Reverse Engineering a Xamarin Application.
During a recent engagement I came across an Android application which, after extracting and decompiling the Java code (using dex2jar and jd-gui), I noticed was calling a native function. By reviewing the code a little more, I figured out the native function was defined in a DLL file located in an assemblies folder.…
Solidity: Functions.
Functions are the most important part of smart contracts, as they are where the contract's logic lives; in other words, whatever the smart contract is supposed to do will most likely happen within the logic defined in the functions of said contract. Functions can receive parameters that are…
Solidity: Constructors and Inheritance.
Constructors play a similar role in smart contracts as they do in regular object oriented programming; they are used to create the instance of an object and to execute any custom logic required for object initialization. Constructors are executed upon contract creation, and the contract is deployed to the blockchain after the constructor has been…
Solidity: Function Modifiers.
Function modifiers are a way to extend the behavior of functions, and they are usually utilized to apply or enforce some required restrictions. The restrictions enforced by a modifier may be required in different locations of the logic, so having the modifier defined independently from the code of the function allows for the restrictions to…
Solidity: Events.
Events are mostly utilized to communicate back with whoever invoked the contract in the first place; this can be a client implemented in web3.js, for example, or it can also be another contract. Let's say you want to invoke a function on a smart contract using a web3.js client and you want to obtain the…
Solidity: Variables, Modifiers and Types.
Here we will discuss the different kinds of variables and types that can be utilized within Solidity to develop smart contracts. First we will take a look at how variables are declared and which different kinds of variables are available; we will then look into access modifiers for variables (which define their visibility…
Solidity: Basic Smart Contract Structure.
In the following we will investigate the basic structure of a smart contract as well as the key concepts required for understanding the breadth of what can be achieved through these blockchain applications. Although the syntax of the Solidity language is quite similar to other high level object oriented programming languages such as Python or…
Solidity: Smart Contracts.
Smart contracts are at the heart of Decentralized Applications (DApps for short), the kinds of applications made possible through blockchain technology, and yes, cryptocurrencies are but one of the multiple usages of this technology. The ability to support and run decentralized applications through smart contracts is actually the true power of…
On the Cyber skills for the long run.
No matter if we are talking about well established technologies (such as desktop, web and mobile) or relatively recent ones (such as cloud, artificial intelligence or blockchain), whether it is an old school desktop application or a smart contract running in a blockchain, we are certainly required to steer away from the build-then-secure model into…
The OSWE in Review.
The OSWE is the Offensive Security Web Expert certification you earn when completing the recently re-branded WEB-300 course (Advanced Web Attacks and Exploitation) and of course you also need to take and pass the fully-proctored 48 hour exam. The course uses mostly a whitebox/code review approach, where students are required to read and understand the…
Dissecting SIM Jacker – Part 4 of 4: Exploitation.
In previous articles (part 1, part 2 and part 3) we have set up the foundation for understanding the details of SIMs, SMS, SMS-Submit, SMS-Deliver, SMS-PP Data Download, Over The Air messages and the SIM Tester tool. In this article we will put all the pieces together and attempt to exploit the SIM Jacker vulnerability on…
Dissecting SIM Jacker – Part 3 of 4: SIM Tester.
In previous articles we have discussed the basics of SIMs and SMS as well as the different types of SMS messages such as SMS-Submit, SMS-Deliver and Over The Air messages (specifically SMS-PP Data Download). In this part we will be talking about SIM Tester. SIMTester is a tool written in Java by the folks of…
Dissecting SIM Jacker – Part 2 of 4: OTA Messages.
In part 1 we went through the basics of how SIMs and SMS work, as well as the concepts of SMS-Submit, SMS-Deliver and how to send APDU messages through a USB modem. Here, we will discuss the concept of Over The Air (OTA) messages. OTA messages, also known as binary messages, are specific APDU messages…
Dissecting SIM Jacker – Part 1 of 4: SIM & SMS Basics.
A few months back, the team from AdaptiveMobile Security published their research about a widespread SIM vulnerability dubbed SIM Jacker. Even though they did not provide many details about the technical steps for reproducing this vulnerability, there is a technical paper that can be found here. Now, to be fair, they are not…
Exploiting Android Components: Loading arbitrary URLs in a Webview.
In Android applications, WebViews can be leveraged to load web content within an activity; they can be used for loading both static and dynamic content, depending on what's needed. Content can be available as an Android resource within the application itself or as a published web page accessed through the internet. For instance, say you…
Dumping Android application memory with fridump
Say you need to dump an Android application's memory, for example, to check whether or not sensitive information is kept in memory longer than it needs to be; this is a usual test case for applications handling highly sensitive information. Any data that is required by the application needs to be in memory at some…
Exploiting Android Components: Abusing Activities.
Android components are the building blocks for Android mobile applications; activities, for example, are used for creating the application's user interface and a rich user experience (every screen in an Android application is an activity). Components, however, are not only for building the application's UI, but mainly for the purpose of process and inter-process communication…
10 things you must do when Pentesting Android Applications.
Mobile applications are no doubt an important part of our lives nowadays. More and more, users want to have everything within arm's reach and service providers are turning to mobile channels to satisfy these needs. For the same reason, attackers are also turning their attention towards mobile channels; the more they are used, the more…
SSL pinning bypass with frida-gadget (gadget-injector.py)
This article expands on the things you can achieve with the frida framework. It focuses on the usage of frida-gadget to bypass SSL Pinning controls on Android applications. Do note that this method requires tampering with the application, which means that it also requires re-signing the app. Also note that this approach should work on both…
Bypassing Android SSL Pinning with FRIDA
As a pentester, you may come across the need to bypass security controls in order to provide a more significant evaluation. SSL Pinning is one of the most important security controls for protecting the communication between the mobile client and the server; being able to bypass this control is important in order to also evaluate…
Your journey to anonymity starts here: [Kali + Whonix Gateway + VPN].
