jadx basic tutorial - mobile app analysis (TECHNICAL TUTORIAL)

How to Gain Access to Mobile Applications

Introduction to Hacking Mobile Apps

  • The speaker introduces the topic of accessing mobile applications, emphasizing the importance of legality and parental permission before attempting any hacking activities.

Setting Up the Environment

  • The speaker mentions using Kali Linux or Windows XP for hacking operations, indicating that ADB (Android Debug Bridge) is essential for connecting to devices.
  • Instructions are provided on how to find the IP address of a target device by navigating through Wi-Fi settings.

Establishing Connection

  • The process of connecting to a device via ADB is demonstrated, including entering commands like ADB connect followed by the device's IP address and port number.
  • Once connected, root access is obtained using ADB shell and SU, allowing deeper access into the mobile device's file system.

Accessing User Credentials

  • The speaker navigates through directories in search of user credentials stored within an app’s data files.
  • It is noted that usernames and passwords are encrypted; thus, further steps are required to decrypt this information.

Decrypting Information

  • The speaker discusses breaking down an insecure banking application (APK), highlighting tools like JADX for extracting APK contents.
  • Instructions on extracting APK files are given, with emphasis on analyzing their source code for potential vulnerabilities.

Analyzing Source Code

  • After extraction, the speaker navigates through folders containing resources and source code files relevant to login functionality.
  • Key logic behind credential verification during login attempts is examined, revealing how credentials are processed within the app.

Understanding Encryption Mechanisms

  • Discussion includes how encrypted usernames and passwords utilize Base64 encoding, which can be decoded easily.
  • Reference is made to a crypto class in Java used within the app that handles encryption processes.

Tools for Easier Analysis

  • JADX-GUI is introduced as a more user-friendly alternative for analyzing APK files compared to raw source code inspection.

Insecure Bank Application Analysis

Exploring the Graphical User Interface

  • The speaker demonstrates how to open files in a graphical user interface, specifically focusing on the "insecure bank v2.apk" application.
  • The source code is accessed, highlighting the "do login" function and its associated information.

Key Encryption Details

  • Important encryption details are revealed, including the use of Advanced Encryption Standard (AES) 256 for encrypting and decrypting data.
  • The initialization vector (IV) is noted to be set to all zeros, which raises security concerns regarding encryption practices.
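
The two weaknesses noted above (a key embedded in the source and an all-zero IV) can be caught in a pre-release review of your own decompiled or original Java sources. The following is an added example, not code from the video or from the application: the Java snippets are constructed samples, the class names, alias and placeholder key are hypothetical, and the regexes are illustrative heuristics rather than a complete ruleset.

```python
import re

# Constructed sample resembling the pattern described above (not the app's real code).
WEAK_JAVA = '''\
public class CryptoExample {
    String key = "EXAMPLE-PLACEHOLDER-KEY";
    byte[] ivBytes = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
    public byte[] enc(byte[] data) throws Exception {
        IvParameterSpec iv = new IvParameterSpec(ivBytes);
        SecretKeySpec k = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, k, iv);
        return c.doFinal(data);
    }
}
'''
# Constructed hardened counterpart: Keystore-held key, cipher-generated random IV.
HARDENED_JAVA = '''\
public class CryptoHardened {
    public byte[][] enc(byte[] data) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey k = (SecretKey) ks.getKey("example_alias", null);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k);
        return new byte[][] { c.getIV(), c.doFinal(data) };
    }
}
'''

RULES = [
    ("HARDCODED_KEY", re.compile(r'String\s+\w*(?:key|secret|passw)\w*\s*=\s*"[^"]+"', re.I)),
    ("ZERO_IV", re.compile(r'byte\[\]\s+\w+\s*=\s*(?:new\s+byte\[\]\s*)?\{\s*0(?:\s*,\s*0)*\s*\}')),
    ("ZERO_IV", re.compile(r'IvParameterSpec\(\s*new\s+byte\[\d+\]\s*\)')),
    ("KEY_FROM_STRING", re.compile(r'SecretKeySpec\(\s*\w+\.getBytes\(')),
]

def scan(source):
    """Return sorted (line_number, rule_id) findings; matched text is never echoed."""
    findings = set()
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern in RULES:
            if pattern.search(line):
                findings.add((lineno, rule_id))
    return sorted(findings)

if __name__ == "__main__":
    for lineno, rule_id in scan(WEAK_JAVA):
        print(f"CryptoExample.java:{lineno}: {rule_id}")
```

The scanner reports only the line number and rule name, so secrets found during a review do not end up in build logs.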

Decrypting Information

  • The encrypted username is copied and decoded using a site like B64 decode, revealing the username "hacker Loy."
  • The password field is targeted next; the encrypted password string is processed through an encoding website to retrieve sensitive information.

Accessing Account Credentials

  • Using the retrieved secret key ("super secret key one through three"), decryption of the password yields "handsome Loy."

Successful Login Attempt

  • With both username and password obtained, access to the insecure bank application account is successfully achieved by logging in with these credentials.

Video description

In this video, I show how attackers reverse engineer Android apps using JADX to decompile APKs, read Java source code, and extract hardcoded encryption keys and secrets. Watch as we walk through a real-world example of identifying insecure key storage practices and understanding how mobile apps can leak sensitive data. Ideal for bug bounty hunters, red teamers, and mobile app developers.

// Disclaimer // Hacking without permission is illegal. This channel is strictly educational for learning about cyber-security in the areas of ethical hacking and penetration testing so that we can protect ourselves against the real hackers.