<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.8.5">Jekyll</generator><link href="/feed.xml" rel="self" type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" /><updated>2020-01-21T11:50:27+00:00</updated><id>/feed.xml</id><title type="html">InsaneSecurity</title><subtitle>An insanely website about security.</subtitle><author><name>Filipe Reis</name></author><entry><title type="html">CVE-2016-4056 – Stored Cross-Site Scripting in TYPO3 Bookmarks</title><link href="/advisory/cve-2016-4056/" rel="alternate" type="text/html" title="CVE-2016-4056 – Stored Cross-Site Scripting in TYPO3 Bookmarks" /><published>2016-02-24T10:00:00+00:00</published><updated>2016-02-24T10:00:00+00:00</updated><id>/advisory/cve-2016-4056</id><content type="html" xml:base="/advisory/cve-2016-4056/">&lt;h1 id=&quot;1-vulnerability-properties&quot;&gt;1. Vulnerability Properties&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Title:&lt;/strong&gt; Stored Cross-Site Scripting in TYPO3 Bookmarks&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;CVE ID:&lt;/strong&gt; CVE-2016-4056&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;CVSSv3 Base Score:&lt;/strong&gt; 4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Vendor:&lt;/strong&gt; TYPO3&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Products:&lt;/strong&gt; TYPO3 Core (6.2.x)&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Advisory Release Date:&lt;/strong&gt; 24 February 2016&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Advisory URL:&lt;/strong&gt; https://labs.integrity.pt/advisories/cve-pending-stored-cross-site-scripting-in-typo3-bookmarks&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Credits:&lt;/strong&gt; Discovery by Filipe Reis &amp;lt;fr[at]integrity.pt&amp;gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;2-vulnerability-summary&quot;&gt;2. Vulnerability Summary&lt;/h1&gt;

&lt;p&gt;TYPO3 core is vulnerable to stored cross-site scripting when a bookmark is created.&lt;/p&gt;

&lt;h1 id=&quot;3-technical-details&quot;&gt;3. Technical Details&lt;/h1&gt;

&lt;p&gt;This Stored-XSS can be exploited when a new bookmark is created.&lt;/p&gt;

&lt;p&gt;To replicate this issue, go to any page and click on &lt;strong&gt;“Create a bookmark to this page”&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2016/02/cve-2016-4056/1.png&quot; alt=&quot;image1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Click OK.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2016/02/cve-2016-4056/2.png&quot; alt=&quot;image2&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Now grab the &lt;strong&gt;POST&lt;/strong&gt; request that is sent to the server and change the &lt;strong&gt;“module”&lt;/strong&gt; parameter to your payload.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2016/02/cve-2016-4056/3.png&quot; alt=&quot;image3&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The response of this request will be the following:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2016/02/cve-2016-4056/4.png&quot; alt=&quot;image4&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The page then redirects and the Stored-XSS is rendered.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2016/02/cve-2016-4056/5.png&quot; alt=&quot;image5&quot; /&gt;&lt;/p&gt;

