• Background: On February 22, 2025, "FitCorp," a controversial fitness tech conglomerate, releases "FitTrack Pro" (package: com.fitcorp.fittrackpro, APK: fittrackpro.apk), an Android app marketed as a revolutionary employee wellness tool. It tracks steps, heart rate, sleep patterns, and other metrics via wearables, integrating with corporate wellness systems to monitor workforce health across global enterprises.
• The Hidden Truth: Jane Doe, a former FitCorp senior developer turned whistleblower, exposes a dark secret on a hacking forum: FitTrack Pro doubles as a corporate espionage tool. Beyond fitness data, it secretly collects sensitive employee information—email contents, calendar schedules, geolocation history, and a hidden CTF flag (FLAG{corporate_steps_exposed})—transmitting it to FitCorp’s shady partners under the pretext of "analytics."
• Security Nightmare: Rushed by profit-obsessed executives to meet an impossible deadline, FitCorp’s developers left FitTrack Pro riddled with vulnerabilities. It features an exposed Content Provider leaking data, a Broadcast Receiver broadcasting secrets, an unsecured HTTP service open to interception, a SQLite database with poorly encrypted flags, a SharedPreferences file with lax permissions, a WebView exposing an admin panel with weak safeguards, and fragile anti-tampering checks in an obfuscated native library (libfitcorp.so).
• The Insider Edge: Jane hints at a hidden debug mode (triggered by Intent com.fitcorp.fittrackpro.DEBUG) that bypasses some protections, but warns of a decoy flag to mislead pentesters. The app’s sloppy design makes it a prime target for Android-specific exploits, from static analysis to runtime manipulation.
• The Pentesting Mission: You’re a pentester in a high-stakes, 48-hour CTF hosted by "HackShield," a rival cybersecurity firm aiming to dismantle FitCorp’s reputation. Your goal is to master Android app pentesting—both theory and practice—exploit FitTrack Pro’s flaws, navigate the decoy, and extract the real FLAG{corporate_steps_exposed} to expose FitCorp’s espionage scheme, racing against top hackers worldwide before FitCorp’s legal team shuts it down.
Scenario: You’re studying FitTrack Pro’s structure to identify weak points.
Question 1. What’s the primary file defining an Android app’s components?
Scenario: Jane suggests FitTrack Pro leaks data to external entities.
Question 2. What Android component shares data between apps?
Scenario: FitTrack Pro’s manifest reveals a security oversight.
Question 3. What Android attribute makes a component vulnerable if set to "true"?
Scenario: You’re theorizing how FitTrack Pro’s Content Provider exposes data.
Question 4. What’s the standard URI scheme for Android Content Providers?
Scenario: FitTrack Pro broadcasts sensitive info internally.
Question 5. What Android IPC mechanism uses Intents for communication?
Scenario: FitTrack Pro’s data sync uses an insecure protocol.
Question 6. What vulnerability arises from an Android app using HTTP instead of HTTPS?
Scenario: You suspect FitTrack Pro stores the flag locally.
Question 7. Where do Android apps commonly store persistent key-value data?
Scenario: Jane mentions a database in FitTrack Pro with flaws.
Question 8. What Android database is often targeted in pentesting?
Scenario: FitTrack Pro’s admin panel might leak via a hybrid feature.
Question 9. What Android feature loads web content within an app?
Scenario: FitTrack Pro restricts components with a custom rule.
Question 10. What Android permission level restricts component access?
Scenario: FitTrack Pro tries to thwart pentesting efforts.
Question 11. What’s a common Android anti-tampering check?
Scenario: You’re analyzing FitTrack Pro’s compiled code format.
Question 12. What Android file extension contains compiled code?
Scenario: Jane warns of encryption weaknesses in FitTrack Pro.
Question 13. What’s the risk of hardcoded keys in an Android app?
Scenario: FitTrack Pro runs a background task that might leak data.
Question 14. What Android component runs background tasks?
Scenario: FitTrack Pro requests excessive Android permissions.
Question 15. What vulnerability occurs if an Android app’s permissions are too broad?
Scenario: You’re mapping FitTrack Pro’s local storage for pentesting.
Question 16. What’s the Android filesystem path for app-private data?
Scenario: FitTrack Pro logs errors that could reveal clues.
Question 17. What Android tool logs runtime messages?
Scenario: FitTrack Pro’s manifest exposes a debug risk.
Question 18. What’s the risk of an Android app with debuggable="true"?
Scenario: FitTrack Pro uses precise Intents for internal triggers.
Question 19. What Android Intent type targets specific components?
Scenario: FitTrack Pro’s database queries lack sanitization.
Question 20. What vulnerability arises from poor Android SQLite input handling?
Scenario: FitTrack Pro leverages a native library for speed.
Question 21. What’s the purpose of an Android native library?
Scenario: FitTrack Pro’s WebView might leak via scripting.
Question 22. What Android feature can leak data via JavaScript?
Scenario: FitTrack Pro’s components lack explicit export settings.
Question 23. What’s the default Android permission for external apps?
Scenario: You’re tracing FitTrack Pro’s UI entry point.
Question 24. What Android component launches the app’s UI?
Scenario: FitTrack Pro’s Intents are poorly validated.
Question 25. What vulnerability comes from unvalidated Android Intents?
Scenario: You’re setting up to pentest FitTrack Pro.
Question 26. How do you set up an Android pentesting environment for FitTrack Pro?
Scenario: You need to load FitTrack Pro for testing.
Question 27. How do you install FitTrack Pro for pentesting?
Scenario: You must confirm FitTrack Pro is ready for pentesting.
Question 28. How do you verify FitTrack Pro’s Android installation?
Scenario: You’re dissecting FitTrack Pro’s APK for vulnerabilities.
Question 29. How do you decompile FitTrack Pro’s Android APK?
Scenario: You’re reversing FitTrack Pro’s compiled code.
Question 30. How do you reverse FitTrack Pro’s Android .dex files?