Morty Sherlocked: Android Application Based CTF Challenge Walkthrough
Morty Sherlocked is a beginner-level Android application CTF challenge. It walks us through the basic concepts of Android application security, giving us an amazing hands-on experience of analysing an APK.
The aim of this CTF challenge is to focus on the basic flaws that are found while performing a security assessment of a mobile application.
Let’s take a minute to thank Moksh for creating this challenge. If someone wants to try and solve the challenge, the link for the CTF can be found [here] and the application can be downloaded from [here].
Tools Used:
adb: command-line tool that lets you communicate with a device
apktool: command-line tool for reverse engineering Android applications
jadx-gui: tool for producing Java source code from Android Dex and APK files
Android Studio: official Integrated Development Environment (IDE) for Android app development
Device: Android device / Android Studio emulator / Genymotion emulator
Connect the device with a USB cable and enter the following command to check that it is connected properly.
adb devices
The above command lists all the connected devices/emulators.
Note: Make sure USB debugging is enabled on the Android phone before starting the application installation process.
After downloading the application from the link given above, it can be installed on the device/emulator with a very simple command.
adb install <apk-name>
Now we can run the application on the device/emulator.
So it’s written…
Morty, you are at the right place but you need to step up with your tools and find the flag for all of us to proceed ahead.
The message is a hint that we need to use APK analysing tools to find the flag. Great!
We have jadx-gui in our toolkit as an APK analysing tool. Let’s reverse engineer the APK.
jadx-gui <apk-name>
After reverse engineering the APK using jadx-gui, we can read the source code of the application and grab the flag.
Now start reading the source code from MainActivity.java.
Looking at the code, we can see two stored values (keys) named string and string2.
Tracing the code, we find that these values are stored in res/values/strings.xml.
Following the code further, the function ja.a(string2, string) is called with the two strings we found in res/values/strings.xml.
Let’s see function ja.a(string2, string) declaration.
In the private static byte[] a(byte[] bArr, byte[] bArr2) function we can see that encryption is used.
Now we need to break the encryption…
Fasten your seat belt guys.. The encryption is about to break…
We can replicate these two functions in android studio :
- public static String a(String str, String str2)
- private static byte[] a(byte[] bArr, byte[] bArr2)
After replicating these two functions in Android Studio, we printed the resulting flag value to the application’s logcat.
Output in Logcat
FALSE FLAG… ? WHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAT !
Congratulations Guys !! We all were part of the Rabbit hole.
Let’s go to the beginning of the application and read the hint again…
Is there any other APK analysing tool? Wait! We have apktool as well.
The basic difference between apktool and jadx-gui is that apktool gives us smali code and fully decodes the resource files, whereas jadx-gui gives us Java source code.
Let’s reverse engineer the application using apktool and try to analyse application source code again.
We can use a very simple command for that:
apktool d <apk-name>
OR
apktool d <apk-name> -o <new-folder-name>
Note: Here “d” is apktool’s decode command, which decompiles the application.
After reverse engineering the APK, we analyse all the XML files in the decoded application resources.
The flag was hidden in the resource file res/values/arrays.xml.
BINGO!! Morty! You did it again..
Takeaways
Learned how to reverse engineer an Android application.
Learned how to read the application source code.
Learned how to break the encryption, and never to use a weak cipher configuration such as “AES/ECB/PKCS5Padding”.
Never hard code data in application source code.
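As an added example (not the challenge’s own code) tying together the replicated a(String, String) / a(byte[], byte[]) pair and the last two takeaways, here is a Java replica of the AES/ECB/PKCS5Padding pattern that shows why a key shipped in res/values/strings.xml gives no protection, and why ECB itself leaks structure. The Base64 transport, the key and the flag value are constructed assumptions, not values from the challenge.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class HardcodedKeyDemo {

    // Constructed sample key standing in for the value the app keeps in
    // res/values/strings.xml; anyone who decodes the APK can read it.
    static final String HARDCODED_KEY = "0123456789abcdef"; // 16 bytes -> AES-128

    // Same pattern as the decompiled a(byte[], byte[]) helper: AES/ECB/PKCS5Padding.
    static byte[] aesEcb(int mode, byte[] key, byte[] input) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(mode, new SecretKeySpec(key, "AES"));
        return cipher.doFinal(input);
    }

    // Mirrors a(String, String); Base64 as the text encoding is an assumption.
    static String decrypt(String base64Ciphertext, String key) throws Exception {
        byte[] plain = aesEcb(Cipher.DECRYPT_MODE, key.getBytes(StandardCharsets.UTF_8),
                Base64.getDecoder().decode(base64Ciphertext));
        return new String(plain, StandardCharsets.UTF_8);
    }

    static String encrypt(String plaintext, String key) throws Exception {
        byte[] ct = aesEcb(Cipher.ENCRYPT_MODE, key.getBytes(StandardCharsets.UTF_8),
                plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    public static void main(String[] args) throws Exception {
        // The developer "protects" a secret (constructed flag) with the embedded key...
        String stored = encrypt("FLAG{constructed-sample}", HARDCODED_KEY);
        // ...but the key ships in the same APK, so recovering the secret is one call away.
        System.out.println("decrypted: " + decrypt(stored, HARDCODED_KEY));

        // Why ECB is weak on its own: every 16-byte block is encrypted independently,
        // so two identical plaintext blocks yield two identical ciphertext blocks.
        byte[] twoEqualBlocks = ("AAAAAAAAAAAAAAAA" + "AAAAAAAAAAAAAAAA").getBytes(StandardCharsets.UTF_8);
        byte[] ct = aesEcb(Cipher.ENCRYPT_MODE, HARDCODED_KEY.getBytes(StandardCharsets.UTF_8), twoEqualBlocks);
        boolean leaks = Arrays.equals(Arrays.copyOfRange(ct, 0, 16), Arrays.copyOfRange(ct, 16, 32));
        System.out.println("ECB: identical plaintext blocks gave identical ciphertext blocks = " + leaks);
    }
}
```

Compile and run with a plain JDK (javac HardcodedKeyDemo.java && java HardcodedKeyDemo); no Android dependencies are needed, which is itself the point: the decryption logic is reproducible anywhere once the APK has given up the key.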