
· Download Android SDK from : http://developer.android.com/sdk/index.html.
Download the latest version of apktool from : http://ibotpeaches.github.io/Apktool/.
Download latest version of dex2jar from : https://bitbucket.org/pxb1988/dex2jar/downloads
Download Link : https://developer.android.com/studio
---------- M10 : Extraneous Functionality ----------------
The Insecure Bank v2 apk file has a customer login page
This is the customer login page
We will try to find out any hidden admin login pages left behind by the Developers.
Step 1 : We will decompile the .apk file using "apktool" [Command : java -jar d InsecureBankv2.apk]
Step 2 : Navigate to the folder ~/apktool/InsecureBankv2/res/values and open the file "strings.xml" for editing.
Step 3 : We find a flag “is_admin”. [Our piece of interest]
Step 4 : We will change the flag from 'no' to 'yes' and save the "Strings.xml" file.
Step 5 : We will now recompile the application.
[ Command :java -jar apktool.jar b InsecureBankv2 -o InsecureBankv2.apk]
Step 6 : Copy the InsecureBankv2.apk file generated above into the “dist” folder of "SignApk" and enter the below command to sign the apk file
[Command : java -jar sign.jar InsecureBankv2.apk]
Step 7 : A new sign apk file called InsecureBankv2.s.apk is generated in the same “dist” folder.
Step 8 : Install the new InsecureBankv2.s.apk onto the emulator.
We can now see the "Create user" option which directs the user to the User Creation Module which should have been accessed only by the admins.
Note : Shift + R-Click for Open Powershell here
Learn to Hack Android Apps with Practical & Hands-on Lessons on Bug Bounty Hunting in this Masterclass
[ DISCOUNT CODE: "HACKOCT" for flat @ 499/- INR / $6.55 USD ]
OFFER : Get Free Licence to BURPSUITE PROFESSIONAL with this course
This is the most comprehensive Course to begin your Bug Bounty career in Android PenTesting.
Most Penetration testers target Web Applications for finding Bugs but most of them do not test the Android Apps which are a goldmine of vulnerabilities. This course will take you from the basics of Android Architecture to the advanced level of hunting vulnerabilities in the apps. No other course may provide with such a structured lesson and there are numerous Practical lesson with hands on hacking real and Live Android Applications.
Practicals for finding vulnerabilities are important and this course provides a lot of hands-on practical lessons to clear the concept of each vulnerability. You will explore the concepts of the most frequently found Vulnerabilities with addition to other vulnerabilities found in Android Mobile Applications and methods to exploit those vulnerabilities as well as how to suggest a Patch for these Vulnerabilities. You will also learn how to approach the scope of an Android Application to PenTest and find Attack Surfaces and finally Bag yourself a hefty Bounty amount from the Bug Bounty Programs.