a

Author: carlospolop

mobile-pentesting/android-app-pentesting/README.md

@@ -25,6 +25,9 @@ Other ways to support HackTricks:
 * [Sieve](https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk) (from mrwlabs)
 * [DIVA](https://payatu.com/wp-content/uploads/2016/01/diva-beta.tar.gz)
 
+
+**Parts of this tutorial were extracted from the [Drozer documentation pdf](https://labs.withsecure.com/content/dam/labs/docs/mwri-drozer-user-guide-2015-03-23.pdf).**
+
 ## Installation
 
 Install Drozer Client inside your host. Download it from the [latest releases](https://github.com/mwrlabs/drozer/releases).
@@ -37,15 +40,15 @@ pip install service_identity
 
 Download and install drozer APK from the [latest releases](https://github.com/mwrlabs/drozer/releases). At this moment it is [this](https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk).
 
-```
+```bash
 adb install drozer.apk
 ```
 
 ### Starting the Server
 
 Agent is running on port 31415, we need to [port forward](https://en.wikipedia.org/wiki/Port\_forwarding) to establish the communication between the Drozer Client and Agent, here is the command to do so:
 
-```
+```bash
 adb forward tcp:31415 tcp:31415
 ```
 
@@ -55,7 +58,7 @@ Finally, **launch** the **application** and press the bottom "**ON**"
 
 And connect to it:
 
-```
+```bash
 drozer console connect
 ```
 
@@ -80,14 +83,14 @@ drozer console connect
 
 Find the **name** of the package filtering by part of the name:
 
-```
+```bash
 dz> run app.package.list -f sieve  
 com.mwr.example.sieve
 ```
 
 **Basic Information** of the package:
 
-```
+```bash
 dz> run app.package.info -a com.mwr.example.sieve
 Package: com.mwr.example.sieve
 Process Name: com.mwr.example.sieve
@@ -109,13 +112,13 @@ Defines Permissions:
 
 Read **Manifest**:
 
-```
+```bash
 run app.package.manifest jakhar.aseem.diva
 ```
 
 **Attack surface** of the package:
 
-```
+```bash
 dz> run app.package.attacksurface com.mwr.example.sieve
 Attack Surface:
  3 activities exported
@@ -199,7 +202,7 @@ Package: com.mwr.example.sieve
 
 #### **Interact** with a service
 
-```
+```bash
 app.service.send            Send a Message to a service, and display the reply  
 app.service.start           Start Service                                       
 app.service.stop            Stop Service
@@ -221,30 +224,15 @@ In the following example:
 * `arg2 == 1`
 * `replyTo == object(string com.mwr.example.sieve.PIN 1337)`
 
-```
+```bash
 run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1337 --bundle-as-obj
 ```
 
 ![](<../../../.gitbook/assets/image (195).png>)
 
 ### Broadcast Receivers
 
-Android apps can send or receive broadcast messages from the Android system and other Android apps, similar to the [publish-subscribe](https://en.wikipedia.org/wiki/Publish%E2%80%93subscribe\_pattern) design pattern. These broadcasts are sent when an event of interest occurs. For example, the Android system sends broadcasts when various system events occur, such as when the system boots up or the device starts charging. Apps can also send custom broadcasts, for example, to notify other apps of something that they might be interested in (for example, some new data has been downloaded).
-
-Apps can register to receive specific broadcasts. When a broadcast is sent, the system automatically routes broadcasts to apps that have subscribed to receive that particular type of broadcast.
-
-This could appear inside the Manifest.xml file:
-
-```markup
-<receiver android:name=".MyBroadcastReceiver"  android:exported="true">
-    <intent-filter>
-        <action android:name="android.intent.action.BOOT_COMPLETED"/>
-        <action android:name="android.intent.action.INPUT_METHOD_CHANGED" />
-    </intent-filter>
-</receiver>
-```
-
-From: [https://developer.android.com/guide/components/broadcasts](https://developer.android.com/guide/components/broadcasts)
+**In the Android basic info section you can see what is a Broadcast Receiver**.
 
 After discovering this Broadcast Receivers you should **check the code** of them. Pay special attention to the **`onReceive`** function as it will be handling the messages received.
 
@@ -279,7 +267,7 @@ Package: com.google.android.youtube
 
 #### Broadcast **Interactions**
 
-```
+```bash
 app.broadcast.info          Get information about broadcast receivers           
 app.broadcast.send          Send broadcast using an intent                      
 app.broadcast.sniff         Register a broadcast receiver that can sniff particular intents
@@ -295,7 +283,7 @@ In this example abusing the [FourGoats apk](https://github.com/linkedin/qark/blo
 
 If you read the code, the parameters "_phoneNumber_" and "_message_" must be sent to the Content Provider.
 