&lt;h1 id=&quot;4-vulnerable-versions&quot;&gt;4. Vulnerable Versions&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;TYPO3 6.2.x&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;5-solution&quot;&gt;5. Solution&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;Update to TYPO3 6.2.19 or latest.&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;6-vulnerability-timeline&quot;&gt;6. Vulnerability Timeline&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;February 15, 2016 — &lt;strong&gt;Bug reported to TYPO3&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;February 15, 2016 — &lt;strong&gt;TYPO3 team&lt;/strong&gt; acknowledges the vulnerability&lt;/li&gt;
  &lt;li&gt;February 23, 2016 — &lt;strong&gt;TYPO3 team&lt;/strong&gt; releases a new version&lt;/li&gt;
  &lt;li&gt;February 24, 2016 — &lt;strong&gt;Public disclosure&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;</content><author><name>Filipe Reis</name></author><category term="advisory" /><summary type="html">1. Vulnerability Properties Title: Stored Cross-Site Scripting in TYPO3 Bookmarks CVE ID: CVE-2016-4056 CVSSv3 Base Score: 4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N) Vendor: TYPO3 Products: TYPO3 Core (6.2.x) Advisory Release Date: 24 February 2016 Advisory URL: https://labs.integrity.pt/advisories/cve-pending-stored-cross-site-scripting-in-typo3-bookmarks Credits: Discovery by Filipe Reis &amp;lt;fr[at]integrity.pt&amp;gt; 2. Vulnerability Summary TYPO3 core is vulnerable to stored cross-site scripting when a bookmark is created. 3. Technical Details This Stored-XSS can be exploited when a new bookmark is created. To replicate this issue we go to any page and click on “Create a bookmark to this page”. Click OK. And now grab the POST request that is being passed to the server and change the module” parameter to your payload. The response of this request will be the following: Now the page will redirect and the Stored-XSS will be there. 4. Vulnerable Versions TYPO3 6.2.x 5. Solution Update to TYPO3 6.2.19 or latest. 6. Vulnerability Timeline February 15, 2016 — Bug reported to TYPO3 February 15, 2016 — TYPO3 team acknowledges the vulnerability February 23, 2016 — TYPO3 team releases a new version February 24, 2016 — Public disclosure</summary></entry><entry><title type="html">CVE-2015-7342 - Multiple SQL Injection in JNews Joomla Component</title><link href="/advisory/cve-2015-7342/" rel="alternate" type="text/html" title="CVE-2015-7342 - Multiple SQL Injection in JNews Joomla Component" /><published>2015-10-28T10:03:00+00:00</published><updated>2015-10-28T10:03:00+00:00</updated><id>/advisory/cve-2015-7342</id><content type="html" xml:base="/advisory/cve-2015-7342/">&lt;h1 id=&quot;1-vulnerability-properties&quot;&gt;1. Vulnerability Properties&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Title:&lt;/strong&gt; Multiple SQL Injection in JNews Joomla Component&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;CVE ID:&lt;/strong&gt; CVE-2015-7342&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;CVSSv3 Base Score:&lt;/strong&gt; 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Vendor:&lt;/strong&gt; Joobi&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Products:&lt;/strong&gt; JNews Core(8.3.1)&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Advisory Release Date:&lt;/strong&gt; 28 October 2015&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Advisory URL:&lt;/strong&gt; https://labs.integrity.pt/advisories/cve-2015-7342&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Credits:&lt;/strong&gt; Discovery by Fábio Pires &amp;lt;fp[at]integrity.pt&amp;gt;, Filipe Reis &amp;lt;fr[at]integrity.pt&amp;gt;, Vitor Oliveira &amp;lt;vo[at]integrity.pt&amp;gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;2-vulnerability-summary&quot;&gt;2. Vulnerability Summary&lt;/h1&gt;

&lt;p&gt;The JNews component is vulnerable to multiple SQL injections inside the backoffice.&lt;/p&gt;

&lt;h1 id=&quot;3-technical-details&quot;&gt;3. Technical Details&lt;/h1&gt;

&lt;h2 id=&quot;1--sql-injection-error-based&quot;&gt;#1 – SQL Injection (error based):&lt;/h2&gt;

&lt;p&gt;To replicate the issue go to:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Administration &amp;gt; Components &amp;gt; JNews &amp;gt; Templates &amp;gt; &amp;lt;choose a template&amp;gt; &amp;gt; upload thumbnail&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7342/1.png&quot; alt=&quot;image1&quot; /&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Upload a thumbnail, grab the request, and inject into the &lt;strong&gt;filename&lt;/strong&gt; parameter.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7342/2.png&quot; alt=&quot;image2&quot; /&gt;&lt;/p&gt;

&lt;p&gt;With this we get the following response (as you can see in the response, we broke the SQL query):&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7342/3.png&quot; alt=&quot;image3&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Now we inject our SQL query into the parameter &lt;strong&gt;filename&lt;/strong&gt;:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7342/4.png&quot; alt=&quot;image4&quot; /&gt;&lt;/p&gt;

&lt;p&gt;And we get the response with the proof.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7342/5.png&quot; alt=&quot;image5&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;2--sql-injection-error-based&quot;&gt;#2 – SQL Injection (error based):&lt;/h2&gt;

