BEETLEBUG APK – MOBILE SECURITY CTF WRITE-UP
Introduction
This write-up documents the analysis and exploitation of multiple vulnerabilities in the BeetleBug Android application. The goal was to identify insecure implementations related to data storage, component exposure, and input handling and to extract flags provided by the CTF environment.
The analysis was performed using static and dynamic techniques, including APK decompilation, ADB interaction, and manual testing.
1. Hardcoded Sensitive Data (EmbeddedSecretStrings)
Analysis:
In the EmbeddedSecretStrings activity, the application compares the user-entered PIN with a stored value referenced by the variable V98bFQrpGkDJ. This value is not generated dynamically but stored in the application resources.
Methodology:
1. Decompiled the APK and inspected resources.arsc.
2. Navigated to values/strings.xml.
3. Located the variable V98bFQrpGkDJ.
4. Extracted its value, which represents the correct PIN.
Result:
The hardcoded PIN was successfully retrieved from the application resources.
2. Hardcoded Secrets in Source Code (EmbeddedSecretSourceCode)
Analysis:
The EmbeddedSecretSourceCode class contains a PromoCode directly embedded in the source code, which represents a hardcoded secret.
Methodology:
1. Decompiled the APK using jadx.
2. Located the EmbeddedSecretSourceCode class.
3. Identified the PromoCode directly in the source code.
Result:
The PromoCode was extracted from the application source code.
3. Insecure SharedPreferences Storage
Analysis:
The application stores sensitive data in SharedPreferences without encryption or access restrictions.
Methodology:
Using MT Manager:
1. Navigated to:
/data/data/app.beetlebug/shared_prefs/2. Opened the file:
shared_pref_flag.xml3. Located the flag stored in the XML file.
Result:
The flag was retrieved from SharedPreferences.
4. Insecure External Storage
Analysis:
Sensitive information is stored in external storage, which is accessible to other applications and users.
Methodology:
Using MT Manager:
1. Navigated to:
/storage/emulated/0/Documents/2. Located the file:
user.txt3. Opened the file to retrieve the flag.
Result:
The flag was extracted from external storage.
5. Insecure SQLite Database
Analysis:
The application stores sensitive information in an SQLite database without encryption.
Methodology:
1. Logged into the application using the password:
Test@1234
2. Pulled the database using ADB:
adb pull /data/data/app.beetlebug/databases/3. Opened the database using an SQLite browser.
4. Inspected the database tables to locate the flag.
Result:
The flag was retrieved from the SQLite database.
6. SQL Injection Vulnerability
Analysis:
The application is vulnerable to SQL Injection due to improper input validation and unsafe query construction.
Methodology:
Tested the following payload:
' OR 1=1 --Explanation:
1=1 is always true, causing the query condition to evaluate to true.
-- comments out the remaining part of the SQL query.
Result:
The payload bypassed authentication logic and exposed user information, including the flag.
7. Firebase Database Misconfiguration
Analysis:
The application uses Firebase Realtime Database with insecure access rules that allow public read access.
Methodology:
1. Extracted the Firebase URL using the strings utility:
strings base.apk | grep firebase2. Identified the Firebase endpoint:
https://beetlebug-374fc-default-rtdb.firebaseio.com3. Retrieved the database content using curl:
curl https://beetlebug-374fc-default-rtdb.firebaseio.com/.jsonResult:
The flag was obtained from the Firebase database.
8. Vulnerable Activity (Exported Activity)
Analysis:
The application exposes certain activities as exported, allowing them to be launched externally via ADB without proper authorization checks.
Methodology:
1. Inspected AndroidManifest.xml to identify exported activities.
2. Launched an exported activity using ADB:
adb shell am start -n app.beetlebug/.ctf.b33tleAdministrator3. The activity provided access to sensitive functionality that led to the flag.
Result:
The flag was retrieved through an exported activity.
9. Vulnerable Service
Analysis:
The application exposes an exported Android service that can be triggered externally.
Methodology:
Started the service using ADB:
adb shell am startservice -n app.beetlebug/app.beetlebug.handlers.VulnerableServiceResult:
Triggering the service led to the disclosure of the flag.
10. Vulnerable Content Provider
Analysis:
The application exposes an exported ContentProvider without access control, allowing external access to its data.
Methodology:
From the source code, the provider URI was identified as:
content://app.beetlebug.provider/usersThe provider was queried using ADB:
adb shell content query --uri content://app.beetlebug.provider/usersResult:
Sensitive data, including the flag, was extracted from the ContentProvider.
Conclusion
The BeetleBug application contains multiple insecure implementations that reflect common Android security issues, including hardcoded secrets, insecure storage mechanisms, component exposure, and injection vulnerabilities. These findings align with several categories of the OWASP Mobile Top 10 and demonstrate the importance of secure coding practices in Android application development.