusts the certificates. So as you can see, Charles will only run for 30 minutes because we are running on a trial version. So it's not important, just say okay and make sure you open Charles one more time from scratch. And when you open it, it will just run as before and we will be able to see the traffic in Charles.

00:04:08,580 --> 00:05:43,110
So as you can see, it delays for 10 seconds because it's the trial version; it really doesn't matter for us, we can wait for 10 seconds and it will run once we have started. So I'm going to open the app debug folder, because we have already decompiled it, right? And I'm going to open the Android manifest with TextEdit. So I'm going to zoom in a little bit like this. And over here, we are going to add the network security thing. So let me open the manifest over here and, as you can see, it's under the application tag. And I'm going to copy it from here, okay? And I'm going to paste it under the application tag. So let me find the application tag, and, here you go, I believe it's over here, yep, application tag. I'm going to leave a space and paste it in this space like this. So now it will try to find this xml folder and network security config file, and it will read the content out of it. But since we don't have this xml, now we have to create it and make sure it's in the right folder. So I'm going to open this in TextEdit and make sure it's over there. Yep, it's over there.

00:05:43,110 --> 00:07:07,830
I'm going to save it and close it. So far so good. Now we need to go to res and find out if we have an xml folder. No, we don't have any xml folder. We can create a folder, right? We can create any folder and call it xml if we want. So I'm going to do that. I'm going to create a new folder here and call it xml. And I'm going to just take this folder and put it inside of the res folder. So now we have the xml. So all I have to do is just create an xml file and change the content with the content that you are seeing over here. So this one, yep. So as you can see, it actually ends with the .xml extension and it has this content. So make sure you copy this, and create an xml file, and paste the content over there. So you can download the xml file from here if you like, but most of the time you won't have to deal with this, okay? And you don't have to download everything over here just for this xml file; you can just get an xml file from here, like from layout, for example, okay? This is an xml file, just copy it and just paste it in your xml folder.

00:07:07,830 --> 00:08:34,650
So I'm going to copy this, okay? I'm going to come over here. I'm going to paste it inside of this folder. And of course I need to change its name to network_security_config, like this. It has to be exactly the same, right? Like in the manifest, like this, network_security_config. Make sure it's the same. And now I'm going to change the content of it. So I'm going to delete everything from here, and I need to copy it one more time from there. And I will paste it like this. So I'm going to save this and close this down. Here you go, now we have the configuration file, and it actually complies with the system and user certificates inside of the Android phone right now. So now we are ready to build this APK from scratch, and I'm going to delete this older APK because we are going to build it one more time, and I'm going to open my terminal to do so, because we are going to use APKtool like before, okay? So maybe if you're on Windows you may need to just send this folder to your Kali Linux and do it from there. And you need to go to the folder that your file resides in.

00:08:34,650 --> 00:10:07,080
And when you see that folder like this, you can run APKtool, and this time, rather than d, I'm going to call it b because we are building it, and I'm going to say app debug. This is the folder name that I have over here, and I'm going to hit enter. So it will create a new APK for us, and we're going to build the APK with the manifest, with the xml that we have created. And since I haven't specified any output file, it should have put the new APK inside of this app debug folder. Now we can use it to get the traffic from our emulator, from our app. Okay, so I'm going to open this, and it should be in the distribution or build folder. Let me see, yep, here you go. Not this one. Maybe we can go for the distribution folder. Yep, here you go. So the app debug APK is over here, so I'm going to take this, okay, and I'm going to use this APK from now on. So make sure you find your own and use it. So I'm going to open this APK in my emulator like this. And as you can see, it gives me an error, because why? Because we haven't signed it yet, right?

00:10:07,080 --> 00:10:22,743
We need to use jarsigner and the other tools that we need in order to sign it. So we're going to do it again, and we are going to install it, then we can actually capture the traffic. So let's do that within the next lecture.