Cracking OWASP’s Android Uncrackable Level 2

While spending some time developing some modules for MEDUSA, I decided to give it a try and see how I could use this tool to crack some of OWASP’s popular Android Crackmes. I will try to keep this post as short as possible, so let’s get right to the point…

Download and Install

Assuming that the reader has already installed MEDUSA, let’s download the crackme and install it using the apkutils.py script:

That wasn’t hard, I guess, but when we try to run the application we hit our first wall:


Recap

In PART 1 of this tutorial we went through some basic theoretical concepts such as Free Floating Windows (FFW), the SYSTEM_ALERT_WINDOW permission (SAW) and Android’s Window Manager. Finally, we created an application that implements an FFW and added a view to it. In PART 2 we rendered our FFW “independent” from the parent activity and focused on its look, size and position on the screen.

In this final part of the tutorial, we are going to cover more advanced topics regarding the FFW appearance and see how an application may use these techniques to literally ‘imitate’…


Introduction

Despite the fact that communication has become much easier these days, privacy and trust have been ignored for years by several industry powerhouses. During the last few years, revelations about mass surveillance have made consumers more privacy-aware, so the need for a security protocol that provides end-to-end encryption for instant messaging is now most imperative.

The Signal Protocol, described as an “end-to-end ratcheting forward secrecy protocol that works in synchronous and asynchronous messaging environments” [1], has recently been adopted by most of the messaging applications, including WhatsApp, Facebook Messenger etc.

This document focuses on the…


Recap

In PART 1 of this tutorial we went through some basic theoretical concepts such as Free Floating Windows (FFW), the SYSTEM_ALERT_WINDOW permission (SAW) and Android’s Window Manager. Finally, we created an application that implements an FFW and added a Button to it. In this part we are going to go a little bit further and play with the “look and feel” of our “construction”, starting to understand how this feature can be abused in a malicious way.

Parental (Un)Control

Before we start, let’s first add a single line of code that will help us get rid of the main…


PART 1

Introduction

Overlays are not something new in IT Security. Actually, “Cloak & Dagger”, which is based on these techniques, is still considered one of the most popular attacks that affected the Android Operating System [1]. But this is just the tip of the iceberg, since overlays are used by various types of malware including banking trojans, spyware, privilege escalation, ad fraud or even ransomware [2,3,4,5]. Although experience so far has shown the opposite, the ability of an application to draw on top of others is still not considered dangerous. After all, vulnerabilities “playing” with the user interface were always considered…


The Need For Speed

Maybe the rest of the audience needs some context regarding the paragraph title, but I am pretty sure that most malware analysts know exactly what I am talking about. So… yes, speed is a critical factor when it comes to malware analysis, especially when you have piled up a large number of apps in your queue and you have to identify potential malware activity for each one of them.

This need was my motivation when I started MEDUSA, which was created taking into consideration the day-to-day tasks of a malware analyst. In this write-up, grabbing the chance that was…

+Ch0pin
