How to Hack an App

10 April

When we think about securing an app, it is more useful to first think about how apps are hacked and why. In this post, I want to bring forward a few simple practices that should help app developers secure their application and make it tougher for hackers to misuse it.

Find the end-point

A majority of apps depend on HTTP- or HTTPS-based APIs to fetch or update users' data. The first step for a hacker is to find the server end-point. There are multiple ways to achieve this:

1. Using a web proxy or traffic capture: tools such as Burp Suite, Fiddler and Wireshark record the requests and responses the app exchanges with its server.

2. Decompiling the app: the app binary can be decompiled and analysed to find the request and response specifications of its API.

Break the end-point

Once the app's requests and responses are captured, the parameters can be manipulated to mislead the backend server. For example:

Assume the request is http://backend/profile/user/1223

Now a hacker can simply change the user ID from 1223 to 1224 and get another user's data. Many developers keep userId as an incremental value, which makes this even riskier: a hacker can write a program that increments user IDs and steals every user's details from the system.
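The fix on the server side is that the record returned must be chosen from the authenticated session, not from whatever ID appears in the URL. The following is an added example (not code from the post) of the same /profile/user/{id} endpoint written both ways; the profile table, the session table and the tokens in it are constructed sample data, and the handler returns an (HTTP status, body) pair in place of a real web framework.

```python
import re
import uuid

# Constructed sample data (not from the post): profiles keyed by user id,
# and a server-side session table mapping bearer tokens to user ids.
PROFILES = {
    "1223": {"name": "Alice", "email": "alice@example.com"},
    "1224": {"name": "Bob", "email": "bob@example.com"},
}
SESSIONS = {
    "tok-alice": "1223",
    "tok-bob": "1224",
}

PATH_RE = re.compile(r"^/profile/user/([^/]+)$")


def handle_profile_vulnerable(session_token, path):
    """Returns whatever record the URL names, as long as the caller is logged in."""
    if session_token not in SESSIONS:
        return 401, {"error": "unauthenticated"}
    m = PATH_RE.match(path)
    if not m:
        return 404, {"error": "not found"}
    user_id = m.group(1)          # attacker-controlled: 1223 becomes 1224
    if user_id not in PROFILES:
        return 404, {"error": "not found"}
    return 200, PROFILES[user_id]


def handle_profile(session_token, path):
    """Same endpoint, but the owner check comes from the session, not the URL."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    m = PATH_RE.match(path)
    if not m:
        return 404, {"error": "not found"}
    requested = m.group(1)
    if requested != caller:
        # 404 rather than 403, so the endpoint does not confirm that the id exists.
        return 404, {"error": "not found"}
    return 200, PROFILES[caller]


def new_user_id():
    """Opaque, non-sequential public id; incrementing it finds nothing."""
    return str(uuid.uuid4())
```

Opaque IDs only make enumeration impractical; the ownership check in handle_profile is what actually stops the attack, and it has to be present on every endpoint that takes an ID.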

Another way to manipulate APIs is to alter the response: many web proxy tools can intercept a response and change its contents. For example, consider a payment app:

In a badly designed API, the app will get a response like the one below for an invalid transaction:

{ "response": "invalid transaction" }

If one intercepts this response and changes "invalid transaction" to "success", the app will believe the transaction was successful and provide the service or product to the end user.
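The response can be altered because the app, not the server, decides what happens next. TLS with certificate pinning makes interception harder, but the durable fix is to keep the outcome of the payment on the server and to fulfil the order only from that record. The following is an added example (not the post's code): record_payment_result is what the server stores when the payment gateway reports back, and deliver consults that ledger rather than a flag the client sends; the ledger, the transaction IDs and the gateway status strings are constructed for the example.

```python
# Constructed example (not the post's code): the server keeps a ledger of
# transactions and fulfils an order only from that ledger, never from what
# the client says it saw in an earlier response.
LEDGER = {}          # txn_id -> {"user": user_id, "status": "success" | "invalid transaction"}
FULFILLED = set()    # txn_ids that have already been delivered


def record_payment_result(txn_id, user_id, gateway_status):
    """Called when the payment gateway reports the outcome; this is the source of truth."""
    status = "success" if gateway_status == "approved" else "invalid transaction"
    LEDGER[txn_id] = {"user": user_id, "status": status}
    return {"response": status}   # what the app receives, and what a proxy could alter


def deliver_vulnerable(txn_id, client_claims_success):
    """Trusts the client's reading of the earlier response: a tampered 'success' wins."""
    if client_claims_success:
        FULFILLED.add(txn_id)
        return 200, {"delivered": True}
    return 402, {"delivered": False}


def deliver(txn_id, user_id):
    """Looks the transaction up server-side; altering the response changes nothing here."""
    entry = LEDGER.get(txn_id)
    if entry is None or entry["user"] != user_id:
        return 404, {"delivered": False}
    if entry["status"] != "success":
        return 402, {"delivered": False, "reason": entry["status"]}
    if txn_id in FULFILLED:
        return 409, {"delivered": False, "reason": "already delivered"}
    FULFILLED.add(txn_id)         # single fulfilment per transaction
    return 200, {"delivered": True}
```

With this layout the app may display whatever the proxy hands it, but the product is only released when the server's own ledger says the payment was approved, and only once per transaction.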

User Session Hijacking

Most apps keep the user logged in to increase engagement. They use server-generated unique tokens that authenticate and identify the user for subsequent API calls.

If a hacker has access to the device, he can quickly find the token and use it to log in from another device.
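A copied token is only as useful as the server lets it be. The following is an added example (not the post's code) of a server-side session table in which tokens are random, idle out, are bound to the device that created them, and can be revoked for a whole user at once. The device identifier, the 15-minute idle timeout and the injected clock value are assumptions made for the example; in practice the token itself should also live in the platform keystore rather than in a plain preferences file.

```python
import secrets
import time

# Constructed example (not the post's code): a server-side session table.
SESSION_TTL = 15 * 60   # seconds of inactivity before a token dies (assumed value)
_sessions = {}          # token -> {"user": ..., "device": ..., "expires": ...}


def create_session(user_id, device_id, now=None):
    """Issues a fresh random token on each login; nothing about it derives from the user."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    _sessions[token] = {"user": user_id, "device": device_id, "expires": now + SESSION_TTL}
    return token


def validate_session(token, device_id, now=None):
    """Returns the user id for a valid token, or None."""
    now = time.time() if now is None else now
    s = _sessions.get(token)
    if s is None:
        return None
    if now > s["expires"]:
        del _sessions[token]           # idle timeout
        return None
    if s["device"] != device_id:
        # Token presented from a device it was not issued to: treat it as stolen
        # and log the user out everywhere rather than just rejecting this call.
        revoke_user(s["user"])
        return None
    s["expires"] = now + SESSION_TTL   # sliding expiry on use
    return s["user"]


def revoke_user(user_id):
    """Logs the user out on every device, e.g. on password change or reported theft."""
    for tok in [t for t, s in _sessions.items() if s["user"] == user_id]:
        del _sessions[tok]
```

Device binding raises the bar rather than closing the hole, since whoever can read the token from the device may be able to read the device identifier too; the expiry and the revocation path are what limit how long a stolen token stays valuable.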

Brute Force Hack

Many users keep simple passwords, and there are many tools that attempt to break into an app using a list of the most popular passwords.

Many apps send a 4-5 digit PIN to the end user's device for authentication; if there is no strong check on retry attempts, one can try every possible combination and reset the password.
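A five-digit PIN has only 100,000 values, so the check on retries is the whole defence. The following is an added example (not the post's code) of issuing and verifying such a PIN with the properties that make guessing impractical: a short lifetime, a single use, a small attempt budget after which even the right PIN is refused, and a constant-time comparison. The five-minute lifetime, the five-attempt limit and the injected clock are assumptions made for the example.

```python
import hmac
import secrets
import time

# Constructed example (not the post's code): short-lived, single-use reset PINs
# with a per-user attempt budget.
PIN_DIGITS = 5
PIN_TTL = 5 * 60        # seconds a PIN stays valid (assumed value)
MAX_ATTEMPTS = 5        # wrong guesses allowed before the PIN is dead (assumed value)
_pending = {}           # user_id -> {"pin": str, "expires": float, "attempts": int}


def issue_pin(user_id, now=None):
    """Generates a fresh PIN; issuing a new one discards any earlier PIN and its attempts."""
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"   # CSPRNG, zero-padded
    _pending[user_id] = {"pin": pin, "expires": now + PIN_TTL, "attempts": 0}
    return pin   # delivered to the user's device out of band


def verify_pin(user_id, guess, now=None):
    """Returns True once for the correct PIN; every wrong guess counts toward lockout."""
    now = time.time() if now is None else now
    p = _pending.get(user_id)
    if p is None:
        return False
    if now > p["expires"]:
        del _pending[user_id]
        return False
    if p["attempts"] >= MAX_ATTEMPTS:
        return False               # locked: the correct PIN no longer works either
    p["attempts"] += 1
    if hmac.compare_digest(p["pin"], str(guess)):
        del _pending[user_id]      # single use
        return True
    return False
```

Rate limiting on the issue step matters as well, otherwise the attacker simply requests a fresh PIN every five attempts; the same attempt-budget idea applies to password logins, where it is what blunts the popular-password lists mentioned above.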

Manipulating Infrastructure Vulnerability

Assume the app uses a raw IP address for HTTP communication; a hacker can then try other ports and common URL patterns such as /admin, /manager or /phpMyAdmin to reach these developer tools and eventually access the data.

To summarize, these are just a few of the ways to hack an app with the least amount of technical knowledge. There are more advanced methods, such as MAC spoofing, reading local cache files and exploiting OS and network vulnerabilities, which are mostly used by advanced hackers.