
Welcome to the AppSec Apprentice CTF! You've been tasked with assessing the security of a simple mobile application developed for Craw.in employees. The application is called "CrawConnect." You'll need to use basic mobile security principles to identify vulnerabilities. Good luck!
Scenario:
You've been given the APK file for CrawConnect. You begin by examining the AndroidManifest.xml file.
Question 1:
You notice that the android:debuggable flag is set to "true" in the AndroidManifest.xml. This could expose sensitive information during runtime. What is this crucial flag's state?
Scenario:
Next, you decompile the APK and start browsing the code. You find a class, SecretManager, which seems interesting. Inside SecretManager, you find the following line: private static final String API_KEY = "12345_Insecure_API_Key";
Question 2:
What is stored in API_KEY value, which can be easily exposed and abused?
Scenario:
You discover that CrawConnect stores user login credentials (username and password) in SharedPreferences. The password is not encrypted, but is obfuscated using a simple XOR operation with the key 'CRAW'.
Question 3:
Storing user credentials in plaintext or easily reversible formats is a major security risk. What type of storage is this?
Scenario:
While examining the network traffic of the app using a proxy tool (like Burp Suite), you notice that the application doesn't validate the SSL certificate of the server it's communicating with. It accepts any certificate.
Question 4:
What type of vulnerability is created when the app doesn't properly validate SSL certificates?
Scenario:
The app has a feature where users can upload profile pictures. You find that the server-side validation for these uploads is weak, and you can upload files with extensions like .php.
Question 5:
What security flaw allows malicious files to be uploaded due to improper server-side validation?
Scenario:
The application uses a WebView to display some dynamic content fetched from a Craw.in website. However, the WebView is configured to allow JavaScript execution, and it doesn't properly sanitize the input from the website.
Question 6:
What vulnerability allows an attacker to execute arbitrary JavaScript code within the context of the WebView?
Scenario:
You analyze the exported activities and services declared in the AndroidManifest.xml. You find an exported activity that is not properly protected with permissions, allowing other applications to launch it.
Question 7:
What is the permission missing that allows a malicious app to take control of an exported component?
Scenario:
During testing, you discover the application has no protections against reverse engineering, and you've successfully decompiled the code and examined its logic.
Question 8:
What is the state of security when the application has little or no protection against reverse engineering?
Scenario:
You've identified that the app is using an outdated library that has multiple known vulnerabilities.
Question 9:
The use of outdated libraries presents a vulnerability of what kind?
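
The two manifest findings above (the `android:debuggable` flag and the exported activity with no permission) can be checked mechanically during review. The following is an added example, not part of the original challenge: it audits a decoded, text-form AndroidManifest.xml, and the sample manifest, package name and component names in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample in decoded (text) XML form; package and class names are made up.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.crawconnect">
  <application android:debuggable="true">
    <activity android:name=".LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <receiver android:name=".PushReceiver">
      <intent-filter><action android:name="com.example.crawconnect.PUSH"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.crawconnect.permission.SYNC"/>
  </application>
</manifest>
"""

def audit_manifest(xml_text):
    """Return (rule, target) findings for a decoded AndroidManifest.xml."""
    findings = []
    for app in ET.fromstring(xml_text.strip()).iter("application"):
        if app.get(ANDROID + "debuggable") == "true":
            findings.append(("debuggable", "application"))
        app_permission = app.get(ANDROID + "permission")  # applies to every component
        for comp in app:
            if comp.tag not in COMPONENTS:
                continue
            # The launcher entry point must stay exported without a permission.
            if any(c.get(ANDROID + "name") == "android.intent.category.LAUNCHER"
                   for c in comp.iter("category")):
                continue
            flag = comp.get(ANDROID + "exported")
            # No explicit flag: an intent-filter implied exported=true before targetSdk 31.
            exported = flag == "true" or (
                flag is None and comp.find("intent-filter") is not None)
            if exported and not (comp.get(ANDROID + "permission") or app_permission):
                findings.append(("exported-unprotected", comp.get(ANDROID + "name")))
    return findings
```

Calling `audit_manifest(SAMPLE_MANIFEST)` reports the debuggable application plus the two components reachable by other apps without a permission, while the launcher activity, the non-exported activity and the permission-protected service are not flagged.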