&lt;p&gt;To replicate the issue go to:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Administration &amp;gt; Components &amp;gt; JNews &amp;gt; Queue &amp;gt; &lt;strong&gt;Search Field&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7342/6.png&quot; alt=&quot;image6&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Do a search and grab the request; the injection point is the parameter &lt;strong&gt;mailingsearch&lt;/strong&gt;:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7342/7.png&quot; alt=&quot;image7&quot; /&gt;&lt;/p&gt;

&lt;p&gt;With this we get the following response (as you can see in the response, we broke the SQL query):&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7342/8.png&quot; alt=&quot;image8&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Now we inject our SQL query into the parameter &lt;strong&gt;mailingsearch&lt;/strong&gt;:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7342/9.png&quot; alt=&quot;image9&quot; /&gt;&lt;/p&gt;

&lt;p&gt;And we get the response with the proof.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7342/10.png&quot; alt=&quot;image10&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;3--sql-injection-error-based&quot;&gt;#3 – SQL Injection (error based):&lt;/h2&gt;

&lt;p&gt;To replicate the issue go to:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Administration &amp;gt; Components &amp;gt; JNews &amp;gt; Subscribers &amp;gt; &lt;strong&gt;Search Field&lt;/strong&gt;&lt;br /&gt;
Administration &amp;gt; Components &amp;gt; JNews &amp;gt; Newsletters &amp;gt; &lt;strong&gt;Search Field&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7342/11.png&quot; alt=&quot;image11&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Do a search and grab the request; the injection point is the parameter &lt;strong&gt;emailsearch&lt;/strong&gt;:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7342/12.png&quot; alt=&quot;image12&quot; /&gt;&lt;/p&gt;

&lt;p&gt;With this we get the following response (as you can see in the response, we broke the SQL query):&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7342/13.png&quot; alt=&quot;image13&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Now we inject our SQL query into the parameter &lt;strong&gt;emailsearch&lt;/strong&gt;:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7342/14.png&quot; alt=&quot;image14&quot; /&gt;&lt;/p&gt;

&lt;p&gt;And we get the response with the proof.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7342/15.png&quot; alt=&quot;image15&quot; /&gt;&lt;/p&gt;