Journey to anonymity. This article describes how to get a decent level of anonymity while browsing the Internet. It shows how to set up the Whonix gateway and how to configure Kali in order to route all traffic coming out of it through the Whonix gateway, and therefore through the Tor network. It also shows how…
Writing your first Smart Contract. [The true power of blockchain] – Part 2
Writing your first smart contract. This article is the second part on what smart contracts are and what you need to do to get a test environment up and ready for creating your first smart contract. We will see how to use the Truffle console along with the Ganache personal Ethereum-based blockchain for creating a…
What are Smart Contracts? [The true power of blockchain] – Part 1
What are Smart Contracts? This article describes how cryptocurrencies are only the tip of the iceberg when it comes to decentralization, the many applications of blockchain technology (besides a peer-to-peer cash system), what smart contracts are and how they relate to the Ethereum platform, the ERC20 token standard and Ether. It also shows how…
Understanding hashes and blockchains.
Hashes and blockchains. This article focuses on describing what hashing algorithms are, how they work and which characteristics have made them widely used to ensure the integrity of data and communication in the digital world. It also provides a high level explanation of how hashing is utilized in the blockchain architecture and how…
Browser-based cryptocurrency mining.
Browser-based cryptocurrency mining. Here we will see what browser-based cryptocurrency mining is, how these kinds of miners work and how to easily set one up using the coinhive JavaScript-based framework. We will also explore the nature of this family of miners and under what circumstances they should be considered legitimate or malicious; which mostly depends…
Mobile Risks: M3 – Insecure communication.
Insecure communication. This is the third article of the OWASP Mobile Top 10 Risks series and it is, more or less, how far I covered during research for my master's degree thesis in Cybersecurity. The third most relevant risk affecting mobile applications is M3 - Insecure Communication, which mainly covers poor handshaking, incorrect SSL versions, weak…
Trusting user installed certificates via reverse engineering.
Trusting user installed certificates. Here we see how to bypass a restriction on Android applications targeting API 24 and above. The restriction is a security control added to these Android versions that changes how the system trusts user-installed certificates, meaning that these certificates are no longer trusted by default. You may need to bypass this…
Intercepting traffic on an Android application.
Intercepting traffic on an Android application. Here we will see how to intercept traffic between the Android application and the server it communicates with; it describes what needs to be done and what conditions need to be met in order to successfully execute a man-in-the-middle attack that compromises the communication. It also describes what certificate pinning…
Mobile Risks: M2 – Insecure data storage.
Insecure Data Storage. This is the second of a series of articles about the most significant security risks lurking in mobile applications. Per the OWASP Mobile Top 10 2016, the second category of most significant mobile risks is M2 - Insecure Data Storage, which is concerned with whether or not sensitive data is securely stored on…
Reverse engineering an Android application.
Reverse engineering an Android application. This article shows how to reverse engineer an Android application, first by using d2j-dex2jar to convert the .dex file into .class files within a compressed .jar file and then using a Java decompiler (jd-gui in this case) to decompile the converted code. It also emphasizes, from a security point of…
Dumping and analyzing application memory in Android.
Dumping and analyzing application memory. Here we will see how to dump the memory of an Android application using the Android Device Monitor. After the memory is dumped, it is converted to a standard format using the hprof-conv tool that comes with the Android SDK; once converted, the memory dump can be viewed and…
Viewing and analyzing Android logs with logcat.
Viewing and analyzing Android logs. In this article we will see what the Android log is, what it is used for, what the different logging levels are and what security concerns may arise from misusing this feature. In this case we will be using logcat, a command-line tool that dumps a log of system messages,…
Manually inject a meterpreter payload.
Inject a meterpreter payload. This video shows how to manually inject a meterpreter payload into an Android application. With this method, once you get the victim to install the infected application, you can gain control over the device, including camera, microphone, location, etc. Note that, for the victim to install the infected application, the device…
How to exploit Android backup.
Exploit Android backup. Here, we will see how to exploit an Android application that allows itself to be backed up; this is the case when the application has the allowBackup flag set to true in its AndroidManifest.xml, and it can be exploited even on devices that have not been rooted. The Android Debug Bridge provides the ability to…
Building openssl with zlib support.
openssl with zlib support. This shows how to install openssl with zlib support. For this, we need to first configure the compile and installation process to include zlib. It's worth noting that the need to use zlib didn't come from compressing communication (as this may cause some trouble with the security of the communication,…
Mobile Risks: M1 – Improper platform usage.
Improper Platform Usage. This is the first in a series of articles about the most significant security risks lurking in mobile applications, as defined in the OWASP Mobile Top 10 of 2016. The list describes the main categories of risks and vulnerabilities affecting mobile applications, as perceived by the industry and the community. This article focuses…
How to exploit a debuggable Android application.
A debuggable Android application could allow an attacker to access sensitive information, control the application flow and even gain code execution in the context of the debugged application. For this we will be using several tools, but we will be focusing on the Java Debug Wire Protocol (JDWP) through the Android Debug Bridge along…
Using the drozer framework for Android Pentesting.
This article describes the basic steps to set up, install and use the drozer framework to identify possible vulnerabilities in Android-based applications during pentesting. The drozer framework[1] comes in two parts: the first part is the drozer console, which you install on your working computer (workstation); the second part is the drozer agent, which you need to…