Thousand-character long post: freeloading the "positive energy" resources in a "gentleman" APP through Fiddler capture and jd-gui decompilation (2)

Series Article Directory

40,000-word long text - through Fiddler capture and jd-gui decompile positive energy resources in a "gentleman" APP



Foreword

In this series of articles, a "gentleman" APP is captured with Fiddler and decompiled so that its internal "positive energy" resources can be obtained for free.
The series summarizes some of the software security problems encountered in "mobile application security" practice, together with the analysis approach and the use of the analysis tools.
The author neither approves of nor encourages anyone maliciously decompiling and analyzing any software product.
This is an entry-level article aimed at beginners; experts may skip it. My own level is limited, so if anything in the article is wrong, please point it out and let's discuss it together.


Going deeper

Picking up where the last article left off: just as you are about to fire up your handy crawler and freeload, you hit a problem. You cannot request every album with the same set of parameters. For example, when I use the parameters from the captured request to fetch an album whose goods_id is a different value, an error message comes back. Let's try it in Postman: the response contains none of the information we want. My God, what a blow; a bolt from the blue. The same thing happens when fetching the album list. By default the list is paginated with 10 items per page, and when you change only the page parameter, the same error message as above is returned. In other words, you cannot even page through the list automatically. Given these two points, this is a dead end, and the article ends here.
However, it is not over.
(The next step is to analyze the request parameters.)
This problem must be caused by the request parameters, so let's look at them.
The first thing to check is which parameters can be omitted. The second is to work out the specific meaning of each parameter, to see whether it can be changed by sequential increments or by some easily computed logic.

Repeated testing showed that when certain parameters are omitted, an error message is returned. Taking the album-list request as the example: after repeated testing we found that appid can be omitted.
Can the others be derived by simple logic? Looking at the parameters: appid can be omitted, goods_id we can obtain, and the timestamp parameter turns out not to matter even when it is not the current time. So the key point must be sign. The word "sign" should mean the signature of the parameters; the backend should verify this signature to ensure the legitimacy of the request.
(The following is the key point, about the signature.)
Let's analyze sign. It is a typical 32-character MD5 digest, so the question is which parameters go into the MD5 computation.

Signing data in transit to prevent tampering is common and effective. A common approach is to encode the key parameters, for example with base64 encoding.
Then the encoded parameters are encrypted with a public key (publicKey) to produce a signature, and the base64 parameters and the encrypted signature are both passed to the backend. After receiving them, the backend uses the private key to decrypt the signature, recovers the base64 parameters, and compares them with the parameters passed alongside; if they match, verification passes. This is the basic idea of JWT authentication; of course, real JWT is more complicated than this description. This method suits encrypted transmission of user information such as the logged-in user ID and username, and the whole issuance process should be completed by the server. A typical scenario is single sign-on.

The preceding analysis is of little use, because although appid can be omitted from the request, that does not mean it is left out of the MD5 calculation.
To cut to the result: I tried many combinations, but none produced an MD5 equal to sign.

Unpacking

Since it cannot be guessed, it can only be obtained from the source code. Decompilation it is ~
Unzip the APK and extract classes.dex.
I forgot to mention in the last article that you also need the dex2jar tool. Put classes.dex in the dex2jar folder, open a command prompt in that folder, and run:

d2j-dex2jar classes.dex

This generates classes-dex2jar.jar. Drag that jar into jd-gui and we can see the source code.

Analyzing the source code

There is so much source code at first glance; where should we look?
Press ctrl+shift+s to open the search, enter MainActivity, and find the main Activity: MainActivity.class. Good news, the code is not obfuscated! Very clear. Ignore everything else and just look at what is written in the onCreate() lifecycle method.
It calls the changeFragment method, and the Fragment tells us everything! (If you do not know what that is, Baidu it; it is just a page, but one that depends on an Activity.) Let's see what changeFragment does.

Its main job is to check the page id passed in and then create the page. The value passed when onCreate calls it is 2131230865, which corresponds to one Fragment instance. Let's see which instance that is: click the class name to jump to its definition.
First, it lives under the fragment package, and there are many fragments under that package, i.e. many pages.
Not much is defined in this CateFragment class.
This NOTICE method is called in every onResume lifecycle callback, i.e. the current user id is sent each time the page appears, which is not what we are after.
Look at the next one.

Judging by the method name, initCate, does it initialize the category?
To cut to the result: I tried a few times and it is not this one.
Carrying on, careful analysis shows that this method eventually calls doPost, which is the class that sends requests. Doesn't sending a request need a request address? So... that's right, this is the interface address. Let's check it: Fiddler did capture this interface, and it also captured the request made by the Notice() method above, notice/my_notice_red.

Then another line of thinking: could we search for the interface directly and locate the class we are looking for?
(The following is important, about code analysis.)
There is no fixed way to analyze this kind of code: gather all the information that helps you, then go into the ocean of code and filter.
Press ctrl+shift+s to open the search and enter the address of the interface that fetches the album list, goods_list.
Aha, two hits: one is a bean (a bean is generally a value object class), the other is a fragment. Let's look at it.
We find that initList sends the request. That's right, this is the method; look it over.

Hey, found it! Look here: a key is appended at the end. Without knowing this key, we could never compute the correct MD5.

Another method is used here, stringSort(); follow it to find out.

The rough call graph: it first calls sortMapByKey, which sorts the parameters alphabetically by key.
Then it assembles them, putting the parameters into the form appid=123&cate=22&...
Note that at the end, the trailing & is cut off on return.

So the final form should look like this.
Verify that the sign generated automatically by the request below is the same as the sign we generated by hand.
You're done!
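As an added illustration (my own code, not the app's decompiled source), here is the signing scheme as reconstructed above, placed beside a server-side verifier that closes the two gaps the analysis exposed: the key ships inside the APK, and the timestamp is never checked. The key, the per-session secret and the sample request are constructed placeholders, not values from the app.

```python
import hashlib
import hmac

# Constructed placeholders: neither value is taken from the app analysed on the page.
APK_EMBEDDED_KEY = "placeholder-key-from-apk"        # static key compiled into the client
SESSION_SECRET = b"placeholder-per-session-secret"   # issued by the server at login, never in the APK


def string_sort(params: dict) -> str:
    """Mirror of the decompiled stringSort(): sort by key, join as k=v&k=v, no trailing '&'."""
    return "&".join(f"{k}={v}" for k, v in sorted(params.items()))


def weak_sign(params: dict, key: str = APK_EMBEDDED_KEY) -> str:
    """Scheme found in initList(): sign = MD5(sorted query string + key). Assumed layout."""
    return hashlib.md5((string_sort(params) + key).encode("utf-8")).hexdigest()


def weak_verify(params: dict, sign: str, key: str = APK_EMBEDDED_KEY) -> bool:
    """What the page observed on the backend: only the digest is compared, timestamp ignored."""
    return hmac.compare_digest(weak_sign(params, key), sign)


def hardened_sign(params: dict, secret: bytes = SESSION_SECRET) -> str:
    """Mitigation: HMAC-SHA256 keyed with a server-issued per-session secret, not an APK constant."""
    return hmac.new(secret, string_sort(params).encode("utf-8"), hashlib.sha256).hexdigest()


def hardened_verify(params: dict, sign: str, now: int,
                    secret: bytes = SESSION_SECRET, window: int = 300) -> bool:
    """Reject stale timestamps before checking the MAC, so a captured request cannot be replayed."""
    try:
        ts = int(params["timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > window:
        return False
    return hmac.compare_digest(hardened_sign(params, secret), sign)


if __name__ == "__main__":
    # Constructed sample request in the shape the page describes.
    req = {"appid": "123", "cate": "22", "goods_id": "1001", "page": "1", "timestamp": "1600000000"}
    print(string_sort(req))
    print("weak sign:", weak_sign(req))
    print("stale request still accepted by weak scheme:", weak_verify(req, weak_sign(req)))
    print("stale request rejected by hardened scheme:",
          not hardened_verify(req, hardened_sign(req), now=1600001000))
```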

Run the crawler to test it.


Summary

This article continues the previous one: using an APP product, it briefly explains how to carry out a security analysis of the product in practice.
The product was decompiled, the code was reviewed and analyzed, and the key method that generates the product's signature was found. The product's security is thereby greatly reduced.

In "mobile application security" practice, we must not only ensure the security of the application's business logic,
for example: sending all image URLs to the front end and having the front end decide whether to display them based on membership is not safe.
At the same time, the security of the code itself must also be ensured,
for example: the code should be obfuscated, hardened, and so on, to increase the difficulty of cracking.

With that, the analysis of the whole application is complete. The end, throw flowers~~~
To state it again: the author does not approve of or encourage anyone maliciously decompiling and analyzing any software product. The source code and in-app resources analyzed this time have been deleted.

Origin blog.csdn.net/qq_31277409/article/details/116504522