&lt;h1 id=&quot;4-vulnerable-versions&quot;&gt;4. Vulnerable Versions&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;JNews 8.3.1&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;5-solution&quot;&gt;5. Solution&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;Update to JNews 8.5.0 or latest.&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;6-vulnerability-timeline&quot;&gt;6. Vulnerability Timeline&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;September 01, 2015 — &lt;strong&gt;Bug reported to Joobi&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;September 02, 2015 — &lt;strong&gt;Joobi team&lt;/strong&gt; acknowledges the vulnerability&lt;/li&gt;
  &lt;li&gt;September 20, 2015 — &lt;strong&gt;Joobi team&lt;/strong&gt; releases a new version&lt;/li&gt;
  &lt;li&gt;October 28, 2015 — &lt;strong&gt;Public disclosure&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;7-references&quot;&gt;7. References&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;http://www.joobi.co/blog/jnews-8-5-x-released.html&quot;&gt;http://www.joobi.co/blog/jnews-8-5-x-released.html&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</content><author><name>Filipe Reis</name></author><category term="advisory" /><summary type="html">1. Vulnerability Properties Title: Multiple SQL Injection in JNews Joomla Component CVE ID: CVE-2015-7342 CVSSv3 Base Score: 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L) Vendor: Joobi Products: JNews Core(8.3.1) Advisory Release Date: 28 October 2015 Advisory URL: https://labs.integrity.pt/advisories/cve-2015-7342 Credits: Discovery by Fábio Pires &amp;lt;fp[at]integrity.pt&amp;gt;, Filipe Reis &amp;lt;fr[at]integrity.pt&amp;gt;, Vitor Oliveira &amp;lt;vo[at]integrity.pt&amp;gt; 2. Vulnerability Summary JNews component is vulnerable to Multiple SQL Injection, inside the backoffice. 3. Technical Details #1 – SQL Injection (error based): To replicate the issue go to: Administration &amp;gt; Components &amp;gt; JNews &amp;gt; Templates &amp;gt; &amp;gt; upload thumbnail Upload a thumbnail and grab the request and inject into the filename parameter. With this we get the following response (as you can see on the response we broke the SQL query): Now we inject with our SQL query into the parameter filename: And we get the response with the proof. #2 – SQL Injection (error based): To replicate the issue go to: Administration &amp;gt; Components &amp;gt; JNews &amp;gt; Queue &amp;gt; Search Field Do a search and grab the request, the injection point is the parameter mailingsearch: With this we get the following response (as you can see on the response we broke the SQL query): Now we inject with our SQL query into the parameter mailingsearch: And we get the response with the proof. 
#3 – SQL Injection (error based): To replicate the issue go to: Administration &amp;gt; Components &amp;gt; JNews &amp;gt; Subscribers &amp;gt; Search Field Administration &amp;gt; Components &amp;gt; JNews &amp;gt; Newsletters &amp;gt; Search Field Do a search and grab the request, the injection point is the parameter emailsearch: With this we get the following response (as you can see on the response we broke the SQL query): Now we inject with our SQL query into the parameter emailsearch: And we get the response with the proof. 4. Vulnerable Versions JNews 8.3.1 5. Solution Update to JNews 8.5.0 or latest. 6. Vulnerability Timeline September 01, 2015 — Bug reported to Joobi September 02, 2015 — Joobi team acknowledges the vulnerability September 20, 2015 — Joobi team releases a new version October 28, 2015 — Public disclosure 7. References http://www.joobi.co/blog/jnews-8-5-x-released.html</summary></entry><entry><title type="html">CVE-2015-7340 - SQL Injection in JEvents Joomla Component</title><link href="/advisory/cve-2015-7340/" rel="alternate" type="text/html" title="CVE-2015-7340 - SQL Injection in JEvents Joomla Component" /><published>2015-10-28T10:01:00+00:00</published><updated>2015-10-28T10:01:00+00:00</updated><id>/advisory/cve-2015-7340</id><content type="html" xml:base="/advisory/cve-2015-7340/">&lt;h1 id=&quot;1-vulnerability-properties&quot;&gt;1. Vulnerability Properties&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Title:&lt;/strong&gt; SQL Injection in JEvents Joomla Component&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;CVE ID:&lt;/strong&gt; CVE-2015-7340&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;CVSSv3 Base Score:&lt;/strong&gt; 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Vendor:&lt;/strong&gt; JEvents&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Products:&lt;/strong&gt; JEvents (3.4.0RC5)&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Advisory Release Date:&lt;/strong&gt; 28 October 2015&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Advisory URL:&lt;/strong&gt; https://labs.integrity.pt/advisories/cve-2015-7340&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Credits:&lt;/strong&gt; Discovery by Fábio Pires &amp;lt;fp[at]integrity.pt&amp;gt;, Filipe Reis &amp;lt;fr[at]integrity.pt&amp;gt;, Vitor Oliveira &amp;lt;vo[at]integrity.pt&amp;gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;2-vulnerability-summary&quot;&gt;2. Vulnerability Summary&lt;/h1&gt;

&lt;p&gt;The JEvents component is vulnerable to SQL injection when creating new events, inside the backoffice.&lt;/p&gt;

&lt;h1 id=&quot;3-technical-details&quot;&gt;3. Technical Details&lt;/h1&gt;

&lt;p&gt;To replicate the issue go to:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Administration &amp;gt; Components &amp;gt; JEvents &amp;gt; Manage Events &amp;gt; New&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7340/1.png&quot; alt=&quot;image1&quot; /&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Create an event and click on &lt;strong&gt;Save&lt;/strong&gt;.&lt;/li&gt;
  &lt;li&gt;Get the request and change the parameter &lt;strong&gt;evid&lt;/strong&gt; to a value &amp;gt; 0 (this should be the future id of the event; if this is the first event being created, the value to insert should be 1).&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Note:&lt;/strong&gt; Check that the parameter &lt;strong&gt;updaterepeats&lt;/strong&gt; is 1; if not, change it to 1.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7340/2.png&quot; alt=&quot;image2&quot; /&gt;&lt;/p&gt;

&lt;p&gt;With this we get the following response (as you can see in the response, we broke the SQL query):&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7340/3.png&quot; alt=&quot;image3&quot; /&gt;&lt;/p&gt;