-```
+```bash
 run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!"
 ```
 
@@ -306,7 +294,7 @@ This mean that you can **attach java debugger** to the running application, insp
 
 When an application is debuggable, it will appear in the Manifest:
 
-```html
+```xml
 <application theme="@2131296387" debuggable="true"
 ```
 

mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md

@@ -18,18 +18,17 @@ Other ways to support HackTricks:
 
 ## Intro
 
-A content provider component **supplies data from one application to others** on request. Such requests are handled by the methods of the ContentResolver class. A content provider can use different ways to store its data and the data can be **stored** in a **database**, in **files**, or even over a **network**.
+Data is **supplied from one application to others** on request by a component known as a **content provider**. These requests are managed through the **ContentResolver class** methods. Content providers can store their data in various locations, such as a **database**, **files**, or over a **network**.
 
-It has to be declared inside the _Manifest.xml_ file. Example:
+In the _Manifest.xml_ file, the declaration of the content provider is required. For instance:
 
-```markup
+```xml
 <provider android:name=".DBContentProvider" android:exported="true" android:multiprocess="true" android:authorities="com.mwr.example.sieve.DBContentProvider">
     <path-permission android:readPermission="com.mwr.example.sieve.READ_KEYS" android:writePermission="com.mwr.example.sieve.WRITE_KEYS" android:path="/Keys"/>
 </provider>
 ```
 
-In this case, it's necessary the permission `READ_KEYS` to access `content://com.mwr.example.sieve.DBContentProvider/Keys`\
-(_Also, notice that in the next section we are going to access `/Keys/` which isn't protected, that's because the developer got confused and protected `/Keys` but declared `/Keys/`_)
+To access `content://com.mwr.example.sieve.DBContentProvider/Keys`, the `READ_KEYS` permission is necessary. It's interesting to note that the path `/Keys/` is accessible in the following section, which is not protected due to a mistake by the developer, who secured `/Keys` but declared `/Keys/`.
 
 **Maybe you can access private data or exploit some vulnerability (SQL Injection or Path Traversal).**
 
@@ -57,7 +56,7 @@ dz> run app.provider.info -a com.mwr.example.sieve
   Grant Uri Permissions: False
 ```
 
-We can **reconstruct** part of the content **URIs** to access the **DBContentProvider**, because we know that they must begin with “_content://_” and the information obtained by Drozer inside Path: _/Keys_.
+It's possible to piece together how to reach the **DBContentProvider** by starting URIs with “_content://_”. This approach is based on insights gained from using Drozer, where key information was located in the _/Keys_ directory.
 
 Drozer can **guess and try several URIs**:
 
@@ -210,6 +209,7 @@ Vulnerable Providers:
 
 * [https://www.tutorialspoint.com/android/android\_content\_providers.htm](https://www.tutorialspoint.com/android/android\_content\_providers.htm)
 * [https://manifestsecurity.com/android-application-security-part-15/](https://manifestsecurity.com/android-application-security-part-15/)
+* [https://labs.withsecure.com/content/dam/labs/docs/mwri-drozer-user-guide-2015-03-23.pdf](https://labs.withsecure.com/content/dam/labs/docs/mwri-drozer-user-guide-2015-03-23.pdf)
 
 <details>
 

mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md

@@ -53,26 +53,25 @@ frida-ps -U | grep -i <part_of_the_package_name> #Get all the package name
 **APK**: [https://github.com/t0thkr1s/frida-demo/releases](https://github.com/t0thkr1s/frida-demo/releases)\
 **Source Code**: [https://github.com/t0thkr1s/frida-demo](https://github.com/t0thkr1s/frida-demo)
 
-Follow the [link to read it](frida-tutorial-1.md).
+**Follow the [link to read it](frida-tutorial-1.md).**
 
 ### [Tutorial 2](frida-tutorial-2.md)
 
 **From**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (Parts 2, 3 & 4)\
 **APKs and Source code**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples)
 
-Follow the[ link to read it.](frida-tutorial-2.md)
+**Follow the[ link to read it.](frida-tutorial-2.md)**
 
 ### [Tutorial 3](owaspuncrackable-1.md)
 
 **From**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\
 **APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk)
 
-Follow the [link to read it](owaspuncrackable-1.md).\
-**You can find some Awesome Frida scripts here:** [**https://codeshare.frida.re/**](https://codeshare.frida.re)
+**Follow the [link to read it](owaspuncrackable-1.md).**
 
-## Fast Examples
+**You can find more Awesome Frida scripts here:** [**https://codeshare.frida.re/**](https://codeshare.frida.re)
 
-Here you can find the more basic and interesting functionalities of Frida to make a quick script:
+## Quick Examples
 
 ### Calling Frida from command line
 

mobile-pentesting/android-app-pentesting/frida-tutorial/README.md

@@ -20,7 +20,7 @@ If you are interested in **hacking career** and hack the unhackable - **we are h
 
 {% embed url="https://www.stmcyber.com/careers" %}
 
-**From**: [https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1](https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1)\
+**This is a summary of the post**: [https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1](https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1)\
 **APK**: [https://github.com/t0thkr1s/frida-demo/releases](https://github.com/t0thkr1s/frida-demo/releases)\
 **Source Code**: [https://github.com/t0thkr1s/frida-demo](https://github.com/t0thkr1s/frida-demo)
 

mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md

@@ -7,7 +7,7 @@
 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
 * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
 * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
 
