Corellium Café Android Trial Guide
Welcome to Corellium Cafe, an innovative mobile application designed for users passionate about mobile pentesting and appsec activities. This unique application has been meticulously crafted to provide an immersive environment where Corellium users can explore, experiment, and enhance their understanding of mobile security vulnerabilities while learning the Corellium virtualized platform.
Get Started with Corellium Café
Whether you're a seasoned professional or an aspiring ethical hacker, Corellium Cafe offers various vulnerabilities, including local storage weaknesses, network vulnerabilities, app misconfigurations, and even advanced attacks requiring runtime manipulation. With Corellium Cafe at your fingertips, get ready to dive deep into the exciting world of mobile app vulnerabilities and unlock new levels of expertise. Let's embark on a thrilling journey of learning and exploration together.
Setup and Configuration
You have now been provided with the Corellium Café APK file (Android Package Kit), which must be installed on a Corellium device. Let's start by building and booting the device, then installing the application.
From the Corellium main page (after login), select the “Create Device” button. Once selected, proceed with creating a “Generic Android” device.
For the Corellium Café application, ensure you create an Android device with a minimum of Android 12.
Once your device is created and booted up, you can navigate to the “Apps” tab within the platform to install the provided Café APK.
Drag the APK into the Apps window (as shown above) or click the "Install App" button.
DISCLAIMER: While this application tries to replicate functionality you see in public applications, DO NOT enter valid credit card details when navigating through the application. Always use spoofed information.
Content
Hardcoded Login Credentials
When launched, the Corellium Café application lets you log in or continue as a guest. The login credentials are hardcoded in the application's "strings.xml" resource file.
Note: Logging in does not change the interface; the login exists only to demonstrate several of the vulnerabilities below.
To find these credentials, decompile the Android APK and locate "strings.xml".
apktool d Corellium_Cafe.apk
Once the application is decompiled, navigate into the output folder (apktool names it after the APK) and follow the path below to "strings.xml"
Corellium_Cafe/res/values/strings.xml
Alternatively, if you have JADX installed, open the APK with JADX and browse to the same path under the Resources node to see the same contents.
jadx-gui Corellium_Cafe.apk
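Reading strings.xml by hand works for one app, but a practitioner usually wants a repeatable pass over every res/values*/strings.xml that apktool writes. The script below is an added example, not code from the guide or from Corellium: it flags string resources whose name looks credential-related or whose value looks like an e-mail address, a URL with embedded userinfo, a long hex key or a JWT. The resource names in the embedded sample (login_username, login_password and so on) are assumptions made for this example; the real Café strings.xml may use different names.

```python
"""Flag suspicious <string> resources in apktool output (added example)."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Resource names that commonly hold credentials or secrets.
NAME_PATTERN = re.compile(
    r"(pass(word|wd)?|pwd|secret|token|api[_-]?key|auth|cred|username|login)",
    re.IGNORECASE,
)
# Values that look secret-like regardless of the resource name.
VALUE_PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "url_with_userinfo": re.compile(r"^[a-z]+://[^/@\s]+:[^/@\s]+@"),
    "hex_key": re.compile(r"^[0-9a-fA-F]{32,}$"),
    "jwt": re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]+$"),
}


def find_credential_strings(xml_text):
    """Return [(name, value, reason)] for suspicious <string> entries."""
    hits = []
    root = ET.fromstring(xml_text)
    for node in root.iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        if not value:
            continue
        if NAME_PATTERN.search(name):
            hits.append((name, value, "name"))
            continue
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.search(value):
                hits.append((name, value, label))
                break
    return hits


def scan_apktool_output(root_dir):
    """Scan every res/values*/strings.xml below an apktool output directory."""
    findings = []
    for path in sorted(Path(root_dir).glob("res/values*/strings.xml")):
        text = path.read_text(encoding="utf-8")
        for name, value, reason in find_credential_strings(text):
            findings.append((str(path), name, value, reason))
    return findings


# Constructed sample resembling a strings.xml with hardcoded login data.
# Resource names and values are made up for this example.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Corellium Cafe</string>
    <string name="login_username">user@example.com</string>
    <string name="login_password">example-password</string>
    <string name="support_contact">help@example.com</string>
    <string name="blog_url">https://www.corellium.com/blog</string>
</resources>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_apktool_output(sys.argv[1])
    else:
        results = [("<sample>",) + h for h in find_credential_strings(SAMPLE_STRINGS_XML)]
    for path, name, value, reason in results:
        print(f"{path}: {name} = {value!r}  [{reason}]")
```

Run it as `python find_strings.py Corellium_Cafe` against the apktool output directory; with no argument it scans the embedded sample. Name matching is deliberately broad (it will also flag harmless labels such as a "Login" button title), so treat the output as a list of places to read, not as findings.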
Shared Preferences – Customer Data
To find the sensitive data in Shared Preferences, and the data for the next few vulnerabilities, you must first walk through the full application flow (add items to your cart and complete the checkout process).
Once you have done that, the first place to look is Shared Preferences. From the Corellium console (the device is rooted, so the shell can read the app's private data), navigate to the application data directory:
/data/data/com.corellium.cafe/shared_prefs/
This directory contains a file called "Customer Data.xml" holding the personal information gathered during your coffee purchase (name, phone number, etc.).
Database (Sensitive)
The Corellium Café application creates a database that contains sensitive values (Credit Card Data).
Navigate to the Android data directory and the databases folder within.
/data/data/com.corellium.cafe/databases/
In this directory you will find a database file named "Customer_Payment".
Download the database file to your machine and open it in a database viewer (DB Browser for SQLite, or the sqlite3 command line); the contents are stored in plain text.
The "Customer_Payment" database contains every credit card entered in the application since it was installed.
Sensitive Information Leakage
The Corellium Café application sends a POST request containing the credit card details to the Corellim.com domain. Sensitive data in the body of an HTTPS request is not a vulnerability in itself, but here it simulates sending card data to a third party for no legitimate purpose; the request can be observed with an intercepting proxy.
Credit Card Number in the Logs
The Corellium Café application ships with debug logging enabled and logs sensitive data, including the full credit card number, when processing a transaction.
Navigate through the application to the checkout screen, as seen in the screenshot below.
While the application is running, open the console tab in Corellium and start logcat (command below) to watch the debug logs coming from the device. From the device shell itself, plain `logcat` works; from a host connected over ADB use:
adb logcat
With logcat running, submit the order in the application, then stop logcat (Ctrl + C).
Review the captured logs for the card number, similar to the screenshot below.
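The three storage findings above (Shared Preferences, the Customer_Payment database and logcat) all reduce to the same question: does this artifact contain a card number? The script below is an added example, not code from the guide or from Corellium, that applies one check, a Luhn-valid run of 13 to 19 digits, to a shared_prefs XML file, an SQLite database pulled from the device and a set of logcat lines. Every sample it embeds is constructed for this example (the card numbers are the usual public test PANs); the real "Customer Data.xml" keys and the Customer_Payment schema may differ.

```python
"""Triage pulled Android artifacts for card numbers, PANs (added example)."""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Digit runs, optionally separated by single spaces or dashes, not glued to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum (ISO/IEC 7812) over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid 13-19 digit numbers found in text, separators removed."""
    pans = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def scan_shared_prefs(xml_text):
    """Map preference name -> PANs found in a shared_prefs XML document."""
    hits = {}
    for node in ET.fromstring(xml_text):
        pans = find_pans((node.text or "") + " " + node.get("value", ""))
        if pans:
            hits[node.get("name", "?")] = pans
    return hits


def scan_sqlite(db_path):
    """Return [(table, column, pan)] over every user table in an SQLite file."""
    hits = []
    con = sqlite3.connect(db_path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            cur = con.execute(f'SELECT * FROM "{table}"')
            columns = [d[0] for d in cur.description]
            for row in cur:
                for column, cell in zip(columns, row):
                    for pan in find_pans(str(cell)):
                        hits.append((table, column, pan))
    finally:
        con.close()
    return hits


def scan_logcat(lines):
    """Return [(line number, pan)] for logcat output."""
    return [(n, pan) for n, line in enumerate(lines, 1) for pan in find_pans(line)]


# Constructed samples; not real data from the Café application.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="customer_name">Ada Example</string>
    <string name="customer_phone">555-123-4567</string>
    <string name="last_card">4111 1111 1111 1111</string>
</map>
"""
SAMPLE_LOGCAT = [
    "01-02 12:34:56.789  1234  1234 D CafeCheckout: order id 1234567890123456",
    "01-02 12:34:56.790  1234  1234 D CafeCheckout: charging card 4242424242424242 exp 12/29",
]


def build_sample_db():
    """Write a small Customer_Payment-style SQLite file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE customer_payment (name TEXT, card_number TEXT, expiry TEXT, cvv TEXT)")
        con.executemany("INSERT INTO customer_payment VALUES (?, ?, ?, ?)", [
            ("Ada Example", "4111111111111111", "12/29", "123"),  # public test PAN
            ("Bob Example", "5555555555554444", "01/30", "456"),  # public test PAN
        ])
    con.close()
    return path


def demo():
    """Run all three scanners over the constructed samples."""
    return {
        "shared_prefs": scan_shared_prefs(SAMPLE_PREFS),
        "sqlite": scan_sqlite(build_sample_db()),
        "logcat": scan_logcat(SAMPLE_LOGCAT),
    }


if __name__ == "__main__":
    for source, found in demo().items():
        print(source, found)
```

The order id in the first logcat line is 16 digits but fails the Luhn check, so it is not reported, while the 10-digit phone number in the preferences is too short to be considered; both are the kind of false positive a plain digit-run grep would produce. For real artifacts, pull the files with `adb pull` (or download them from the Corellium file browser) and point `scan_sqlite` and `scan_shared_prefs` at them.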
Backup Enabled
If you decompiled the application in the first step, the decompiled folder also contains the "AndroidManifest.xml" file. This file declares the Android permissions, activities and other configuration of the application.
Open this file in a text editor and look for the following flag:
android:allowBackup="true"
When this flag is true, as it is in this application, the app's data is included whenever an Android backup is taken. Because this application stores sensitive data, that makes the finding higher risk. Note that on Android 12 and later, `adb backup` excludes app data for apps targeting API 31+ unless the app is also debuggable, but the flag still governs the cloud and device-to-device backup paths.
Screenshots saved to the device with Sensitive Data
When an application is backgrounded on Android, the system takes a snapshot of its last screen and stores it on the device for the task switcher. If the app does not show a splash screen or blur its content at that moment, whatever was on screen is captured, which exposes users to information leakage.
To prove the issue, background the application and open the Android recent-apps view: if application data is visible in the preview, it is an issue. The snapshot files themselves can also be pulled from the device.
After you have backgrounded the application, the snapshots can be found in the directory below.
/data/system_ce/0/snapshots
Secret Exported Activity
In Android, an activity is a single screen of an application. Corellium Café contains a "secret" activity that displays every credit card number currently in the database.
To exploit this, we first need the activity's name so we can launch it ourselves.
Open the AndroidManifest.xml from the decompiled application (prior steps) and look for the secret activity (shown in the screenshot below).
With the name identified, make sure the application is running in the Corellium platform and open the "console" tab.
We will use the activity manager (am) command available in the Android shell to start the SecretActivity we found above.
am start -n com.corellium.cafe/com.corellium.cafe.ui.activities.SecretActivity
Notice that on the device, a new screen is loaded that shows all the credit card data currently in the database.
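Both manifest findings above (the allowBackup flag and the exported SecretActivity) come from the same file, so it is worth checking them together. The script below is an added example, not code from the guide or from Corellium: it parses the decoded AndroidManifest.xml that apktool writes (the binary manifest inside the APK must be decoded first), reports allowBackup and debuggable, lists every component reachable from other apps, and prints the `am start` line for each exported activity. The sample manifest it embeds is constructed; the component names are the ones this guide mentions, but their attributes and layout are assumptions for the example.

```python
"""Audit a decoded AndroidManifest.xml for backup and exported components (added example)."""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")


def attr(node, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return node.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """True when other apps can reach the component.

    An explicit android:exported wins. Without it, a component that declares an
    intent-filter defaults to exported (pre-API 31 behaviour; on API 31+ the
    attribute is mandatory for such components and installation fails without it).
    """
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return a dict with package, allowBackup, debuggable and exported components."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    app = root.find("application")
    report = {
        "package": package,
        # allowBackup defaults to true when the attribute is omitted.
        "allowBackup": (attr(app, "allowBackup") or "true").lower() == "true",
        "debuggable": (attr(app, "debuggable") or "false").lower() == "true",
        "exported": [],
    }
    for kind in COMPONENTS:
        for comp in app.iter(kind):
            if not is_exported(comp):
                continue
            name = attr(comp, "name")
            if name.startswith("."):            # relative class name
                name = package + name
            elif "." not in name:               # bare class name in the package
                name = package + "." + name
            entry = {"kind": kind, "name": name,
                     "permission": attr(comp, "permission"), "launch": None}
            if kind in ("activity", "activity-alias"):
                entry["launch"] = f"am start -n {package}/{name}"
            report["exported"].append(entry)
    return report


# Constructed sample manifest; attributes and layout are assumptions for this example.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.corellium.cafe">
    <application android:allowBackup="true" android:label="Corellium Cafe">
        <activity android:name=".ui.activities.MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name="com.corellium.cafe.ui.activities.SecretActivity" android:exported="true"/>
        <activity android:name=".ui.activities.OrderReviewActivity"/>
        <service android:name=".sync.SyncService" android:exported="false"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    report = audit_manifest(text)
    print(f"package={report['package']} allowBackup={report['allowBackup']} debuggable={report['debuggable']}")
    for entry in report["exported"]:
        perm = f" (requires {entry['permission']})" if entry["permission"] else ""
        print(f"exported {entry['kind']}: {entry['name']}{perm}")
        if entry["launch"]:
            print("   ", entry["launch"])
```

Run it as `python audit_manifest.py Corellium_Cafe/AndroidManifest.xml`. An exported activity guarded by a custom `android:permission` is listed too, since the permission may be weak; check its `protectionLevel` before concluding it is safe.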
Root Detection
When you attempt to log in (not when continuing as a guest), the application detects that it is running on a rooted device and crashes. To get past this, we will use Frida within Corellium to bypass the root detection.
The following Frida Codeshare link provides a script that bypasses common Android root detection checks:
https://codeshare.frida.re/@dzonerzy/fridantiroot/
Save the script as a .js file and upload it to the Frida console within Corellium.
Launch the Café application, hook the process within the Frida console and execute the uploaded script.
With the script running, log in to the application with the credentials below (the same ones retrieved from the first vulnerability). The script hooks the detection methods so the app no longer crashes, effectively bypassing the root detection.
CREDENTIALS:
Username: admin@corellium.com
Password: Hellogoodbye123
Promo Code Exploitation
When checking out in the Café application, you will notice a Promo Code field. In the application code, a promo code worth 100% off is generated randomly each time the app is launched. Because it differs on every run, it cannot be found hardcoded in the APK the way the other sensitive data was. This is where Frida comes in: we hook the function that handles the code and read its return value.
The first thing we need to do within the application is add an item to your cart and go through the process to get to the checkout screen containing the promo code.
Without clicking “Submit Order,” use the following JavaScript code to create a .js file you can upload into the Frida console in Corellium.
Java.perform(function () {
    var orderReview = Java.use("com.corellium.cafe.ui.activities.OrderReviewActivity");
    // Hook the decrypt method inside the class. It takes two arguments in this build;
    // if Frida reports an overload ambiguity, select the overload explicitly.
    orderReview.decrypt.implementation = function (var0, var1) {
        // Call the original implementation to obtain its return value.
        var decrypted = this.decrypt(var0, var1);
        // Leak the secret to the Frida console, then hand the real value back
        // so the application keeps working normally.
        console.log("[promo] decrypted value: " + decrypted);
        return decrypted;
    };
});
Upload this script, then hook the application within the Frida console. Once the application is hooked, run the uploaded script.
With the script loaded, type any value in the "Promo Code" field and click "Apply".
The script will hook the method decrypting the promo code value and show you the correct value in the Frida console.
Enter that code into the check-out screen and notice the price change to “Free” for your entire purchase.
Webview Hooking
The application's main screen has a button that opens the Corellium blog, which loads the URL in a WebView. Looking at the code, you will notice that the method setting up that WebView can be hooked and its URL replaced with something malicious.
As in the previous attack, use the code below to create a .js JavaScript file and upload it to the Frida console.
Java.perform(function () {
    var vulnerableWebView = Java.use("com.corellium.cafe.ui.activities.WebViewActivity");
    // Hook the WebView setup method. var0 is the URL the app intended to load.
    vulnerableWebView.setupWebView.implementation = function (var0) {
        // Discard the original URL and load an attacker-chosen one instead,
        // returning whatever the original method returns.
        console.log("[webview] replacing " + var0);
        return this.setupWebView("https://www.youtube.com/watch?v=dQw4w9WgXcQ");
    };
});
Launch the application so it is at the main screen with the option to open the Corellium blog. Now navigate to the Frida console within Corellium, hook the café application and execute the script we uploaded above.
Click the “Corellium Blog” button and notice a new URL is launched within the application and the Webview has been hooked.
If you want to change the URL to any website (instead of the video shown above), edit the script we used to include the website you want to go to.
Thank you for exploring the depths of Corellium Café and immersing yourself in the world of mobile pentesting and appsec. By working through the vulnerabilities we showcased, you've gained valuable insight into the Corellium platform and honed your skills in uncovering and exploiting mobile app weaknesses. Your dedication to learning and experimenting is commendable, and we hope this experience has given you practical knowledge and a deeper understanding of mobile security. As Corellium Café continues to evolve, we remain committed to enhancing the app, introducing new vulnerabilities, and delivering an even more immersive and enriching experience. Together, let's stay at the forefront of mobile pentesting and explore the limitless possibilities of securing mobile applications. Keep hacking, keep learning, and embrace the exciting journey ahead.