- 70
- 237 481
Android AppSec
India
Приєднався 13 сер 2017
We (@hpAndro and @_RaviRamesh) spend a lot of time attacking android app hacking, breaking encryption, finding business logic flaws, penetration testing, and looking for sensitive data stored insecurely.
We do it for the right reasons - to help developers make their apps more secure. The best way to verify that your app follows secure mobile development best practices is to perform security assessments of the app, which can include automated mobile app security testing, fuzzing, manual penetration testing, and more. This application represents some of the knowledge we share with the infosec community. We are trying to build vulnerable applications based on OWASP Mobile Security Testing Guide.
🚩 CTF Link : ctf.hpandro.raviramesh.info
🟦 Facebook Page: hpAndro1337
🔷Twitter handle : hpandro1337
We do it for the right reasons - to help developers make their apps more secure. The best way to verify that your app follows secure mobile development best practices is to perform security assessments of the app, which can include automated mobile app security testing, fuzzing, manual penetration testing, and more. This application represents some of the knowledge we share with the infosec community. We are trying to build vulnerable applications based on OWASP Mobile Security Testing Guide.
🚩 CTF Link : ctf.hpandro.raviramesh.info
🟦 Facebook Page: hpAndro1337
🔷Twitter handle : hpandro1337
Runtime Debugging Native Android Shared library (.so) file using IDA Pro
🚩 CTF Link: ctf.hpandro.raviramesh.info
♚ All applications: github.com/RavikumarRamesh/hpAndro1337
🔊 UA-cam Channel: ua-cam.com/users/AndroidAppSec
🟦 Facebook Page: hpAndro1337
🔷Twitter handle: hpandro1337
============================================
how #runtime #debugging a #nativelibrary can help in identifying the application's logic and #bypassing it using #IDA Pro
nsconclave.net-square.com/debugging-android's-native-library.html
By :
0ninaik
ps_doom
♚ All applications: github.com/RavikumarRamesh/hpAndro1337
🔊 UA-cam Channel: ua-cam.com/users/AndroidAppSec
🟦 Facebook Page: hpAndro1337
🔷Twitter handle: hpandro1337
============================================
how #runtime #debugging a #nativelibrary can help in identifying the application's logic and #bypassing it using #IDA Pro
nsconclave.net-square.com/debugging-android's-native-library.html
By :
0ninaik
ps_doom
Переглядів: 16 258
Відео
Android Studio Emulator (AVD) Rooting with Magisk using rootAVD
Переглядів 52 тис.3 роки тому
🚩 CTF Link: ctf.hpandro.raviramesh.info ♚ All applications :github.com/RavikumarRamesh/hpAndro1337 🔊 UA-cam Channel: ua-cam.com/users/AndroidAppSec 🟦 Facebook Page: hpAndro1337 🔷Twitter handle: hpandro1337 Android Studio #Emulator (#AVD) Rooting with #Magisk using #rootAVD github.com/newbit1/rootAVD forum.xda-developers.com/m/newbit.1350876/ avicoder.me/2021/09/02/Root-...
SSAID or ANDROID_ID validation Bypass using Dalvik bytecode Patch - hpAndro Vulnerable Application
Переглядів 2,2 тис.3 роки тому
🚩 CTF Link: ctf.hpandro.raviramesh.info ♚ All applications on Playstore: play.google.com/store/apps/dev?id=7722940558815307513 ♛ Consolidate challenges app: play.google.com/store/apps/details?id=com.hpandro.androidsecurity 🔊 UA-cam Channel: ua-cam.com/users/AndroidAppSec 🟦 Facebook Page: hpAndro1337 🔷Twitter handle: hpandro1337 #SSAID or #ANDROID_ID validation #Bypass u...
GPS Location Spoofing - hpAndro Vulnerable Application Challenge
Переглядів 5913 роки тому
🚩 CTF Link: ctf.hpandro.raviramesh.info ♚ All applications on Playstore: play.google.com/store/apps/dev?id=7722940558815307513 ♛ Consolidate challenges app: play.google.com/store/apps/details?id=com.hpandro.androidsecurity 🔊 UA-cam Channel: ua-cam.com/users/AndroidAppSec 🟦 Facebook Page: hpAndro1337 🔷Twitter handle: hpandro1337 #GPS Location Spoofing #Location #spoofing...
Hardcoded Secret in Native Library (.so files) - hpAndro Vulnerable Application Challenge
Переглядів 1,1 тис.3 роки тому
🚩 CTF Link : ctf.hpandro.raviramesh.info ♚ All application on Playstore: play.google.com/store/apps/dev?id=7722940558815307513 ♛ Consolidate challenges app: play.google.com/store/apps/details?id=com.hpandro.androidsecurity 🔊 UA-cam Channel: ua-cam.com/users/AndroidAppSec 🟦 Facebook Page: hpAndro1337 🔷Twitter handle : hpandro1337 Hardcoded Secret in Native Library 00:00 ...
