Security Testing for Android Cross Platform Application (Xamarin & Cordova) - Part 1

Hello All,

Hope you all are doing well. This is an interesting topic that needs more research from the community. I have not explored it much, but let me share what I have found. If I have missed a few aspects or made any mistake, kindly comment below and I will update the post.
Let's begin:

Bypassing SSL Pinning or the "Connection not Secure" Error of a Cordova-based Application

What is Cordova?

Apache Cordova enables software programmers to build applications for mobile devices using CSS3, HTML5, and JavaScript instead of relying on platform-specific APIs like those in Android, iOS, or Windows Phone. It enables wrapping up of CSS, HTML, and JavaScript code depending upon the platform of the device. It extends the features of HTML and JavaScript to work with the device. The resulting applications are hybrid, meaning that they are neither truly native mobile application

So recently I was given an Android application to assess which was built using the Cordova framework.
  1. How to identify if the application is built with Cordova?
One way that worked for me was using apktool to unpack the APK and finding a folder named Cordova; the other method was reading the AndroidManifest.xml file.

Step 1:
Command:- apktool d yourapp.apk

Step 2:
Let's check the AndroidManifest.xml file and the folder named Cordova

So let's run the application and intercept the requests using Burp

Step 1:

Configure Burp Suite to intercept the HTTP(S) requests

Step 2:

Configure the device and install the Burp CA certificate

Oppss!!! I am unable to intercept the request because I am intercepting the traffic with Burp Suite and the application performs some SSL certificate validation. The application throws a "Connection not Secure" error. 😐

Let's not talk about the difficulties faced while trying to bypass the "Connection not Secure" error using various publicly available tools and methods.
So, out of frustration, I started to look into the application logs, and interestingly I found something in the logs that was throwing the "Connection not Secure" error message.

So again I visited my old unpacked APK folder and checked the files in assets\www\app. Holy crap, it was a gold mine containing various JavaScript files and folders.

So I started hunting in those files for the string "CONNECTION NOT SECURE" and found that the Login.ctrl.js file contains that string.

I opened Login.ctrl.js, searched for the "CONNECTION NOT SECURE" string to understand the logic, and found that the function just pops up an alert box 😣

I also found another function which sends the "Connection Secure" response.
Hmmm!!! So what if we copy the entire function body of "CONNECTION SECURE" into "CONNECTION NOT SECURE"?


Let's copy the code of Connection Secure into Connection not Secure

Save the file, then rebuild the APK and sign it. Note that apktool b takes the directory that apktool d created (here yourapp), not the original .apk:
Command:- apktool b yourapp -o yourapp-modified.apk

Sign the apk
Command:- java -jar sign.jar yourapp-modified.apk

So after signing and installing the APK, I was finally able to intercept the traffic and bypass the "CONNECTION NOT SECURE" error

There were multiple JavaScript files present in the application which contained sensitive information like hard-coded credentials and an API key related to a payment gateway.


So we must always look at the JavaScript files, as they might contain sensitive information or help us understand the validation imposed in the application.
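To make that review repeatable, here is a small triage script, added as an example and not part of the original post or of any Cordova tooling, that walks the www/ tree of a decoded APK and flags two things found by hand above: hard-coded secrets, and security verdicts (such as the "Connection not Secure" / "Connection Secure" strings) decided in client-side JavaScript, which a developer should treat as a finding because that code is fully readable and editable in the unpacked APK. The regexes, function names and the SAMPLE_JS content are my own constructions.

```python
import re
from pathlib import Path

# Hypothetical patterns for secrets commonly left in hybrid-app JavaScript (constructed).
SECRET_PATTERNS = {
    "api_key":  re.compile(r"""(?i)(api[_-]?key|secret[_-]?key)\s*[:=]\s*['"]([^'"]{8,})['"]"""),
    "password": re.compile(r"""(?i)(password|passwd|pwd)\s*[:=]\s*['"]([^'"]+)['"]"""),
    "bearer":   re.compile(r"""(?i)['"]Bearer\s+[A-Za-z0-9\-_.=]{16,}['"]"""),
}
# A TLS/connection-security verdict expressed in JavaScript means the decision lives
# on the client, where the unpacked APK can be edited; flag it for a server-side check.
CLIENT_SIDE_CHECK = re.compile(r"(?i)connection\s+(not\s+)?secure")


def scan_js_text(text, name="<inline>"):
    """Return (file, line_no, category, snippet) findings for one JavaScript source."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for cat, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                findings.append((name, no, cat, line.strip()))
        if CLIENT_SIDE_CHECK.search(line):
            findings.append((name, no, "client_side_tls_check", line.strip()))
    return findings


def scan_www_dir(www_dir):
    """Walk assets/www of a decoded APK (path is an assumption) and scan every .js file."""
    findings = []
    for path in Path(www_dir).rglob("*.js"):
        findings.extend(scan_js_text(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample resembling what the post describes in Login.ctrl.js (not real data).
SAMPLE_JS = """\
var paymentApiKey = "EXAMPLE-KEY-1234567890";   // constructed, not a real key
function showNotSecure() { alert("CONNECTION NOT SECURE"); }
function showSecure()    { $scope.status = "Connection Secure"; proceedToLogin(); }
var svcPassword = "s3cr3t-example";
"""

if __name__ == "__main__":
    for f in scan_js_text(SAMPLE_JS, "Login.ctrl.js"):
        print("%s:%d [%s] %s" % f)
```

Run it against the real tree with scan_www_dir("yourapp/assets/www") after apktool d; each finding points at the file and line to review.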

Thanks to everyone who supported me and helped me write this blog. Special thanks to abhijeet.

