
We will discuss the concept (setup) of this course: how we can interact with a device, and we also talk about the advantages and disadvantages of a real smartphone vs. an emulator / virtual machine.
This video covers the core setup of an Ubuntu VM together with the installation of Android Studio. We will set our environment variables and get ready for this course :)
We will have a look into the installation process of an Android emulator. We will also find out which images directly give us root access and which do not.
In this video, we will learn more about the emulator and the really amazing options it provides. We will also have a look into some secret interfaces, which help us with location spoofing. It is not the mocking feature in the developer options ;)
We will set up a virtual machine which is based on an Android image. This can be faster if we have to deal with nested virtualization. You will find more information about this in the concept video (beginning).
Just a quick look into some useful developer options. Some of them are really underrated like the "bluetooth hci snoop log".
This video covers automating processes like inserting text or performing clicks on the device. This can be turned into playing games, without playing them :)
You will find two versions of this game. They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
We will learn how to create and dump the Bluetooth log of a smartphone. Afterwards we will have a look into the connection parameters with Wireshark.
We move on with capturing and analyzing the traffic and start sending our own modified packets, without requiring the Android application.
We will get a better understanding of the Android Debug Bridge (ADB) and its components. This is very helpful for performing more advanced attacks that also require port forwarding.
The final video of this chapter will cover useful adb commands and show some interaction with the device.
The scrcpy version has been updated for certain vendors. Some things have changed in Android version 14 and therefore the old scrcpy version does not work anymore. This only affects real devices. Within the emulator I have not encountered any issues.
In this video we will have a look into installing the new version to fix the problem for real devices :)
In this video we will get familiar with the app structure of an Android app.
Your smartphone is using the ARM architecture. Your Java application bytecode is therefore translated into the "Dalvik Executable" (dex) format. Here we will learn more about this process.
This video gives a deeper view into the "Dalvik Executable" (.dex) format and also shows ways of analyzing it.
If we want to modify an Android application, we need to decompile it. We will find out how this process works in this video.
In this video we will decompile an Android application.
The AndroidManifest.xml is the most important configuration file of an Android application. In this video we will learn more about its structure.
You will find two versions of this game. They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
Android apps are sandboxed. We have a look into the permission model, how it works, and also get an impression of how to attack it.
In this video we will have a look into activities.
*Update: Just flashed the information that ContentProviders do not have intent filters. That's all :)
Some practical exercises on interacting with activities.
Some practical exercises in exploiting misconfigured activities.
Intents are some sort of messaging objects. We will learn more about them in this video.
This video shows the "arming" and "disarming" process of an alarm system, based on an intent.
Here you will find different versions. The "alarmPin.apk" is the apk which I have used in this video. One participant mentioned that this application does not work for him. Therefore I have added an additional check, which is "alarmPin_updated.apk". In case you are using an Android device with version >= 12, I have also added the "alarmPin_androidVersion12.apk" for you. I hope we should be good to go right now :)
We will find out how deep-, web- and app-links work and what vulnerabilities they offer.
We will take a practical view on deep- and weblinks and how they work. We will cover different android versions - up to 14 - and we will also see how to manipulate the application behavior by viewing them :)
BroadcastReceivers are some sort of notifications for applications. They can be used for various tasks. We will find out how they work and also have a look into exploiting them.
In this video we learn how to hunt for vulnerable BroadcastReceivers within an Android app and also start exploiting them with the adb shell.
You will also find a version of this app for Android devices >= 12 (SDK 31).
In case a customer demonstration is required, it might be necessary to write our own application to demonstrate an exploit. This topic will be covered in this video.
Services are used for all kinds of background tasks. We will learn the differences between "bind" and "intent" services and also get a better understanding of how they work.
ContentProviders are a very interesting topic. They simply "provide content" to other applications, which can sometimes be abused to trigger SQL injections or path-traversal attacks. In this video we will find out how they work.
SQL injection attacks are not limited to web applications. They can be used to bypass security features of an Android application. An attacker might be able to access sensitive information of your app. We will find out what such an attack looks like.