RPATH - run-time search path hard-coded in native library - hpAndro Vulnerable Application Challenge
Переглядів 5793 роки тому
🚩 CTF Link : ctf.hpandro.raviramesh.info ♚ All application on Playstore: play.google.com/store/apps/dev?id=7722940558815307513 ♛ Consolidate challenges app: play.google.com/store/apps/details?id=com.hpandro.androidsecurity 🔊 UA-cam Channel: ua-cam.com/users/AndroidAppSec 🟦 Facebook Page: hpAndro1337 🔷Twitter handle : hpandro1337 RPATH CWE-426: Untrusted Search Path cwe....
Checking Memory for Sensitive Data (Memory Flag) - hpAndro Vulnerable Application Challenge
Переглядів 9053 роки тому
🚩 CTF Link : ctf.hpandro.raviramesh.info ♚ All application on Playstore: play.google.com/store/apps/dev?id=7722940558815307513 ♛ Consolidate challenges app: play.google.com/store/apps/details?id=com.hpandro.androidsecurity 🔊 UA-cam Channel: ua-cam.com/users/AndroidAppSec 🟦 Facebook Page: hpAndro1337 🔷Twitter handle : hpandro1337 Process Memory Flag mobile-security.gitbo...
XML External Entity [XXE] - hpAndro Vulnerable Application Challenge
Переглядів 6233 роки тому
🚩 CTF Link : ctf.hpandro.raviramesh.info ♚ All application on Playstore: play.google.com/store/apps/dev?id=7722940558815307513 ♛ Consolidate challenges app: play.google.com/store/apps/details?id=com.hpandro.androidsecurity 🔊 UA-cam Channel: ua-cam.com/users/AndroidAppSec 🟦 Facebook Page: hpAndro1337 🔷Twitter handle : hpandro1337 #XXE #XML eXternal #Entity injection (XXE...
XPath Injection - hpAndro Vulnerable Application Challenge
Переглядів 8613 роки тому
🚩 CTF Link : ctf.hpandro.raviramesh.info ♚ All application on Playstore: play.google.com/store/apps/dev?id=7722940558815307513 ♛ Consolidate challenges app: play.google.com/store/apps/details?id=com.hpandro.androidsecurity 🔊 UA-cam Channel: ua-cam.com/users/AndroidAppSec 🟦 Facebook Page: hpAndro1337 🔷Twitter handle : hpandro1337 #XPath Injection Similar to SQL Injection...
User Password Enumeration - hpAndro Vulnerable Application Challenge
Переглядів 3613 роки тому
🚩 CTF Link : ctf.hpandro.raviramesh.info ♚ All application on Playstore: play.google.com/store/apps/dev?id=7722940558815307513 ♛ Consolidate challenges app: play.google.com/store/apps/details?id=com.hpandro.androidsecurity 🔊 UA-cam Channel: ua-cam.com/users/AndroidAppSec 🟦 Facebook Page: hpAndro1337 🔷Twitter handle : hpandro1337 Insecure direct object references (#IDOR)...
Server Side Request Forgery [SSRF] - hpAndro Vulnerable Application Challenge
Переглядів 4543 роки тому
🚩 CTF Link : ctf.hpandro.raviramesh.info ♚ All application on Playstore: play.google.com/store/apps/dev?id=7722940558815307513 ♛ Consolidate challenges app: play.google.com/store/apps/details?id=com.hpandro.androidsecurity 🔊 UA-cam Channel: ua-cam.com/users/AndroidAppSec 🟦 Facebook Page: hpAndro1337 🔷Twitter handle : hpandro1337 #SSRF - Server-Side Request #Forgery Web ...
Server Fingerprinting - hpAndro Vulnerable Application Challenge
Переглядів 2323 роки тому
🚩 CTF Link : ctf.hpandro.raviramesh.info ♚ All application on Playstore: play.google.com/store/apps/dev?id=7722940558815307513 ♛ Consolidate challenges app: play.google.com/store/apps/details?id=com.hpandro.androidsecurity 🔊 UA-cam Channel: ua-cam.com/users/AndroidAppSec 🟦 Facebook Page: hpAndro1337 🔷Twitter handle : hpandro1337 Fingerprint Web Server Web #server #finge...
Remote File Inclusion [RFI] - hpAndro Vulnerable Application Challenge
Переглядів 4773 роки тому
🚩 CTF Link : ctf.hpandro.raviramesh.info ♚ All application on Playstore: play.google.com/store/apps/dev?id=7722940558815307513 ♛ Consolidate challenges app: play.google.com/store/apps/details?id=com.hpandro.androidsecurity 🔊 UA-cam Channel: ua-cam.com/users/AndroidAppSec 🟦 Facebook Page: hpAndro1337 🔷Twitter handle : hpandro1337 #RFI / #LFI The #File #Inclusion vulnerab...
