Hacker Public Radio

HPR4645: ZERO HOUR: FRIDAY AFTERNOON APK HACKING


Listen Later

This show has been flagged as Explicit by the host.

WARNING AI GENERATED NOTES AHEAD YMMW

Here is a summary of the recorded training session regarding Android hacking from Hacker Public Radio, including web references for the main topics discussed.

Overview

The recording features a security consultant performing a live assessment of an Android application. The consultant uses a custom tool suite called "Jamboree" and various other utilities to test a location-sharing and vehicle management app. The session highlights the increasing complexity of mobile app security, specifically dealing with SSL pinning, encrypted traffic, and anti-tampering mechanisms
1
.

Environment and Tools

The assessment is conducted on a rooted Android emulator. The speaker utilizes several tools to set up the environment and intercept traffic:

  • Jamboree
    : A custom automation tool developed by the speaker over six years to handle rooting, proxy setup, and app installation within minutes
    1
    .
  • Burp Suite
    : The primary interception proxy used to analyze traffic between the app and the production server
    1
    .
  • Frida
    : Used to bypass anti-root detection and SSL pinning
    1
    .
  • Ghidra
    : A decompiler used to analyze the app's code, specifically helpful for patching the Flutter-based application
    1
    .
  • Android Debug Bridge (ADB)
    : Used for troubleshooting, debugging, and analyzing logs (
    logcat
    ) to extract user IDs and location data
    1
    .
    Technical Challenges: SSL Pinning and Flutter

    The target application is built using Flutter and implements rigorous security controls, including SSL pinning, which prevents standard Man-in-the-Middle (MitM) attacks. The app's HTTP client ignores system and user-installed certificates, and it does not respect device Wi-Fi proxy settings
    1
    .

    To overcome this:

    1. Traffic Redirection
      : The speaker uses
      iptables
      commands to force all HTTP and HTTPS traffic through the proxy's IP address at the network layer, bypassing the app's proxy ignorance
      1
      .
    2. Patching with AI
      : The speaker leverages AI (specifically mentioning Claude and access to "Kuro") to assist in patching the APK. The AI helped navigate Ghidra and generate Python scripts to bypass the app's protections, allowing the modified APK to trust the auditor's certificate
      1
      .
    3. Frida Scripts
      : "Frida anti-root SSL pinning" scripts are executed to further mitigate detection mechanisms
      1
      .
      Key Vulnerabilities Identified

      1. Geolocation Spoofing

      The consultant successfully spoofed the device's GPS location using emulator settings (e.g., setting the location to Puerto Rico or Costa Rica). The application accepted this falsified location data as valid, indicating a lack of server-side verification for location origin
      1
      .

      2. Insecure Direct Object Reference (IDOR) / Broken Access Control

      The most critical finding involves the app's user tracking feature.

      • The consultant discovered that the API allows querying a user's location via a
        user_id
        .
      • By intercepting traffic and analyzing
        adb logcat
        logs, the consultant extracted their own
        user_id
        and the
        user_id
        of a second test account
        1
        .
      • While authenticated as one user, the consultant was able to send a request substituting the
        user_id
        with the target's ID. The server responded with the target's GPS coordinates. This confirms that an authenticated user can track any other user's real-time location if they possess the target's ID
        1
        .
      • Proof of concept was created by copying the request as a
        curl
        command to demonstrate the exploit
        1
        .

        3. Potential Information Disclosure

        The consultant began testing a feature that allows users to add vehicles by license plate. The concern is that querying a license plate might return excessive PII (Personally Identifiable Information), such as VIN numbers or registration details, beyond what the UI strictly requires (least privilege issue)
        1
        .

        4. Access Control (Calendar Feature)

        The consultant tested whether calendar events could be accessed by switching
        user_id
        parameters. This test resulted in a "401 Unauthorized" error, indicating that this specific endpoint had proper access control in place
        1
        .

        Web References and Resources

        Below are references for the main tools and concepts discussed in the training:

        • Hacker Public Radio
          :
          https://hackerpublicradio.org/
        • Burp Suite (Web Security Testing)
          :
          https://portswigger.net/burp
        • Frida (Dynamic Instrumentation Toolkit)
          :
          https://frida.re/
        • Ghidra (Software Reverse Engineering)
          :
          https://ghidra-sre.org/
        • Android Debug Bridge (ADB)
          :
          https://developer.android.com/tools/adb
        • OWASP Mobile Top 10
          :
          https://owasp.org/www-project-mobile-top-10/
        • OWASP Testing for Insecure Direct Object References (IDOR)
          :
          https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authorization_Testing/04.1-Testing_for_Insecure_Direct_Object_References
        • Flutter (UI Toolkit)
          :
          https://flutter.dev/

          Provide feedback on this episode.

          ...more
          View all episodesView all episodes
          Download on the App Store

          Hacker Public RadioBy Hacker Public Radio

          • 4.2
          • 4.2
          • 4.2
          • 4.2
          • 4.2

          4.2

          34 ratings


          More shows like Hacker Public Radio

          View all
          The Infinite Monkey Cage by BBC Radio 4

          The Infinite Monkey Cage

          1,920 Listeners

          Click Here by Recorded Future News

          Click Here

          421 Listeners

          Hacker And The Fed by Chris Tarbell & Hector Monsegur

          Hacker And The Fed

          167 Listeners