&lt;p&gt;This corresponds in the code to: &lt;strong&gt;/joomla/administration/com_jevents/controllers/icalevent.php&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7340/4.png&quot; alt=&quot;image4&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Now we inject our SQL query into the parameter &lt;strong&gt;evid&lt;/strong&gt;:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7340/5.png&quot; alt=&quot;image5&quot; /&gt;&lt;/p&gt;

&lt;p&gt;And we get the response with the proof.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7340/6.png&quot; alt=&quot;image6&quot; /&gt;&lt;/p&gt;

&lt;h1 id=&quot;4-vulnerable-versions&quot;&gt;4. Vulnerable Versions&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;JEvents (3.4.0RC5)&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;5-solution&quot;&gt;5. Solution&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;Upgrade to JEvents 3.4.0 RC6 or latest version&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;6-vulnerability-timeline&quot;&gt;6. Vulnerability Timeline&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;September 01, 2015 — &lt;strong&gt;Bug reported to JEvents&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;September 01, 2015 — &lt;strong&gt;JEvents team&lt;/strong&gt; acknowledges the vulnerability&lt;/li&gt;
  &lt;li&gt;September 02, 2015 — &lt;strong&gt;JEvents team releases a new version&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;October 28, 2015 — &lt;strong&gt;Public disclosure&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;7-references&quot;&gt;7. References&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.jevents.net/download-area/jevents/item/jevents-3-4&quot;&gt;https://www.jevents.net/download-area/jevents/item/jevents-3-4&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</content><author><name>Filipe Reis</name></author><category term="advisory" /><summary type="html">1. Vulnerability Properties Title: SQL Injection in JEvents Joomla Component CVE ID: CVE-2015-7340 CVSSv3 Base Score: 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L) Vendor: JEvents Products: JEvents (3.4.0RC5) Advisory Release Date: 28 October 2015 Advisory URL: https://labs.integrity.pt/advisories/cve-2015-7340 Credits: Discovery by Fábio Pires &amp;lt;fp[at]integrity.pt&amp;gt;, Filipe Reis &amp;lt;fr[at]integrity.pt&amp;gt;, Vitor Oliveira &amp;lt;vo[at]integrity.pt&amp;gt; 2. Vulnerability Summary JEvents component is vulnerable to SQL Injection on new events, inside the backoffice. 3. Technical Details To replicate the issue go to: Administration &amp;gt; Components &amp;gt; JEvents &amp;gt; Manage Events &amp;gt; New Create an event and click on Save. Get the request and change the parameter evid to a value &amp;gt; 0 (this should be the future id of the event. If this is the first time creating the event 1 should be the value to insert). Note: Check if the parameter updaterepeats is 1, if not change it to 1. With this we get the following response (as you can see on the response we broke the SQL query): This corresponds on the code to: /joomla/administration/com_jevents/controllers/icalevent.php Now we inject with our SQL query into the parameter evid: And we get the response with the proof. 4. Vulnerable Versions JEvents (3.4.0RC5) 5. Solution Upgrade to JEvents 3.4.0 RC6 or latest version 6. Vulnerability Timeline September 01, 2015 — Bug reported to JEvents September 01, 2015 — JEvents team acknowledges the vulnerability September 02, 2015 — JEvents team releases a new version October 28, 2015 — Public disclosure 7. 
References https://www.jevents.net/download-area/jevents/item/jevents-3-4</summary></entry><entry><title type="html">CVE-2015-7338 - SQL Injection in AcyMailing Joomla Component</title><link href="/advisory/cve-2015-7338/" rel="alternate" type="text/html" title="CVE-2015-7338 - SQL Injection in AcyMailing Joomla Component" /><published>2015-10-28T10:00:00+00:00</published><updated>2015-10-28T10:00:00+00:00</updated><id>/advisory/cve-2015-7338</id><content type="html" xml:base="/advisory/cve-2015-7338/">&lt;h1 id=&quot;1-vulnerability-properties&quot;&gt;1. Vulnerability Properties&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Title:&lt;/strong&gt; SQL Injection in AcyMailing Joomla Component&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;CVE ID:&lt;/strong&gt; CVE-2015-7338&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;CVSSv3 Base Score:&lt;/strong&gt; 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Vendor:&lt;/strong&gt; Acyba&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Products:&lt;/strong&gt; AcyMailing&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Advisory Release Date:&lt;/strong&gt; 28 October 2015&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Advisory URL:&lt;/strong&gt; https://labs.integrity.pt/advisories/cve-2015-7338&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Credits:&lt;/strong&gt; Discovery by Fábio Pires &amp;lt;fp[at]integrity.pt&amp;gt;, Filipe Reis &amp;lt;fr[at]integrity.pt&amp;gt;, Vitor Oliveira &amp;lt;vo[at]integrity.pt&amp;gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;2-vulnerability-summary&quot;&gt;2. Vulnerability Summary&lt;/h1&gt;

