Inspeckage : Dynamic Assessment Tool for Android

If you are pen-testing an Android application, you will need to monitor and check many things at the same time. During dynamic analysis you have to keep track of all communication, local storage, logs, and more.
Inspeckage is a dynamic Android application analysis tool, shipped as a module for the Xposed Framework, which makes dynamic analysis very easy. It has a number of to-the-point features, and its built-in web server provides a simple GUI.

Setting up Inspeckage

We will be using an Android 5.1 device on Genymotion in Linux to demonstrate Inspeckage. You can find plenty of tutorials on how to set up Genymotion on Linux (here). Another prerequisite is to have the Xposed Framework installed on your rooted device (emulator). You can follow this tutorial for installing Xposed through the APK file on your Genymotion device.


This Genymotion 5.1 (Marshmallow) device has Xposed installed. Now let's look at installing Inspeckage from the Xposed framework.

Open the Xposed framework application and navigate to Download, as shown below:


Next, we have to search for Inspeckage among the plethora of modules available under the Xposed framework. As you can see from the snapshot below, the search results show "Inspeckage - Android Package Inspector".


As the description says, Inspeckage is used for dynamic analysis of Android applications. So what is dynamic analysis? If this tool is used for dynamic analysis, then there must also be static analysis, and tools to perform it, right?

Yes. Static analysis of an Android application means reviewing the application without running it: the code, the permissions and exported status of activities, hard-coded values, URLs that can be connected to directly, root detection and any other important logic; more on static analysis is here. In dynamic analysis, on the other hand, you actually run the application, observe how it behaves and perform the testing against it.

Click on the module and you will find the Download button, as shown in the snapshot below:


It will start downloading:
 

Once the application is downloaded, you will need to enable "Install from unknown sources"; if it is not enabled, you will not be able to install the application on the device.

Once downloaded, the installation prompt will open on its own. Click on Install.


There, it is installed. Now let's open it.


As you can see, "Module is disabled" is displayed; we cannot use Inspeckage until we enable the module. To do so, go to Xposed -> Modules

 

and check whether Inspeckage is listed there.


It is present. Now tick the checkbox on the right side of the module. Once you check it, a message is displayed stating "xposed list has been updated, changes will become active after reboot", which means we need to reboot the device.


Instead of rebooting the phone, we can use the "Soft Reboot" option that Xposed itself provides. A soft reboot restarts the Android software (the framework and the apps) without restarting the whole system.

Open the Xposed module and click on the menu:


This menu has a "Soft Reboot" option.


Click on "Soft Reboot".



It will restart all the apps. 


As the module has been activated, let us open the Inspeckage application.


Now we can see that the module is enabled and we are ready to hook an application. In the section below, we can see that the web server has started on:
http://10.0.3.15:8008
http://192.168.56.101:8008
http://127.0.0.1:8008
All of these addresses can be accessed through a browser, but when we try to open http://127.0.0.1:8008 in the browser on our machine:

The connection was reset and we are unable to access the URL shown in the application. What could be the reason? Inspeckage's web server is running inside the Android device, so 127.0.0.1 in the browser on our machine refers to the machine itself, not the device. We need to forward a port on our machine to the application's port on the device so that we can reach the web GUI. How do we do this?


We can do that via the Android Debug Bridge (ADB) itself, by forwarding the traffic to the specific port. The command is shown in the application; run the highlighted command above in a terminal. (To install ADB, type "apt-get install adb" in the terminal.)



Now let's open http://127.0.0.1:8008/ in the browser again:


We are able to see the GUI from the browser. Let's go through all the options present in the web console.
1. Download: lets you download the APK file as well as any files created under the /data/app/<packagename> folder.
2. Camera icon: lets you take screenshots.
3. Settings: a couple of options that let you bypass basic SSL checks, bypass screenshot protection (some applications do not allow screenshots while they are running), and proxy settings where you can set a proxy to intercept traffic.
4. LogCat: runs logcat over a WebSocket to the connected device.
5. AppIsRunning: tells us whether the application we started is running or not.
Let's use Inspeckage on the Damn Insecure and Vulnerable Android Application (DIVA). You can download the application from here. Installing it on the device is left to you. Here is DIVA installed on Genymotion.


Open the DIVA application:

Let us hook the DIVA application through Inspeckage. But how do we hook it? Let's look at the console again.


As you can observe, there is an "Only user app" slider, which lets us choose between:
  • Only User App: hooks only user-installed applications
  • Non User App: can also hook the system (default) applications
Keeping the same setting, we will add DIVA for hooking. Choose the application from the drop-down menu:


After adding DIVA to Inspeckage, the UI looks like this:


Clicking "Launch App" will directly open the DIVA application. DIVA contains 13 vulnerabilities covering various Android scenarios; we will go through some of them to understand Inspeckage.

Let us see what information we can get from the browser:


We can see all the information about the installed application on one screen: exported activities, the permissions the application requires, whether the backup flag is set to true or false in the manifest file, the location of the application in the Android file system, and whether the app is running or not. It shows "App is running: false", which means the application is not running in the emulator; let us start the application and look at this screen again.


As observed, "App is running: true" (the application is running). We can also directly see other important details:



1. Allow Backup: true, which means the application allows its data to be backed up.
2. Exported Activities: activities that can be called directly by components of any other application, from the console, or with the help of Drozer.
3. Requested Permissions: all the permissions requested by the application. This can also be checked by analyzing AndroidManifest.xml, but thanks to Inspeckage we can see it on screen directly.
4. Data Dir: the path where the application sandbox is located on the Android file system.
5. Package: the name of the package.

Moving on to DIVA, let us start the 3rd vulnerability, Insecure Data Storage - Part 1.


When we store some data (here the secret, ******), we need to look out for all the local storage locations where the application might be saving it.


While checking Inspeckage in the browser, we should get a notification indicating that something has been modified.


Under the Shared Preferences tab, we can see that the application has created an entry with MODE_PRIVATE, which means the created file can only be accessed by the calling application. Read about the various modes available when creating shared preferences.


There is also the Files tab; when we click on it, we can see the file name.


When you click on the file, it will not let you download it because of MODE_PRIVATE. So we need to get a shell on the Android system and read the contents of the file. We will follow the steps below to get there.

First, check whether the device is connected by typing the following command in the terminal:
adb devices


Get into the device shell:
adb shell


As we can see, we are inside the Android emulator with root privileges. Now navigate to the application's data directory and then into its shared preferences directory to read the contents of the file.


Getting inside the shared preferences directory:


As we have already seen the name of the file earlier, let's view its contents.



So that is it: the application stores the credentials in plain text under shared preferences. Moving on to exercise number 4, Insecure Data Storage - Part 2.


When we open this exercise, an interesting notification appears in Inspeckage.


Both SQLite and File System show notifications, which means there will be changes in SQLite, while the file system notification indicates that a file in the application folder was added, removed or updated. Checking the File System tab:


It shows that read/write operations have been performed in the /databases/ directory, where a new database named ids2 has been created. (Note that the other similar entries appeared because the step was repeated while capturing all the required details.) Checking the SQLite tab:


a database file is being created as shown, with user and password fields. Let's enter the values and check the SQLite tab again.


Checking the browser:


There it is: we have an entry in the database. Let us check that entry as well.


So that is our data, stored as plain text in the ids2 database file. (You can verify this by getting a shell on the Android system.) Let us look at exercise 9, Access Control Issues Part 1.
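Both storage findings above (the shared preferences file from exercise 3 and the ids2 database from exercise 4) can be checked without reading the files by hand. The following Python script is an added example, not part of the post or of Inspeckage: the shared_prefs XML and the myuser table are constructed samples, and the same functions run unchanged on a real shared_prefs file or a database file pulled from the device.

```python
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Key or column names that suggest a credential; tune for the app under test.
SENSITIVE = re.compile(r"user|pass|pwd|pin|secret|token|cred", re.IGNORECASE)

# Constructed shared_prefs XML in the layout Android writes for SharedPreferences;
# key names and values are placeholders, not copied from DIVA's actual file.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user">diva</string>
    <string name="password">p@ssw0rd</string>
    <int name="launch_count" value="3" />
</map>"""


def scan_shared_prefs(xml_text):
    """Return (key, value) pairs whose key looks like a credential."""
    hits = []
    for entry in ET.fromstring(xml_text):  # each child of <map> is one preference
        key = entry.get("name", "")
        value = entry.text if entry.tag == "string" else entry.get("value")
        if SENSITIVE.search(key):
            hits.append((key, value))
    return hits


def scan_sqlite(path):
    """Walk every table in an SQLite file and dump values of credential-like columns."""
    con = sqlite3.connect(path)
    hits = []
    tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            if SENSITIVE.search(col):
                for (value,) in con.execute(f'SELECT "{col}" FROM "{table}"'):
                    hits.append((table, col, value))
    con.close()
    return hits


def build_sample_db():
    """Create a constructed database shaped like the post's ids2 (table name assumed)."""
    path = tempfile.NamedTemporaryFile(suffix=".db", delete=False).name
    with sqlite3.connect(path) as con:  # commits on exit
        con.execute("CREATE TABLE IF NOT EXISTS myuser(user TEXT, password TEXT)")
        con.execute("INSERT INTO myuser VALUES (?, ?)", ("diva", "p@ssw0rd"))
    return path
```

Any value these functions return is a credential sitting in plain text on the device, which is exactly what the shared preferences and SQLite tabs revealed above.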


The goal of this exercise is to understand how we can call an exported activity directly, without navigating to it through the application.

 

When you click on "View API Credentials", it displays the result of the activity "jakhar.aseem.diva.APICredsActivity", which is:


Let's call this activity directly from the browser.


Click on "Start Activity".


Select the activity you want to call from the drop-down menu; I have chosen the activity I want to run. If an activity requires parameters, we can pass them while calling that activity.


So when we hit Start Activity, the API credentials are shown to us.

The last exercise we will do is:


In the 11th exercise we have to view all the contents of an exported content provider. Content providers are interfaces through which applications share data, from either files or SQLite, via the ContentResolver class; accessing one is supposed to require the proper permission. More on Content Providers.

The basics of the 11th exercise:


In this exercise, we need to create a 4-digit PIN, after which we will be able to see the private notes by clicking the button shown on the Android device.


When we enter the PIN, keeping Inspeckage open will show us the changes happening in the file system as well as in the application's shared preferences.

Let us use the PIN we just created.


On accessing the private notes:

 

Now let us find the content provider so we can access it. First, check the application's manifest file. To get the manifest you need to decompile the application, for which apktool must be installed on your machine. How to install?

Once installed, you can decompile the APK file with the following command:

apktool d <name.apk> 

Once decompiled, the manifest file is found at /diva-beta/AndroidManifest.xml. Checking the manifest for DIVA, we found the following content provider exported:


In order to access it, we also need the URI. You can grep or search through the smali files for "jakhar.aseem.diva.provider.notesprovider" together with the content:// prefix.


Here we can see the URI through which the content can be accessed directly: content://jakhar.aseem.diva.provider.notesprovider/notes
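The manifest facts that Inspeckage shows on its overview screen (package, allow backup, requested permissions, exported activities) and the exported provider we just located can be pulled from a decompiled AndroidManifest.xml with a short script. The Python below is an added example, not from the post or from Inspeckage; the sample manifest is constructed, with only the package name, APICredsActivity and the notesprovider authority taken from the post, and it applies Android's default-export rules (intent filters make a component exported; providers defaulted to exported before API 17) so that components without an explicit android:exported are not missed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace

# Constructed sample manifest, not DIVA's real file: the package name, APICredsActivity
# and the notesprovider authority come from the post; the rest are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="jakhar.aseem.diva">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="23"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:allowBackup="true">
    <activity android:name=".MainActivity"><intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter></activity>
    <activity android:name="jakhar.aseem.diva.APICredsActivity" android:exported="true"/>
    <activity android:name=".PrivateActivity"/>
    <provider android:name=".NotesProvider" android:exported="true"
              android:authorities="jakhar.aseem.diva.provider.notesprovider"/>
  </application>
</manifest>"""


def is_exported(component, target_sdk):
    """Apply Android's default rules when android:exported is not set explicitly."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit == "true"
    if component.tag == "provider":
        return target_sdk < 17  # providers were exported by default before API 17
    return component.find("intent-filter") is not None  # intent filters imply exported


def analyze_manifest(xml_text):
    """Return the facts Inspeckage shows on its overview screen, plus provider URIs."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    sdk = root.find("uses-sdk")
    target_sdk = int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else 1
    app = root.find("application")
    qualify = lambda name: pkg + name if name.startswith(".") else name
    uris = []
    for prov in app.findall("provider"):
        if is_exported(prov, target_sdk):
            for auth in prov.get(A + "authorities", "").split(";"):
                uris.append(f"content://{auth}/")  # the path (e.g. /notes) comes from the code
    return {
        "package": pkg,
        "allow_backup": app.get(A + "allowBackup", "true") == "true",  # defaults to true
        "requested_permissions": [p.get(A + "name") for p in root.findall("uses-permission")],
        "exported_activities": [qualify(a.get(A + "name"))
                                for a in app.findall("activity") if is_exported(a, target_sdk)],
        "exported_provider_uris": uris,
    }
```

Run analyze_manifest on the decoded manifest from apktool; the path segment after the authority (here /notes) still has to be found in the smali code, as done above.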

We can query this URI directly from the SQLite tab itself.


Once you click on Retrieve, the results are displayed.


[All the results are the same because, due to connectivity issues, the query had to be run multiple times.]

Another thing observed is that an entry has been made to the Shared Preferences as well.

 
That covers the basics of Inspeckage. There is also a functionality called hooks, where we can hook a particular method to log the output we need or to return a value of our choice; that will be covered in the next post.
