All language subtitles for 0013 Hack Usernames And Passwords Of Mobile Apps.en--- [ FreeCourseWeb.com ] ---

1
00:00:12,190 --> 00:00:15,050
Hey, guys, welcome back to another episode on How to Hack.

2
00:00:15,610 --> 00:00:21,040
So today we'll be discussing and learning about mobile application security, so otherwise could be

3
00:00:21,040 --> 00:00:23,730
called as mobile application penetration testing.

4
00:00:24,100 --> 00:00:27,730
So we're testing the mobile applications that are installed into your phone.

5
00:00:28,210 --> 00:00:33,170
So over here in our case, we actually have a mobile phone running on the left side.

6
00:00:33,220 --> 00:00:36,940
So this is an Android device being followed up by Android Studio.

7
00:00:37,330 --> 00:00:40,810
And on the right side, we have command prompt running and of course, in command prompt,

8
00:00:41,020 --> 00:00:43,780
we want to learn about Android Debug Bridge.

9
00:00:44,020 --> 00:00:49,450
So we have a full tutorial on that that you can check out as part of a YouTube channel to go ahead and

10
00:00:49,450 --> 00:00:52,350
subscribe to the channel so that you can learn all about cyber security.

11
00:00:52,900 --> 00:00:57,910
So moving back to the tutorial, we can enter, for example, adb followed by devices.

12
00:00:58,720 --> 00:01:03,790
So this will list all the devices that are attached to your computer, whether they are attached to

13
00:01:03,810 --> 00:01:06,670
USB emulation or even wirelessly.

14
00:01:06,850 --> 00:01:10,570
So we can see all the devices that are connected to your adb.

15
00:01:11,230 --> 00:01:16,870
And on the left side, I actually have a mobile device running and we actually have an application

16
00:01:16,870 --> 00:01:18,390
called DIVA.

17
00:01:19,060 --> 00:01:25,660
So if I scroll up and I go into this particular application over here, I can open it up and we actually

18
00:01:25,660 --> 00:01:32,020
have the application and this is a vulnerable mobile application that we can do our vulnerability analysis

19
00:01:32,020 --> 00:01:34,420
on, that we can do our penetration testing on.

20
00:01:34,840 --> 00:01:40,570
So this is a wonderful way for us to learn about mobile application security and how we can secure this

21
00:01:40,570 --> 00:01:40,870
data.

22
00:01:41,650 --> 00:01:47,860
So what we're going to learn over here as we review through the data, we have insecure logging, hard

23
00:01:47,860 --> 00:01:53,920
coding issues, insecure data storage and so on and so forth, including input validation issues.

24
00:01:54,490 --> 00:01:58,330
And we can actually look at, for example, insecure data storage.

25
00:01:58,720 --> 00:02:05,830
So the whole idea about this insecure data storage lies with one of the problems of how data is being

26
00:02:05,830 --> 00:02:09,750
stored inside the mobile device, through the mobile application.

27
00:02:10,090 --> 00:02:17,340
And one of those issues is that a lot of these mobile applications store data in plain text, in clear

28
00:02:17,350 --> 00:02:19,890
text inside the storage device.

29
00:02:20,260 --> 00:02:26,770
So as a result of that, whoever has access into the mobile application's storage will have the ability

30
00:02:26,920 --> 00:02:28,930
to actually view all those data.

31
00:02:29,350 --> 00:02:29,680
All right.

32
00:02:29,690 --> 00:02:35,770
So, for example, over here, I can enter the third party service username.

33
00:02:35,770 --> 00:02:41,530
I can enter test, for example, and I can click on the third party service password.

34
00:02:41,530 --> 00:02:44,490
So you can think of this like logging in to your banking app.

35
00:02:44,800 --> 00:02:48,900
You can think of this like logging into the e-commerce mobile application you have.

36
00:02:48,910 --> 00:02:53,920
So in some sense, when you have the same login, they would actually have to save your password somewhere,

37
00:02:53,950 --> 00:03:00,370
or be able to save some kind of token inside your device in order to inject that back into the application

38
00:03:00,370 --> 00:03:01,550
authentication server.

39
00:03:01,930 --> 00:03:06,120
So as a result of that, when you click save, we have that data being saved.

40
00:03:06,130 --> 00:03:09,270
So we have the credential being saved inside the system.

41
00:03:09,730 --> 00:03:13,820
And when I go back into the Android Debug Bridge.

42
00:03:14,080 --> 00:03:18,670
So, for example, if I enter the following, I can enter adb followed by shell.

43
00:03:18,790 --> 00:03:23,390
So this would give us access into the system so I can enter, for example, whoami.

44
00:03:24,070 --> 00:03:30,470
So we are looking at Unix or Linux commands so I can actually exit on this so I can enter root.

