Security Testing for Android Cross Platform Application (Xamarin & Cordova) - Part 1

Hello All,

Hope you all are doing great. So this would be an interesting topic which needs more research from the community. I have not explored much, but let me share what I have found. If I have missed a few aspects or made any mistakes, kindly comment below and I will update the post.
Let's begin:

Bypassing SSL Pinning or Connection not secure Error of Cordova based Application 

What is Cordova?


Apache Cordova enables software programmers to build applications for mobile devices using CSS3, HTML5, and JavaScript instead of relying on platform-specific APIs like those in Android, iOS, or Windows Phone. It enables wrapping up of CSS, HTML, and JavaScript code depending upon the platform of the device. It extends the features of HTML and JavaScript to work with the device. The resulting applications are hybrid, meaning that they are neither truly native mobile application

Recently I was given an Android application to assess which was built using the Cordova framework.
  1. How to identify if the application is built with Cordova?
One way that worked for me was to use apktool to unpack the APK and look for the folder named Cordova; the other method was reading the AndroidManifest.xml file.

Step 1:
Command:- apktool d yourapp.apk



Step 2:
Let's check the AndroidManifest.xml file and the folder named Cordova



So let's run the application and intercept the request using Burp

Step 1:

Configure the Burp Suite to intercept the HTTP(S) Request


Step 2:

Configure the device and install the Burp certificate


Oops!!! I am unable to intercept the request because I am intercepting the traffic with Burp Suite and the application has some SSL certificate validation. The application throws a "Connection not Secure" error. 😐


Let's not talk about the difficulties faced while trying to bypass the "Connection not Secure" error using various publicly available tools and methods.
So out of frustration I started to look into the application logs and, interestingly, I found something in the logs which was throwing the "Connection not Secure" error message:
www/app/main.service.js



So I went back to my unzipped APK folder and checked the files in assets\www\app. Holy crap, it was a gold mine containing various JavaScript files and folders.


So I started hunting in those files for the string "CONNECTION NOT SECURE" and found that the Login.ctrl.js file contains that string.


I opened Login.ctrl.js, searched for the "CONNECTION NOT SECURE" string to understand the logic, and found that the function just pops an alert box 😣


I also found another function which sends the "Connection Secure" response.
Hmmm!!! So what if we copy the entire function of "CONNECTION SECURE" into "CONNECTION NOT SECURE"?

CONNECTION SECURE CODE


Let's Copy the Code of Connection Secure to Connection not Secure


Save the file, then rebuild and sign the APK
Command:- apktool b yourapp


Sign the apk
Command:- java -jar sign.jar yourapp.apk


After signing and installing the APK, I was finally able to intercept the traffic and bypass the "CONNECTION NOT SECURE" error.


There were multiple JavaScript files present in the application which contained sensitive information such as hard-coded credentials and API keys related to the payment gateway.

Conclusion 

So we must always look at the JavaScript files, as they might contain sensitive information or help us understand the validation imposed in the application.
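A check a development team can run against its own decoded build before release, covering the two points above: recognising the Cordova layout and finding secrets shipped in the www JavaScript. This is an added example, not code from the original post or the assessed application; the regex rules and the sample files are constructed assumptions, and `assets/www/cordova.js` / `cordova_plugins.js` are the usual Cordova Android asset names.

```python
import re
import tempfile
from pathlib import Path

# Heuristic rules (assumptions for this example, not an exhaustive rule set).
SECRET_PATTERNS = {
    "credential": re.compile(
        r"""(?i)\b(pass(word|wd)?|pwd|secret)\b\s*[:=]\s*["'][^"']{4,}["']"""),
    "api_key": re.compile(
        r"""(?i)\b(api[_-]?key|access[_-]?token|auth[_-]?token)\b\s*[:=]\s*["'][^"']{8,}["']"""),
}

def is_cordova(decoded_dir):
    """True if an apktool-decoded directory has the Cordova web-asset layout."""
    www = Path(decoded_dir) / "assets" / "www"
    return (www / "cordova.js").is_file() or (www / "cordova_plugins.js").is_file()

def scan_www(decoded_dir):
    """Return (relative path, line number, rule) for each suspected hard-coded secret."""
    root = Path(decoded_dir)
    findings = []
    for js in sorted((root / "assets" / "www").rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((js.relative_to(root).as_posix(), lineno, rule))
    return findings

def build_sample(root):
    """Constructed sample tree standing in for `apktool d` output."""
    app = Path(root) / "assets" / "www" / "app"
    app.mkdir(parents=True)
    (app.parent / "cordova.js").write_text("// cordova bootstrap\n")
    (app / "payment.service.js").write_text(
        "var cfg = {\n  apiKey: 'EXAMPLE-KEY-0000000000',\n  password: 'example-pass'\n};\n")
    # A parameter named "password" is not a literal assignment, so it is not flagged.
    (app / "Login.ctrl.js").write_text("function login(user, password) { return user; }\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("Cordova layout:", is_cordova(tmp))
        for path, lineno, rule in scan_www(tmp):
            print(f"{path}:{lineno}: possible hard-coded {rule}")
```

Anything this flags in a release build should move to the server side, since every file under assets/www ships to the device in readable form.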

Thanks to everyone who supported me and helped me write this blog. Special thanks to abhijeet.


Comments

  1. Informative post! I wonder if such security testing can be applied to an Android app for Shopify store that I recently built.

  2. I think this is the best article today. Thanks for taking your own time to discuss this topic, I feel happy about that curiosity has increased to learn more about this topic. Keep sharing your information regularly for my future reference.Excellent blog admin. This is what I have looked. Check out the following links for QA services
  3. Excellent Blog, I like your blog and It is very informative. Thank you
  4. So for Xamarin is it the same way as cordova


  5. Great set of tips from the master himself. Excellent ideas. Thanks for Awesome tips Keep it up
  6. Nice post. Penetration testing is a security exercise where a cyber-security expert attempts to find and exploit vulnerabilities in a computer system. Checkout the detailed information about penetration testing services and how it's helps avoid the security threats.

  7. It's really nice and meaningful. it's really cool blog, Thank you.
  8. This site have particular software articles which emits an impression of being a significant and significant for you individual, able software installation.This is the spot you can get helps for any software installation, usage and cracked.
  9. After looking through a few blog articles on your website,we sincerely appreciate the way you blogged.We’ve added it to our list of bookmarked web pages and will be checking back in the nearfuture. Please also visit my website and tell us what you think.Great work with hard work you have done I appreciate your work thanks for sharing it.
  10. Nice post. I was checking constantly this blog and I am impressed! Extremely helpful information specially App development I care for such info a lot.

  11. I like your all post. You have done really good work. Thank you for the information you provide, it helped me a lot. I hope to have many more entries or so from you.
    Very interesting blog.
  12. Really Nice Article! You post inspire me too much.
  13. I like your all post. You have done really good work. Thank you for the information you provide, it helped me a lot. crackdoc.org I hope to have many more entries or so from you.
    Very interesting blog.
  14. Thanks for providing a valuable tool for developers to create and edit HTML content conveniently on Android devices.Developing Android app in JavaScript frameworks allows for cross-platform compatibility and faster development cycles, making it a popular choice among developers.

  15. Machine literacy is trendy content in academia and business; new ways are always being created. Indeed for specialists, the speed and intricacy of the field make it delicate to keep up with new ways.
    is this one. still, it restricts itself to a direct relationship and only considers the dependent variable’s mean. Time series analysis and trend soothsaying are two operations of direct retrogression. On the base of literal data, it can read unborn deals. . Machine learning classes in pune
  16. Thank you for sharing this insightful post! It's crucial to explore security testing in-depth, especially for cross-platform applications like those built with Cordova. FYI Solutions offers Cyber Security Services to help identify and mitigate these vulnerabilities, ensuring robust security for your applications.
