Zero to Hero - Mobile Application Testing - Android Platform



Hello Friends,

I am writing this blog post for those who are struggling with `Mobile Application Testing`, or who do not know where to start when doing mobile app security testing.

BEFORE WE START :-

  1. For those who are already champs in mobile app sec: just cheers.
  2. This will take you 15-30 mins (so go ahead only if you have the time).
  3. This post covers:

              3.1 - How to set up a testing environment for mobile app sec
              3.2 - Details of various terminologies/tools
              3.3 - Evergreen findings
              3.4 - Some pro tips. XD


Back in time, when I was doing my first mobile application assessment, to be honest I was very confused about how to initiate the testing, the setup, the findings and so on... And trust me, that's the reason
"Beginning is always tough".

So I wrote this blog post to help beginners who want to learn about mobile application testing. As of now I have covered only the `Android Platform`; other platforms like iOS and Windows are almost the same.

Content Covered: 

Case 1 :- Setting up testing environment for capturing http/https traffic
Case 2 :- What is .APK File ?
Case 3 :- What is Certificate Pinning and how to bypass ?
Case 4 :- 2 ways to test mobile application.
Case 5 :- How to install .apk file in emulator
Case 6 :- Ever Green Findings you will find during mobile app sec.

Introduction: 

We live in a mobile, personal world, where nearly a billion new mobile phones ship each year. Businesses that are most efficiently adapting to today’s “app economy” are the most successful at deepening customer engagement and driving new revenues in this ever-changing world.

Hackers are increasingly targeting high-value mobile applications across all platforms. That's where mobile application security comes into the picture.

So let's do this.

CASE 1:- For Android Device - Capturing http/https traffic


Device Type: Android

Requirement: Smartphone (Android), Wi-Fi connection, laptop, Burp Suite or Fiddler (interception proxy)

Before we start, a few assumptions:-

  1. You have been given a `Mobile Device (Android)` on which the application that needs to be tested is installed.
  2. The application has no SSL pinning. Hold on, if you are not aware what this term means, just keep reading; I have explained it at the end.

Step by Step Process for setting up the testing environment:

Step 1: 

  • Your Mobile Device (Android) and laptop should be on the same Wi-Fi network.
  • If my laptop is connected to the Nile$h SSID then my Mobile Device (Android) must also be connected to the Nile$h SSID, and vice-versa.

Below screenshot represents the same.

Fig 1: Laptop connected to Nile$h SSID 

Fig 2: Mobile device connected to Nile$h SSID 

Note: Both devices (Mobile Device (Android) and laptop) should be on the same network.


Step 2: 

On your mobile device, press and hold the SSID name as shown below and select Modify network.

      


Step 3:   

Select => Show advanced options and, under Proxy settings, click on Manual.


    




Step 4:

In this step we have to enter our laptop's IP address into the mobile device's proxy settings as below:

My laptop IP address is: 192.168.0.103


In the mobile device fill in the details as below:
Proxy hostname : 192.168.0.103 (your laptop IP address)
Proxy port : 8080

Save the settings.



Now we have completed setting up the laptop and mobile device.

The next step will be setting up the interception proxy and installing its certificate on your mobile device.

But why?

Nowadays most Android applications transmit data over SSL/TLS, which you cannot normally intercept using the above step alone. So, to intercept the SSL traffic you need to import the CA certificate of your host machine's proxy (which will be intercepting the Android traffic) into the Android keystore.

  1. If you are using Burp Suite for interception then install the Burp Suite certificate on your mobile device as below:-
     Open your Burp Suite and go to Proxy=>Options=>Edit=> Select All interfaces



It looks like as below :- 



Now open your Mozilla Firefox browser (configured to use Burp as its proxy, otherwise this address will not resolve) and type:-
http://burp
Make sure your Burp intercept is on. Download the Burp certificate and install it on your mobile device.


2.  If you are using Fiddler for interception then install the Fiddler certificate on your mobile device as follows:-

- Go to the mobile browser and type http://ipv4.fiddler:8888 in your browser
(the port number should be the same as you have set in your mobile proxy settings)
- Download the certificate
- If you are having a hard time understanding Fiddler then read this: How to use Fiddler When Burp Not working. (Remember, Fiddler is a savior)


NOTE:- 

While installing the Burp OR Fiddler certificate on your mobile device 

Importing the certificate into your mobile device:-

1]  Copy the exported certificate to your mobile device; make sure you have copied it to INTERNAL STORAGE.

2]  Then go to Settings==>Security==> and select Install from internal storage

3]  A pop-up window will come up; simply click on OK.

4]  The Burp certificate is now successfully installed on your mobile device.

At this point you will have your Android phone in one hand, and on the other you will be watching Burp Suite or Fiddler to play around with the traffic.

Hey, but can we use an emulator as well?

Yes, we can use an emulator as well, though have you ever wondered why people use an emulator to test the application?

The answer is:-

1 - If you are using a rooted Android device then it's fine to follow CASE 1.
2 - If you are using a non-rooted device then I recommend installing the .apk in an emulator and testing the app there, so that at the end of the day you can also test the storage related findings :)

But which emulator should I use, and how to install it, any idea?

1 - Which emulator should I use - Genymotion
2 - How to install Genymotion - Click here

So we have successfully created our test environment for mobile app sec testing. Great, so let's move ahead.


Case 2:  What is an .APK File?

Let's go back in time and say the client gives you an .apk file.

In terms of industry standards, before you test a mobile application, the testing team will provide you with the .apk file.

But what is an APK file?

Just like Windows PC systems use an .exe file for installing software, Android does the same.
An APK file is the file format used for installing software (usually games or apps) on the Android operating system.

If your Android device lacks access to the Google Play Store, APK files may be your only option for installing apps on your device.

Some Tips:-
  1. Before you can install it on your phone you will need to make sure that third-party apps are allowed on your device. So do the setting below.
  2. Go to Menu > Settings > Security > and check "Unknown Sources" to allow your phone to install apps from sources other than the Google Play Store.
  3. If you like, you can also download an app like ES File Explorer so you can easily find files on your Android device. (Only applicable for rooted devices.)
Take away:-

File extensions for the different mobile flavors
  1. Android    => .apk
  2. iOS           =>  .ipa
  3. Windows  =>  .xap   ==> Burp certificate to install is cacert.cer
  4. Feature phone (Nokia, etc.) =>  .jar  [But how to test such .jar based applications? Answer is here]

Case 3:-  What is Certificate Pinning and how to bypass it?

To know more about certificate pinning refer to my article how to bypass ssl-pinning.

For those who don't like clicking on external links, I am providing a quick description. It's an extra layer of security which helps the application to be more secure: the app only trusts the specific certificate or public key it expects for its server, so a proxy's certificate is rejected even if it is installed on the device.

1 - If certificate pinning is enabled then you will not be able to intercept the traffic
2 - In that case you need to bypass the certificate pinning

So we now understand
  • How to set up a test environment for testing Android mobile applications
  • What an .apk file and certificate pinning are
Now let's move ahead.


Case 4:-   2 ways to test a mobile application

1] Install the .apk on your mobile and test the application (CASE 1)
- In the above case you have to open the application on the mobile phone and test it there.

2] By using the Android SDK tools OR my all-time favorite, Genymotion

(If you know of others, let me know; I would love to know more about them.)


Case 5:-  How to install an .apk file in the emulator
  • Install the .apk file in your emulator. (Just drag and drop the .apk file onto your emulator.)
OR
  • Before that, check whether your emulator is connected or not by following the steps below:
     Step 1:-  Go to C:\Program Files\Genymobile\Genymotion\tools

     Step 2:-  Open your cmd and type
                   command:-
                   adb devices

  • Now it's time to install your .apk. Type the command below, but make sure you are in the directory below:
  • C:\Program Files\Genymobile\Genymotion\tools

Command :-  adb install  "Path of file where your .apk is placed"
i.e.                   adb install   C:\Users\Nilesh\Desktop\diva-beta.apk



Hey, but what is "adb"?

ADB = Android Debug Bridge

adb is a command line tool that lets you communicate with an emulator instance or a connected Android-powered device.

All adb clients use port 5037 to communicate with the adb server.

Basically it is a client-server program that includes three components:

  1. A client, which runs on your development machine. You can invoke a client from a shell by issuing an adb command.
  2. A server, which runs as a background process on your development machine. The server manages communication between the client and the adb daemon running on an emulator or device.
  3. A daemon, which runs as a background process on each emulator or device instance.
If you want to deep dive into it check these reference links, but hold on... do so after finishing this article so that you stay in sync.

Below is a screenshot of the above commands with which we have installed DIVA.

DIVA is the Damn Insecure and Vulnerable Application created by Aseem Jakhar, Payatu Labs.

It contains various vulnerabilities including flaws in input validation, access control, hardcoding issues and a bunch more.


So now we are all ready to hack DIVA :)

Hey, but how to intercept traffic OR set up the environment via the emulator, can you guide me?

Sure, it's almost the same as the CASE-1 setup; follow these simple steps:-

Step 1:- Set up Burp Suite
Bind Burp Suite's proxy listener to your laptop's Wi-Fi IP address on port 8080



Step 2:-  Set your laptop IP address as the proxy under WiredSSID



Step 3:-  Installing the Burp certificate.

3.1 Download the Burp certificate and change its extension to .crt
3.2 Move that certificate to the directory C:\Program Files\Genymobile\Genymotion\tools

Now you have to move that Burp certificate into your emulator; to do so run the commands below.

  • adb connect 192.168.56.101
  • adb push cacert.crt /mnt/sdcard/cacert.crt

where 192.168.56.101 is your emulator's IP address



Step 4:-
  • In the emulator go to Settings ==> Security
  • Under Credential storage select "Install from SD card"
  • Now you can select the "cacert.crt" file present on the SD card
  • Give it the name cacert and click on OK
  • It will ask you to set a lock screen; simply click OK, select a type of lock screen and confirm








Now you are all set to capture the traffic via the emulator :)

So now we know all the ways to set up the mobile application test bed. Now let's move on and see the different findings we can think of while testing a mobile application.

Below is the list of "Ever Green" findings you will find during the assessment of an Android application.


Case 6:- List of "Ever Green" findings you will be finding in Android applications

List of evergreen findings in an "Android Application"

  1. Decompiling the apk file into source code to check for the `Code Obfuscation` finding.
  2. Sensitive information in clear text inside the `Local Storage`
  3. Sensitive information in clear text inside the `Logs`
  4. `android:debuggable` set to TRUE - in the Android manifest file:- (decompile the .apk file and check the manifest file)
  5. `android:allowBackup` set to TRUE - in the Android manifest file:- (decompile the .apk file and check the manifest file)
  6. Application has set insecure permissions [app can read/write External Storage] - in the Android manifest file:- (decompile the .apk file and check the manifest file)
For more in-depth detail of the various bugs which you can find under mobile app sec refer to:-
OWASP - Mobile Top 10 2016-Top 10
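As an added example (not part of the original post), here is a small Python check that reads an AndroidManifest.xml as written out by `apktool d` and reports manifest findings 4 to 6 from the list above; the two manifests are constructed for illustration, not taken from any real app.

```python
import xml.etree.ElementTree as ET

# apktool writes the manifest as readable XML, so ElementTree can parse it;
# attributes in the android namespace show up with this prefix.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let the app read/write external (shared) storage.
STORAGE_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


def audit_manifest(manifest_xml: str) -> list:
    """Return a list of finding strings for the given manifest text.

    Covers the three manifest-level evergreen findings: android:debuggable="true",
    android:allowBackup="true" (which is also the default when the attribute is
    absent), and declared external-storage permissions.
    """
    root = ET.fromstring(manifest_xml)
    findings = []

    app = root.find("application")
    if app is not None:
        if app.get(ANDROID_NS + "debuggable", "false").lower() == "true":
            findings.append("android:debuggable is true (a debugger can attach to the app)")
        # allowBackup defaults to true, so a missing attribute is reported as well.
        if app.get(ANDROID_NS + "allowBackup", "true").lower() == "true":
            findings.append("android:allowBackup is true (app data can be pulled via adb backup)")

    declared = {p.get(ANDROID_NS + "name") for p in root.findall("uses-permission")}
    for perm in sorted(declared & STORAGE_PERMISSIONS):
        findings.append("external storage permission: " + perm)

    return findings


# Constructed sample manifests (not from any real application).
WEAK_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Demo"
                 android:debuggable="true"
                 android:allowBackup="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

HARDENED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Demo"
                 android:debuggable="false"
                 android:allowBackup="false">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label + ":", audit_manifest(text) or ["no manifest findings"])
```

Point the function at the `AndroidManifest.xml` inside the folder apktool produced to run it against a real decompiled app.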

If you are not sure how to test "Storage related findings" then refer to my other blog: How to test storage related findings

Now we will see how to find the findings described above.

1 - Reverse engineering an Android application OR decompiling the apk file into source code

We can reverse engineer the given .apk file to view the source code and, if the code is not obfuscated, add a +1 finding. Follow these simple steps:

Step 1:- Rename the .apk to a .zip file.
Step 2:- Extract the .zip file contents.
Step 3:- You will find the classes.dex file in that folder.
Step 4:- Download dex2jar and unzip it (Android applications are written in Java.)
Step 5:- Put that classes.dex file in the dex2jar folder.
Step 6:- Open a command window at the dex2jar location, i.e. in my case C:\Users\Nilesh\Desktop\M_Tools\New folder\dex2jar-2.0>
Step 7:- Run this command
             > d2j-dex2jar.bat classes.dex
Step 8:- At this point the classes-dex2jar.jar file will be created in your folder (dex2jar-2.0)
Step 9:- Download jd-gui and open that classes-dex2jar.jar file

Now you can play around with the Java code. And you have one finding to add to your sheet if the developer missed obfuscating the code ;)

2 - Sensitive information in clear text inside the storage

Step 1:-  Download the plugin for Firefox - SQLite Manager - it is a Firefox extension.
              After the installation you can find it in your browser under
              Tools ==> SQLite Manager

Step 2:-  Now you need to decompile the .apk file. To do this download apktool or Appie,
              then run the command
              apktool d "apkfile.apk"

Step 3:-  After decompiling you will find many files; check for .db files and open
              them with SQLite Manager

Note:-
If you do not have a "rooted device" or any "emulator" then you might not be able to see the local storage of the device. To deal with such a situation you need to first take an entire device backup and then look for the findings related to storage.
Reference Link 1 and Link 2

If the mobile device is rooted then you can follow the above steps OR download an app like ES File Explorer so that you can easily see the internal storage related findings.

To get the findings described above right away in one click you can use the MobSF security framework.

OR

Below is a checklist of the different attacks which you need to keep in mind when you are about to perform a mobile penetration test:-

API assessment
Flawed Broadcast Receivers
Intent Sniffing and Injection
Weak Authorization mechanism
Local Encryption issues
Vulnerable Activity Components
Root Detection and Bypass
Insecure Content Provider access
Insecure Webview implementation
Weak Cryptography implementation
Application Patching
Sensitive Information in Memory
Insecure Logging mechanism
Android Pasteboard vulnerability
Application Debuggable
Android keyboard cache issues
Android Backup vulnerability
Runtime Manipulation
Insecure SDCard storage
Insecure HTTP connections
Parameter Manipulation
Hardcoded secrets
Username Enumeration issue
Developer Backdoors
Weak change password implementation
Weak Pseudo Random Implementation
Path Traversal
Local SQL Injection
Intent based Denial-Of-Service - SMS
LockScreen Bypass
Location Spoofing
Dead Code


FAQ:- 


1] Which is the best emulator in which I can install my .apk if I don't want to load/install the app on my Android device?
Go with Genymotion. It's a savior ;)

2] Which different tools might I require to do Android testing?
  •  Simply use Appie - Android Pentesting Portable Integrated Environment. It's all in one.
3] Any demo application to test mobile app sec?
4] Any solution available for DIVA? As I am new in mobile app sec.
  •      Yes. Pentesting Android Apps (http://pentesteracademy.com/course?id=25) - DIVA by Aditya Gupta (@adi1391)
5] Any scanning sort of tool or framework available which can automate mobile app sec testing?
  •  Yes, you should refer to Mobile-Security-Framework-MobSF and its documentation by Ajin Abraham
6] Any MobileApp-Pentest-Cheatsheet link?
  • MobileApp-Pentest-Cheatsheet Link; if you want to deep dive into mobile application penetration testing.
7] Good read -  Introduction to the OWASP Mobile Security Testing Guide


Last but not least :- 
I hope you guys learned something new. If you have any suggestions or if you feel I missed out any points then do let me know OR DM me. I'd love to add them to the post.

At the end of the day we are all `learners`.

+ I would like to thank my friends who taught me and helped me out in learning mobile app sec. They all know what I mean :)

Happy Mobile Hacking.

How To Bypass SSL Pinning in Android




What is SSL Pinning?

Description:-

As per OWASP, SSL pinning can be defined as the process of associating a host with its expected X.509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or 'pinned' to the host.
A host or service's certificate or public key can be added to an application at development time, or it can be added upon first encountering the certificate or public key.
Applications communicating over HTTPS and using SSL pinning make it non-trivial to perform a Man-In-The-Middle attack and grab the network traffic in clear text using proxy tools.

Note: - In cryptography, X.509 is a standard that defines the format of public key certificates. ... An X.509 certificate contains a public key and an identity (a hostname, or an organization, or an individual), and is either signed by a certificate authority or self-signed.

Now, what do developers think about when it comes to pinning in the application (.apk)?


IMPLEMENTING SSL PINNING 





What Should Be Pinned?
You can (1) pin the certificate; or (2) pin the public key.
If you choose public keys, you have two additional choices: (a) pin the subjectPublicKeyInfo; or (b) pin one of the concrete types such as RSAPublicKey or DSAPublicKey.

Note 1: - I would encourage you to pin the subjectPublicKeyInfo because it has the public parameters (such as {e,n} for an RSA public key) and contextual information such as the algorithm and OID.
Note 2: - A certificate is an object which binds an entity (such as a person or organization) to a public key via a signature. The certificate is DER encoded, and has associated data or attributes such as Subject (who is identified or bound), Issuer (who signed it), Validity (NotBefore and NotAfter), and a Public Key.

Final takeaways:
(1) A certificate binds an entity to a public key;
(2) A certificate has a subjectPublicKeyInfo; and
(3) A subjectPublicKeyInfo has a concrete public key.


Pinning via – Certificate   
1.      The certificate is easiest to pin.
2.      You can fetch the certificate out of band for the website, have the IT folks email your company certificate to you, use openssl s_client to retrieve the certificate, etc.
3.      When the certificate expires, you would update your application. Assuming your application has no bugs or security defects, the application would be updated every year or two.
4.      At runtime, you retrieve the website or server's certificate in the callback. Within the callback, you compare the retrieved certificate with the certificate embedded within the program. If the comparison fails, then fail the method or function.
5.      There is a downside to pinning a certificate.
6.      If the site rotates its certificate on a regular basis, then your application would need to be updated regularly. For example, Google rotates its certificates, so you will need to update your application about once a month (if it depended on Google services). Even though Google rotates its certificates, the underlying public keys (within the certificate) remain static.

Pinning via – Public Key
1.      Public key pinning is more flexible but a little trickier due to the extra steps necessary to extract the public key from a certificate.
2.      As with a certificate, the program checks the extracted public key against its embedded copy of the public key.
3.      There are two downsides to public key pinning.
3.1         First, it's harder to work with keys (versus certificates) since you usually must extract the key from the certificate. Extraction is a minor inconvenience in Java and .NET, but it is uncomfortable in Cocoa/CocoaTouch and OpenSSL.
3.2         Second, the key is static and may violate key rotation policies.

Reference: - https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
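To make the certificate-versus-public-key distinction above concrete, here is an added Python example (not from the OWASP page or the original post) that pulls the subjectPublicKeyInfo out of a DER certificate with a minimal ASN.1 walker and computes the `sha256/<base64>` pin format used by Android pinning libraries such as OkHttp. The two certificates are constructed toy objects that share one fake RSA key and carry a dummy signature; they are not real and cannot be verified.

```python
import base64
import hashlib

# Minimal DER helpers: encode (for the toy certificates) and decode (for the pin).
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (tag, length, value)."""
    return bytes([tag]) + _der_len(len(content)) + content

def _int(v: int) -> bytes:
    """DER INTEGER content for a non-negative value (leading 0x00 keeps it positive)."""
    return v.to_bytes((v.bit_length() + 8) // 8, "big")

def _tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, content, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    hdr = 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    else:
        length = first
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def _children(content: bytes):
    """Split a constructed value into (tag, whole_tlv, content) triples."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, end = _tlv(content, pos)
        out.append((tag, content[pos:end], body))
        pos = end
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER subjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_fields = _children(_children(cert_body)[0][2])
    if tbs_fields[0][0] == 0xA0:          # the explicit [0] version is optional
        tbs_fields = tbs_fields[1:]
    return tbs_fields[5][1]               # sixth field: subjectPublicKeyInfo, whole TLV

def spki_pin(cert_der: bytes) -> str:
    """Public-key pin: base64(SHA-256(SPKI DER)) with the 'sha256/' prefix."""
    return "sha256/" + base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def cert_pin(cert_der: bytes) -> str:
    """Certificate pin: SHA-256 fingerprint of the whole certificate."""
    return hashlib.sha256(cert_der).hexdigest()

def check_server_trusted(cert_der: bytes, pinned: set) -> bool:
    """What the pinning callback does at runtime: accept only a pinned public key."""
    return spki_pin(cert_der) in pinned

# Toy certificates: one fake RSA key reused across two yearly re-issues.
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
OID_SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_COMMON_NAME = bytes.fromhex("550403")                  # 2.5.4.3

def _alg_id(oid: bytes) -> bytes:
    return der(0x30, der(0x06, oid) + der(0x05, b""))

def _name(cn: str) -> bytes:
    atv = der(0x30, der(0x06, OID_COMMON_NAME) + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))

def rsa_spki(n: int, e: int) -> bytes:
    rsa_key = der(0x30, der(0x02, _int(n)) + der(0x02, _int(e)))
    return der(0x30, _alg_id(OID_RSA_ENCRYPTION) + der(0x03, b"\x00" + rsa_key))

def toy_cert(serial: int, not_before: str, not_after: str, spki: bytes) -> bytes:
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                      # version v3
              + der(0x02, _int(serial))
              + _alg_id(OID_SHA256_WITH_RSA)
              + _name("Toy CA")                                  # issuer
              + der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode()))
              + _name("api.example.test")                        # subject
              + spki)
    fake_signature = der(0x03, b"\x00" * 33)                     # placeholder, never verified
    return der(0x30, tbs + _alg_id(OID_SHA256_WITH_RSA) + fake_signature)

# Constructed value, not a real key: any positive integer works for the encoding demo.
TOY_KEY = rsa_spki(n=0xB7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF, e=65537)
CERT_2016 = toy_cert(1, "160101000000Z", "170101000000Z", TOY_KEY)
CERT_2017 = toy_cert(2, "170101000000Z", "180101000000Z", TOY_KEY)  # rotated cert, same key
```

`cert_pin(CERT_2016)` and `cert_pin(CERT_2017)` differ because the serial and validity changed, while `spki_pin` is identical for both, which is the rotation behaviour point 6 above describes; a tester who finds a `checkServerTrusted` override comparing one of these values in decompiled code is looking at the pinning logic.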



Certificate pinning is used by many popular applications, e.g. Facebook, Twitter, Square, etc.
So the question that arises is, how do you bypass this certificate validation that is happening on the client side?

The important thing to note here is that all the validation is happening on the client side.
And since there are frameworks like Mobile Substrate that allow us to patch any method during runtime and modify its implementation,
it is possible to disable the certificate validation that is happening in the application.

HOW TO CHECK SSL PINNING IS THERE OR NOT 




How to check whether SSL pinning is implemented or not?

- If you are not able to intercept the traffic then either
  • You may have done the wrong setup for interception, or
  • The developer has implemented SSL pinning
1] If you have done the incorrect setup
Verify the same by simply following the steps for setting up the mobile application testing environment from this link.

2] Whether the developer has implemented SSL pinning or not

Below are the few test cases which I know of till now.

PS:- If anyone knows any other way to check if SSL pinning is implemented or not then do DM me; I'd love to add it and share the knowledge.

2.1 :-  You will be able to intercept the first request but not the other requests.

2.2 :-  If the code is obfuscated then, in the decompiled source code, press Ctrl + Shift + S and search for strings like "checkClientTrusted" or "checkServerTrusted" (these X509TrustManager method names survive obfuscation); it would show you the piece of code with pinning.

2.3 :- 
Use the MobSF security framework. - My all-time favorite
- Scan your application with MobSF, and a static analysis report will appear.
- Check the left-hand side of the report, then go to
  Security Analysis tab ==> click on File Analysis.
- If you find the "Certificate/Key Files Hard-coded inside the App" or "Hardcoded Keystore Found" keywords, it means the application has SSL pinning. OR
- If you find .bks and .key files then there is SSL pinning
- If no .bks and .key files are observed then there is no SSL pinning.

OR 

- Scan your application with MobSF, and a static analysis report will appear.
- If MobSF detects SSL pinning from the code, it will show the finding under Code Analysis.





BREAKING THE SSL PINNING 



How To Bypass SSL Pinning?


After confirming that the Android application has SSL pinning, the next step is to bypass it.


SSL pinning in the case of Android can be performed either in the
1.      Java layer, using the Android API, OR
2.      the native C/C++ layer.

Let's look into each of the cases one at a time:

Java Layer:
To implement SSL pinning, the Android API exposes multiple functions to do so.
In order to bypass SSL pinning in the Java layer one can use existing tools or can patch the APK file manually.

Xposed Framework:
If the device is rooted, one can install the Xposed Framework and use one of the multiple modules available to disable SSL pinning. One such module is SSL Unpinning.
Using the module is straightforward and I would leave the details of usage to the readers to figure out.

Manual Patching: 
Using the Xposed Framework requires the device to be rooted. If the device is not rooted, we cannot use the tools discussed above to bypass the SSL checks.
In such a situation we can patch the APK file manually. Although patching the file manually requires some extra effort, this can be done with ease.

The steps involved are the following:
1.      Decompile the application using Apktool or any other similar tool. Apktool gives Smali code for the application.
2.      Patch the relevant functions in the Smali code.
3.      Compile the application back using apktool, sign it using jarsigner and run zipalign over it.
4.      Install the patched APK generated above.

What if the above two approaches fail?

Native Layer:
If the above approaches fail, you can be fairly confident that the SSL pinning checks are being performed in the native layer. FBM is doing exactly the same. To make things a bit obscure, the FBM application does have SSL pinning logic in the Java layer as well, but patching it does not work.
To get started, simply run Apktool and get the decompiled/unzipped version of the APK. More read.


Note:-
Android Mobile OS dependency :- 

1]  For Android 4.2.2 and below versions you can install the following on your rooted device to bypass SSL
pinning :- Cydia Substrate + Android-SSL-TrustKiller

2]  For Android 4.2.2 and above versions you can use
 Xposed framework with JustTrustMe


NOTE - 1:- 

Weird problem when you get the error below:- 
(when you are not able to intercept the mobile application traffic)

In this you will learn how to
  • Decompile the .apk file
  • Re-compile the apk
  • Sign the apk file




While capturing the traffic of the mobile application, if you get any sort of response like this then do the troubleshooting as below:-


=> Decompiling the apk file

1 -  Decompile the .apk file by using the command
      apktool d "name_of_app.apk"

2 -  You will find the folder where the different certificates are placed

3 -  Put your Burp Suite certificate inside this directory (convert .der to .cer)


=> Recompiling the apk file

4 -  Now re-compile the apk

 4.1 - Type the command apktool b filename (filename is the folder with your edited files)

 4.2 - After that, it will generate a final modded apk which will be inside a folder named "dist".
        The "dist" folder is located inside the original app folder.

 4.3 - Now your new .apk is ready with the Burp Suite certificate in it.
         The next step will be signing the apk file


=> Signing the apk file

5 - Signing the apk file
Now that we have our modded apk, it is still not complete yet. An apk rebuilt by apktool is unsigned, and Android will not install it until it carries a valid signature, so we have to sign it.

5.1- Download SignApk.

5.2- Copy the "modded apk" from the "dist" folder to the SignApk folder.


5.3- Type the command
   java -jar signapk.jar certificate.pem key.pk8 filename.apk newfilename.apk

PS:-
The filename.apk refers to the modded apk file and the newfilename.apk refers to the
new final modified recompiled apk file. You can change "newfilename" to any file name
that you want.


Once signed, the resulting signed apk will be generated in the same folder. This is the FINAL APK (new_app.apk).

Just rename it, and push it to your Android device.


NOTE - 2:- 

Problems which you might face:

1) If you are not able to intercept the traffic then maybe a firewall is blocking it - in this case turn off your firewall and try again.
2) Anti-virus is blocking your traffic - turn off the anti-virus and try again.


Last but not least, if you are facing difficulties in capturing traffic then switch to Fiddler.
(Remember, Fiddler is a savior.) Refer to this blog on how to use Fiddler if you are new.



NOTE - 3:-  Good Read 

1] SSL Pinning and Basic

2] Cydia Substrate

3] SSL Pinning bypass in Android 

4] Intercept all HTTP + SSL Android traffic and bypass SSL Pinning




A Story Of How I Landed On Dating Site and Secured it - PART 2





Hi All,

Back in time I wrote a blog post, "A Story Of How I Landed On Dating Site and Secured it", in which I targeted the `Web Application` module. As time flies, the skill set of a researcher grows by leaps and bounds. Likewise, I sharpened my skill set towards "Mobile application security".


TL;DR:  
Brute force and recon are always a game changer if executed properly on a weak target implemented by the developer. Anything is possible. "Anything", yes, you heard it right. By doing a brute force attack I was able to take over the account of any user who had registered via email address. Apart from that there are many critical issues which I found during the course of the engagement.
All the reported vulnerabilities are now fixed. As it's a "private program", I will not be disclosing any details of the dating application.

Proof Of Concept:-


1x1 - Brute force - The Boss

Brute force attack leads to full account takeover

I was playing around with the most critical part of any mobile application, which is the authentication module. Users of that dating application can authenticate via OAuth (Facebook) OR via the registration process and then log in via their email id and password.

So I selected the method of logging in via my registered email id and password. I observed that there was "no rate limiting" in place when a user logs in to that dating application. To practically brute force legitimate users I encountered one challenge, i.e. in order to make the brute force attack easier I required legitimate users' email ids, so that the time taken to run my brute force attack could be saved.

Well, in order to be more precise as an attacker, I needed to have at least a valid email id of the victim, and that I was able to guess by using an "email address enumeration" bug. When the user enters an incorrect email address the application throws the error message "This email id is not registered with "dating app name"". When the user enters a correct email address then it shows the message "Reset password instructions have been sent to your email address that is registered with the mobile app."

BINGO.  ;)

No one wants to disclose publicly which dating site they are using, unless and until you are single like me XD. But using this bug I was able to enumerate whether a friend was using that dating application or not. Not only that, this bug gave me an extra benefit for running the brute force attack on the authentication module. So my first step was collecting legitimate users' email ids and then running the brute force attack to take over users' accounts.



Being lazy, for POC purposes I tried brute forcing 1 correct email id more than 20 times with random passwords. As per the above screenshot you can clearly see I was able to get the correct password of my own test account. For POC purposes I took over my own account so that there would be no impact on `Live` dating app users.


1x2  - Read the chat history - Victim had with other female/male users 

Every time you dive, you hope you'll see something new - some new species. Sometimes the ocean gives you a gift, sometimes it doesn't. Hence it's very important that you keep trying. #NeverGiveUp
Likewise I decided to deep dive into their internal storage in the hope of getting some juicy fruits.

Within 5-10 mins I was able to get something interesting. If I, as a malicious user, got the victim's internal storage data by doing social engineering, then I could easily take out all the information about


1-  Whom the victim made friends with
2-  How many boys/girls the victim is chatting with.
3-  Chat history
4-  App key
5-  What the user ids of their friend list are
6-  Their friends' private details, etc.


The best part about this bug is: "imagine married" couples having fun on this app and their rival gets those chat history details. XD


1x3  -  Application .apk can be reverse engineered (RE)

This is an evergreen finding which you can find in most mobile applications, if the developers are not that smart.

I was able to decompile the code, and the code can be reverse engineered to understand the working of the entire application. Since the code has not been obfuscated, it is possible for me to reverse engineer the code and create my own malicious .apk which can later be spread on behalf of the respective application name, simply by inserting malware into the application. Once done, that malicious .apk with injected malware could be published via social engineering to hijack all the user data.


Now the next step for me is "Responsible disclosure". So I wrote a nice email stating all the details of the bugs to that application owner's CEO. I am good at recon, you know what I mean. XD



Well, this team is really amazing; within an hour I got a positive response from the respective team.

Email sent          :-  Aug 1, 2016 at 12:41 PM
Reply from the CEO  :-  Aug 1, 2016 at 1:46 PM   <= See the time ;)

I wish all companies were like this.

Action taken by them:- 

After the submission, we had a quick conversation via email, and after exchanging a few emails they fixed all my bugs in a short duration of time.

Last but not least, all "Gray Hat Hackers" are not that bad; they do think about organisations and their security. Also I would like to thank the company CEO and their developer team, who took security very seriously and fixed all my reported bugs so quickly.


Moral Of The Story:- 
Sometimes it's good to try on some private site.

Stay focused, Don't Quit, keep trying #NeverGiveUp

Time-Line:

Vulnerability timeline:

Aug 1, 2016   :   Sent email to the CEO
Aug 1, 2016   :   Got prompt reply.
Aug 8, 2016   :   Shared all the findings with developer team.
Sep 29, 2016  :   They fixed all my reported bugs.
Sep 30, 2016  :   Bounty Awarded   <=  MY CURRENT SALARY
Oct 16, 2016  :   Public responsible disclosure



Habits of Highly Successful People


In this blog post I will show you some of my habits which helped me become more successful.

So let's do this.

Before we start, some pro-tips and a TO-DO list:-

1x1 - Habits are who you are
What is a habit? A habit is something you do daily without thinking much about it. You probably have a habit of waking at a certain time, brushing your teeth a certain way, and perhaps calling your mom once a week on a Tuesday night. Habits become such a part of your routine that they become who you are. Want to be a different person? Just start a new habit!

1x2 - You can change your habits
The nice thing about habits is that you can change them. Old habits may be hard to break — it seems that the worst habits are the hardest to break — but it is possible. If you want to start eating healthier, all you have to do is skip your morning donut until it becomes second nature to turn down pastries at breakfast.

1x3 - Good habits allow you to reach your goals
If you wanted to become a marathon runner, you wouldn’t just jump into the first marathon offered by your city. It takes months or years of training to become fit enough to compete in a marathon race.
Be patient. Great things take time and EMPIRES aren't built in a day.
Step one of reaching any goal is establishing a daily habit. If you want a better job, you must start the daily habit of looking for work. If you want to be able to lift 300 pounds, you must start the daily habit of lifting weights, and so on.

Let's learn some great habits of highly successful people.

I have listed down 15 Habits of Highly Successful People.

1. Set goals 
Once they visualize their success (long-term goal), they consistently set short-term goals to achieve the long-term goal.

2. Daily to-do list 
They value their time and their to-do list. They keep a to-do list and keep track of their work and life through it. There are 525,600 minutes in a year. They spend their time being productive.

3. Listen before speaking 
The greatest speaker has the audacity to listen, and highly successful people are great speakers because of the habit of listening. They believe in "You have two ears and only one mouth." There's a reason for that.

4. View challenges as opportunities 
They see problems as opportunities for improvement. They grow and lead to better things, both within the organization and in life. Highly successful people embrace challenges and get the best from them.

5. Stay humble 
For them humility matters. They are very nice and confident, but they don't boast or brag. They always stay humble.

6. Visualizing success 
Highly successful people visualize their success first and then they follow that path. The greatest example is Jim Carrey. "It's the entire creation process that manifests your desires," says Jim. Successful people believe in it and take action towards their desire.

7. Celebrate progress
One little win every day and 365 every year. Isn't that awesome? Highly successful people celebrate progress every day by achieving their short-term goals.

8. Understand the strengths 
They are self-aware and know what they are good at. Self-Awareness is their most important attribute. They accept their weaknesses and focus all of their attention on their strengths.

9. Figure out their why 
Highly successful people have one thing in common: they know WHY they do what they do. Having that WHY factor is a major determinant of a successful person's life. They know their purpose and actively act upon it by reminding themselves every day.

10. Meditate 
A secret weapon of top performers in business, elite athletes and individuals creating breakthrough results in their lives is meditation. They make better choices by being more focused. By seeing things more clearly they spot opportunities quicker.

11. Exercise 
They work out first thing in the morning; then what should get done gets done. Perfect. Successful people know exercise is one of the finest productivity tools ever created, so why not use it more often within a day to get more valuable things done?

12. Drink water 
They keep themselves hydrated. (PS: Coffee is not their last option)

13. Reading 
They are hungry for learning. Always curious. And keep raising their bar.

14. Be positive (+ve)  
I truly believe that everything that we do and everyone that we meet is put in our path for a purpose. There are no accidents; we're all teachers - if we're willing to pay attention to the lessons we learn, trust our positive instincts and not be afraid to take risks or wait for some miracle to come knocking at our door.
Remember, every day brings new choices, and you cannot have a positive life and a negative mind.

15. Help without expectation 
This is one of the greatest gifts you can bestow upon another. If someone is in need, lend them a helping hand. Do not wait for a thank you. True kindness lies within the act of giving without the expectation of something in return. Remember, a friend who offers help without asking for explanations is a treasure beyond price.

This is my small effort to add extra value in your life. I hope I succeeded in delivering that message.
If yes then do "Share" this message.


PS: You help others, and "GOD" will help you back :-)