Equipped with the theory about the attack, we are now performing a practical one. We will gain access to a protected database table through a vulnerable ContentProvider. Hands on!
Path-traversal attacks are still common in Android applications and could lead to a complete breach of the app. We will learn how they work and, more importantly, how to exploit them.
Android applications need to be signed. We will learn more about this process and why it is necessary.
This video covers some additional information about the signing process and its corresponding files. Knowledge about it might be required if there are some anti-tamper actions: "has the app been modified?". We will learn how we can verify if an Android app has been modified and also how to bypass this check again :)
The "Bluebox Master Key" vulnerability is an issue within the signature verification of an Android app. It was patched a couple of years ago, but it is still very interesting and might be useful with regard to other platforms / checks.
This video gives an introduction into the reversing tool dex2jar and its corresponding features.
This video gives an introduction into the reversing tool jadx-gui and its corresponding features.
An exercise on how to get back the Java code of an Android application. It is not the original code but, in terms of functionality, pretty close to it. This Java code cannot be directly modified and compiled back again. If we want to modify an Android application, we have to do this in SMALI (see SMALI chapter).
This tool has some really amazing features, and switching between different decompilers sometimes allows us to restore the Java code of heavily obfuscated applications.
Some practical view into Androguard.
This video shows how to create a call graph of an Android application. It can come in handy if we have to deal with highly obfuscated Android apps.
IMPORTANT
In the video I mentioned using the networkx library in a certain version. This step is not necessary anymore. Androguard removed this library and it should now work out of the box.
Please update your current Androguard with the following commands:
git pull
pip3 install -r requirements
In case you have not downloaded it yet, please follow the instructions on the installation page of the wiki. I cannot link external sources here.
Info:
You will find two versions of the "reverseme.apk". They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
This video shows how to create a flow graph of an Android application. It helped me solve really hard CTF challenges. This approach is of course also useful for real-world applications, i.e. really heavily obfuscated Android apps.
Let's recap everything we have learned so far by hacking a "banking app". This is of course a training application, but many findings we cover here are also out there and waiting for you to be discovered (... and reported! :) ).
IMPORTANT:
Please install the following version of sqlalchemy if you encounter an error. Thanks Kyle! :)
$ pip3 install sqlalchemy==1.4.32
Let's try to bypass the login screen of the insecureBank application.
Let's play around with the database entries of the logging table.
Changing the password of this application without even knowing it? Not a big deal, because we know how to hack a BroadcastReceiver.
Modern applications nowadays encrypt much of their data. We will find out how the password of this application is being encrypted and, more importantly, how to decrypt it :)
Let's do a quick recap of the things we have learned so far.
We take our first step into the SMALI chapter and have a look into the code structure of our first application.
You will find two versions of the "smaliOne_Simple.apk". They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
If we want to modify an Android application, we need to do it in SMALI. We will learn more about this process in this video. We will also have a look into our first challenge, which is increasing the power level to over 9000!
You will find two versions of "smaliOne.apk". They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
This video covers the solution of increasing the power level. It is over 9000!
In this video we will learn more about registers in SMALI.
You will find two versions of the "registers.apk". They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
In this video we will cover certain types in SMALI and how to identify them.
The p0 register is sometimes a little bit special. It acts as the "this" operator. We will learn more about this register in this video.
This video covers the structure of a SMALI line and also gives an introduction into certain operations.
In this video we will learn more about the file structure of SMALI. This provides us a better understanding of the code itself.
After all this theory, we need to practice the things we have learned. So let's do a quick recap.
You will find two versions of the "practice_smali.apk". They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
In this video we will insert some real values into the function we have reversed before. We will verify if our reversing process was correct by running the application with the given parameters on our device.
This is our first real-world challenge, and it is about increasing the player lives of our spacepeng application. Start slow and try to increase it more and more.
This video covers the solution of patching the player lives in the spacepeng application. We will also learn more about the width of a register.
This is just a short introduction for the upcoming content on if statements.
In this video we will learn how to write a simple Android application to simulate a certain task. In this case, the structure of an if statement.
If statements have a huge impact on the control flow of an Android application. In this video we will get familiar with the structure of an if statement.
