The Guide to Finding and Reporting Web Vulnerabilities
Hunting for Vulnerabilities
Now that your mobile hacking environment is set up, it’s time to start hunting for vulnerabilities in the mobile app. Luckily, hacking mobile applications is not that different from hacking web applications.
To start, extract the application’s package contents and review the code for vulnerabilities. Compare authentication and authorization mechanisms for the mobile and web apps of the same organization. Developers may trust data coming from the mobile app, and this could lead to IDORs or broken authentication if you use a mobile endpoint. Mobile apps also tend to have issues with session management, such as reusing session tokens, using longer sessions, or using session cookies that don’t expire. These issues can be chained with XSS to acquire session cookies that allow attackers to take over accounts even after users log out or change their passwords. Some applications use custom implementations for encryption or hashing. Look for insecure algorithms, weak implementations of known algorithms, and hardcoded encryption keys. After reviewing the application’s source code for potential vulnerabilities, you can validate your findings by testing dynamically on an emulator or a real device.
Mobile applications are an excellent place to search for additional web vulnerabilities not present in their web application equivalent. You can hunt for these with the same methodology you used to find web vulnerabilities: using Burp Suite to intercept the traffic coming out of the mobile app during sensitive actions. Mobile apps often make use of unique endpoints that may not be as well tested as web endpoints because fewer hackers hunt on mobile apps. You can find them by looking for endpoints that you haven’t seen in the organization’s web applications.
I recommend testing an organization’s web applications first, before you dive into its mobile applications, since a mobile application is often a simplified version of its web counterpart. Search for IDORs, SQL injections, XSS, and other common web vulnerabilities by using the skills you’ve already learned. You can also look for common web vulnerabilities by analyzing the source code of the mobile application.
In addition to the vulnerabilities that you look for in web applications, search for some mobile-specific vulnerabilities. AndroidManifest.xml contains basic information about the application and its functionalities. This file is a good starting point for your analysis. After you’ve unpacked the APK file, read it to gain a basic understanding of the application, including its components and the permissions it uses. Then you can dive into other files to look for other mobile-specific vulnerabilities.
The source code of mobile applications often contains hardcoded secrets or API keys that the application needs to access web services. The res/values/strings.xml file stores the strings in the application. It’s a good place to look for hardcoded secrets, keys, endpoints, and other types of info leaks. You can also search for secrets in other files by using grep to search for the keywords mentioned in Chapter 22.
If you find files with the .db or .sqlite extensions, these are database files. Look inside these files to see what information gets shipped along with the application. These are also an easy source of potential secrets and sensitive information leaks. Look for things like session data, financial information, and sensitive information belonging to the user or organization.
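The checks above can be scripted. The following is an added example, not code from the book: a small Python triage script that, given files from an unpacked APK directory, lists the permissions and exported components declared in AndroidManifest.xml, flags secret-looking entries in res/values/strings.xml, and enumerates the tables in a shipped .db/.sqlite file. The keyword list and the embedded manifest and strings samples are constructed assumptions for the demo.

```python
import re, sqlite3
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: XML namespace
SECRET_NAME = re.compile(r"key|secret|token|passw|auth|cred", re.I)  # assumed list; use your own grep keywords

def manifest_summary(manifest_xml):
    """Return (permissions, exported components). A component counts as exported when
    android:exported="true", or it has an <intent-filter> and no explicit exported attribute."""
    root = ET.fromstring(manifest_xml)
    perms = [p.get(A + "name") for p in root.iter("uses-permission")]
    exported = []
    for tag in ("activity", "service", "receiver", "provider"):
        for c in root.iter(tag):
            flag, has_filter = c.get(A + "exported"), c.find("intent-filter") is not None
            if flag == "true" or (flag is None and has_filter):
                exported.append((tag, c.get(A + "name")))
    return perms, exported

def suspicious_strings(strings_xml):
    """strings.xml entries whose name looks secret-related, or whose value is a
    long opaque token (24+ base64/hex-like characters, no spaces)."""
    hits = []
    for s in ET.fromstring(strings_xml).iter("string"):
        name, value = s.get("name", ""), (s.text or "").strip()
        opaque = re.fullmatch(r"[A-Za-z0-9+/=_-]{24,}", value) is not None
        if SECRET_NAME.search(name) or opaque:
            hits.append((name, value))
    return hits

def sqlite_tables(path):
    """Map table name -> row count for a .db/.sqlite file shipped in the APK."""
    con = sqlite3.connect(path)
    names = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    counts = {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0] for n in names}
    con.close()
    return counts

# Constructed samples standing in for files pulled from an unpacked APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<application>
 <activity android:name=".MainActivity"><intent-filter/></activity>
 <activity android:name=".DebugActivity" android:exported="true"/>
 <service android:name=".SyncService" android:exported="false"/>
</application></manifest>"""
SAMPLE_STRINGS = """<resources>
<string name="api_base_url">https://api.example.com/v2/</string>
<string name="payments_api_key">sk_live_EXAMPLEKEY0000000000</string>
<string name="cfg_blob">QUJDREVGR0hJSktMTU5PUFFSU1RVVlc=</string>
</resources>"""
```

Running `manifest_summary(SAMPLE_MANIFEST)` reports MainActivity (implicitly exported via its intent filter) and DebugActivity but not SyncService, and `suspicious_strings(SAMPLE_STRINGS)` catches the key by name and the base64 blob by shape while ignoring the plain URL.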
Ultimately, looking for mobile vulnerabilities is not that different from hacking web applications. Closely examine the interactions between the client and the server, and dive into the source code. Keep in mind the special classes of vulnerabilities, like hardcoded secrets and the storage of sensitive data in database files, that tend to manifest in mobile apps more than in web applications.