1 00:00:01,110 --> 00:00:05,510 Another common class of security vulnerabilities in Android applications 2 00:00:05,560 --> 00:00:09,240 is known as hardcoding issues. With hardcoding issues, 3 00:00:09,240 --> 00:00:16,860 the problem is mostly the act of hardcoding information into our source code that is potentially exposing 4 00:00:16,860 --> 00:00:22,050 information about how the application runs, or maybe exposing something like a username or password or 5 00:00:22,050 --> 00:00:23,940 some sort of sensitive data. 6 00:00:23,940 --> 00:00:27,950 We're going to take a look at two types of hardcoding issues in this video. 7 00:00:27,990 --> 00:00:33,780 The first one is sort of the classic hardcoding issue, where we've hardcoded a password into some Java 8 00:00:33,810 --> 00:00:38,880 file and, since we compile it, we figure no one is going to be able to decompile it and be able to 9 00:00:38,910 --> 00:00:39,990 get to that password. 10 00:00:39,990 --> 00:00:44,550 However, that's not the case, as we can see through decompiling. And then the other one will be a 11 00:00:44,550 --> 00:00:49,980 little bit more complex, which will involve actual shared libraries and shared objects, and discussing 12 00:00:49,980 --> 00:00:53,490 how we can potentially extract passwords from those as well. 13 00:00:53,610 --> 00:01:00,380 So you'll see in this one we need to enter in some sort of vendor key in order to access this section. 14 00:01:00,450 --> 00:01:04,630 So if we try to access it, it'll say access denied if we enter the wrong values. 15 00:01:04,740 --> 00:01:10,830 So in order to extract the password for this, we need to first find the activity that corresponds to 16 00:01:10,830 --> 00:01:12,170 this login page. 17 00:01:12,180 --> 00:01:15,390 And in this case it would be HardcodeActivity. 18 00:01:15,420 --> 00:01:18,420 Now a lot of the time it might not be named exactly like this.
19 00:01:18,420 --> 00:01:23,100 It might not be as easy to find the activity. If you need to try to find it, you can also take 20 00:01:23,100 --> 00:01:28,170 a look at the log messages or the displayed messages in the alerts. 21 00:01:28,170 --> 00:01:30,990 So as you can see, this one has that same access denied message, 22 00:01:30,990 --> 00:01:36,600 so we know that we're probably in the right place. Now looking at this code, we can see that we're taking 23 00:01:36,600 --> 00:01:43,410 a look at the hckey text field: we're getting the text and checking if the string equals "vendorsecretkey". 24 00:01:43,410 --> 00:01:49,350 So as you can see, we've hardcoded in the password, and this means that it's very easy for someone 25 00:01:49,350 --> 00:01:53,220 to decompile this application and figure out the password for this. 26 00:01:53,220 --> 00:02:00,420 So now from here we can just type in vendorsecretkey and press access, and as you can see, access granted 27 00:02:00,450 --> 00:02:01,840 in this case. 28 00:02:01,890 --> 00:02:08,280 So this is one type of very common hardcoding problem, where we hardcode a password in plain 29 00:02:08,280 --> 00:02:14,130 text rather than doing something like obscuring it or encrypting it or hashing it, or, you know, putting 30 00:02:14,130 --> 00:02:16,260 it on a server or something like that. 31 00:02:16,260 --> 00:02:18,880 There's a whole lot of different things that we could be doing that aren't 32 00:02:18,880 --> 00:02:24,540 this. Primarily we would want to potentially hash the password in order to protect it. 33 00:02:24,600 --> 00:02:29,670 But even then, someone could get the hashed password and try to brute force it with an offline 34 00:02:29,670 --> 00:02:30,510 attack. 35 00:02:30,510 --> 00:02:32,650 So that's not really the best way to do it.
36 00:02:32,670 --> 00:02:37,770 Typically what we'd want to do here is verify on the server side, or place it somewhere that someone 37 00:02:37,770 --> 00:02:40,580 wouldn't be able to access it if they did decompile the application. 38 00:02:40,580 --> 00:02:42,930 So that'd be the key idea. 39 00:02:43,140 --> 00:02:49,140 So let's go ahead and discuss the other type of hardcoding issue. This one is relatively similar: 40 00:02:49,140 --> 00:02:53,820 again we have to enter in a password; if we get the wrong password it will give us the access denied 41 00:02:53,910 --> 00:02:59,610 message, and if we enter in the correct password it'll say access granted. When we look at the hardcoded 42 00:02:59,610 --> 00:03:05,430 activity, which is Hardcode2Activity, you'll see that things are slightly different here. 43 00:03:05,850 --> 00:03:09,840 You see it's calling djni.access. 44 00:03:09,840 --> 00:03:17,730 So this is a method from the DivaJni, or djni, object, which is this one here. 45 00:03:17,730 --> 00:03:23,160 So what we're going to do is find this class to determine what the access method is actually 46 00:03:23,160 --> 00:03:24,330 doing. 47 00:03:24,360 --> 00:03:31,560 So if I go into this class here, which I have here, DivaJni, you'll see that there's a static load 48 00:03:31,770 --> 00:03:38,290 that happens, so it's loading a shared library, and the .so name is divajni. 49 00:03:38,370 --> 00:03:44,520 So as we discussed, we can find shared objects under Resources, under lib, and you'll see that 50 00:03:44,520 --> 00:03:46,790 it's compiled for every different type of processor. 51 00:03:46,800 --> 00:03:48,690 But each of these shared objects is going to be the same, 52 00:03:48,690 --> 00:03:52,040 the main difference being the assembly language that it's targeting. 53 00:03:52,080 --> 00:03:55,350 So really any of these is going to be able to give us the information.
54 00:03:55,800 --> 00:04:00,990 So these shared object libraries, as we discussed, can't really be decompiled in the traditional sort 55 00:04:00,990 --> 00:04:01,320 of way. 56 00:04:01,320 --> 00:04:04,380 We can't go from a shared object to source code. 57 00:04:04,380 --> 00:04:08,520 However, what we can do is search these shared objects for strings. 58 00:04:08,520 --> 00:04:13,560 So what I mean by this is that any sort of static text we're able to extract from these shared 59 00:04:13,560 --> 00:04:15,090 object libraries. 60 00:04:15,090 --> 00:04:16,990 There's a number of different ways to do it. 61 00:04:17,010 --> 00:04:23,850 I like to use a utility called strings, and what strings does is essentially allow us to search 62 00:04:23,850 --> 00:04:29,300 the whole library for these static strings. So you can see here I've grabbed a copy of the library. 63 00:04:30,380 --> 00:04:36,500 If you want to grab a copy of the library, what you can do is change this .apk to a .zip file, and 64 00:04:36,510 --> 00:04:41,550 then once you do this you can open up this app and go into the lib folder like before 65 00:04:41,580 --> 00:04:44,700 and then extract the file from there. 66 00:04:44,730 --> 00:04:48,750 So that would be the way that you would be able to extract it, if you're looking to extract it onto your 67 00:04:48,750 --> 00:04:54,840 device, and then utilizing strings we're able to search it for any sort of text that may exist. 68 00:04:54,870 --> 00:04:57,460 So let's go ahead and open up the command line. 69 00:04:57,480 --> 00:05:01,980 I'm going to cd to this directory, and then the way that it works is you just type strings 70 00:05:01,980 --> 00:05:05,690 and then the name of the file that we want to search. 71 00:05:05,700 --> 00:05:07,480 So it would be 72 00:05:07,590 --> 00:05:09,430 libdivajni.so.
73 00:05:09,920 --> 00:05:16,010 And you can see here we get all the text strings that exist inside of that .so file. 74 00:05:16,020 --> 00:05:21,420 Now from here we have to do a little bit of thinking to be able to extract the ones that are important 75 00:05:21,420 --> 00:05:22,780 to us. 76 00:05:23,010 --> 00:05:25,820 You'll notice all these dot ones here. 77 00:05:26,160 --> 00:05:31,410 If you have some familiarity with assembly languages, you'll know that these dots will typically 78 00:05:31,410 --> 00:05:35,100 correspond to labels, or points to jump to. 79 00:05:35,100 --> 00:05:41,700 So these dot entries aren't, like, text data. 80 00:05:41,850 --> 00:05:48,190 These aren't really as important to us because they're just, sort of, divisions of the file itself. 81 00:05:48,270 --> 00:05:50,520 So we aren't really interested in those. 82 00:05:50,720 --> 00:05:55,200 We can see that this GNU GCC one is probably telling us what this was compiled with. 83 00:05:55,220 --> 00:05:59,850 So this information again isn't necessarily relevant or interesting. 84 00:05:59,850 --> 00:06:05,800 The "1.1" looks to me like a version number of something, and we can see here it's called 85 00:06:05,880 --> 00:06:06,740 hyphen version. 86 00:06:06,750 --> 00:06:09,360 So this is probably just a version number. 87 00:06:09,360 --> 00:06:11,430 So that's not necessarily important. 88 00:06:11,460 --> 00:06:14,340 You can see these are other shared objects that are being used. 89 00:06:14,340 --> 00:06:17,480 So again these aren't really particularly important. 90 00:06:17,520 --> 00:06:19,970 These again are mostly labels. 91 00:06:20,010 --> 00:06:23,080 So it indicates the end of .bss, the start of the data. 92 00:06:23,220 --> 00:06:26,670 So those aren't really something that's going to be interesting.
93 00:06:26,670 --> 00:06:32,460 Similar with these here, for the same reasons. strcpy is a C function that's likely being used 94 00:06:32,460 --> 00:06:33,950 inside of here. 95 00:06:34,020 --> 00:06:41,640 These appear to be just information about the actual library itself, which will leave us with 96 00:06:41,730 --> 00:06:46,000 these three pieces of information, as well as this. 97 00:06:46,080 --> 00:06:53,440 So when we're taking a look at these, we sort of want to extract which ones are relevant to us. So from 98 00:06:53,440 --> 00:06:57,490 these we can essentially just trial-and-error them to see which one is the correct 99 00:06:57,970 --> 00:06:59,510 input. 100 00:06:59,530 --> 00:07:03,490 There are some other ways that we can look at these and be able to decode information from 101 00:07:03,490 --> 00:07:03,990 them. 102 00:07:04,030 --> 00:07:07,960 Usually when they have the dollar sign character inside of them it means that there's some sort 103 00:07:07,960 --> 00:07:13,330 of scripting thing related to them; it potentially could be an argument in a bash script or something 104 00:07:13,330 --> 00:07:14,130 like that. 105 00:07:14,290 --> 00:07:19,960 A lot of the time these will correspond to code lines, for instance, which means that this is probably 106 00:07:19,960 --> 00:07:22,750 the only one that's just general text. 107 00:07:22,750 --> 00:07:27,370 So if we think that this one is the right one, then we can bring it over here and try to put it in and 108 00:07:27,370 --> 00:07:28,300 see what will happen. 109 00:07:28,300 --> 00:07:36,600 So "olsdfgad;lh": when we try to access, you'll see that we get access granted. 110 00:07:36,630 --> 00:07:40,190 So obviously this is the proper password for it.
111 00:07:40,530 --> 00:07:45,810 So you can see from here that even though we can't necessarily decompile these shared objects, we can 112 00:07:45,810 --> 00:07:48,620 still search them for the strings that exist in them. 113 00:07:48,750 --> 00:07:53,910 And if we have a hardcoded string inside of there, we're going to be able to extract that string and 114 00:07:53,910 --> 00:07:56,370 potentially leak information such as the password. 115 00:07:57,450 --> 00:08:03,900 So this video gives you a bit of an idea of how hardcoded text is able to be utilized to potentially 116 00:08:03,900 --> 00:08:06,060 expose data about Android applications. 117 00:08:06,060 --> 00:08:11,730 So these sorts of vulnerabilities do happen every so often, and a lot of the time the shared object ones 118 00:08:11,730 --> 00:08:16,710 are maybe a bit more common because people are a bit less careful when they think that the thing can't 119 00:08:16,710 --> 00:08:17,660 be decompiled. 120 00:08:17,670 --> 00:08:24,660 But also, if they obscure the files at all, if we can sort of manage to un-obfuscate the code 121 00:08:24,930 --> 00:08:28,230 or decrypt the code, we can potentially figure out these passwords. 122 00:08:28,230 --> 00:08:35,370 So not only is plaintext information necessarily a bad idea, but also even just putting hashes 123 00:08:35,400 --> 00:08:40,950 into the code could be dangerous, because then you can do password-based attacks to try to crack 124 00:08:40,950 --> 00:08:41,280 them. 125 00:08:41,280 --> 00:08:45,390 So this gives you a general idea of the sort of things that you can look out for for these types of 126 00:08:45,390 --> 00:08:48,990 vulnerabilities, so now you can take a look for these in any applications.
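As an added example (not part of the video, and not the app's own code), here is a small Python script that does what the strings pass above does, then applies the same noise filters the narrator applies by hand (section labels, the GCC tag, linked libraries, linker symbols, libc imports, JNI exports) so that only candidate hardcoded values remain. It is the kind of check a developer can run over their own .so files before shipping. The byte blob is constructed, not a real ELF file, and the JNI export's package name is an assumption.

```python
import re

# Constructed sample blob standing in for a shared object such as libdivajni.so.
# It is not a real ELF file: it just contains the kinds of strings the video
# walks through (section labels, compiler tag, linked libraries, linker symbols,
# a libc function, a JNI export) plus one hard-coded key. The JNI export's
# package name is an assumption.
SAMPLE_SO = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b".text\x00.data\x00.bss\x00.rodata\x00"
    + b"GCC: (GNU) 4.9\x00"
    + b"libc.so\x00libm.so\x00"
    + b"__bss_start\x00_edata\x00_end\x00strcpy\x00"
    + b"\x01\x02olsdfgad;lh\x00\x03\x04"
    + b"Java_com_example_app_DivaJni_access\x00"
)

# Strings the narrator discards by hand; each pattern names the reason.
NOISE = [
    re.compile(r"^\.[A-Za-z_.]+$"),                            # section labels (.text, .bss)
    re.compile(r"^GCC: "),                                      # compiler identification
    re.compile(r"^lib[\w+.-]*\.so"),                            # other shared objects linked in
    re.compile(r"^(__bss_start|_edata|_end|_init|_fini)$"),     # linker symbols
    re.compile(r"^(strcpy|strlen|strcmp|memcpy|malloc|free)$"), # libc imports
    re.compile(r"^Java_\w+$"),                                  # JNI export names
]


def extract_strings(blob, min_len=4):
    """Behave like the strings tool: runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def candidate_secrets(blob, min_len=4):
    """Strings left after removing the noise categories above."""
    return [s for s in extract_strings(blob, min_len)
            if not any(p.search(s) for p in NOISE)]


if __name__ == "__main__":
    for s in candidate_secrets(SAMPLE_SO):
        print("possible hard-coded value:", s)
```

Run it against a real library by replacing SAMPLE_SO with the bytes read from the extracted .so file; anything that survives the filters deserves a look before release.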