You will find two versions of the "smaliTwo.apk". They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
In this video we will have a look into the different comparisons / conditions of an if statement.
In this video we will practice everything we have learned so far and translate an if statement in SMALI back to Java code.
We will practice our SMALI skills by changing the logic of the applications.
The file "SmaliTwo_designed.zip" contains the applications with the nicer layout, the file "SmaliTwo.zip" the basic version. It does not really matter which one you pick because the logic is the same :)
The
Beside changing the logic, we can also get rid of it. This is exactly what we learn here :)
You will find two versions of the "app-debug.apk". They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
One thing that is missing is manipulating the jump instructions themselves. In this video we will learn how to change the control flow by manipulating the jumps.
You will find two versions of the "smaliTwo" app. They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions. Same for the solution here.
The solution video is showing multiple ways to bypass a common rooting detection. All of this of course in SMALI ;)
Bonus content showing additional ways to bypass the rooting detection.
You will find two versions of this app. They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
In this video we will learn how methods are called in SMALI. We also make ourselves more familiar with the syntax regarding objects.
You will find two versions of every app. They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
Static methods are the easiest methods in SMALI. We will find out how we can call them.
You will find two versions of the "static" apps. They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
Finally we can talk about a "hello world" implementation in SMALI :)
You will find two versions of this app. They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
We recap everything by patching an XOR encryption method in SMALI. We are going to write our own code to print out the secret message. This is a huge milestone.
You will find two versions of the "XorEncryption.apk" and the "solution.apk". They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
In this video we will extend our knowledge about the XOR encryption from the last example. We will also figure out additional ways to manipulate it.
You will find two versions of the "solution". They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
AES is a very common encryption / decryption method. It is fast and also secure if the parameters have been chosen correctly. In this video we want to recap everything we have learned so far and start analyzing an AES encryption method in Java and SMALI.
You will find two versions of the "AES.apk". They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
In this video we will have a look into understanding new instructions and structures. At this point we are already able to learn completely unknown things in SMALI without even looking them up. We have a really solid understanding and can adapt this knowledge to new things.
In this video we perform the practical exercise and transfer the SMALI code back to Java code. Line by line.
You will find two versions of the "out.apk". They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
Finally we will have a look into writing our own code and inserting it into an existing application. You can insert as much code as you want.
You will find two versions of the "solution.apk". They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
We are writing our own code to print out the AES secrets and perform the decryption of the message.
You will find two versions of the app. They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
Alright, we are ready to perform the heavy lifting. In this video we want to add more shots on top of our player object. We want to create a quadro/penta/octa shot. As many as you want :) This is the intro for this challenge and I am also providing some hints here.
This challenge is really rough, therefore I start analyzing the application and explaining the behaviour behind a player shot. These are some additional hints to solve the task :)
This is the solution, showing, how to add multiple player shots on top of our player. This is really advanced SMALI patching and if you have solved it, you absolutely deserve your blue belt here!
In this video we will have a look into debugging an Android application without having access to the source code.
We will have a look into the limits of JADX debugging and also some errors that can occur. We will then use a better approach, which gives us the possibility to inspect objects in memory, create new ones and modify existing ones.
In this video we will learn more about the theory behind a man-in-the-middle attack based on the address resolution protocol (ARP).
This video provides detailed instructions on how to setup a man-in-the-middle connection. We will also start capturing the network traffic of the device and have a first look into it with wireshark.
If we want to modify the network traffic, we need to intercept it. We will learn how the theory behind this attack looks like.
In this video we will setup the BurpSuite as a man-in-the-middle proxy. We will also redirect the traffic and manipulate it, but only for HTTP connections.
In this video we will learn how to reset our man-in-the-middle setup. It only takes a few commands.
HTTPS connections are way more secure than HTTP. We will find out why this is the case and why we cannot easily man-in-the-middle them.
To break the SSL connection, a custom certificate is required. We will learn how to create and install it on the device.
Performing a man-in-the-middle attack on a device is way more efficient, but sometimes we have to deal with a VM. We will learn how to perform the setup for a virtual machine.
