Android CTF

Challenge Description Welcome to the Android App Security Lab: SQL Injection Challenge! Dive into the world of cybersecurity with our hands-on lab. This challenge is centered around a fictitious “Food Store” app, highlighting the critical security flaw of SQL Injection (SQLi) within the app’s framework. foodstore.apk Solution As usual, static analysis to understand first. Static Analysis I started out by reading the AndroidManifest.xml code first. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 <activity android:name="com.mobilehackinglab.foodstore.Signup" android:exported="false"/> <activity android:name="com.mobilehackinglab.foodstore.MainActivity" android:exported="true"/> <activity android:name="com.mobilehackinglab.foodstore.LoginActivity" android:exported="true"> <intent-filter> <action android:name="android.intent.action.MAIN"/> <category android:name="android.intent.category.LAUNCHER"/> </intent-filter> </activity> There is a Signup, MainActivity and LoginActivity activity but only Signup activity is not exported. Reading the objective provided, this challenge will be focused in the signup function. ...

Challenge Description Welcome to the “Guess Me” Deep Link Exploitation Challenge! Immerse yourself in the world of cybersecurity with this hands-on lab. This challenge revolves around a fictitious “Guess Me” app, shedding light on a critical security flaw related to deep links that can lead to remote code execution within the app’s framework. guessme.apk Solution I started out by performing static analysis. Static Analysis As usual, jadx-gui for reading the code. ...

Challenge Description Welcome to the Secure Notes Challenge! This lab immerses you in the intricacies of Android content providers, challenging you to crack a PIN code protected by a content provider within an Android application. It’s an excellent opportunity to explore Android’s data management and security features. securenote.apk Solution As usual, I start out by reading the code using static analysis Static Analysis To read the apk code, I used jadx-gui. ...