Mobile Application Penetration Testing on ArtsTailorNews.apk
Situation:
This exercise focused on assessing the security of the ArtsTailorNews.apk mobile application, version 0.01, to identify vulnerabilities and potential risks of sensitive data exposure. The application was downloaded and analyzed using jadx-gui to examine the decompiled source code.
Obstacles:
- Source Code Navigation: locating potential vulnerabilities within the complex directory structure of the decompiled APK.
- Credential Decoding: deciphering hard-coded credentials to evaluate their impact.
- Data Exfiltration: verifying how the application manages and transmits sensitive data.
Actions Taken:
- APK Decompilation:
  - Downloaded the APK from http://www.artstailor.com/apps/ArtsTailorNews.apk.
  - Loaded the APK into jadx-gui for analysis.
- Source Code Inspection:
  - Navigated to the Source code/com/example.artstailor.com/ItemListActivity/Async directory.
  - Found hard-coded credentials on line 146 within the Async file.
- Credential Decoding:
  - Saved the base64-encoded credentials into a file and decoded them using base64 -d, revealing:
    - Username: artstailor
    - Password: secure123
- Database Access:
  - Logged in using the decoded credentials.
  - Queried the "test" database, which printed all records in a loop, demonstrating unrestricted access to sensitive information.
Results:
- Vulnerability Identified: hard-coded credentials in the source code allowed unauthorized access to the application's backend test database.
- Data Compromised: full access to database records was achieved, demonstrating a significant security flaw.
- Critical Security Risk: the hard-coded credentials pose a severe risk, allowing attackers to exfiltrate sensitive information.
Tool Purpose Overview:
jadx-gui:
- Decompiled the APK to analyze its source code and identify potential vulnerabilities.
base64:
- Decoded the hard-coded credentials extracted from the application source.
Recommendations:
- Avoid Hard-Coding Credentials: use secure authentication methods, such as token-based systems or encrypted configuration files.
- Implement Access Controls: restrict database access to authorized users only and enforce query limitations.
- Encrypt Sensitive Data: ensure that all sensitive data is encrypted during storage and transmission.
- Conduct Secure Code Reviews: periodically review source code for security best practices to prevent similar vulnerabilities.
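The "Credential Decoding" step above and the "Conduct Secure Code Reviews" recommendation both come down to the same check: find string literals in decompiled source that decode from base64 into something credential-shaped. The script below is an added example, not part of the original writeup or of the application's code; it scans Java/Kotlin files exported from jadx for such literals, decodes them, and flags the ones worth a reviewer's attention. The sample Java class, its package name, and the demo_user:demo_pass blob are constructed for the example, and the path layout is only an assumption about how a jadx export is laid out.

```python
import base64
import binascii
import re
from pathlib import Path
from typing import Dict, List, Optional

# A Java/Kotlin string literal made only of base64 alphabet characters, at least
# 16 characters long (shorter blobs are almost always identifiers, not secrets).
STRING_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')

# Words that, in either the decoded text or the surrounding source line, suggest
# the blob is a credential rather than an opaque resource.
CRED_HINTS = re.compile(r"(user|pass|pwd|auth|token|secret|key|:)", re.IGNORECASE)


def decode_if_base64(token: str) -> Optional[str]:
    """Return the decoded text if token is valid base64 for printable UTF-8, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, binascii.Error):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None


def scan_source(text: str, path: str = "<memory>") -> List[Dict[str, object]]:
    """Scan one source file's text; return a finding per decodable base64 literal."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in STRING_LITERAL.finditer(line):
            decoded = decode_if_base64(match.group(1))
            if decoded is None:
                continue
            looks_like_cred = bool(CRED_HINTS.search(decoded) or CRED_HINTS.search(line))
            findings.append(
                {
                    "path": path,
                    "line": lineno,
                    "literal": match.group(1),
                    "decoded": decoded,
                    "severity": "high" if looks_like_cred else "info",
                }
            )
    return findings


def scan_tree(root: Path) -> List[Dict[str, object]]:
    """Walk a jadx export (assumed layout: *.java / *.kt under root) and scan every file."""
    findings: List[Dict[str, object]] = []
    for suffix in ("*.java", "*.kt"):
        for file in sorted(root.rglob(suffix)):
            findings.extend(scan_source(file.read_text(errors="replace"), str(file)))
    return findings


# Constructed sample standing in for a decompiled Async class; the blob encodes
# the made-up pair demo_user:demo_pass so the decode path is exercised.
_BLOB = base64.b64encode(b"demo_user:demo_pass").decode()
SAMPLE_JAVA = """\
package com.example.constructed;

public class Async {
    // constructed sample: a base64 blob wired straight into a database login
    private static final String DB_AUTH = "__BLOB__";
    private static final String API_HOST = "api.example.invalid";
    private static final String DB_NAME = "test";
}
""".replace("__BLOB__", _BLOB)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_JAVA, "Async.java"):
        print(f"{f['severity'].upper()} {f['path']}:{f['line']} decodes to {f['decoded']!r}")
```

Run it against a jadx export with scan_tree(Path("path/to/jadx-export")); a "high" finding is one where either the decoded text or the line it sits on mentions a user, password, auth or token, which is exactly the pattern found on line 146 of the Async file in this assessment. The 16-character floor and the printable-UTF-8 check keep ordinary identifiers and binary resources out of the report.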