
Securing Your Mobile Application: The Importance of Mobile Application Penetration Test

Mobile applications are relied on every day to handle our sensitive data and to deliver organisations' premium services, which demands a robust approach to their security. The blog post below demonstrates how attackers exploit vulnerabilities in mobile applications, in this case a feature gate that is enforced only inside the client, and why this poses a significant threat to organisations. Read on to see how mobile application penetration testing serves as a crucial proactive measure that simulates real-world attacks to uncover such vulnerabilities.

Mobile phones have become an integral part of our daily lives, and so has our reliance on mobile applications. They are used to handle sensitive data ranging from personal information to financial transactions. Organisations such as Disney, YouTube and Netflix also offer premium services through their mobile applications, where paying a small fee grants users access to unlimited content.

Malicious actors take advantage of weak implementations in mobile applications to gain access to unauthorised information, perform unauthorised transactions or bypass restrictions on paid features of the application.

As an example, it was recently reported that an unnamed third-party application was exploited to exfiltrate sensitive data from Samsung phone users.

In this blog post we will attempt exactly that: bypassing client-side restrictions on paid functionality in a sample Android application. The following screenshot shows a third-party application that offers free "modded" Android applications, i.e. repackaged builds in which the paid features of an application have been unlocked.

Malicious actors modify paid applications and release them for free, which has a significant financial impact on the organisation that developed the application. It is therefore important to conduct mobile application penetration tests, in which security professionals take a proactive approach and simulate real-world attacks to uncover such weaknesses before attackers do.

Uncovering Client-Side Restricted Paid Content or Features With Frida

Frida is an open-source dynamic instrumentation toolkit widely used in mobile application penetration tests. It lets a tester inject JavaScript into a running process to inspect and manipulate the application's functions, data and control flow at runtime, which uncovers flaws that static scanners cannot, such as logic that is only enforced inside the client.

For this example we use a "Capture-The-Flag" style Android application and try to uncover the flag hidden inside it. The flag stands in for paid content locked behind client-side logic; a real-world equivalent would be an ad-free experience or the ability to download videos, both of which are exclusive to users who have paid for YouTube Premium.

Demonstration

Notice in this screenshot that the flag is hidden and masked with Xs; clicking the "Click me" button does not reveal it and instead produces a "Try Again" popup message.

First, we reverse engineer the application to understand how it hides the flag. For this we use JADX, a decompiler that turns the APK's Dalvik bytecode back into readable Java source so we can inspect the code itself.

Reading the decompiled source in JADX, we notice that the MainActivity class contains two popup messages, "YOU WON!!!" and "TRY AGAIN".

To reveal the flag we need the application to execute the code in the "YOU WON!!!" branch. Looking further into the source, that branch is guarded by an if statement that requires the value of Checker.code to be 512 before the block that reveals the hidden flag runs.

Looking into the Checker class, we quickly see that the static field code is initialised to 0. No matter how many times we click the "Click me" button, the flag stays hidden, because nothing in the normal flow of the application ever changes the field to 512 and the comparison can never succeed.

However, the same Checker class also exposes an increase() method that raises code. We can abuse it: call increase() repeatedly until code reaches 512, and only then click the "Click me" button.

This is where Frida comes in, as it can inject JavaScript into the application at runtime and call the app's own methods. First we attach Frida to the running application.

Then we run the following proof-of-concept script, as seen in the screenshot below.

Java.perform(function () {
    var Checker = Java.use("com.ad2001.frida0x3.Checker");  // wrapper for the app's Checker class

    // Checker.code is a static int field; Frida exposes it through .value.
    // Call the app's own increase() method until the field reaches the value
    // that the MainActivity check expects, then press "Click me" in the UI.
    while (Checker.code.value < 512) {
        Checker.increase();
        console.log("current Checker.code value is at: " + Checker.code.value);
    }
});

This PoC leverages the application's own Checker.increase() method and calls it in a loop until code hits 512. Once it does, we click the "Click Me" button and observe that the hidden flag is revealed.

Now imagine that this was a premium feature: an unauthorised user would have gained access to it without making any payment. An attacker can also recompile the application with the check removed and distribute the modified build, which has a significant financial impact on the organisation. The root cause is that the entitlement decision is made on the client, where the attacker controls both the code and its state.
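As an added example (not code from the original post or from the CTF application), the following Python models both sides of the issue. ClientChecker mirrors the decompiled pattern described above, a client-held counter compared against 512 (how much increase() adds is not stated on the page, so step=2 is an assumption), and bypass_client_gate does what the Frida loop does. issue_entitlement, verify_entitlement and serve_premium show the server-side check that should gate premium content instead: the backend signs a short-lived entitlement after purchase and re-verifies it on every premium request, so editing client state or the token itself achieves nothing. The secret, token format and user IDs are constructed for the demo.

```python
"""Client-side feature gate versus a server-side entitlement check (added example)."""
import base64
import hashlib
import hmac
import json
import time

UNLOCK_AT = 512          # value the decompiled MainActivity compares Checker.code against


class ClientChecker:
    """Mirror of the app's Checker class: field name and threshold come from the page."""

    def __init__(self):
        self.code = 0        # static int code = 0 in the decompiled class

    def increase(self, step=2):
        # The page does not say how much increase() adds; step=2 is an assumption.
        self.code += step

    def premium_unlocked(self):
        return self.code == UNLOCK_AT


def bypass_client_gate(checker):
    """Equivalent of the Frida PoC: call the app's own increase() until the gate opens."""
    while checker.code < UNLOCK_AT:
        checker.increase()
    return checker.premium_unlocked()


# Constructed demo secret. In a real deployment it exists only on the backend and is
# never shipped inside the APK, so a client cannot mint or alter tokens.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def _sign(body):
    return hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_entitlement(user_id, product, ttl_seconds=3600, now=None):
    """Backend issues a signed, expiring entitlement after the payment provider confirms
    the purchase. The client merely stores and presents this token."""
    now = int(time.time() if now is None else now)
    payload = {"sub": user_id, "product": product, "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()).decode()
    return body + "." + _sign(body)


def verify_entitlement(token, product, now=None):
    """Run on every premium request. True only if the signature is the server's own,
    the product matches and the token has not expired."""
    body, sep, sig = token.partition(".")
    if not sep or not hmac.compare_digest(_sign(body).encode(), sig.encode()):
        return False
    try:
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return False
    now = int(time.time() if now is None else now)
    return payload.get("product") == product and payload.get("exp", 0) > now


def serve_premium(token, product, now=None):
    """The premium endpoint: the decision is made here, not inside MainActivity."""
    if not verify_entitlement(token, product, now):
        return {"status": 403, "body": "TRY AGAIN"}
    return {"status": 200, "body": "premium content for " + product}


def tamper_with_token(token, **changes):
    """What a client-side attacker can do: edit the payload. Without SERVER_SECRET the
    old signature no longer matches the new body, so the server rejects it."""
    body, _, sig = token.partition(".")
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload.update(changes)
    new_body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()).decode()
    return new_body + "." + sig


if __name__ == "__main__":
    print("client gate bypassed:", bypass_client_gate(ClientChecker()))            # True
    good = issue_entitlement("user-1", "premium", now=1_000)
    print("genuine token:", serve_premium(good, "premium", now=1_500)["status"])   # 200
    forged = tamper_with_token(good, exp=10_000_000)
    print("tampered token:", serve_premium(forged, "premium", now=1_500)["status"])  # 403
    print("expired token:", serve_premium(good, "premium", now=5_000)["status"])   # 403
```

Running it shows the client gate opening under the attacker's control while a tampered, expired or mismatched token is rejected with 403. The point is where the decision lives: a client-side check such as Checker.code == 512 can always be satisfied by someone who instruments or repackages the app, whereas a backend that validates its own signed, short-lived entitlement on every premium request cannot be bypassed by editing client state. In production, use a maintained library (JWT or the payment provider's receipt validation) rather than hand-rolled tokens, and bind the entitlement to the authenticated user session.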

Conclusion

Mobile applications handle our sensitive data and deliver organisations' premium services every day, which demands a robust approach to security. The example above shows how a restriction enforced only in the client can be bypassed by instrumenting the application at runtime, and why attackers exploiting such weaknesses pose a significant threat to organisations. Mobile application penetration testing is a crucial proactive measure: it simulates real-world attacks to uncover these vulnerabilities before they are abused, protecting the organisation against financial losses and protecting user data. Because mobile applications change and are updated so frequently, organisations should either bake security testing into their secure development lifecycle or take advantage of services such as Penetration Testing as a Service.

If you are interested in discussing penetration testing or other offensive security services and how we can support your organisation, please feel free to get in touch. 

Benjamin Cheng

From uncovering evidence to fortifying defences, Benjamin brings the keen eye and meticulous approach of a former digital forensic investigator at a Singapore enforcement agency to uncovering vulnerabilities for Horangi's clients as a cybersecurity consultant.
