I thought it'd be a fun kind of video. I could walk you through a general process of trying to do some bug hunting in Android, to sort of show how I would generally go about looking into an application if I were doing some research into one. So the very first thing is, before I decompile an APK, I'm going to install Drozer and I'm going to try the following things. I'm going to run the attack surface command against the application to see what different attack surfaces exist. If I see that there are activities that are exported and that there are services that are exported, or rather content providers that are exported, I'm going to try to start every activity to see what that gives me. If that gives me something that looks to be vulnerable or looks to be a problem, then I've already found some problems, right. And then I'm going to also run this injection command to see if any SQL injections exist. If they do exist, then we've already found a problem, right. So these are some very good low-hanging fruits that we can try to pick off when they're available, right. So then, aside from this, we can also try decompiling the APK, and there are a few things that you should generally be looking for when you decompile an APK.
There's actually one other thing that I'm going to add to the end so that we can remember to discuss it, which would be loadUrl. But starting with these ones: execSQL, query, rawQuery. These three functions are always typically going to be used to execute SQL. We should always look at them with great scrutiny to determine if they're using parameterised queries or if they're doing something unsafe. If we see something unsafe that we can potentially reach with user input, this gives us a place to potentially try to attack. So these are really great to try to search for. In general, most applications are going to have some form of database query; if we can find these database queries, we could potentially do something harmful, which is important to be able to determine in an application. The next thing is going to be to look for a Log.something. So it's usually a Log.d, Log.e; if you just type in "Log." you'll be able to find anything that has the Log being extended with some form of method. These are really important because they can tell us what sort of information is being logged by the application. This will let us easily pick off any sort of debug messages or error messages that could expose something sensitive.
We just need to determine how to get down that branch of code, and then we'll be able to expose those log values easily. The next thing is going to be to search for "password". In general, most people aren't going to hardcode passwords, but just in case they do, "password" could be a good thing to search for. If you see password equals something in plain text, then you've obviously found some sort of problem. So that's always a good one to search for. SharedPreferences is a really good thing to look for. This will be any of the shared preferences files. If we're writing to shared preferences, odds are that data is not going to be secure. If we can see what kind of data is being written and we see that it's something that should be treated with security, shared preferences is going to be a good way to show that, right. createTempFile: is something being created in the temp file that, again, has some sort of data in it that's supposed to be secure? Then we could potentially expose that, right. So this is a good thing to look for as well, to see what kind of data gets put into temp files. exec is a general sort of command that's used by Java to execute command-line type arguments, and there are a few different ones that exist, some that exist specifically for Android as well.
If you ever see a command line being run with user input, you might be able to get command injection, which is a very severe vulnerability. So I typically look for these and look for any instances where user input is being allowed in them. If that ever happens, we want to try to test that to see if we can do some sort of command injection on that, right. And then of course loadUrl. Because, as we learned, we can load URLs, or so we can load files, through the loadUrl function. So if we ever get the opportunity to get data into loadUrl, we might be able to load a specific file utilizing that. So this is something to always look out for as well. So in general, through these videos you should have a pretty good understanding of how to hunt for vulnerabilities in Android and how to be able to expose those vulnerabilities through decompiling as well as utilizing tools like Drozer here. In general, this should give you a little bit of an overview of the general flow of what we typically look for in vulnerabilities and how we typically go about looking for them, how someone like me would go about looking for a vulnerability if I'm searching for one.
So this should give you some good information to be able to get out there and start bug hunting in Android, whether it be your own applications, or looking for bug bounties, or testing other people's applications. This will give you a good solid set of foundations to be able to try out some vulnerabilities and learn all sorts of new stuff with this, using it as sort of a good foundation.