In this video we will learn everything we need to understand about certificate pinning.
We cover some additional topics regarding certificates and also learn more about OpenSSL to generate our own signature hashes.
In this video we will learn how to patch a certificate pinning based on the signature in an Android application.
You will find two versions of this "certificatePinning_hash.apk". They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
Beside the signature, we also have to deal with another type of certificate pinning. This protection mechanism checks the certificate, which is included as a whole in the Android app.
You will find two versions of the "cretificatePinning_cert.apk". They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
Finally, there is also an easy way to bypass certificate pinning. It does not work all the time, but if it does, you do not need to worry about it :). This method is based on objection, a runtime manipulation framework based on FRIDA.
You will find two versions of each certificatePinning app. They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
In this video we will have a look into the single components of FRIDA. But only on a very high level.
In this video we will set FRIDA up and already start testing it.
We will have a look into hooking a method in FRIDA and what we need to consider by doing it.
You will find two versions of this app. They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
For all people out there that do not have much luck in dicing apps. This part is for you.
We will start analyzing such an application and looking for methods to hook with FRIDA.
In this video we will find our method(s) which are responsible for the eyes on a dice.
You will find two versions of the dicer app. They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
In this video we will learn how to observe a method in FRIDA. We will hook into the method and print out the parameters on the command line of FRIDA.
Now we are finally starting to manipulate the method. We will change the parameters during runtime. We are switching them to the values we want to have, no matter what the user has selected before.
Methods can be overloaded. If we want to hook an overloaded method, we need to tell FRIDA, which method we want to hook. Luckily, FRIDA is heavily supporting us while doing it :)
Timing is very important in FRIDA. If we are too early, the method might not be available and will not be hooked. If we are too late, the method might have already been called and it is simply too late :) We will learn how to deal with it.
In this video we will have a look into the inner working of a rooting detection.
In this video we will learn how to get rid of a rooting detection with FRIDA. We will hook into the method and manipulate it.
So far, we have only hooked into methods and waited for them to be triggered. In this video we will learn how to actively call a method. This is super important. We can reuse existing parts of an app to perform certain actions like de-/encrypting our own text / passwords and many more.
You will find two versions of the "fridaFunc.apk". They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
Beside creating a new object, we sometimes need to manipulate an existing one. We will find out how to scan the memory for an object and actively call methods on it.
We start practicing the things we have learned so far by manipulating our mobile game to get infinite lives.
We keep practicing our FRIDA skills to create a "coin rain", become "invisible" and "invincible", and gain a rapid fire shot. This part is huge!
We keep extending and learn, how to hook a method that requires an existing instance as parameter.
In this video we keep practicing the hooking of a method that requires an existing instance.
This is the intro video for our challenge "create multiple players" in our spacepeng game.
This video shows, how to add another player object into our spacepeng game.
In this video we will find out how to hook the constructor of a class.
FRIDA has no limits, and neither do we. We are also able to play around with the UI thread to manipulate objects on the screen. In this video we will add a notification (toast message) just with FRIDA.
You will find two versions of the "fridaFunc.apk". They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
Alright. We are ready to write our own trainer. We have already performed all of these hooks. In this video we will put everything together. The result will be a real trainer for our spacepeng app :)
Beside Java code, we are also able to hook Native Development Kit (NDK) functions. With FRIDA we can also observe C / C++ functions. This video provides an introduction into this topic.
Here we will learn more about the easy way to observe / manipulate a C / C++ function.
You will find two versions of the "fridaNDK.apk". They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
If we want to do it the hard way, we are dealing with some challenges. We will find out more about a native function and its manipulation in FRIDA.
Libraries that contain the native functions are loaded at a certain point into the app. We will learn more about this timing in this video.
This video sums up the manipulation of a NDK method. This is just for completeness. If we are having easy access in the Java world, there is no need to perform it in this way.
What if we do not have access to the native method in the Java world? Let's say we want to hook a native method that is deeply buried in the native library. This means we do not have access to it from the Java side.
We will find out how to deal with such a method in this video here.
