Steal User Information from Android App – GoatDroid Example

Posted: September 11, 2013 in Mobile Testing, Security Testing

Many of you may be wondering about, and searching for, security testing and hacking tutorials for Android apps. Android is a very popular OS nowadays, so every customer wants their own Android app, and it has become inevitable for a software tester to learn how to find security flaws in them.

So, here is the simplest attack to steal user credentials and app settings from a device.

I will use the GoatDroid app to demonstrate the attack. Download Link: https://github.com/downloads/jackMannino/OWASP-GoatDroid-Project/OWASP-GoatDroid-0.9.zip

Pre-Requisites:

1. Install the Android SDK. Download Link: http://developer.android.com/sdk/index.html

2. Add the platform-tools folder to the PATH environment variable, e.g. C:\Program Files (x86)\Android\android-sdk\platform-tools

3. Create an Android AVD and start the emulator (Tutorial Link: http://developer.android.com/tools/devices/managing-avds.html), or connect a device to your computer. Make sure USB Debugging is turned on under Developer Options in Settings.

GoatDroid Installation Steps:

1. Unzip GoatDroid and launch goatdroid-0.9.jar. GoatDroid Tutorial Link: https://github.com/jackMannino/OWASP-GoatDroid-Project/wiki/Getting-Started

2. Select FourGoats under Apps and click Start Web Service in the right pane.

3. Go to the “OWASP-GoatDroid-0.9\OWASP-GoatDroid-0.9\goatdroid_apps\FourGoats\android_app” folder.

4. Press Shift and right-click on an empty space.

5. Click “Open command window here”. A command prompt will open.

6. Type adb install "OWASP GoatDroid- FourGoats Android App.apk" (the file name contains spaces, so it must be quoted). The app will be installed.

7. Launch the FourGoats app.

8. Press the Android Menu button.

9. Click Destination Info.

10. Enter your computer’s IP in “Host (Or IP)”.

11. Enter 9888 as the HTTPS Port. There is no need to enter anything in Proxy Host and Proxy Port.

12. Click Save.

13. Register an account in FourGoats.

14. Launch monitor.bat from the “Android\android-sdk\tools” folder. The Android Debug Monitor will open.

15. Observe the app in the left pane and the Android file system in the right pane, especially the /data/data folder. All installation files, settings and DBs are stored under /data/data. You will not be permitted to look inside /data if your phone is not rooted; on a rooted phone or an emulator you can view the files and folders under /data.

16. Observe the FourGoats app folder under /data/data.

Follow the steps below if you are using a rooted phone or an emulator:

1. Type adb pull /data/data/org.owasp.goatdroid.fourgoats C:/goatdroid. All the folders and files inside the app’s data directory (org.owasp.goatdroid.fourgoats) will be copied into the “goatdroid” folder on the C drive.

2. Open the goatdroid folder and check the files inside it. You will find userinfo.db inside the databases folder. Server RDBMSs such as SQL Server, Oracle and MySQL are usually associated with the .sql extension, but .db is the SQLite extension.

3. Download SQLite Browser. Download Link: http://sourceforge.net/projects/sqlitebrowser/

4. Open userinfo.db in SQLite Browser. You will see the user information in it.

5. Go to the shared_prefs folder and open the credentials.xml file. You will see the user credentials with which you registered FourGoats on the device stored there.

Follow the steps below if you are not using a rooted device. You have to go inside the Android shell to get the files. Open a command prompt and type the following commands.

1. To go inside the Android shell: adb shell

2. To fool the system into giving you a shell as the app’s own user: run-as org.owasp.goatdroid.fourgoats. “org.owasp.goatdroid.fourgoats” is the package name of the app; to find it, check Android Debug Monitor. Once you run this, you will be in the “/data/data/org.owasp.goatdroid.fourgoats” folder. Note that run-as only succeeds for packages whose manifest sets android:debuggable="true"; a release build that is not debuggable will refuse it, which is one reason never to ship a debuggable app.

3. To list the files under org.owasp.goatdroid.fourgoats: ls

4. To navigate to the databases folder: cd databases

5. To copy userinfo.db from the “/data/data/org.owasp.goatdroid.fourgoats/databases” folder to the sdcard, which is accessible to the user: cat userinfo.db > /sdcard/userinfo.db

6. To navigate to the sdcard: cd /sdcard

7. To check that userinfo.db was copied properly: ls

8. To navigate to the root folder: cd /

9. Execute the exit command twice (once to leave the run-as shell and once to leave adb shell):

exit
exit

10. To copy userinfo.db from the sdcard to the data folder on the C drive: adb pull /sdcard/userinfo.db C:/data

That’s it 🙂

See, it’s not too hard. You can now use the same technique on any app; you just need to know the package name of the app, because a folder with that name is created under /data/data. If you can’t find the package name, try opening the app on the device and then check it in Android Debug Monitor.
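Once an app’s data directory has been pulled as in the two procedures above, a tester usually wants to triage it for stored secrets rather than open every file by hand. The Python script below is an added example (not from the original post or the GoatDroid project): it walks a pulled directory, flags SharedPreferences keys and SQLite columns whose names look secret-like and hold data, and builds its own constructed sample input; the XML keys and the userinfo.db schema it creates are invented, not FourGoats’ real ones, and the name regex is a heuristic to tune per app.

```python
import os, re, sqlite3, tempfile
import xml.etree.ElementTree as ET

SENSITIVE = re.compile(r"pass|pwd|secret|token|pin|credential", re.I)  # name heuristic; tune per app

def scan_shared_prefs(path):
    """(file, key, value) for SharedPreferences entries with sensitive names and a value."""
    hits = []
    for name in sorted(f for f in os.listdir(path) if f.endswith(".xml")):
        for el in ET.parse(os.path.join(path, name)).getroot():  # children of <map>
            key, value = el.get("name", ""), (el.text or el.get("value", ""))
            if SENSITIVE.search(key) and value:
                hits.append((name, key, value))
    return hits

def scan_databases(path):
    """(file, table, column, rows) for SQLite columns with sensitive names holding data."""
    hits = []
    for name in sorted(f for f in os.listdir(path) if f.endswith(".db")):
        con = sqlite3.connect(os.path.join(path, name))
        for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
            for _, col, *_ in con.execute(f'PRAGMA table_info("{table}")').fetchall():
                if SENSITIVE.search(col):
                    n = con.execute(f'SELECT count(*) FROM "{table}" WHERE "{col}" != \'\'').fetchone()[0]
                    if n: hits.append((name, table, col, n))
        con.close()
    return hits

def audit_app_data(root):
    """Scan a directory pulled with 'adb pull /data/data/<package>' and return findings."""
    findings = []
    prefs, dbs = os.path.join(root, "shared_prefs"), os.path.join(root, "databases")
    if os.path.isdir(prefs):
        findings += [("shared_prefs",) + h for h in scan_shared_prefs(prefs)]
    if os.path.isdir(dbs):
        findings += [("database",) + h for h in scan_databases(dbs)]
    return findings

def build_sample_dir():
    """Constructed sample layout mirroring the post; keys and schema are invented, not FourGoats'."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "shared_prefs")); os.makedirs(os.path.join(root, "databases"))
    with open(os.path.join(root, "shared_prefs", "credentials.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n<string name="username">alice</string>\n'
                '<string name="password">Summer2013</string>\n<boolean name="remember" value="true" />\n</map>\n')
    con = sqlite3.connect(os.path.join(root, "databases", "userinfo.db"))
    con.execute("CREATE TABLE info (userName TEXT, sessionToken TEXT)")
    con.execute("INSERT INTO info VALUES ('alice', 'abc123')")
    con.commit(); con.close()
    return root
```

Run audit_app_data("C:/goatdroid") against the folder pulled in the rooted-device steps; any finding is a stored secret the app should be encrypting or not persisting at all.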

Please get back to me if you are stuck in any step 🙂
