Security Testing for Android Cross Platform Application ( Xamarin & Cordova ) - Part 2
Hello All,
This is the continuation of my previous post where we tried to bypass SSL Pinning by modifying the JS File in Cordova framework. Now in this post we will focused on Xamarin based application and how to get C# code which is used for building of Android App using Xamarin framework.
What is Xamarin?
According to Microsoft Docs
Xamarin allows you write code in C#, with a class library and runtime that works across all many platforms, including iOS, Android, and Windows, while still compiling native (non-interpreted) applications.
Let's Begin:
How to Identify Xamarin Based application?
The way I used to identify was by converting the apk file to jar using dex2jar to get source code for the application and jd-gui for viewing the source code.
Command:- d2j-dex2jar.bat yourapp.apk
Now open the .jar file with jd-gui and you can notice keyword "xamarin" in below screen.
So while going through the source code of application it was observed that most of file just had some generic java function compared to application containing functionality. This made me confused how the application is able to run so many different functionality 😕 compared to source code available to me.
So it was time to understand what was going on. As usually I used apktool to unzip the apk.
Command:- apktool d yourapp.apk
After unzipping the apk file I started looking for files in each folder and I found a folder named unknown where there was another folder named assemblies. The assemblies contained various .dll files which were used in the application.
What is DLL?
A Dynamic Link library (DLL) is a library that contains functions and codes that can be used by more than one program at a time.
Yes you read it correctly DLL's contain functions and codes. So let's try to decompile the DLL and read the codes
To decompile the dll you can used dotPeek
Open the dotPeek -->Explore Folder ⇒Select your folder containing DLL
Once you select your folder, dotPeek will start decompiling all the DLL's and now you can read the source code of those DLL's which are written in c#.
Note: There are also some default assemblies which are provide by Microsoft .
So now you can perform source code review to find more vulnerabilities like sensitive information(DB Credentials, Encryption Keys etc), SQL Injection etc.
Thanks for reading the post.
Special thanks to all my friends who helped / supported / motivated me for writing blogs. 🙏
This is the continuation of my previous post where we tried to bypass SSL Pinning by modifying the JS File in Cordova framework. Now in this post we will focused on Xamarin based application and how to get C# code which is used for building of Android App using Xamarin framework.
What is Xamarin?
According to Microsoft Docs
Xamarin allows you write code in C#, with a class library and runtime that works across all many platforms, including iOS, Android, and Windows, while still compiling native (non-interpreted) applications.
Let's Begin:
How to Identify Xamarin Based application?
The way I used to identify was by converting the apk file to jar using dex2jar to get source code for the application and jd-gui for viewing the source code.
Command:- d2j-dex2jar.bat yourapp.apk
Now open the .jar file with jd-gui and you can notice keyword "xamarin" in below screen.
So while going through the source code of application it was observed that most of file just had some generic java function compared to application containing functionality. This made me confused how the application is able to run so many different functionality 😕 compared to source code available to me.
So it was time to understand what was going on. As usually I used apktool to unzip the apk.
Command:- apktool d yourapp.apk
After unzipping the apk file I started looking for files in each folder and I found a folder named unknown where there was another folder named assemblies. The assemblies contained various .dll files which were used in the application.
What is DLL?
A Dynamic Link library (DLL) is a library that contains functions and codes that can be used by more than one program at a time.
Yes you read it correctly DLL's contain functions and codes. So let's try to decompile the DLL and read the codes
To decompile the dll you can used dotPeek
Open the dotPeek -->Explore Folder ⇒Select your folder containing DLL
Once you select your folder, dotPeek will start decompiling all the DLL's and now you can read the source code of those DLL's which are written in c#.
Note: There are also some default assemblies which are provide by Microsoft .
So now you can perform source code review to find more vulnerabilities like sensitive information(DB Credentials, Encryption Keys etc), SQL Injection etc.
Thanks for reading the post.
Special thanks to all my friends who helped / supported / motivated me for writing blogs. 🙏
Thankyou so much for wonderful information …great work…well done…keep doing…Looking for the best mobile application penetration testing services in Hyderabad contact Cyanous software solutions now.
ReplyDeleteBest web designing services in Hyderabad
Best software & web development company in Hyderabad
Thanks for sharing the nice information. You have need Xamarin App for your business. Sapphire Solutions is a reputed
ReplyDeleteXamarin App Development Company in USA, India, Uk, Australia and more.
Attract Group offers a comprehensive solution for launching an Uber-like service https://attractgroup.com/solutions/solution-for-uber-services/ that includes a user-friendly interface, real-time tracking, secure payment integration, and customizable features. Their expertise in developing robust and scalable platforms ensures a seamless user experience and efficient management system. A reliable option for businesses looking to enter the on-demand service market.
ReplyDelete