Expanding the Attack Surface: React Native Android Applications

栏目: IT技术 · 发布时间: 4年前

内容简介:React Native is a mobile application framework that is most commonly used to develop applications for Android and iOS by enabling the use of React and native platform capabilities. These days, it’s become increasingly popular to use React across platforms

React Native is a mobile application framework that is most commonly used to develop applications for Android and iOS by enabling the use of React and native platform capabilities. These days, it’s become increasingly popular to use React across platforms on all of your properties (sometimes the same code), including any mobile applications a company has to offer.

When performing recon, we typically focus on expanding the attack surface as much as possible. This often means delving into applications that have been written for mobile platforms, in order to find further API endpoints, or other juicy information such as sensitive credentials in the form of API keys.

The end goal of this blog post is to be able to go from the APK to the React Native JavaScript that can be analysed further for API routes and sensitive credentials being leaked.

Typically, when reversing an Android application, it is decompiled using dex2jar and then analysed using JD-GUI . When dealing with React Native applications, this can be useful if the application has any native code that you would like to analyse, but most of the time, the core logic of the application lies in the React JavaScript that can be obtained without needing to use dex2jar.

Note: dex2jar works by transpiling Java bytecode into Dalvik bytecode, and as a result, a clean and valid output isn’t always guaranteed, so don’t be afraid to use the smali tool to delve the Dalvik bytecode instead.

Obtaining JavaScript from a React Native APK

For this example, I’m going to be extracting the JavaScript from the following React Native application:

com.react_native_examples

Once you’ve downloaded the APK above, extract it to a new folder using the following command:

unzip React\ Native\ Examples_v1.0_apkpure.com.apk -d ReactNative

Browse to the newly created ReactNative folder, and find the assets folder. Inside this folder, it should contain index.android.bundle . This file will contain all of the React JavaScript in a minified format.

The power of map files

If you are able to find a file called index.android.bundle.map , you will be able to analyse the source code in an unminified format. map files contain the source mapping that allows you to map minified identifiers. If the React Native application you are reversing has the map file included within the assets folder, you can take advantage of this by creating a file named index.html in the same directory with the following within it:

<script src="index.android.bundle"></script>

Save this file and then open it in Google Chrome. Open up the Developer Toolbar (Command+Option+J for OS X or Control+Shift+J for Windows), and click on “Sources”. You should see a neatly mapped out JavaScript file, split up into folders and files that make up the main bundle:

Expanding the Attack Surface: React Native Android Applications
Analysing index.android.bundle in Chrome DevTools taking advantage of an included map file

The search for sensitive credentials and endpoints

A pattern that is popular with React Native applications, is the use of a third party database such as Firebase. In the past, there have been a number of applications found to be improperly using Firebase’s authentication model and including an API key that is too permissive, within their React Native application.

This was the case in the Donald Daters application which was found to be vulnerable to this attack vector and blogged about here .

The following strings can be grepped for in order to extract the Firebase API key from the index.android.bundle :

FIREBASE_API_KEY
FIREBASE_AUTH_DOMAIN
FIREBASE_DB_URL
FIREBASE_BUCKET
apiKey

For example:

❯ grep -rnis 'apiKey' index.android.bundle
... omitted for brevity ...

initializeApp({apiKey:"AIzaSyDokhX9fzFlJMfXjwbiiG-2fGDhi4kLPFI",
authDomain:"react-native-examples-bcc4d.firebaseapp.com",
databaseURL:"https://react-native-examples-bcc4d.firebaseio.com",
projectId:"react-native-examples-bcc4d",
storageBucket:"",
messagingSenderId:"928497342409"});

... omitted for brevity ...

In addition to finding Firebase credentials, the index.android.bundle file can also be analysed for API endpoints. In a React Native application I was reversing, I was able to find a number of API endpoints by browsing through the un-minified JavaScript in Chrome:

Expanding the Attack Surface: React Native Android Applications
Finding API endpoints by traversing through un-minified source

Interfacing with Firebase

The following Python script can be used to interface with the Firebase database. Before using this script, install pyrebase using pip install pyrebase .

import pyrebase

config = {
  "apiKey": "FIREBASE_API_KEY",
  "authDomain": "FIREBASE_AUTH_DOMAIN_ID.firebaseapp.com",
  "databaseURL": "https://FIREBASE_AUTH_DOMAIN_ID.firebaseio.com",
  "storageBucket": "FIREBASE_AUTH_DOMAIN_ID.appspot.com",
}

firebase = pyrebase.initialize_app(config)

db = firebase.database()

print(db.get())

The above script will authenticate to a given Firebase database and then print out the contents of the database. This is only possible when the API key provided to this script has permissions to read the database. To test other actions on the database, such as writing to the database, refer to the Pyrebase documentation which can be found here .

Conclusion

Through the information in this blog post, you should now be able to analyse the JavaScript of React Native Android applications with ease. Sensitive credentials and API endpoints can often be extracted from React Native applications by analysing the JavaScript packed into the APK file of the application. The JavaScript packed within a React Native application can trivially be obtained by extracting the APK and opening the index.android.bundle file in the assets folder.


以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

移动Web前端高效开发实战

移动Web前端高效开发实战

iKcamp / 电子工业出版社 / 2017-9 / 89.00

移动互联网的兴起和快速普及,给前端开发人员带来了前所未有的新机遇。移动Web前端技术作为整个技术链条中重要的一环,却乱象丛生。《移动Web前端高效开发实战:HTML 5 + CSS 3 + JavaScript + Webpack + React Native + Vue.js + Node.js》是一本梳理移动前端和Native客户端技术体系的入门实战书。 《移动Web前端高效开发实战:HTML......一起来看看 《移动Web前端高效开发实战》 这本书的介绍吧!

XML、JSON 在线转换
XML、JSON 在线转换

在线XML、JSON转换工具

HSV CMYK 转换工具
HSV CMYK 转换工具

HSV CMYK互换工具