&lt;p&gt;The AcyMailing component is vulnerable to SQL injection in the export controller, inside the backoffice.&lt;/p&gt;

&lt;h1 id=&quot;3-technical-details&quot;&gt;3. Technical Details&lt;/h1&gt;

&lt;p&gt;To replicate the issue go to:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Joomla &amp;gt; Components &amp;gt; AcyMailing &amp;gt; Users &amp;gt; Export (and make the export)&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7338/1.png&quot; alt=&quot;image1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Then grab the request from the export and modify it by adding the two missing parameters:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;exportdatageoloc[geolocation_longitude]=test&amp;amp;exportgeolocorder='&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The array key in &lt;strong&gt;exportdatageoloc&lt;/strong&gt; must be an existing column of the acymailing_geolocation table.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7338/2.png&quot; alt=&quot;image2&quot; /&gt;&lt;/p&gt;

&lt;p&gt;With this we get the following response (as you can see in the response, we broke the SQL query):&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7338/3.png&quot; alt=&quot;image3&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Now we inject our SQL query into the parameter &lt;strong&gt;exportgeolocorder&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7338/4.png&quot; alt=&quot;image4&quot; /&gt;&lt;/p&gt;

&lt;p&gt;And we get the response with the proof.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7338/5.png&quot; alt=&quot;image5&quot; /&gt;&lt;/p&gt;

&lt;h1 id=&quot;4-vulnerable-versions&quot;&gt;4. Vulnerable Versions&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;AcyMailing 4.9.4&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;5-solution&quot;&gt;5. Solution&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;Upgrade to AcyMailing 4.9.5 or latest.&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;6-vulnerability-timeline&quot;&gt;6. Vulnerability Timeline&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;September 01, 2015 — &lt;strong&gt;Bug reported to Acyba&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;September 02, 2015 — &lt;strong&gt;Acyba team&lt;/strong&gt; acknowledges the vulnerability&lt;/li&gt;
  &lt;li&gt;October 14, 2015 — &lt;strong&gt;Acyba team&lt;/strong&gt; releases a new version&lt;/li&gt;
  &lt;li&gt;October 28, 2015 — &lt;strong&gt;Public disclosure&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;7-references&quot;&gt;7. References&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.acyba.com/acymailing/68-acymailing-changelog.html&quot;&gt;https://www.acyba.com/acymailing/68-acymailing-changelog.html&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</content><author><name>Filipe Reis</name></author><category term="advisory" /><summary type="html">1. Vulnerability Properties Title: SQL Injection in AcyMailing Joomla Component CVE ID: CVE-2015-7338 CVSSv3 Base Score: 6.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L) Vendor: Acyba Products: AcyMailing Advisory Release Date: 28 October 2015 Advisory URL: https://labs.integrity.pt/advisories/cve-2015-7338 Credits: Discovery by Fábio Pires &amp;lt;fp[at]integrity.pt&amp;gt;, Filipe Reis &amp;lt;fr[at]integrity.pt&amp;gt;, Vitor Oliveira &amp;lt;vo[at]integrity.pt&amp;gt; 2. Vulnerability Summary AcyMailing component is vulnerable to SQL Injection on export controller, inside the backoffice. 3. Technical Details To replicate the issue go to: Joomla &amp;gt; Components &amp;gt; AcyMailing &amp;gt; Users &amp;gt; Export (and make the export) Then grab the request from the export and modify it by adding the two missing parameters: exportdatageoloc[geolocation_longitude]=test&amp;amp;exportgeolocorder=’ Note: The array position from explortdatageoloc must be an existing column from acymailing_geolocation table. With this we get the following response (as you can see on the response we broke the SQL query): Now we inject with our SQL query into the parameter exportgeolocorder. And we get the response with the proof. 4. Vulnerable Versions AcyMailing (4.9.4). 5. Solution Upgrade to AcyMailing 4.9.5 or latest. 6. Vulnerability Timeline September 01, 2015 — Bug reported to Acyba September 02, 2015 — Acyba team acknowledges the vulnerability October 14, 2015 — Acyba team releases a new version October 28, 2015 — Public disclosure 7. 
References https://www.acyba.com/acymailing/68-acymailing-changelog.html</summary></entry><entry><title type="html">CVE-2015-7344 - Cross-Site Scripting in HikaShop Joomla Component</title><link href="/advisory/cve-2015-7344/" rel="alternate" type="text/html" title="CVE-2015-7344 - Cross-Site Scripting in HikaShop Joomla Component" /><published>2015-10-15T10:03:00+00:00</published><updated>2015-10-15T10:03:00+00:00</updated><id>/advisory/cve-2015-7344</id><content type="html" xml:base="/advisory/cve-2015-7344/">&lt;h1 id=&quot;1-vulnerability-properties&quot;&gt;1. Vulnerability Properties&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Title:&lt;/strong&gt; Cross-Site Scripting in HikaShop Joomla Component&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;CVE ID:&lt;/strong&gt; CVE-2015-7344&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;CVSSv3 Base Score:&lt;/strong&gt; 2.4 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N)&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Vendor:&lt;/strong&gt; HikaShop&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Products:&lt;/strong&gt; HikaShop&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Advisory Release Date:&lt;/strong&gt; 15 October 2015&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Advisory URL:&lt;/strong&gt; https://labs.integrity.pt/advisories/cve-2015-7344&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Credits:&lt;/strong&gt; Discovery by Fábio Pires &amp;lt;fp[at]integrity.pt&amp;gt;, Filipe Reis &amp;lt;fr[at]integrity.pt&amp;gt;, Vitor Oliveira &amp;lt;vo[at]integrity.pt&amp;gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;2-vulnerability-summary&quot;&gt;2. Vulnerability Summary&lt;/h1&gt;

