Monday, July 4, 2011

Creating a vulnerable Android application

Vulnerable Android App
Follow me on twitter @ihackbanme


Okay, so this was a little journey to create the most vulnerable Android app for a competition by Jack Mannino (first prize was a Motorola XOOM).

I must say, I've been creating lots of vulnerable programs in the past as PoCs/research, but it was usually just one security bug or two, so it was easy to determine whether it was the actual security bug for the research or another bug introduced by mistake.
In this app, there are so many bugs, and we also decided to write it as badly as possible, with as many bad coding habits as we could possibly create (like tons of variables that are used for the same string or not used at all, etc.), which made it almost impossible to debug and add features.
What I think we should have done was to create a working application first, and then add vulnerabilities and make the code as bad as possible.
The app requests more permissions than it uses. In-app exploitation will not lead to root, but will lead to very high capabilities which another app did not initially request upon installation.
Also, this app can be remotely exploited.
Download the MoshZuk application. It contains the following vulnerabilities:
  1. Stack Overflow
  2. Heap Overflow
  3. SQL Injection
  4. Command Injection
  5. Format Strings
  6. Double Free
  7. Directory Traversal
  8. Race Condition
  9. Hardcoded Passwords
  10. Bad code habits
  11. Overblown permissions
  12. Bad file permissions
The best part is, we've specially constructed the vulnerabilities so they can be chained (extra points in this competition):
e.g. unchecked permissions (or an unchecked sender) may lead to -> directory traversal + race condition + heap (or stack) overflows / command injection.
At first only the APK will be released, so you can test it out and use it to find vulnerabilities within it. After a while we will release some demos and exploitation methods. I hope that we will be able to maintain it to add more vulnerabilities + ways to exploit it, remotely and locally (possibly via intents to make it easier).

What the app does is send messages from one GTalk client to another (you must have 2 email accounts). A GTalk message will be sent to the user, who will be able to respond with a message according to the MoshZuk protocol.
What is it being used for? Send yourself quick notes so you can remind yourself later by reading the log file or the GTalk history.
The protocol for incoming messages is delimited by ":"; any other message will receive a "Not supported in protocol" message [HINT: Only 2 ":" are needed per message].
I can tell more about it, but I prefer that you reverse it and enjoy it more!
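For contrast with the bug classes listed above, here is how a hardened handler for a ":"-delimited message could look. This is an added example, not code from the MoshZuk app: the field names (`cmd`, `arg`, `body`), the 64-byte field limit, the reading of the hint as "exactly two colons", and the treatment of `arg` as a file name are all assumptions.

```c
#include <stddef.h>
#include <string.h>

#define FIELD_MAX 64  /* assumed per-field limit, not taken from the app */

/* Hypothetical field names: the post only says messages are ':'-delimited. */
struct msg { char cmd[FIELD_MAX]; char arg[FIELD_MAX]; char body[FIELD_MAX]; };

enum parse_result { MSG_OK = 0, MSG_NOT_SUPPORTED, MSG_TOO_LONG, MSG_BAD_ARG };

/* Copy len bytes into dst only if they fit together with the terminator. */
static int copy_field(char *dst, const char *src, size_t len)
{
    if (len >= FIELD_MAX)
        return -1;              /* refuse instead of overflowing dst */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse "cmd:arg:body". Anything without exactly two ':' is the case the
 * post answers with "Not supported in protocol". *out is valid only on
 * MSG_OK. */
enum parse_result parse_message(const char *in, struct msg *out)
{
    const char *c1, *c2;

    if (in == NULL || out == NULL)
        return MSG_NOT_SUPPORTED;
    memset(out, 0, sizeof *out);

    c1 = strchr(in, ':');
    c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    if (c2 == NULL || strchr(c2 + 1, ':') != NULL)
        return MSG_NOT_SUPPORTED;

    /* Every copy is length-checked against the fixed-size destination. */
    if (copy_field(out->cmd, in, (size_t)(c1 - in)) ||
        copy_field(out->arg, c1 + 1, (size_t)(c2 - c1 - 1)) ||
        copy_field(out->body, c2 + 1, strlen(c2 + 1)))
        return MSG_TOO_LONG;

    /* arg is assumed to name a file: refuse separators and ".." so the
     * name cannot leave the directory it is later joined to. */
    if (strchr(out->arg, '/') || strchr(out->arg, '\\') ||
        strstr(out->arg, ".."))
        return MSG_BAD_ARG;
    return MSG_OK;
}
```

A caller would still have to check the sender before acting on a parsed message, since the chain described earlier starts with an unchecked sender.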

Check logcat for details on debug info!
The MoshZuk APK download is here; I will release the code later on!
Enjoy!

The application was developed by Moshe Vered and Itzhak 'Zuk' Avraham. Feel free to hack it as much as possible, and don't forget to write your exploits in the comment section :)

22 comments:

android app developer said...

Great information on Android Application Development. I also want to develop a good application which can give details of health on the body and other things.

Fabricio Braz said...

Your app is stopping unexpectedly. I've tried both Android device and emulator. The error is the same. Any clues?
Thanks in advance!

Zuk said...

Hi Fabricio,
The app keeps crashing because most of the crashes are there to make you look at logcat once in a while to understand what's going on and find a way to exploit the crashes :)

android developer said...

Really meaningful information about this applications and you are a great reviewer, I will definitely try this applications. Thanks a lot for spreading this information here.

GTalk said...

Thanks my friend for sharing such an interesting and valuable information to us :) It is helping me for my new project

Anonymous said...

Were you still planning on releasing the source? Would be nice to approach it from a secure dev perspective.

Zuk said...

After Anti release I will get some time to release the source. Thank you for reminding me.
C code was added to the package as a resource.
Enjoy

Android App Design said...

This looks pretty much interesting. Very useful post. You gave me some of the good ideas.

Android app development said...

Thanks for sharing your info. I really appreciate your efforts and I will be waiting for your further write ups thanks once again.

Android app development said...

This is one of the successful post. Anyhow Google is taking an important part In web marketing field.

Dark Floyd said...

When will you release the code for reference?

bestpmchennai said...

Hi there, awesome site. I thought the topics you posted on were very interesting.
I tried to add your RSS to my feed reader and it a few. take a look at it, hopefully I can add you and follow.




iCaption That said...

Great thoughts you got there, believe I may possibly try just some of it throughout my daily life.

rock said...

While trying to download MoshZuk, application shows "404 Not Found" on below path: http://www.zimperium.com/files/MoshZuk.apk

Any alternative place to download the apk file?
thanks

Andrea Newman said...


Wasp dudes! Awesome stuff keep it up.

Vivian Richard said...

Took me time to read all the comments, but I really enjoyed the article. It proved to be Very helpful to me....

admin said...

apk android trusted site and Muchos Gracias for your blog.Really looking forward to read more.

Anonymous said...

The links seem to be down. Doesn't seem to be available anywhere else either. Would love to try this app out so I hope this problem is fixed soon.

From,
A fan
