Skip to main content

Damn Vulnerable Android Application by Security Compass - Lab 1 Insecure Connection (Traffic over HTTP)

Lab 1 Insecure Connection (Traffic over HTTP)


Here we are gonna do some andoroid app testing for Insecure Connection (Traffic over HTTP) as in previous post I have shown you from downloading the app, instaling it on emulator, setting-up of lab server, its dependencies installation and starting the server.


The base (EMM.apk) application will be used throughout the app testing. In this we will sniff the mobile app and server traffic.

Android Emmulator can sniff data from android apps and create a .pcap file for this give below command
emulator.exe -avd testing -tcpdump testing.cap


 Now all the traffic will be captured in testing.cap file
Thats it now we are ready to start the server and launch our app.


After launching the app it will ask for login credentials as this app is developed on the lines of banking app.

Default login credentials:
  • Username: jdoe
  • passwd: password
Setting-up Pin

 After settin-up of pin we will be logged-in into the app like below

 

Now we have to open that testing.cap file in to packet analyzer like wireshark.
we loaded the pcap file on wireshark and found the login credentials are passing out in plain text



Solution:

As we saw that credentials are passing in plaintext over wire so this could be result in unauthorized access to login credentials so workaround is enable the HTTPS by enabling the server to start with ssl
app.py --ssl --port 8081
and enable the HTTPS in preferences tab in the app

Lab 2 Server Side Authorization Issue

Comments

  1. Unknown17 October 2017 at 20:39

    thanks

    ReplyDelete
  2. Anuraj13 July 2021 at 09:35

    Nice Blog...Waiting for Next Update..

    mobile app development companies in chennai
    mobile app development company in chennai

    ReplyDelete
  3. Nancy taylor9 March 2022 at 05:30

    Nice Blog thanks for sharing information about android app development

    ReplyDelete
  4. Harry4 April 2022 at 02:24

    Android software development is the process of creating applications for devices that run the Android operating system. Google claims that "Android app development may be created using Kotlin, Java, and C++ languages" using the Android software development kit, while additional languages are also supported.

    ReplyDelete

Post a Comment

Popular posts from this blog

Android Damn Vulnerable App by Security Compass

Tutorial of Android Damn Vulnerable App by Security Compass Introduction: Hi folks, today I am gonna show you some hands on or tutorial of the android app testing which I done during my R&D of android app security testing. Here I will show you from scratch setting up of Lab Server to testing of application. In this you will learn on below topics: 1)Insecure Connection (Traffic over HTTP) 2)Server Side Authorization Issue 3)Insecure File Storage 4)Insecure Logging 5)Encryption of data on device 6)Memory Protection Setting-up of lab (App & Server) First of all you have to download the base app which is damn vulnerable from here . After downloading zip and extracting it you have to build it in .apk format using Eclipse IDE. Now you have to install the app in the emulator before that you have to make sure that you installed SDK and its packages. To install the app you have to start emulator using AVD and clicking on "Start" or by command line emul
25 comments
Read more

Drozer Commands - A Security & Attack Framework for Android

What is Drozer? Drozer is a Security & Attack Framework for Android Application Testing. Drozer is a tool that can be used for Mobile device review , Secure development of applications, BYOD approval and Mobile application testing. There are 2 Versions of Drozer an Open Source and other one Pro version having following features Gathering the information about the application Find the attack surface Test your Exposure to Public Exploits Execute dynamic code on a device, to avoid the need to compile and install small test scripts. Start Android emulators, provisioned with the drozer Agent and the app you want to investigate. Simulate sensor input, such as GPS, to emulators to test the full attack surface. View the attack surface as a graph. this will be helpful for the risk assessment reporting. Drozer is having agent & server architecture so to start with assessment we have to install the agent in the emulator or connected device. Command to install the Dr
6 comments
Read more

OWASP IoT (Internet of Things) Top 10 - A Walkthrough

OWASP IoT (Internet of Things) Top 10 - 2014 Introductions: In Todays world things of everyday are becoming smart, every hour hundreds and thousands of smart devices are being added to the Internet whether it is a Toaster, Camera, Refrigerator, T.Vs, Cars etc. So it can be a target of attackers easily, here comes OWASP IoT Top 10 to address this issue. OWASP IoT Top 10 is designed to make the everyday devices secure on same lines of guidelines by OWASP TOP 10 for applications. The OWASP Internet of Things Top 10 - 2014 is as follows: I1 – Insecure Web Interface I2 – Insufficient Authentication/Authorization I3 – Insecure Network Services I4 – Lack of Transport Encryption I5 – Privacy Concerns I6 – Insecure Cloud Interface I7 – Insecure Mobile Interface I8 – Insufficient Security Configurability I9 – Insecure Software/Firmware I10 – Poor Physical Security  How to test for OWASP IoT Top 10   I1 – Insecure Web Interface: Everyday devices have web ser
Post a Comment
Read more