Security Testing for Android Cross Platform Application ( Xamarin & Cordova) - Part 1

Hello All,

Hope you all are doing great. This is an interesting topic that needs more research from the community. I have not explored it much, but let me share what I have found. If I have missed any aspect or made a mistake, kindly comment below and I will update the post.
Let's begin:

Bypassing SSL Pinning or the "Connection not Secure" Error of a Cordova-based Application

What is Cordova?


Apache Cordova enables software programmers to build applications for mobile devices using CSS3, HTML5, and JavaScript instead of relying on platform-specific APIs like those in Android, iOS, or Windows Phone. It wraps the CSS, HTML, and JavaScript code for the platform of the device and extends the features of HTML and JavaScript to work with the device. The resulting applications are hybrid, meaning that they are neither truly native mobile application

So recently I was given an Android application to assess which was built using the Cordova framework.
  1. How to identify if the application is built with Cordova?
One way that worked for me was using apktool to unpack the apk and look for a folder named Cordova; the other method was reading the AndroidManifest.xml file.

Step 1:
Command:- apktool d yourapp.apk



Step 2:
Let's check the AndroidManifest.xml file and the folder named Cordova
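The two identification checks above can be scripted so the fingerprint is repeatable across engagements. The following is an added example (Python), not code from the original post: it inspects the directory that apktool produced and reports which Cordova indicators are present. The file paths it checks (assets/www/cordova.js, assets/www/cordova_plugins.js, res/xml/config.xml with the Cordova namespace, smali/org/apache/cordova, and the word "cordova" in AndroidManifest.xml) are the ones a Cordova Android build ships with; the sample directory trees are constructed inside the script purely to exercise the checks.

```python
# Added example (not from the original post): fingerprint a decoded APK
# directory as a Cordova app. Paths follow the apktool output layout the post
# describes (assets/www, AndroidManifest.xml); the sample trees are constructed.
import re
import tempfile
from pathlib import Path

# Each indicator is a path relative to the apktool output directory.
# The files under assets/www ship with every Cordova Android build;
# res/xml/config.xml is the Cordova widget configuration.
STRONG_INDICATORS = (
    "assets/www/cordova.js",
    "assets/www/cordova_plugins.js",
    "res/xml/config.xml",
)

CORDOVA_NS = "http://cordova.apache.org/ns/1.0"


def cordova_indicators(root) -> dict:
    """Return which Cordova fingerprints are present in a decoded APK tree."""
    root = Path(root)
    found = {rel: (root / rel).is_file() for rel in STRONG_INDICATORS}
    config = root / "res/xml/config.xml"
    found["config.xml has cordova namespace"] = (
        config.is_file() and CORDOVA_NS in config.read_text(errors="replace")
    )
    manifest = root / "AndroidManifest.xml"
    # Weak indicator: the manifest itself often does not name Cordova at all.
    found["manifest mentions cordova"] = (
        manifest.is_file()
        and re.search(r"cordova", manifest.read_text(errors="replace"), re.I) is not None
    )
    # apktool writes decompiled classes under smali/, smali_classes2/, ...
    found["smali has org/apache/cordova"] = any(
        p.is_dir() for p in root.glob("smali*/org/apache/cordova")
    )
    return found


def is_cordova_app(root) -> bool:
    """Treat the app as Cordova when the JS bridge or the namespaced config is present."""
    ind = cordova_indicators(root)
    return ind["assets/www/cordova.js"] or ind["config.xml has cordova namespace"]


def build_demo_tree(cordova: bool) -> Path:
    """Constructed sample apktool output, used only to exercise the checks."""
    root = Path(tempfile.mkdtemp())
    (root / "AndroidManifest.xml").write_text(
        '<manifest package="com.example.demo"><application/></manifest>'
    )
    if cordova:
        (root / "assets/www").mkdir(parents=True)
        (root / "assets/www/cordova.js").write_text("/* constructed stub */")
        (root / "assets/www/cordova_plugins.js").write_text("/* constructed stub */")
        (root / "res/xml").mkdir(parents=True)
        (root / "res/xml/config.xml").write_text(
            f'<widget xmlns="http://www.w3.org/ns/widgets" xmlns:cdv="{CORDOVA_NS}"/>'
        )
        (root / "smali/org/apache/cordova").mkdir(parents=True)
    return root


if __name__ == "__main__":
    # Point cordova_indicators() at a real "apktool d" output directory in practice.
    for flag in (True, False):
        tree = build_demo_tree(flag)
        print(tree, is_cordova_app(tree), cordova_indicators(tree))
```

In practice you would call `cordova_indicators()` on the real output folder of `apktool d yourapp.apk`; the manifest check is kept as a weak signal only, because a Cordova app's manifest frequently does not contain the word at all.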



So let's run the application and intercept the requests using Burp

Step 1:

Configure Burp Suite to intercept the HTTP(S) requests


Step 2:

Configure the device and install the Burp certificate


Oops!!! I am unable to intercept the request: because I am intercepting the traffic with Burp Suite and the application has some SSL certificate validation, the application throws a "Connection not Secure" error. 😐


Let's not talk about the difficulties I faced while trying to bypass the "Connection not Secure" error using various publicly available tools and methods.
So out of frustration I started looking into the application logs, and interestingly I found the file that was throwing the "Connection not Secure" error message:
www/app/main.service.js



So again I went back to my unpacked apk folder and checked the files in assets\www\app. Holy crap, it was a gold mine containing various JavaScript files and folders.


So I started hunting in those files for the string "CONNECTION NOT SECURE" and found that the Login.ctrl.js file contains it.


I opened Login.ctrl.js, searched for the "CONNECTION NOT SECURE" string to understand the logic, and found that the function just pops an alert box 😣


I also found another function which sends the "Connection Secure" response.
Hmmm!!! So what if we copy the entire function body of "CONNECTION SECURE" into "CONNECTION NOT SECURE"?

CONNECTION SECURE CODE


Let's copy the code of Connection Secure into Connection not Secure


Save the file, then rebuild the apk and sign it
Command:- apktool b yourapp
(yourapp is the folder that apktool d created; the rebuilt apk is written to yourapp/dist/yourapp.apk)


Sign the apk
Command:- java -jar sign.jar yourapp.apk


So after signing and installing the apk, I was finally able to intercept the traffic and bypass the "CONNECTION NOT SECURE" error


There were multiple JavaScript files present in the application which contained sensitive information like hard-coded credentials and API keys related to a payment gateway.

Conclusion 

So we must always look at the JavaScript files, as they might contain sensitive information or help us understand the validation imposed in the application. A check that exists only in shipped JavaScript runs on a device the tester controls, so on its own it is not a security control.
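To make the review of assets\www systematic rather than a manual string hunt, here is an added example (Python), not code from the original post, that walks the decoded www tree and flags two things the post describes finding: hard-coded credentials or API keys, and user-facing strings that reveal a security decision living in client-side JavaScript (such as "CONNECTION NOT SECURE"). The regex rules are constructed and deliberately simple; the sample Login.ctrl.js and main.service.js files, their contents, and the placeholder key and payment URL are all constructed for the demonstration and are not taken from the assessed application.

```python
# Added example (not from the original post): walk the assets/www tree of a
# decoded APK and flag JavaScript that carries hard-coded secrets or
# client-side security decisions. Rules and sample files are constructed.
import re
import tempfile
from pathlib import Path
from typing import NamedTuple


class Finding(NamedTuple):
    file: str
    line: int
    rule: str
    snippet: str


# Rule name -> regex. Kept deliberately simple; a real audit would tune these.
RULES = {
    # assignments such as apiKey: "..." or password = '...'
    "hard-coded credential": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*['\"][^'\"]{4,}['\"]"
    ),
    # user-facing strings that reveal a security check implemented in JS
    "client-side security check": re.compile(
        r"(?i)connection\s+(not\s+)?secure|certificate|pinning"
    ),
    # payment-style URLs, which the post reports finding next to the keys
    "payment endpoint": re.compile(r"(?i)https?://[^\s'\"]*(pay|checkout|gateway)[^\s'\"]*"),
}


def scan_js(www_root) -> list:
    """Return one Finding per (line, rule) hit across all .js files under www_root."""
    findings = []
    for path in sorted(Path(www_root).rglob("*.js")):
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for rule, pattern in RULES.items():
                if pattern.search(line):
                    findings.append(Finding(path.name, lineno, rule, line.strip()[:80]))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule so a reviewer can triage quickly."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def build_demo_www() -> Path:
    """Constructed assets/www layout mirroring the file names the post mentions."""
    app = Path(tempfile.mkdtemp()) / "www" / "app"
    app.mkdir(parents=True)
    (app / "Login.ctrl.js").write_text(
        "function onNotSecure() {\n"
        "  alert('CONNECTION NOT SECURE');  // constructed\n"
        "}\n"
        "function onSecure() { proceedToLogin(); }\n"
    )
    (app / "main.service.js").write_text(
        "var cfg = {\n"
        "  apiKey: 'DEMO_KEY_0000',  // constructed placeholder, not a real key\n"
        "  gateway: 'https://pay.example.invalid/checkout',\n"
        "};\n"
    )
    return app.parent


if __name__ == "__main__":
    # Point scan_js() at <apktool output>/assets/www in practice.
    for f in scan_js(build_demo_www()):
        print(f"{f.file}:{f.line} [{f.rule}] {f.snippet}")
```

Run against a real `assets/www` directory, the "client-side security check" hits are the places to read first, since they show which decisions the app makes in JavaScript that it delivers to the device; the credential hits are what needs to be moved off the client entirely.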

Thanks to everyone who supported me and helped me write this blog. Special thanks to abhijeet.

