CTF Practice - Reverse Engineering Android Apps 101

Introduction


On this blog we will crack some real world unsecured Android applications.

For educational purpose only!

Disclaimer: This guide is provided "as is" with no warranties with regard to the accuracy and completeness of the information provided herein. I am not responsible for any bad outcomes you or anyone may have because you followed this guide. I expect you to have knowledge of some programming language (Java, Kotlin, C/C++, C#), an inquisitive mind to try things out, and the patience to first google and try to find answers to simple questions.


Environment:

  • OpenJDK 8
  • Android Studio SDK
  • Visual Studio Code IDE with APKLab


Reverse Engineering Android Apps - DEX Bytecode

The goal of this exercise is to crack a real world Android apps to bypass the verification code to become a premium user.


Step 0x1


Step 0x2

Decompile the APK with Visual Studio Code.



Step 0x3

Examine the manifest. We see that it only have one activity.



Step 0x4

Look for if-else condition. Open the file that contains the code.



Step 0x5

Capture the code and alter the variable that holds the user input. Simply add the following code as you can see in this image



Step 0x6

Rebuild the APK and install on an Android device to test.



The crack will now accept any invalid code and unlock the app!




Reverse Engineering Android Apps - Native Libraries

Android applications can contain compiled, native libraries. Native libraries are code that the developer wrote and then compiled for a specific computer architecture. The code is written in C or C++. Reverse engineering compiled binaries tends to be a less common skillset than analyzing DEX bytecode. This is largely due to DEX bytecode can be decompiled to Java whereas native, compiled code, often must be analyzed as assembly.


Exercise

This exercise is not easy if you don't know binary/ASM hacking because the app login verification and secrets are stored in C/C++ code. You should learn ARM Assembly Basics.

Here's what the dissembled native libraries looks like in this exercise


Advance Tasks

  • Modify the Login-CTF.apk to bypass the login.
  • Modify the Login-CTF.apk to steal the correct username and password, then forward it to your own server.

You can wrote a blog about this hacking challenge.


Comments

Post a Comment

Popular posts from this blog

Real-world Applications of Computer Programming

Image
Computer programming is the process of creating instructions for a computer to follow. It is a skill that is in high demand, and it can be used to create a wide variety of applications, from simple websites to complex artificial intelligence systems. Here are some specific examples of the real-world applications of computer programming: Healthcare: Computer programming is used to develop medical devices, electronic health records systems, and other healthcare-related software. For example, programmers have developed pacemakers that can regulate a person's heartbeat, insulin pumps that can automatically deliver insulin to diabetics, and imaging systems that can help doctors diagnose diseases. Finance: Computer programming is used to develop trading software, risk management systems, and other financial software. For example, programmers develop software that can help banks and other financial institutions assess risk and make investment decisions. Manufacturing: Computer programming
Read more

Biometric Login: iOS vs. Android: A Comparative Analysis

Biometric authentication has become a cornerstone of modern security, offering a convenient and secure way to access devices. Among the most popular biometric methods are fingerprint and facial recognition. iOS and Android, the two dominant mobile operating systems, have implemented their own approaches to these technologies. Let's delve into how they compare. Fingerprint Recognition: A Common Ground Both iOS and Android have embraced fingerprint recognition as a standard feature. Apple introduced Touch ID in 2013, and it has since become synonymous with their devices. Android followed suit, incorporating fingerprint sensors into a wide range of devices. The implementation of fingerprint recognition on both platforms is generally comparable in terms of accuracy and speed. Users can unlock their devices, authorize payments, and access secure apps using their fingerprints. Facial Recognition: iOS Takes the Lead While both platforms support facial recognition, there's a significan
Read more