July 30, 2024
Episode 8
Spoofing Mint Browser
Examining Vulnerabilities in Android Applications
Author: Hahna Kane Latonick
Introduction
Welcome to Part 2 of our Android Security Research Playbook (ASRP) blog series. In Part 1, we introduced the ASRP and the importance of first conducting reconnaissance of your target Android application (“app”). We specifically covered using Open-Source Intelligence (OSINT) to gather as much information as possible about the target application, so that we understand how the application works and what vulnerabilities have been publicly reported. In this post, we are going to describe the second stage of the ASRP where we will be performing static analysis of a vulnerable Android application.
What is Static Analysis?
Static analysis involves examining the source or binary code of a program without executing it. This gives us greater insight into the design and implementation of the program, and into the security vulnerabilities that may exist because of design issues or implementation errors. We will walk through the following ASRP plays to illustrate the steps of the static analysis process:
Play 05: Understand the APK’s Design and Compiler: APKiD
Play 06: Decompress and Decode the APK: Apktool
Play 07: Decompile the APK: JADX
Play 08: Examine the APK File Structure: Android Studio
Introducing our Target
We will be examining the target application, Mint Browser, a web browser for Android phones developed by Xiaomi Inc. Some of its key features include ad blocking, an incognito mode for privacy, video downloading, and a lightweight footprint. Using the Static Analysis Plays of the ASRP, we’re going to investigate a URL spoofing vulnerability in Mint Browser version 1.6.1, which was reported as CVE-2019-10875 and later patched in version 1.6.3.
Diving Into the ASRP
The Static Analysis process that we are going to cover includes understanding the design and compiler of the Android Package Kit (APK), decompressing and decompiling the APK, examining the APK file structure, and identifying the URL spoofing vulnerability in the software.
Play 05: Understand the APK’s Design and Compiler: APKiD
APKiD is like PEiD, but for APK files: it reports which compilers, packers, obfuscators, and anti-analysis mechanisms an APK uses. This play illuminates design elements of the APK and potential issues that may need to be addressed throughout the security research process. When we run APKiD against the Mint Browser v1.6.1 APK, its output reveals that the application contains anti-debugging and anti-virtual machine (VM) checks, which may hinder dynamic analysis when the app is run under a debugger or in an emulator. The APK was compiled with R8, Google’s code shrinker and optimizer, which reduces app size, improves performance, and, when its minification is enabled, obfuscates class and method names to some extent. However, APKiD did not find the marker string that R8 normally embeds in the DEX files it produces and annotated the compiler result as suspicious; that is worth keeping in mind, since it suggests the DEX was not left untouched by a stock R8 build. It’s also worth noting that APKiD did not report any other obfuscators or packers, which could otherwise prevent or hinder static analysis, including reverse engineering. Because APKiD is signature-based, though, a clean result only means that no known signature matched, not that no packer or obfuscator is present.
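To turn APKiD’s findings into concrete next steps, it helps to consume its JSON output (`apkid -j target.apk > apkid.json`) rather than read it by eye. The script below is an added example for this post, not APKiD’s own code and not output captured from Mint Browser: the embedded sample document is constructed to mirror the shape of `apkid -j` (a `files` list whose entries carry a `matches` dict keyed by rule category) and the kinds of findings described above, and the exact rule strings APKiD prints may differ from those assumed here. It folds per-DEX matches into one triage record: which compilers were seen, whether APKiD flagged the compiler result as suspicious, which anti-debug/anti-VM checks will need bypassing before dynamic analysis, and whether any packer or obfuscator signature matched.

```python
"""Triage APKiD JSON output into decisions for the next ASRP plays.

Added example for this post; not APKiD's own code. The JSON layout is
assumed from `apkid -j` as I understand it; the sample below is constructed.
"""
import json
import sys

# Constructed sample, NOT real APKiD output for Mint Browser: it mimics an APK
# whose main DEX carries anti-debug/anti-VM checks and an R8 result that APKiD
# could not confirm with its usual marker.
SAMPLE_APKID_JSON = """
{
  "apkid_version": "2.1.5",
  "files": [
    {
      "filename": "app.apk!classes.dex",
      "matches": {
        "anti_debug": ["Debug.isDebuggerConnected() check"],
        "anti_vm": ["Build.FINGERPRINT check", "possible Build.SERIAL check"],
        "compiler": ["r8 without marker (suspicious)"]
      }
    },
    {
      "filename": "app.apk!classes2.dex",
      "matches": {
        "compiler": ["r8"]
      }
    }
  ]
}
"""

# Hits here mean dynamic analysis (debugger, emulator) will need bypasses.
ANTI_ANALYSIS = ("anti_debug", "anti_vm", "anti_disassembly")
# Hits here mean decoding/decompiling (Apktool, JADX) may be hindered.
STATIC_BLOCKERS = ("obfuscator", "packer", "protector")


def triage(apkid_json: str) -> dict:
    """Fold per-file APKiD matches into one decision record for the whole APK."""
    report = json.loads(apkid_json)
    compilers, anti, blockers = set(), {}, {}
    for entry in report.get("files", []):
        matches = entry.get("matches", {})
        compilers.update(matches.get("compiler", []))
        for cat in ANTI_ANALYSIS:
            for rule in matches.get(cat, []):
                anti.setdefault(cat, set()).add(rule)
        for cat in STATIC_BLOCKERS:
            for rule in matches.get(cat, []):
                blockers.setdefault(cat, set()).add(rule)
    return {
        "compilers": sorted(compilers),
        # APKiD appends "(suspicious)" to compiler results it cannot fully confirm.
        "suspicious_compiler": any("suspicious" in c for c in compilers),
        "anti_analysis": {k: sorted(v) for k, v in sorted(anti.items())},
        "static_blockers": {k: sorted(v) for k, v in sorted(blockers.items())},
        "needs_dynamic_bypass": bool(anti),
        "static_analysis_hindered": bool(blockers),
    }


def summarize(findings: dict) -> str:
    """Render the triage record as the short note a researcher would keep."""
    lines = [f"compilers: {', '.join(findings['compilers']) or 'none detected'}"]
    if findings["suspicious_compiler"]:
        lines.append("WARNING: compiler marker missing or inconsistent; do not assume a stock toolchain")
    for cat, rules in findings["anti_analysis"].items():
        lines.append(f"{cat}: {'; '.join(rules)}")
    if findings["needs_dynamic_bypass"]:
        lines.append("plan: hook or patch these checks before dynamic analysis")
    if findings["static_analysis_hindered"]:
        for cat, rules in findings["static_blockers"].items():
            lines.append(f"{cat}: {'; '.join(rules)}")
    else:
        lines.append("no packer/obfuscator/protector signature matched (signature-based: absence is not proof)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python apkid_triage.py apkid.json  (falls back to the constructed sample)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_APKID_JSON
    print(summarize(triage(raw)))
```

Run it on the real `apkid -j` output for your target; the `needs_dynamic_bypass` and `static_analysis_hindered` flags are the two answers Plays 06 through 08 depend on, and the suspicious-compiler warning is the cue to look more closely at how the DEX was produced before trusting decompiler output.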