Android

Get certificate information of an app :

unzip -p app.apk META-INF/CERT.RSA | openssl pkcs7 -inform DER -noout -print_certs -text
  • Get all packages : pm list packages
  • Get all packages along with apk file path : pm list packages -f
  • Get only the package names : pm list packages -f | sed -e 's/.*=//' | sed 's/\r//g' | sort
  • Get all activities of a package : dumpsys package | grep -i "com.package.name" | grep Activity
  • List function names: nm -D --defined-only filename.so
  • List function names from the dynamic symbol table : objdump -T filename.so | grep text
  • Get full info: objdump -Dslx filename.so | more
  • Get only source code: objdump -S filename.so | more

If you are on Mac, the default objdump program may not be very handy. Install objdump using brew install binutils.
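The commands above wrapped into a few shell helpers, added here as an example rather than taken from the original notes. The helpers read their input from stdin, so they can be fed from adb output or from a saved listing; `app.apk`, the `com.example` package lines and the zip listing are constructed placeholders. The `apksigner` tool mentioned in the comments is the Android build-tools utility, which the notes themselves do not cover.

```shell
#!/bin/sh
# Added example: helpers around the pm / unzip / openssl commands in the notes.
# Inputs come from stdin so each step can be fed from adb or a saved listing.

# Turn `pm list packages -f` output into a sorted, de-duplicated list of package
# names. Each input line looks like (constructed sample):
#   package:/data/app/com.example-1/base.apk=com.example
# tr strips the CR that adb shell adds on some hosts (the sed 's/\r//g' above).
pkg_names() {
  tr -d '\r' | sed 's/^package:.*=//' | sort -u
}

# From an `unzip -Z1 app.apk` listing, keep only the v1 (JAR) signature blocks.
# The block is not always called CERT.RSA: the base name is chosen by the signer
# and the extension depends on the key type (RSA, DSA or EC).
sig_entries() {
  grep -Ei '^META-INF/[^/]+\.(RSA|DSA|EC)$'
}

# Print the signing certificate behind every signature block in an APK, with
# its SHA-256 fingerprint. Apps signed only with APK Signature Scheme v2/v3 have
# no META-INF/*.RSA entry at all; for those use
#   apksigner verify --print-certs app.apk
# from the Android build-tools instead.
apk_certs() {
  apk="$1"
  unzip -Z1 "$apk" | sig_entries | while IFS= read -r entry; do
    echo "== $entry"
    unzip -p "$apk" "$entry" | openssl pkcs7 -inform DER -noout -print_certs \
      | openssl x509 -noout -subject -issuer -dates -fingerprint -sha256
  done
}
```

Usage: `adb shell pm list packages -f | pkg_names` on the host, or `apk_certs app.apk` on a pulled APK. `sig_entries` is split out so the same filter can be run over a listing saved earlier without the device connected.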

SSL Pinning with BKS file: https://medium.com/trendyol-tech/ssl-pinning-in-android-using-public-certificate-and-bks-file-63148aca42b1

Most of the apps below are installed from F-Droid, so you need it on your phone first.

  • AntennaPod : App for podcasts. Good alternative to Google Podcasts. If you started your podcast journey with Google Podcasts you may find this app a bit lacking in UI, but it has all the functionality for subscribing to and listening to podcasts.
  • OpenBoard : Keyboard that's based on AOSP. It doesn’t store or sync your typed words (including usernames, etc.) the way most built-in keyboards do these days.
  • ProtonVPN & ProtonMail : Open source VPN client and email client. After a lot of reviews of VPNs, I found ProtonVPN to be a VPN which walks its talk. ProtonMail is a good Gmail alternative.
  • KeePassDX : Open source password manager which does the job. Creates a password file locally and adds all passwords to that. Supports TOTP as well.
  • MoneyWallet : App to track your expenses and get an overview of how much you spent on each category. The only downside I found was the small number of category icons to select from.
  • Easy Diary : A daily journaling app (replaced with physical diary)
  • Loop Habit Tracker : App to track your daily habits (replaced with physical diary)

It’s a common security practice to recommend SSL pinning for Android apps. The real pain comes when the pinned SSL certificate expires: the app stops working, and the developers have a very hard time if many of their customers are reluctant to update the app on their device.

Never think of pinning the whole Let’s Encrypt SSL certificate in the app, because it expires every 3 months. A developer could instead have pinning logic which says the certificate must be signed by Let’s Encrypt. It’s not a bad idea, but remember that if Let’s Encrypt could be abused to issue an SSL certificate for your domain, then the app could be compromised by using that certificate.
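As an added example (not from the original post), the openssl steps that go with this advice: compute the pin from the certificate's public key (SubjectPublicKeyInfo) rather than from the whole certificate, accept a match anywhere in the chain so a pin on an issuer key or a backup key survives leaf renewals, and check the expiry date ahead of time so the "certificate expired, app stopped working" case is caught in CI rather than by users. The file names (`cert.pem`, `chain.pem`, the pin list) are placeholders chosen by the caller.

```shell
#!/bin/sh
# Added example: SPKI pins and expiry checks with openssl.
# File names are placeholders; the caller supplies real certificate files.

# SPKI SHA-256 pin (base64) of one PEM certificate. This is the value Android's
# Network Security Config expects in <pin digest="SHA-256">. Pinning the public
# key instead of the certificate means a renewal that keeps the same key pair
# does not break the app.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | base64
}

# Split a PEM chain file into one file per certificate inside a temp dir and
# print the directory path.
split_chain() {
  dir=$(mktemp -d)
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/cert" n ".pem")}' "$1"
  echo "$dir"
}

# Return 0 if any certificate in the chain ($1) has a pin listed in $2 (one
# base64 pin per line). Android evaluates pins against every certificate in the
# validated chain, so a pin on the intermediate or root CA key survives leaf
# renewals; keep a second pin for a backup key held offline.
chain_matches_pins() {
  dir=$(split_chain "$1")
  rc=1
  for c in "$dir"/cert*.pem; do
    pin=$(spki_pin "$c")
    if grep -qxF "$pin" "$2"; then rc=0; fi
  done
  rm -rf "$dir"
  return $rc
}

# Return 0 if the certificate ($1) is still valid for at least $2 more days.
# Run this in CI against the pinned leaf so expiry is noticed before release.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

Usage: `spki_pin cert.pem` gives the value to put into the app's pin set; `chain_matches_pins chain.pem pins.txt` reproduces the decision the client will make; `cert_valid_for_days cert.pem 30 || echo "renew now"` belongs in a scheduled job. The platform's own safety net for the expiry problem is the `expiration` attribute on `<pin-set>` in the Network Security Config: after that date pins are no longer enforced and the app falls back to normal trust validation instead of failing closed.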