 </details>
@@ -20,7 +20,7 @@
 
 
 
-**From**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (Parts 2, 3 & 4)\
+**This is a summary of the post**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (Parts 2, 3 & 4)\
 **APKs and Source code**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples)
 
 The part 1 is so easy.
@@ -249,7 +249,7 @@ If you are interested in **hacking career** and hack the unhackable - **we are h
 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
 * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
 * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
 
 </details>

mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md

@@ -22,11 +22,9 @@ Other ways to support HackTricks:
 
 ## **Introduction**
 
-[![objection](https://github.com/sensepost/objection/raw/master/images/objection.png)](https://github.com/sensepost/objection)
-
 **objection - Runtime Mobile Exploration**
 
-`objection` is a runtime mobile exploration toolkit, powered by [Frida](https://www.frida.re). It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.
+**[Objection](https://github.com/sensepost/objection)** is a runtime mobile exploration toolkit, powered by [Frida](https://www.frida.re). It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.
 
 **Note:** This is not some form of jailbreak / root bypass. By using `objection`, you are still limited by all of the restrictions imposed by the applicable sandbox you are facing.
 
@@ -128,13 +126,13 @@ This is also usefull if somehow you are **unable to get some readable source cod
 
 #### List activities, receivers and services
 
-```
+```bash
 android hooking list activities
 ```
 
 ![](<../../../.gitbook/assets/image (78).png>)
 
-```
+```bash
 android hooking list services
 android hooking list receivers
 ```
@@ -143,7 +141,7 @@ Frida will launch an error if none is found
 
 #### Getting current activity
 
-```
+```bash
 android hooking get current_activity
 ```
 
@@ -153,7 +151,7 @@ android hooking get current_activity
 
 Lets start looking for classes inside our application
 
-```
+```bash
 android hooking search classes asvid.github.io.fridaapp
 ```
 
@@ -163,7 +161,7 @@ android hooking search classes asvid.github.io.fridaapp
 
 Now lets extract the methods inside the class _MainActivity:_
 
-```
+```bash
 android hooking search methods asvid.github.io.fridaapp MainActivity
 ```
 
@@ -173,7 +171,7 @@ android hooking search methods asvid.github.io.fridaapp MainActivity
 
 Lets figure out wich parameters does the methods of the class need:
 
-```
+```bash
 android hooking list class_methods asvid.github.io.fridaapp.MainActivity
 ```
 
@@ -183,7 +181,7 @@ android hooking list class_methods asvid.github.io.fridaapp.MainActivity
 
 You could also list all the classes that were loaded inside the current applicatoin:
 
-```
+```bash
 android hooking list classes #List all loaded classes, As the target application gets usedmore, this command will return more classes.
 ```
 
@@ -195,7 +193,7 @@ This is very useful if you want to **hook the method of a class and you only kno
 
 From the [source code](https://github.com/asvid/FridaApp/blob/master/app/src/main/java/asvid/github/io/fridaapp/MainActivity.kt) of the application we know that the **function** _**sum()**_ **from** _**MainActivity**_ is being run **every second**. Lets try to **dump all possible information** each time the function is called (arguments, return value and backtrace):
 
-```
+```bash
 android hooking watch class_method asvid.github.io.fridaapp.MainActivity.sum --dump-args --dump-backtrace --dump-return
 ```
 
@@ -205,7 +203,7 @@ android hooking watch class_method asvid.github.io.fridaapp.MainActivity.sum --d
 
 Actually I find all the methods of the class MainActivity really interesting, lets **hook them all**. Be careful, this could **crash** an application.
 
-```
+```bash
 android hooking watch class asvid.github.io.fridaapp.MainActivity --dump-args --dump-return
 ```
 
@@ -237,7 +235,7 @@ android heap print_instances <class>
 
 You can play with the keystore and intents using:
 
-```
+```bash
 android keystore list
 android intents launch_activity
 android intent launch_service
@@ -254,7 +252,7 @@ memory dump from_base <base_address> <size_to_dump> <local_destination> #Dump a
 
 #### List
 
-```
+```bash
 memory list modules
 ```
 
@@ -272,7 +270,7 @@ Lets checks what is frida exporting:
 
 You can alse search and write inside memory with objection:
 
-```
+```bash
 memory search "<pattern eg: 41 41 41 ?? 41>" (--string) (--offsets-only)
 memory write "<address>" "<pattern eg: 41 41 41 41>" (--string)
 ```
@@ -283,7 +281,7 @@ You cals can use the command `sqlite` to interact with sqlite databases.
 
 ### Exit
 
-```
+```bash
 exit
 ```
 

mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md

@@ -20,11 +20,9 @@ Other ways to support HackTricks:
 
 {% embed url="https://www.stmcyber.com/careers" %}
 
-\\
-
 ***
 
-**From**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\
+**This is a summary of the post**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\
 **APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk)
 
 ## Solution 1