M 303: Yaazhini Android Vulnerability Scanner (15 pts extra)

What You Need for This Project

WARNING: This scanner seems broken

As of Oct 22, 2022, it seems unable to run. It gives an error message saying the APK file is corrupt.

I recommend skipping this project.

Purpose

To practice using Yaazhini, a free Android vulnerability scanner.

Downloading an APK

In a Web browser, open this URL:

https://samsclass.info/128/proj/genie.apk

Save the genie.apk file in your Downloads folder.

Installing Yaazhini

Go to

https://www.vegabird.com/yaazhini/

Download and install Yaazhini. On Debian, in a Terminal, execute these commands:

Launch Yaazhini

If you're on a Mac, the app may refuse to open because it's from an unknown developer.

To get around that, open Finder and go to Applications. Right-click Yaazhini and click Open.

Scanning the APK

In the Yaazhini window, in the "APK Scanner" box, enter an app name, as shown below.

Click the "Choose file" button. Navigate to the genie.apk file you downloaded and double-click it.

Click the "Upload & Scan" button.

When the scan finishes, a page opens with a summary, as shown below.

M 303.1: Man in the Middle Attack (10 pts)

At the top, click the Vulnerabilities tab.

Expand the High object and the "Man in the middle attack" object.

Double-click CryptoHttpClient.java(1).

The vulnerability description appears in the lower pane.

Find the text covered by a green box in the image below. That's the flag.

M 303.2: ECB Mode (5 pts)

In the Medium section, find the vulnerability shown below.

Find the text covered by a green box in the image below. That's the flag.

Posted 9-26-22
Warning added 10-22-22