Following are some of the tools used for the entire application auditing and penetration testing process:
Test Platform: Ubuntu Linux Desktop v12.04
Device: Nexus 4 running Android v4.4.2
The Android SDK
APKTool 1.5.2: To decompile the Android application into Smali source files
Dex2Jar 0.0.9.15.48: To decompile the Android application source to Java
JD-GUI 0.3.3: To read the Java source files
Burp Proxy 1.5: The proxy tool
Drozer 2.3.3: The Android Application Assessment Framework
NMAP 6.40: To scan web services
Description: An injection vulnerability was found in the Android application in the DatabaseConnector.java
file. The parameters account_id
and account_name
were passed to the SQLite query inside the application, making it vulnerable to SQLite injection.
Risk Level: Critical
Remediation: The user input should be properly sanitized before passing into the database commands...