외로운 Nova의 작업실
insecurebankv2 - Application Debugging Feature
Nova_ 2023. 5. 22. 15:01
- Vulnerability Overview
If debuggable is set to true in the manifest file, the app ships in a state that is meant only for development, and that can lead to a serious security flaw: on a production device, anyone with USB (adb) access can attach a debugger to the app's process and run commands as the app's own user, without root.
- Vulnerability Diagnosis
Let's look at the manifest file. It is dumped with drozer's app.package.manifest module:
dz> run app.package.manifest com.android.insecurebankv2
<manifest versionCode="1"
versionName="1.0"
package="com.android.insecurebankv2"
platformBuildVersionCode="22"
platformBuildVersionName="5.1.1-1819727">
<uses-sdk minSdkVersion="15"
targetSdkVersion="22">
</uses-sdk>
<uses-permission name="android.permission.INTERNET">
</uses-permission>
<uses-permission name="android.permission.WRITE_EXTERNAL_STORAGE">
</uses-permission>
<uses-permission name="android.permission.SEND_SMS">
</uses-permission>
<uses-permission name="android.permission.USE_CREDENTIALS">
</uses-permission>
<uses-permission name="android.permission.GET_ACCOUNTS">
</uses-permission>
<uses-permission name="android.permission.READ_PROFILE">
</uses-permission>
<uses-permission name="android.permission.READ_CONTACTS">
</uses-permission>
<uses-permission name="android.permission.READ_PHONE_STATE">
</uses-permission>
<uses-permission name="android.permission.READ_EXTERNAL_STORAGE"
maxSdkVersion="18">
</uses-permission>
<uses-permission name="android.permission.READ_CALL_LOG">
</uses-permission>
<uses-permission name="android.permission.ACCESS_NETWORK_STATE">
</uses-permission>
<uses-permission name="android.permission.ACCESS_COARSE_LOCATION">
</uses-permission>
<uses-feature glEsVersion="0x20000"
required="true">
</uses-feature>
<application theme="@16974105"
label="@2131165248"
icon="@2130903040"
debuggable="true"
allowBackup="true">
<activity label="@2131165248"
name="com.android.insecurebankv2.LoginActivity">
<intent-filter>
<action name="android.intent.action.MAIN">
</action>
<category name="android.intent.category.LAUNCHER">
</category>
</intent-filter>
</activity>
<activity label="@2131165271"
name="com.android.insecurebankv2.FilePrefActivity"
windowSoftInputMode="0x34">
</activity>
<activity label="@2131165268"
name="com.android.insecurebankv2.DoLogin">
</activity>
<activity label="@2131165275"
name="com.android.insecurebankv2.PostLogin"
exported="true">
</activity>
<activity label="@2131165278"
name="com.android.insecurebankv2.WrongLogin">
</activity>
<activity label="@2131165269"
name="com.android.insecurebankv2.DoTransfer"
exported="true">
</activity>
<activity label="@2131165277"
name="com.android.insecurebankv2.ViewStatement"
exported="true">
</activity>
<provider name="com.android.insecurebankv2.TrackUserContentProvider"
exported="true"
authorities="com.android.insecurebankv2.TrackUserContentProvider">
</provider>
<receiver name="com.android.insecurebankv2.MyBroadCastReceiver"
exported="true">
<intent-filter>
<action name="theBroadcast">
</action>
</intent-filter>
</receiver>
<activity label="@2131165267"
name="com.android.insecurebankv2.ChangePassword"
exported="true">
</activity>
<activity theme="@16973839"
name="com.google.android.gms.ads.AdActivity"
configChanges="0xfb0">
</activity>
<activity theme="@2131296479"
name="com.google.android.gms.ads.purchase.InAppPurchaseActivity">
</activity>
<meta-data name="com.google.android.gms.version"
value="@2131427332">
</meta-data>
<meta-data name="com.google.android.gms.wallet.api.enabled"
value="true">
</meta-data>
<receiver name="com.google.android.gms.wallet.EnableWalletOptimizationReceiver"
exported="false">
<intent-filter>
<action name="com.google.android.gms.wallet.ENABLE_WALLET_OPTIMIZATION">
</action>
</intent-filter>
</receiver>
</application>
</manifest>
Let's look at the application tag.
<application theme="@16974105"
label="@2131165248"
icon="@2130903040"
debuggable="true"
allowBackup="true">
Here debuggable is set to true. This is a security risk: with the flag on, the process exposes a JDWP debug port that adb (with jdb, Android Studio or a similar client) can attach to even on a non-rooted production device, and adb shell run-as com.android.insecurebankv2 runs commands as the app's own UID, which gives access to its private data directory. We will look at how this is exploited in the next post.
- Countermeasure
Before releasing the app, check the debuggable attribute of the application tag in the manifest and make sure it is false. With a Gradle build it is better not to hardcode android:debuggable in the manifest at all: the build type controls it (release builds are not debuggable by default) and Android Lint reports a hardcoded value as HardcodedDebugMode. Verify the final release APK rather than the source, for example with apkanalyzer manifest debuggable app-release.apk, or by dumping the manifest as above and inspecting the application tag.
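The check above can be scripted. The following is an added example written for this post, not code from insecurebankv2 or drozer: it takes a decoded manifest as text (drozer's app.package.manifest output or apktool's AndroidManifest.xml), reports whether the application tag sets debuggable="true", treats a missing attribute as the platform default of false, and lists the adb commands that confirm the finding on a device (run-as is refused for non-debuggable packages, and adb jdwp lists only processes exposing a debug port). The sample manifests inside it are constructed, trimmed from the dump above; the function and sample names are my own.

```python
"""Checker for the debuggable flag in a decoded AndroidManifest.xml.

Added example for this post (not part of insecurebankv2 or drozer). It reads
the manifest as text, which is what drozer's app.package.manifest module or
apktool produces; it does not parse the binary AXML inside an APK.
"""
import re
import shutil
import subprocess
import xml.etree.ElementTree as ET


def _normalize(xml_text: str) -> str:
    """drozer prints attributes without the android: prefix and without an
    xmlns:android declaration, while apktool keeps both. Dropping the prefix
    lets one parser handle either form (xmlns:android= itself is not touched)."""
    return re.sub(r"\bandroid:(\w+)=", r"\1=", xml_text)


def _application(xml_text: str):
    """Return (root, application element), rejecting anything that is not a manifest."""
    root = ET.fromstring(_normalize(xml_text))
    if root.tag != "manifest":
        raise ValueError("not an AndroidManifest.xml: root is <%s>" % root.tag)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    return root, app


def package_name(xml_text: str) -> str:
    root, _ = _application(xml_text)
    return root.get("package", "")


def is_debuggable(xml_text: str) -> bool:
    """True only when the attribute is present and equals 'true'.
    When it is absent the platform default applies, which is false."""
    _, app = _application(xml_text)
    return app.get("debuggable", "false").strip().lower() == "true"


def audit(xml_text: str) -> dict:
    """Summarise the finding and list the adb commands that confirm it on a
    device. run-as only succeeds for debuggable packages, and 'adb jdwp' lists
    the PIDs that expose a JDWP debug port, so both come back empty or refused
    when the flag is off."""
    pkg = package_name(xml_text)
    debuggable = is_debuggable(xml_text)
    checks = []
    if debuggable:
        checks = [
            f"adb shell run-as {pkg} id",
            f"adb shell run-as {pkg} ls -l /data/data/{pkg}",
            "adb jdwp",
        ]
    return {"package": pkg, "debuggable": debuggable, "device_checks": checks}


def run_as_works(pkg: str):
    """Optional live check: True if run-as succeeds for pkg on the attached
    device, False if it is refused, None when adb is not installed."""
    if shutil.which("adb") is None:
        return None
    proc = subprocess.run(["adb", "shell", "run-as", pkg, "id"],
                          capture_output=True, text=True)
    return proc.returncode == 0 and "uid=" in proc.stdout


# Constructed samples. The first two are trimmed from the drozer output above
# (as printed, and as apktool would decode it); the third is the fixed version
# with the attribute removed so the platform default (false) applies.
SAMPLE_DROZER = """<manifest versionCode="1" versionName="1.0"
    package="com.android.insecurebankv2">
  <uses-sdk minSdkVersion="15" targetSdkVersion="22"></uses-sdk>
  <application label="@2131165248" debuggable="true" allowBackup="true">
    <activity name="com.android.insecurebankv2.LoginActivity"></activity>
  </application>
</manifest>"""

SAMPLE_APKTOOL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.insecurebankv2">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name="com.android.insecurebankv2.LoginActivity"/>
  </application>
</manifest>"""

SAMPLE_FIXED = """<manifest package="com.android.insecurebankv2">
  <application label="@2131165248" allowBackup="true">
    <activity name="com.android.insecurebankv2.LoginActivity"></activity>
  </application>
</manifest>"""


if __name__ == "__main__":
    for name, text in (("drozer", SAMPLE_DROZER), ("apktool", SAMPLE_APKTOOL),
                       ("fixed", SAMPLE_FIXED)):
        print(name, audit(text))
    print("run-as on device:", run_as_works(package_name(SAMPLE_DROZER)))
```

Pipe the real dump in with something like python3 check_debuggable.py < manifest.xml after replacing the samples, or import audit() from a larger manifest review script. The parser deliberately treats only the literal string "true" as debuggable, matching how the platform reads the attribute, so a typo such as "True" or "yes" is reported as not debuggable, which is also what the device will do.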