Penetration testing

Inspeckage: Dynamic Assessment Tool for Android

If you are pen-testing Android applications, you will need to monitor/check many things at the same time. While doing dynamic analysis, one must take care of all communication, local storage, logs, and what not.

Inspeckage a dynamic Android application analysis tool present under Xposed Framework which makes dynamic analysis very easy. Its various features make it very useful with its inbuilt web server providing simplistic GUI.

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Download Now

Setting up Inspeckage

We will be using Android 5.1 device on Genymotion in Linux to demonstrate Inspeckage. You can find tons of tutorials on how to setup Genymotion in Linux
(here). Another prerequisite is to have Xposed Framework installed in your rooted device(emulator). You can follow

this tutorial for installing Xposed through apk file on your Genymotion.

This Genymotion 5.1(Marshmallow) has Xposed installed in it. Now let's see the installation of Inspeckage from the Xposed framework.

Open the Xposed framework application, and navigate to Download as shown below,

Next, we will have to search for the "Inspeckage tool" from the plethora of modules present under the Xposed framework. As you can see from the snapshot below, search results show that we have Inspeckage - Android Package Inspector."

As we can see, Inspeckage is used for Dynamic analysis of the Android application. Now comes the question what is dynamic analysis? If this tool is used for dynamic analysis then, there must be tools for static analysis as well, right?

Yes, static analysis of ANdroid application means that you check for all the code, permissions of activities, hardcoded things used, URLs which can be connected directly as well as root detection or any important logic. (more on static analysis is
here.) Whereas in dynamic analysis, you run the application, observe how the application works and perform testing.

Click on the module, and you will find the Download button as shown in the snapshot below:

It will start downloading:

Once the application is downloaded, you will need to enable the "Install from unknown sources" option. If it is not enabled then only you will not be able to install the application on the device.

Once downloaded, it will open the installation option itself. Click on Install

Alas, it is installed. Now let's open it.

As you can see "Module is disabled" is
being displayed, we cannot use Inspeckage until we enable that module. To do so, go to Xposed -> Modules

and check whether it has Inspeckage present or not.

It is present. Now check the box to the right of the module. Once you check it, it will display the message stating "Xposed list has been updated; changes will become active after reboot." Which means that we will need to reboot the device.

Instead of rebooting the phone, we can "Soft Reboot" the Xposed itself as it has that option available. Soft reboot essentially means that restarting the software without restarting the whole system.

Open the Xposed module and click on the Options menu

This menu has the "Soft Reboot" option

Click on "Soft Reboot"

It will restart all the apps.

Now that the module has been activated let's open the Inspeckage application.

Now we can see that Module is enabled and we are now ready to hook the application. The section below shows that we can see that it has started on

http://10.0.3.15:8008

http://192.168.56.101:8008

http://127.0.0.1:8008

These are all addresses which can be accessed through the browser, but when we try to open the http://127.0.0.1:8008 in the browser

The connection was reset, and we are unable to access the URL mentioned in the application. What could be the reason behind this? Since Inspeckage is running on the Android application, we need route the application's traffic to the system so that we can see the Web-based GUI of Inspeckage. How do we do this?

We can do it via Android Debug Bridge(ADB) itself, by forwarding the traffic to the specified port. As there is a command mentioned we need to run the above-highlighted command in the terminal. (for installing ADB, type "apt-get install adb" in terminal).

Now let's open http://127.0.0.1:8008/ in the browser again,

We can see the GUI version of the browser. Let's go through all the options present under web-console.

1. Download: This option will let you download and APK file as well as any files which have been created under the /data/app/<packagename> folder.
2. Camera Icon: It will let you take snapshots.
3. Settings: This has a couple of options which let you bypass basic SSL checks, snapshots bypass (some application do not allow you to take snapshots while they are running) and it also has proxy settings as well where you can set the proxy to intercept traffic.
4. LogCat: Through this, we can run the logcat via web socket to the connected device.
5. AppisRunning: This will tell us whether the application which we have started is running or not.

Let's use the Inspeckage on Damn Insecure and Vulnerable ANdroid application(DIVA). You can download the application from
here. It is your task to install that application on the device. Here is the DIVA installed on the Genymotion.

Open DIVA application:

Let us hook the DIVA application through Inspeckage, but how do we hook? Let's look at the DIVA application console again

As you can observe there is an option "Only user app" that has a slider. It allows us to choose between:

• Only User App: Which hooks all the user installed applications
• Non-User App: Which can hook all the system installed(default) applications.

Keeping the same settings, we will add the DIVA for hooking. Choose the application from the drop-down menu as shown below

After adding DIVA to Inspeckage, the UI will look like this:

After clicking the "Launch App," it will directly open the DIVA application. DIVA it has 13 vulnerabilities consisting of various scenarios of Android. We will be going through some of it to understand Inspeckage.