REST API HTTP Methods - hpAndro Vulnerable Application Challenge
Переглядів 2243 роки тому
🚩 CTF Link : ctf.hpandro.raviramesh.info ♚ All application on Playstore: play.google.com/store/apps/dev?id=7722940558815307513 ♛ Consolidate challenges app: play.google.com/store/apps/details?id=com.hpandro.androidsecurity 🔊 UA-cam Channel: ua-cam.com/users/AndroidAppSec 🟦 Facebook Page: hpAndro1337 🔷Twitter handle : hpandro1337 Test #HTTP #Methods HTTP offers a number ...
Unrestricted File Upload - hpAndro Vulnerable Application Challenge
Переглядів 3913 роки тому
🚩 CTF Link : ctf.hpandro.raviramesh.info ♚ All application on Playstore: play.google.com/store/apps/dev?id=7722940558815307513 ♛ Consolidate challenges app: play.google.com/store/apps/details?id=com.hpandro.androidsecurity 🔊 UA-cam Channel: ua-cam.com/users/AndroidAppSec 🟦 Facebook Page: hpAndro1337 🔷Twitter handle : hpandro1337 #Unrestricted File #Upload Uploaded files...
Server Side Template Injection [SSTI] - hpAndro Vulnerable Application Challenge
Переглядів 3383 роки тому
Server Side Template Injection [SSTI] - hpAndro Vulnerable Application Challenge
S3 Bucket Misconfiguration - hpAndro Vulnerable Application Challenge
Переглядів 2503 роки тому
S3 Bucket Misconfiguration - hpAndro Vulnerable Application Challenge
RIA Cross Domain Policy - hpAndro Vulnerable Application Challenge
Переглядів 9933 роки тому
RIA Cross Domain Policy - hpAndro Vulnerable Application Challenge
Review Comment and Meta Data - hpAndro Vulnerable Application Challenge
Переглядів 1153 роки тому
Review Comment and Meta Data - hpAndro Vulnerable Application Challenge
OTP Bruteforce - hpAndro Vulnerable Application Challenge
Переглядів 6 тис.3 роки тому
OTP Bruteforce - hpAndro Vulnerable Application Challenge
Old Backup Files - hpAndro Vulnerable Application Challenge
Переглядів 3153 роки тому
Old Backup Files - hpAndro Vulnerable Application Challenge
Login Bypass Cookie Manipulation - hpAndro Vulnerable Application Challenge
Переглядів 8593 роки тому
Login Bypass Cookie Manipulation - hpAndro Vulnerable Application Challenge
JWT Misconfiguration - hpAndro Vulnerable Application Challenge
Переглядів 2813 роки тому
JWT Misconfiguration - hpAndro Vulnerable Application Challenge
JSON to XXE Blind - hpAndro Vulnerable Application Challenge
Переглядів 5443 роки тому
JSON to XXE Blind - hpAndro Vulnerable Application Challenge
JavaScript Info Leak - hpAndro Vulnerable Application Challenge
Переглядів 2313 роки тому
JavaScript Info Leak - hpAndro Vulnerable Application Challenge
Insecure Direct Object References [IDOR] - hpAndro Vulnerable Application Challenge
Переглядів 2863 роки тому
Insecure Direct Object References [IDOR] - hpAndro Vulnerable Application Challenge
Encoding & Hashing - hpAndro Vulnerable Application Challenge
Переглядів 2693 роки тому
Encoding & Hashing - hpAndro Vulnerable Application Challenge
Default Credential - hpAndro Vulnerable Application Challenge
Переглядів 1773 роки тому
Default Credential - hpAndro Vulnerable Application Challenge
Client Side Validation Bypass - hpAndro Vulnerable Application Challenge
Переглядів 3053 роки тому
Client Side Validation Bypass - hpAndro Vulnerable Application Challenge
Ninjutsu Android Penetration Testing Environment - MEmu based emulator
Переглядів 2,3 тис.3 роки тому
Ninjutsu Android Penetration Testing Environment - MEmu based emulator
is it static analysis
got this error : [ ! ] elevated write permissions are needed to access $ANDROID_HOME
I have Google api android 11 system image x64 which internet says Google api is pre-rooted unlike Google play system image. Do I still need rootAVD?
after this video, i feel like i want to milk a cow
Hello, why when I install version 4.0.3 with docker does it ask me for a login and password?
Same here, did you find how it work out?
how can u get ida pro version?
Where i can found downl. Android_Server for ida?
Can I use my emulator for Rubber Ducky to brute force my phone? How will the emulator detect the mobile phone?
