Thursday, January 5, 2017

SANS Holiday Hack 2016-Analytics Server: Part One

Analytics Server (Part 1)

Goal:

Retrieve discombobulated audio file 2.

Tools:

jadX

OS:

Kali Linux

Browser:

Firefox

Use your favorite tool to disassemble the apk file and look for sensitive information. jadx was used in this case.

Run jadx against the apk, adjusting the path to wherever your copy of jadx and the apk are located:
    /jadx/build/jadx/bin/jadx <path to apk>
Example:
    /jadx/build/jadx/bin/jadx SantaGram_4.2.apk

There was a hardcoded username/password, in plain text, in the file Source Code>com.northpolewonderland.santagram.b:

    // Decompiled by jadx from com.northpolewonderland.santagram.b. The trailing
    // catch block and closing braces were cut off in the original listing and
    // are completed here so the method reads as a whole.
    public static void a(final Context context, String str) {
        final JSONObject jSONObject = new JSONObject();
        try {
            // Analytics credentials shipped as string literals inside the apk
            jSONObject.put("username", "guest");
            jSONObject.put("password", "busyreindeer78");
            jSONObject.put("type", "usage");
            jSONObject.put("activity", str);
            jSONObject.put("udid", Secure.getString(context.getContentResolver(), "android_id"));
            new Thread(new Runnable() {
                public void run() {
                    // Posts the JSON to the analytics URL stored in strings.xml
                    b.a(context.getString(R.string.analytics_usage_url), jSONObject);
                }
            }).start();
        } catch (JSONException e) {
            e.printStackTrace();
        }
    }

The url for the analytics server was found in Resources>resources.arsc>res>strings.xml.  The url is https://analytics.northpolewonderland.com.
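The review above was done by reading the decompiled source by hand. As an added example (not part of the original post or of the SantaGram app), the script below automates that check over jadx output: it flags any `put("password", "...")`-style call or credential-named variable whose value is a string literal. The file names and the second sample file are constructed for illustration; the first sample is modelled on the decompiled method quoted above.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample input: one fragment modelled on the decompiled SantaGram
# method above, and one hypothetical file that reads credentials at runtime.
SAMPLE_SOURCES: Dict[str, str] = {
    "com/northpolewonderland/santagram/b.java": '''
        jSONObject.put("username", "guest");
        jSONObject.put("password", "busyreindeer78");
        jSONObject.put("type", "usage");
        jSONObject.put("activity", str);
    ''',
    "com/example/Ok.java": '''
        String apiKey = BuildConfig.API_KEY;
        jSONObject.put("password", passwordField.getText().toString());
    ''',
}

# JSON keys whose value should never be a string literal in shipped client code.
SENSITIVE_KEYS = ("username", "password", "passwd", "secret", "token", "api_key", "apikey")

# <obj>.put("key", "literal")  -- only fires when the VALUE is a quoted literal
PUT_RE = re.compile(r'\.put\(\s*"(?P<key>[^"]+)"\s*,\s*"(?P<val>[^"]*)"\s*\)')
# credential-looking variable assigned a quoted literal, e.g. String pass = "x";
ASSIGN_RE = re.compile(
    r'(?P<key>\w*(?:pass|secret|token|key)\w*)\s*=\s*"(?P<val>[^"]+)"', re.IGNORECASE
)

def find_hardcoded_credentials(sources: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (file, line_no, key, literal) for each sensitive key set to a string literal."""
    hits = []
    for path, text in sources.items():
        for n, line in enumerate(text.splitlines(), 1):
            for m in PUT_RE.finditer(line):
                if m.group("key").lower() in SENSITIVE_KEYS:
                    hits.append((path, n, m.group("key"), m.group("val")))
            for m in ASSIGN_RE.finditer(line):
                hits.append((path, n, m.group("key"), m.group("val")))
    return hits

def scan_jadx_output(root: str) -> List[Tuple[str, int, str, str]]:
    """Walk a jadx output directory (e.g. its sources/ tree) and scan every .java file."""
    sources = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".java"):
                p = os.path.join(dirpath, name)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    sources[p] = fh.read()
    return find_hardcoded_credentials(sources)

if __name__ == "__main__":
    for path, n, key, val in find_hardcoded_credentials(SAMPLE_SOURCES):
        print(f"{path}:{n}: hardcoded {key!r} = {val!r}")
```

Point `scan_jadx_output()` at the directory jadx wrote to and the same report is produced for a real decompilation; the `Ok.java` sample shows that values read from a field or build config at runtime are not flagged.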

Navigate to the analytics server website:  https://analytics.northpolewonderland.com.  The login screen will appear.  Type in the credentials that were borrowed from the disassembled apk.

Navigate to the mp3 tab. A dialog will automatically appear asking whether to open or save discombobulatedaudio2.mp3. Select the Save option and then click the OK button. By default the file is saved in the Downloads directory.

Mitigation:

Don’t hard code credentials and other sensitive information into an apk.
If one must store credentials and other sensitive info in an apk, at least don’t store them in plain text. Try to obscure them.
Note: Obscuring sensitive information in an apk is difficult, because tools can simply extract the information from the already compiled app, i.e., the apk.
Or, a reverse engineer can simply add the variables that they need to a statement that prints the variable to the screen when it is run.

The elf, SugarPlum Mary, talks about the difficulty of hiding sensitive information in an apk at the resources listed below:


Only give these credentials the access that they need, and no more.

Do not reuse credentials.  If these credentials are used to send analytics data to the server, make certain that they can’t be used to log into the web application.  Even if the web application is assumed to be locked down, sometimes people can find ways to exploit it.