45
00:03:30,520 --> 00:03:36,360
Do we start as root OK and we can enter adb shell again and we can enter

46
00:03:36,370 --> 00:03:36,940
whoami.

47
00:03:37,180 --> 00:03:43,570
So in this case we are now accessing the Android device as root and we can try to examine what kind

48
00:03:43,570 --> 00:03:44,400
of data there are.

49
00:03:44,950 --> 00:03:53,710
So I can cd into slash data, slash data, enter ls so we can actually see all the information over

50
00:03:53,710 --> 00:03:56,020
here, so we can see all the applications.

51
00:03:56,350 --> 00:03:59,910
So one particular folder stands out.

52
00:03:59,920 --> 00:04:02,350
So that is actually on there, over here.

53
00:04:02,360 --> 00:04:09,700
So let me just bring up the command prompt for you so we can see over here we have jakhar.aseem.diva,

54
00:04:10,000 --> 00:04:19,570
so we can cd into jakhar.aseem.diva, hit enter on that and enter ls again and we can see all the information

55
00:04:19,570 --> 00:04:22,030
regarding the directory.

56
00:04:22,060 --> 00:04:24,640
So we have all four different directories.

57
00:04:24,640 --> 00:04:29,830
We have cache, code cache, databases, we have the data app.

58
00:04:30,150 --> 00:04:32,710
OK, so we can actually look at all this information.

59
00:04:32,710 --> 00:04:39,970
We have shared preferences so we can actually try to cd, for example, into shared preference, hit enter

60
00:04:39,970 --> 00:04:47,260
on that and through less special a to do a listing and we can see that there is an XML file.

61
00:04:48,070 --> 00:04:54,190
So what happened is that a lot of mobile applications could be storing those data in XML format or

62
00:04:54,190 --> 00:04:54,610
SQLite.

63
00:04:54,880 --> 00:05:00,100
So SQLite, I will do that as a separate tutorial in the future about how we can examine those data.

64
00:05:00,910 --> 00:05:06,910
So over here we have an XML file and all you got to do is do a cat to read a particular file, hit

65
00:05:06,910 --> 00:05:09,610
enter on that and we can immediately

66
00:05:10,180 --> 00:05:13,150
find out the information of the string name.

67
00:05:13,420 --> 00:05:18,640
OK, so we have the password and we have the user and both of these were test.

68
00:05:18,640 --> 00:05:24,690
So we actually entered test and test for our string password as well as string user.

69
00:05:24,700 --> 00:05:29,920
So immediately we can retrieve those data inside of storage of the mobile device.

70
00:05:29,920 --> 00:05:36,460
So very quickly we could actually view and access a lot of those critical data, personal information

71
00:05:36,760 --> 00:05:38,170
inside the mobile device.

72
00:05:38,650 --> 00:05:43,510
So moving forward, I can actually do a change directory back, then

73
00:05:43,510 --> 00:05:50,650
I can cd into databases and I can enter again and we can see all this different information here.

74
00:05:50,680 --> 00:06:00,920
So we have DIVA notes, we have dot db dash shm, dash wal, ids2, and all these different data.

75
00:06:01,210 --> 00:06:04,600
So the question to ask is, are we able to view those information?

76
00:06:04,870 --> 00:06:08,280
So can we do a cat DIVA notes dot db?

77
00:06:08,290 --> 00:06:10,130
What can we see from those results?

78
00:06:10,510 --> 00:06:13,840
What about dash shm, hit enter on that?

79
00:06:14,380 --> 00:06:16,550
What about dash wal?

80
00:06:16,600 --> 00:06:19,120
What kind of data can we find?

81
00:06:19,480 --> 00:06:24,190
And over here, OK, over here we can see we have some information.

82
00:06:24,400 --> 00:06:33,040
We have exercise, alternate days running; expense, spent too much on home theater; holiday, either Goa

83
00:06:33,040 --> 00:06:33,850
or Amsterdam.

84
00:06:34,120 --> 00:06:35,260
So we realize this.

85
00:06:35,920 --> 00:06:39,580
We have not actually logged in into the mobile application yet.

86
00:06:39,910 --> 00:06:46,600
We are also able to view those data inside the mobile application of those data that are used by the

87
00:06:46,630 --> 00:06:51,220
mobile application to provide information and update through the mobile application.

88
00:06:51,610 --> 00:06:56,110
OK, so with that, we have come to the end of today's tutorial and I hope that you've learned something

89
00:06:56,110 --> 00:06:56,710
valuable.

90
00:06:57,160 --> 00:07:01,270
So if you have any questions, we have to leave a comment below and I'll try my best to answer any of

91
00:07:01,270 --> 00:07:06,340
your questions submitted like subscribe to the channel so that you can be kept abreast of the latest

92
00:07:06,340 --> 00:07:07,030
cybersecurity.

93
00:07:07,690 --> 00:07:09,160
Thank you so much once again for watching.