Realtime most of Apps hangs up due to epoll waiting implementation,we can't debug that apps , games with ida, Do u have solution of that
thank you very much please give me your telegram or whatsapp i need your help
Muito obrigado por ter criado o tutorial !
My brain's not braining anymore after watching this
Same😂
please speak out, so it would be easy to understand instead of deaf.
[*] Set Directorys [-] Test IF ADB SHELL is working [-] ADB connection possible [-] Install all APKs placed in the Apps folder [-] Install all APKs placed in the Apps folder That's what powershell says to me. There is no "[*] Trying to install APPS\..." Can somebody help me ?
same did u fixed it?
@@indiancybercultmine is working great ... which version of rootavd and os ur using ??
you need to put the magisk apk inside the APPS folder
late to the parties... first newbie vid. is genymotion still the best emu? was gonna magisk flash avd to try to emulate + test setup on s20. also tried to debug an installed app on android (using usb debug and android studio) but struggling at first step 'attach to debugger'. I have free App Cloner, so no options to create debug there (paid feature). can an app / package be launched in debug mode via shell / adb ? or do you need to build a debug version? or can you manipulate the manifest to make an app be launched in debug, to see everything it's doing, using usb debug? hoped to identify db activity, to understand how apps record info like their config. not learned kotlin or anything yet...
3:14 I have a problem at this point. [*] Set Directorys [-] Test IF ADB SHELL is working [-] ADB connection possible [-] Install all APKs placed in the Apps folder That's what powershell says to me. There is no "[*] Trying to install APPS\..." Can somebody help me?
same here
First run the command . ootAVD.bat ListAllAVDs, then run . ootAVD.bat <path to ramdisk.img file>
you need to put the magisk apk inside the APPS folder
watch on
great job man the next video please : reverse engineering any game for example (temple run 2) on android using il2cppdumper, ida, lldb
generic_x86_arm:/ $ su /system/bin/sh: su: not found 127|generic_x86_arm:/ $
superb content and easy to understand
You can apply this method to creste unsigned apks?
App is even more powerful than I had initially thought
Wow
to bad rootAVD is gone now
Gone? No, not really. It just moved from github to gitlab, but it is still being worked on.
Pls,, tell me site or lab name for practice.. ❤
how to upgrade an apk sdk version this probably works on android 9 but it doesn't work on android 13 this program Cryok sia call recorder this program doesn't work on android 13
bahut hard XD
thank your helpfull!!!
god tutorial 10/10
Does the code go to public when i upload the file?
When click automatic refresh not showing anything
blod: file C:\Users\lenovo\AppData\Local\Android\Sdk\system-images\android-29\google_apis\x86 amdisk.img not found
The script may not be able to detect the exact path. Replace the ENVVAR and ANDROIDHOME with exact path ENVVAR="C:\Users\%User %\AppData\Local\Android\Sdk" ANDROIDHOME="C:\Users\%user%\AppData\Local\Android\Sdk\" and if possible replace the conditional check for ramdisk.img file with exact path in the initial if conditions C:\Users\%User %\AppData\Local\Android\Sdk\system-images\android-30\google_apis\x86 amdisk.img"
@@MrSagarcmp it doesn't work, I'm having the same problem
Use relative path: system-images\android-29\google_apis\x86 amdisk.img. Check the path using ListAllAVDs argument.
. ootAVD.bat system-images\android-29\google_apis\x86 amdisk.img
@@almt7dhteam156 It works for me. Thanks.
'FIND' is not recognized as an internal or external command, operable program or batch file. Why do i get this?
What os u use?
I debug on virtual device it works, but can't do it on physical device is show error as soon as the app launches "prompts: 'process xxx.yyy.zzz not found. aborting session'."
show all processess and follow all steps on video
I opened the apk but the xml is not readable, do you know how to solve that? looks like the file was encrypted
so fast
I’m trying to debug a native file from an android app in IDA and keep getting signal error messages. I assume it’s anti debugging somehow? Is there a chance you can do a video on this
Yeah, this exists. Try LLDB to get a lead into what's happening
how to start process instead of attach?
great but if there is detection
Solución: Amigos, para el que no le funcione a la primera, debe verificar que la ruta de ADB esté añadida correctamente a su path de Windows. No me funcionaba y era por eso.
Hi! Thank you so much for your tutorial. I am facing an issue. If the apk I am trying to debug is NOT DEBUGGEABLE. There is no way to debug it right?
signed ask but giving error any help?
Please make video of Dexcalibur tool because there is no video tutorials that's why.
Finally you're back I missed you alot.
Amazing, can you upload this video in full-hd or higher.
Done .. check same video after few hour
@@AndroidAppSec thanks man
Hope you guide to change android fingerprint by command line from cmd or power shell. Thank you very much
Ada indo ga?
could not load available zip files error showing bro pls help me
good JOB
It always shows analysing but never cameup