Let us see what information we can get from the browser:

We can see all information related to the installed applications on one screen, such as: exported activities, permissions which the application requires, whether backup flag is set to true or false in the manifest file, the location of the application under Android file system as well as showing if the app is running or not. The "App is running: false" which means that the application is not running in the emulator, so let's start the application and see this screen again.

As observed "App is running: true"(application is running). Also, we can directly see other important things as shown below

1. Allow Backup:
   True which means that application allows backup.
2. Exported Activities: These are activities can be directly called by components of any application or can be called from the console or can be called with the help of
   Drozer as well.
3. Requested Permissions: All the permissions requested by the ANdroid application, this can also be checked while analyzing the AndroidManifest.xml but thanks to Inspeckage we can see it on the screen itself.
4. Data Dir: Path where the application sandbox is present under the Android application.
5. Package: Name of the package.

Moving on to DIVA, let us start the 3rd vulnerability which is Insecure Data Storage - Part 1

When we store some data (here secret, ******), we will need to look out for all the local storage where the application is storing it.

While checking the Inspeckage over the browser, we should get the notification in such a way that it indicates something has been edited

Going to the Shared Preferences tab, we can see that there has been an entry made by the application, with MODE_PRIVATE which means that the created file can only be accessed by the calling application.
Read about the various modes while creating the shared preferences.

There also, we see the Files tab, when we click on it, we can see the filename.

When you click on the file, it will not allow you to download, because of MODE_PRIVATE. Now we need to take the shell into the Android system and read the content of the file. We will follow the guide below to get there.

The first thing is to check whether the device is connected or not, type the following command in terminal.

adb devices

Getting into the device shell

adb shell

As we can see, we are inside the Android emulator with root privileges. Navigate to the application directory inside and shared preferences to read the content of the file.

Getting inside the shared preferences

We have already seen this name of the file previously, now let's view the content of it

So that is it, application is storing the credentials in plain text under the shared preferences. Moving on to the exercise number 4 - INSECURE DATA STORAGE - PART 2

When we open this exercise, an interesting notification comes to the Inspeckage.

As it is seen that both SQLite and File System both have notifications, which means that it will have certain changes for SQLite. Though file system changes suggest that any addition, removal, or the upgradation of the file in the application folder. Checking the File System tab,

It suggests that some read-write operation has been done on the /databases/ directory under ids2 name of the new database created. (Note that other similar entries are for presentational purpose while trying to capture all the required details), on checking the SQLite tab

There is a database file being created with the value as shown, containing the user and password, let's try to enter the value and check SQLite tab again.

checking the browser

There it is, we have an entry to the database, let us check that entry as well

So that is our data, stored as plain text in the database under ids2 file. (You can verify by getting the shell to the Android system). Let us see the exercise 9. Access Control Issues Part 1

The goal of this vulnerability is to understand how we can call an exported activity without going to that activity.

When you click on "View API Credentials" it will display the result of the activity "

jakhar.aseem.diva.APICredsActivity", which is

Let's call this activity directly from the browser

Click on the "Start Activity"

Select the activity which you want to call from the drop-down menu; I have chosen the activity which I want to run. If any activity requires any parameters, then we can pass those parameters while calling that activity.

When we hit the start activity, we can see that we have the API credentials shown to us.

The last exercise we want to do is

In the 11th exercise, we must see all the contents of an exported content providers. Content providers are interfaces between the application(s) to share the data from either files or SQLite with the help of the content resolver class. Moreover, it requires having proper permission to access it. More on
Content Providers.

The basics of the 11th exercise:

In this exercise, we need to create a 4-digit PIN, and after that, we will be able to see the private notes by clicking on the button shown on the Android device.

When we enter the pin, keeping the Inspeckage open will give us the information about changes happening in the file system as well as in the shared preferences of the application.

Let us make use of the pin which we just created

On accessing the private notes

Now let us find the content provider to access it. First checking the manifest file of the application. To get the manifest file, you need to decompile the application, for that, Apktool must be installed on your machine.
How to install?

Once installed using the following command you can decompile the apk file

apktool d <name.apk>

Once decompiled, we will be able to find the manifest file under /diva-beta/AndroidManifest.xml by checking the manifest file for the DiVA we have found the following content provider exported

To access it, the URI is also required. You can use grep or search through the smali file for "jakhar.aseem.diva.provider.notesprovider" along with prefix as content://URI.

Here we can see the URI, through which the content of it can be accessed directly with content://jakhar.aseem.diva.provider.notesprovider/notes

We can directly access this URI from the SQLite itself

Once you click on Retrieve, you will have the results displayed

[This all results are same due to connectivity it has to be run multiple times]

Another thing which was observed is there has been an entry to the Shared Preferences as well.

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Download Now

This is all the basics about the Inspeckage; there is a functionality called as hooks where we can hook functionality to provide output we require, or return value of our choice, which will come in next post.