June 24, 2024


Episode 7


Announcing the Android Security Research Playbook

Authors: Jacob Swinsinski and Hahna Kane Latonick


Welcome to the Android Security Research Playbook (ASRP) Blog Series! For those unfamiliar with the ASRP, it is a getting-started guide that aims to kickstart and support a security researcher's Android security research journey. We will follow the order in which the ASRP is laid out as we apply it to a real-world target. Be sure to check out the following resources to follow along with this blog series!



If you’re new to Android, we provide an overview of its architecture and applications to help get you up to speed on how it works. Without further ado, let’s dive right into the first stage of the Android security research process, which is Reconnaissance!

What is Reconnaissance?

Reconnaissance is the process of researching your target before carrying out any analysis, enumeration, or exploitation. This involves performing Open-Source Intelligence (OSINT) to gain a foundational understanding of how the target works. We will walk through the following ASRP plays to illustrate the steps of the Reconnaissance process:


Introducing our Target

We will be examining the target application, VLC for Android, an open-source, cross-platform media player. It lets end users play music, watch videos, and more. The current version is 3.5.4 as of the writing of this post. Its source code is also publicly available, allowing us to review its design and implementation. Now that we have introduced our target, the following sections apply the ASRP Reconnaissance Plays to it.

Diving Into the ASRP

The Reconnaissance process that we are going to cover includes gathering open-source resources, contextualizing the history of the target, discovering known common vulnerabilities and exposures (CVEs), and obtaining the target’s Android Package Kit (APK) file.

Play 00: Gather Open-Source Resources

First, we will conduct passive reconnaissance, specifically Open-Source Intelligence (OSINT), on the target. We will start with the official website of VLC for Android to see what information it provides. We observe that VideoLAN offers a community forum, a wiki providing additional information, mailing lists for announcements and notifications, an FAQ page, press releases, and a security center describing various security bulletins and advisories. We can use these resources to gain valuable insights into VLC for Android, its development, security, user base, and more.


Visiting its open-source repository, we find that VLC for Android is well-documented and actively maintained, with over 17K commits and 376 tags. By reviewing its README, we learn how the project is structured, its architecture, and how to access its bug tracker and IRC channel.

To uncover more information about our target, we can leverage the OSINT Framework, which is focused on gathering information from free tools and resources.

It can be utilized in several different ways. For example, we can use the Google Advanced Search to tailor our search engine queries about potential security vulnerabilities or issues.

In addition, we can employ Google “Dorks”, which are advanced search queries that use special operators and keywords to surface particular information about VLC that Google typically wouldn’t show you. The Google Hacking Database is a curated repository of crafted Google Dork queries that can help researchers identify, or inspire, queries aligned with their research objectives. Be sure to keep the resources gathered during Play 00 stored for easy reference later!

Play 01: Contextualize the History of the Target

It is important to understand the history of our target from why our target exists in the first place to how it has evolved to the present day. This will help illuminate design, implementation, and security decisions made by the developers of the target software. This information will reveal how often the target is updated, its complexity, and what security mitigations may need to be bypassed. In addition, the collection of this information will start to reveal the target’s attack surface and potentially new areas to investigate for vulnerabilities.

By investigating its source code repository, we identified the NEWS file, which provides detailed insight into all changes dating back to the first release. Its CHANGELOG also points to this file and provides us with extremely valuable information about its software development.



Play 02: Discover any Known CVEs

This play is undoubtedly one of the most important, as it shows us how the target has been exploited in the past and may open the door to verifying whether the mitigations put in place for previously disclosed vulnerabilities are effective enough. For example, a remote access vulnerability affecting VLC was found through Google Dorking:



Upon digging further, we can find the merge request and identify the vulnerability associated with this particular bug, followed by the mitigating patch.

This vulnerability was also labeled as “Remote access” and “Security”. Using these labels, we uncovered additional critical vulnerabilities affecting the application that were recently reported.

Alternatively, we can use resources in the “Exploit & Advisories” category of the OSINT Framework, such as MITRE’s official CVE List, the National Vulnerability Database (NVD), and CVE Details, to pinpoint known vulnerabilities associated with our target. In addition, Exploit-DB may reveal publicly available exploits for known vulnerabilities in the VLC media player. This information can prove useful in identifying similar vulnerabilities that have not yet been discovered and reported.
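As an added example for this play (not code from the ASRP or from VideoLAN), the script below builds an NVD keyword-search URL for the target and triages a response into a severity-ranked list, keeping unscored entries visible for manual review. It assumes the NVD CVE API 2.0 endpoint with its `keywordSearch` and `resultsPerPage` parameters and the response layout sketched in `SAMPLE_RESPONSE`, a constructed excerpt whose CVE ids are placeholders rather than real VLC advisories.

```python
import json
from urllib.parse import urlencode

# NVD CVE API 2.0 endpoint; keywordSearch/resultsPerPage are its query parameters.
NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"

# Constructed excerpt in the shape of an NVD 2.0 response. The CVE ids are
# placeholders, not real VLC advisories (assumption: this response layout).
SAMPLE_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-00001", "published": "2023-04-01T10:00:00.000",
             "descriptions": [{"lang": "en", "value": "Out-of-bounds read in a demuxer."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.8, "baseSeverity": "HIGH"}}]}}},
    {"cve": {"id": "CVE-0000-00002", "published": "2021-01-15T10:00:00.000",
             "descriptions": [{"lang": "en", "value": "Remote access via crafted playlist."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-0000-00003", "published": "2019-06-30T10:00:00.000",
             "descriptions": [{"lang": "en", "value": "Crash on a malformed subtitle file."}],
             "metrics": {}}},
]})


def build_query_url(keyword: str, results_per_page: int = 50) -> str:
    """Build the keyword-search URL to fetch (the HTTP request itself is left to the reader)."""
    return NVD_API + "?" + urlencode({"keywordSearch": keyword,
                                      "resultsPerPage": results_per_page})


def summarize_cves(response_json: str) -> list:
    """Flatten an NVD response into records sorted by CVSS v3.1 base score, highest first.

    Entries with no v3.1 metric get score 0.0 / severity UNSCORED so they are
    kept for manual review instead of being silently dropped.
    """
    records = []
    for item in json.loads(response_json)["vulnerabilities"]:
        cve = item["cve"]
        v31 = cve.get("metrics", {}).get("cvssMetricV31", [])
        data = v31[0]["cvssData"] if v31 else {}
        desc = next((d["value"] for d in cve["descriptions"] if d["lang"] == "en"), "")
        records.append({"id": cve["id"],
                        "published": cve["published"][:10],
                        "score": float(data.get("baseScore", 0.0)),
                        "severity": data.get("baseSeverity", "UNSCORED"),
                        "description": desc})
    return sorted(records, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    print(build_query_url("VLC media player"))
    for r in summarize_cves(SAMPLE_RESPONSE):
        print(f'{r["id"]}  {r["severity"]:<9}{r["score"]:>4}  {r["published"]}  {r["description"]}')
```

The ranked output is a starting point for Play 02's real goal: reading each advisory and its fix, then checking whether the mitigation still holds in the version you are targeting.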

Play 03: Curate List of Capabilities

It is important to understand the target’s features and capabilities. Useful questions to consider include:

Finding answers to these questions will help shape the strategies used to propel our security research. Looking at the official website, VLC for Android is described as follows:

“VLC for Android is a full port of VLC media player to the Android™ platform. It can play any video and audio files, network streams and DVD ISOs, like the classic version of VLC. VLC features a full music player, a media database, equalizer and filters, and numerous other features.”

In addition, its website specifies the following features:

Lastly, the VLC for Android wiki is a gold mine for a comprehensive feature set and descriptions of its interfaces. This information can then be organized and summarized into a list or table, grouping its features and capabilities into categories that help illuminate the target’s attack surface and potential attack vectors of interest.

Play 04: Find Sources for the APK

We will wrap up our blog post by identifying sources that will allow us to obtain our target’s Android Package Kit (APK) file. This will enable us to perform static and dynamic analysis, as described in later sections of the ASRP. We have a few choices as to where we can search for and download the VLC for Android APK:



Ultimately, the choice is yours as to where you obtain the APK. Just be mindful of the versions you download as they can vary from source to source.

Conclusion

Thank you so much for taking the time to read the first installment of our ASRP blog series. In this blog post, you learned about some of the key steps of the Reconnaissance process when investigating an Android application. Remember to check out the ASRP for additional details to further support and facilitate your Android security research!