We can also use reverse engineering techniques or tools like ghidra to perform a really precise hook. We can get the exact offset of a function and tell FRIDA to hook exactly into this point of the library.
You will find two versions of the "cFuncFrida.apk". They are identical in functionality, but the one ending in "12" has been compiled for Android version >= 12. The other one will work on all lower versions.
In this video we will learn how to inject the FRIDA library into an existing application. The advantage of this technique is that it circumvents certain debugging detections and it can also be performed on a non-rooted device.
This is the starting point of a whole new series. We will solve together a lot of CTF challenges and find out, if the things we have learned in this course are really that practical! :)
This is our first challenge and we start by reversing an ARM binary with Ghidra. We will find out how the serial number generator works and prepare our steps to successfully pass it! :)
Update: I have rewritten the logic in Python so that you can verify if your generated code works. Please do not spoil yourself :) I did not obfuscate this Python code so that you can also profit and learn from it. It is recommended to check the Python script after you have solved the challenge and want to supply your solution :)
python3 validate.py --serial <your serial here>
We will dive into the solution of the Android license validator CTF. We will figure out how XORing our values will lead to the result. I have reprogrammed the algorithm so that you can try your solution while not having a real smartphone.
In this video, we start solving the Androgoat CTF challenges. We begin with "Rootin-/Emulator Detection" and "Binary Patching".
Solving the reversing challenge.
We will finally get in touch with some web exploitation techniques. They become interesting while dealing with webviews :)
This cheatsheet summarizes important information of this course and I hope it also supports you in solving the harder challenges :). Unfortunately I could not finalize it yet, but I do not want to make you wait any minute longer. Therefore I release it as a draft version.
It already contains the information related to this course. Nevertheless I would like to update it with information that is not directly related to Android app hacking but helps you understand it. For example a deeper look into encryption routines like AES.
I will keep you up to date when I am releasing a major version of it.
In this course you will learn absolutely everything about Android app hacking. This course teaches you the ethical principles and enables you to become the top expert of your company regarding app security. We learn really complex attacks in the most fun way possible, by hacking a mobile game.
Legal note:
The game we are going to hack is licensed under the GNU GPL, which means we are allowed to perform such modifications. Hacking apps without having the permission of the author is strictly forbidden! The things you learn are related to security research. I am teaching you all of this in a legal and ethical way.
Course - Structure:
In the installation chapter we will analyze different smartphone setups, their strengths and their weaknesses. We unlock our device and use certain features to already start hacking our first apps. We will learn how to analyze Bluetooth Low Energy connections and get familiar with the Android Debug Bridge (ADB).
We move on to the Android app structure. Here we gain a rock-solid understanding of the key components of an Android app. We will analyze the AndroidManifest.xml and learn how to exploit activities, broadcast receivers and content providers. We will write our own small apps to exploit SQL injections and path traversals.
Afterwards we take a deep dive into reverse engineering. We will learn how to decompile an Android app and reconstruct the Java code. We will have a look at different decompilers and create flow and call graphs to deal with highly obfuscated apps. Finally a nice application is waiting for us to practice all the things we have learned so far.
Then we have the treasure of this course, the SMALI chapter. SMALI is like an assembly language of an Android application and gives us unlimited power in hacking them. We practice our skills by modifying our mobile game to have infinite lives, become invisible or invincible. We add multiple player shots, manipulate the fire rate and much more.
In the man-in-the-middle chapter we will learn how to analyze the network traffic of a mobile app. We will gain an understanding of HTTPS and how to analyze these connections. We will learn how certificate pinning works and bypass several different types of it.
The last thing that is missing is FRIDA, which is an amazing framework to perform runtime manipulations within an app. We will hook into the pseudorandom number generator (PRNG) to modify a dice application. We will learn how to scan the memory for certain instances and how to interact with the UI thread of an app. We will create new objects and practice all of this by writing our own trainer for a gaming application. The cherry on top will be the analysis of a native C function with Ghidra and its manipulation and modification with FRIDA.
After getting through all these chapters you will be the top expert in Android app security of your company. So, what are you waiting for? :)