
Final Challenge: Hack a Real-World Vulnerable Android App

Task 1 Final Challenge: Hack a Real-World Vulnerable Android App

Learning Objectives

  • Apply all learned skills together: static analysis, traffic interception, and exploitation.
  • Discover and exploit multiple vulnerabilities in a single target.
  • Write a simple penetration testing report.

Introduction

This is your final exam. You will be given an APK file of a vulnerable application. Your mission is to find as many vulnerabilities as you can and document them. Use all the tools and techniques from previous rooms.

Target App

"InsecureBankv2" - a deliberately vulnerable banking app. Download the APK and install it on your emulator. You will also need to run its server component (a Python script) on your local machine.
No local setup? No problem. You can also use our web-based lab environment, which needs no installation: launch the PocketBank Mobile Pentest Lab on Hacklido.

Your Mission

Phase 1: Reconnaissance (Static Analysis)

  1. Use apktool to decode the APK.
  2. Use dex2jar to convert the APK's DEX bytecode to a JAR, then open it in JD-GUI to read the decompiled Java source.
  3. Findings to look for:
    • Hardcoded credentials (usernames/passwords/API keys) in the code.
    • The android:debuggable="true" flag in AndroidManifest.xml.
    • Exported activities, services, or content providers.
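To make the Phase 1 checklist repeatable, here is an added example (not InsecureBankv2's code, and not part of apktool or JD-GUI) that parses a decoded AndroidManifest.xml for the debuggable flag, the backup and cleartext flags, and every component other apps can reach, and then scans decompiled source text for hardcoded-looking credentials and keys. The manifest and Java fragment embedded in it are constructed samples with placeholder package, class and secret values; on a real target you read the text from the apktool output directory and the JD-GUI export instead.

```python
"""Static checks over apktool output: manifest flags, exported components,
and hardcoded-looking secrets in decompiled source.

Added example for this room, not code from InsecureBankv2 or apktool.
SAMPLE_MANIFEST and SAMPLE_JAVA are constructed with placeholder names."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest shaped like apktool's decoded AndroidManifest.xml
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholderbank">
  <uses-sdk android:targetSdkVersion="30"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <activity android:name=".ProfileActivity" android:exported="false"/>
    <service android:name=".SyncService"/>
    <provider android:name=".StatementProvider"
              android:authorities="com.example.placeholderbank.statements"/>
  </application>
</manifest>"""

# Constructed decompiled-Java fragment; the values are placeholders
SAMPLE_JAVA = """
public class Config {
    static final String API_KEY = "PLACEHOLDER-API-KEY-0000";
    static final String adminPassword = "changeme123";
    static final String theme = "dark";
}
"""

# identifier containing a credential-like word, assigned a string literal
SECRET_PATTERN = re.compile(
    r'(?i)\b(\w*(?:password|passwd|pwd|secret|api_?key|token)\w*)\s*=\s*"([^"]+)"')


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyze_manifest(xml_text):
    """Return (category, detail) findings for risky application flags and
    for every component that is exported explicitly or by default."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for flag in ("debuggable", "allowBackup", "usesCleartextTraffic"):
        if attr(app, flag) == "true":
            findings.append((flag, 'android:%s="true" on <application>' % flag))
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            name = attr(comp, "name")
            exported = attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            if exported == "true":
                findings.append(("exported-" + tag, "%s (explicit)" % name))
            elif exported is None and has_filter:
                # Before Android 12 a component with an intent-filter and no
                # android:exported is exported by default. The LAUNCHER
                # activity is expected here; anything else deserves a look.
                findings.append(("exported-" + tag,
                                 "%s (implicit via intent-filter)" % name))
            elif exported is None and tag == "provider":
                # Providers default to exported when targetSdkVersion < 17,
                # so an unset attribute needs a manual check.
                findings.append(("exported-provider",
                                 "%s (unset, check targetSdkVersion)" % name))
    return findings


def find_hardcoded_secrets(source_text):
    """Return (identifier, value) pairs whose names suggest credentials or keys."""
    return SECRET_PATTERN.findall(source_text)


if __name__ == "__main__":
    for item in analyze_manifest(SAMPLE_MANIFEST):
        print("[manifest] %s: %s" % item)
    for ident, value in find_hardcoded_secrets(SAMPLE_JAVA):
        print("[secret]   %s = %r" % (ident, value))
```

The secret scan is deliberately name-based, so it will miss a key stored under an innocent variable name and will flag test fixtures; treat its output as a list of strings to confirm in JD-GUI, not as findings in themselves.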

Phase 2: Interception (Dynamic Analysis)

  1. Configure Burp Suite. Install the CA certificate if needed.
  2. Run the app and perform all functions: login, view balance, transfer money, view profile.
  3. Findings to look for:
    • Is the login sent over HTTP or HTTPS? (Use Burp history).
    • Are session tokens predictable or sent in the URL?
    • Can you modify a request to transfer money to a different account?
    • Can you view another user's profile by changing a number in the request (IDOR - Insecure Direct Object Reference)?
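The four Phase 2 questions above can be turned into a checklist that runs over the requests you captured. The following is an added example for this room (not Burp Suite's export format and not InsecureBankv2's code): SAMPLE_HISTORY is a constructed set of login, profile and transfer requests written to resemble what Burp's HTTP history would show, using the lab server address 192.168.1.100 that appears elsewhere in this room. It flags cleartext transport, credentials sent over it, session tokens in the URL, and client-supplied numeric object identifiers, which are the requests whose server-side authorization check you then test by hand.

```python
"""Checklist run over requests captured during the interception phase.

Added example for this room, not code from Burp Suite or InsecureBankv2.
SAMPLE_HISTORY is constructed; 192.168.1.100 is the room's lab server."""
from urllib.parse import parse_qs, urlsplit

CREDENTIAL_FIELDS = {"username", "password", "pin", "passcode"}
TOKEN_PARAMS = {"token", "session", "sessionid", "jsessionid", "auth", "sid"}

SAMPLE_HISTORY = [
    {"method": "POST", "url": "http://192.168.1.100/login",
     "body": "username=jack&password=Sup3rSecret!"},
    {"method": "GET", "url": "http://192.168.1.100/profile/42?token=abcdef1234",
     "body": ""},
    {"method": "POST", "url": "https://192.168.1.100/transfer",
     "body": "from_account=1001&to_account=1002&amount=50"},
]


def audit_request(req):
    """Return the checklist items a single captured request trips."""
    parts = urlsplit(req["url"])
    query = parse_qs(parts.query)
    body = parse_qs(req.get("body", ""))
    findings = []

    # Question 1: is the request cleartext, and does it carry a login?
    if parts.scheme == "http":
        findings.append("cleartext-http")
        if set(body) & CREDENTIAL_FIELDS:
            findings.append("credentials-over-cleartext")

    # Question 2: a session identifier in the URL lands in server logs,
    # browser history and Referer headers.
    if {k.lower() for k in query} & TOKEN_PARAMS:
        findings.append("token-in-url")

    # Questions 3 and 4: a numeric object identifier (profile id, account
    # number) chosen by the client is exactly what the server must check
    # against the session's owner; record it so that check gets tested.
    values = [s for s in parts.path.split("/") if s]
    for vals in list(query.values()) + list(body.values()):
        values.extend(vals)
    if any(v.isdigit() for v in values):
        findings.append("object-id-in-request")
    return findings


def audit_history(history):
    """Map each request's method and URL to its findings, dropping clean ones."""
    report = {}
    for req in history:
        found = audit_request(req)
        if found:
            report["%s %s" % (req["method"], req["url"])] = found
    return report


if __name__ == "__main__":
    for request, found in audit_history(SAMPLE_HISTORY).items():
        print(request, "->", ", ".join(found))
```

"object-id-in-request" is a prompt, not a vulnerability: the finding for your report is only the case where the server returns or acts on an object that does not belong to the logged-in user.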

Phase 3: Data Storage Analysis

  1. With the app running and logged in, use adb shell to browse the app's data directory (/data/data/com.android.insecurebankv2/). On a non-rooted emulator, run-as the package name works only because the app is debuggable.
  2. Findings to look for:
    • Sensitive data in shared_prefs/*.xml files.
    • Unencrypted passwords or PINs in the SQLite database.
    • Sensitive information in logcat: adb logcat | grep -i "password\|pin\|token\|key"
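The Phase 3 checks can be scripted so that what ends up in your report is the key name and a redacted value rather than the secret itself. This is an added example for this room, not InsecureBankv2's code or part of adb: SAMPLE_PREFS is a constructed shared_prefs file in the real <map> layout Android writes, and SAMPLE_LOGCAT is a constructed set of logcat lines; on the emulator you would feed the functions the output of adb shell cat on the preferences file and of adb logcat -d.

```python
"""Scan shared_prefs XML and logcat output for sensitive data, redacting
values so the results can be pasted into a report.

Added example for this room, not code from InsecureBankv2 or adb.
SAMPLE_PREFS and SAMPLE_LOGCAT are constructed."""
import re
import xml.etree.ElementTree as ET

# preference keys that usually hold something that should not be stored in clear
SENSITIVE_KEY = re.compile(r"(?i)pass(word|wd)?|pin\b|token|secret|key|cvv|otp")
# the same field names when printed as name=value in a log line
LOG_SECRET = re.compile(r"(?i)\b(password|pin|token|key|secret)=(\S+)")

SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">jack</string>
    <string name="password">Sup3rSecret!</string>
    <string name="transaction_pin">4321</string>
    <boolean name="remember_me" value="true" />
    <string name="theme">dark</string>
</map>"""

SAMPLE_LOGCAT = [
    "D/LoginActivity( 4321): login ok for user=jack password=Sup3rSecret!",
    "I/ActivityManager(  812): Displayed com.example.placeholderbank/.MainActivity",
    "D/TransferActivity( 4321): using session token=abcdef1234 pin=4321",
    "W/Network( 4321): retrying connection to 192.168.1.100",
]


def redact(value):
    """Keep the first two characters so a finding is recognisable, hide the rest."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_shared_prefs(xml_text):
    """Return (key, type, redacted_value) for entries whose key looks sensitive.
    String entries carry the value as text; boolean/int/long carry it in
    a value attribute, which is the layout Android's SharedPreferences writes."""
    root = ET.fromstring(xml_text)
    hits = []
    for entry in root:
        key = entry.get("name", "")
        if not SENSITIVE_KEY.search(key):
            continue
        value = entry.text if entry.tag == "string" else entry.get("value", "")
        hits.append((key, entry.tag, redact(value or "")))
    return hits


def scan_logcat(lines):
    """Return (line_no, field, redacted_value) for every secret printed to the log."""
    hits = []
    for number, line in enumerate(lines, 1):
        for field, value in LOG_SECRET.findall(line):
            hits.append((number, field.lower(), redact(value)))
    return hits


if __name__ == "__main__":
    for key, kind, value in scan_shared_prefs(SAMPLE_PREFS):
        print("[shared_prefs] %s (%s) = %s" % (key, kind, value))
    for number, field, value in scan_logcat(SAMPLE_LOGCAT):
        print("[logcat line %d] %s=%s" % (number, field, value))
```

The key-name match is wide on purpose (it will also catch keys like "api_key" and "otp_seed"); an entry that matches but holds a hashed or encrypted value is not a finding, so open the file and confirm before writing it up.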

Deliverable: Your First Pentest Report

Write a short report (as a .txt or .md file) with the following sections for each vulnerability you find:

  • Title: (e.g., "Hardcoded Administrative Password")
  • Severity: (Critical, High, Medium, Low)
  • Description: (What is the issue, in 2-3 sentences?)
  • Steps to Reproduce: (Bullet points or numbered steps)
  • Impact: (What could an attacker do? Steal money? Access other accounts?)
  • Recommendation: (How to fix it? Use secure storage, remove hardcoded key, validate user access, etc.)

Example Entry:

  • Title: Login Credentials Transmitted Over Unencrypted HTTP
  • Severity: Critical
  • Description: The app sends the username and password as a plain-text POST request to http://192.168.1.100/login, making them vulnerable to interception.
  • Steps to Reproduce:
    1. Configure Burp Suite as a proxy.
    2. Launch the InsecureBankv2 app and enter any username and password.
    3. Click Login.
    4. Observe the login request in Burp's HTTP history.
  • Impact: An attacker on the same network can intercept the login request and steal the user's credentials.
  • Recommendation: Enforce HTTPS for all network communication and implement certificate pinning.