&lt;p&gt;HikaShop’s plugin is vulnerable to cross-site scripting (XSS) on the update controller, inside the backoffice.&lt;/p&gt;

&lt;h1 id=&quot;3-technical-details&quot;&gt;3. Technical Details&lt;/h1&gt;

&lt;p&gt;This XSS can only be exploited in the control panel, so it’s not that critical.&lt;/p&gt;

&lt;p&gt;Anyway, as you can see in the source code, there are three variables that receive values from &lt;strong&gt;getString&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7344/1.png&quot; alt=&quot;image1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;By looking at the &lt;a href=&quot;https://docs.joomla.org/API15:JRequest/getString&quot;&gt;documentation&lt;/a&gt; you can see that:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Fetches and returns a given filtered variable. The string filter deletes ‘bad’ HTML code, if not overridden by the mask. This is currently only a proxy function for getVar().&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;By “mask” they mean &lt;a href=&quot;https://docs.joomla.org/Secure_coding_guidelines#Filter_options&quot;&gt;this&lt;/a&gt;:&lt;/p&gt;

&lt;p&gt;TL;DR: “Converts the input to a plain text string; strips all tags / attributes.”&lt;/p&gt;

&lt;p&gt;So, you can’t use tags like &lt;strong&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;&quot;&amp;gt;&amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;&lt;/code&gt;&lt;/strong&gt; or &lt;strong&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;&quot;&amp;gt;&amp;lt;img src=X onerror=alert(1)&amp;gt;&lt;/code&gt;&lt;/strong&gt;, but you can close the string with a “quote” and keep writing HTML attributes.&lt;/p&gt;

&lt;p&gt;To replicate this XSS you can use the following payload: &lt;strong&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;&quot;onmouseover%3d&quot;alert('XSS')&quot;&lt;/code&gt;&lt;/strong&gt; (for example) in front of any of the three vulnerable parameters (&lt;strong&gt;field_id, field_type, field_namekey&lt;/strong&gt;).&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Request:&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7344/2.png&quot; alt=&quot;image2&quot; /&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Response:&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7344/3.png&quot; alt=&quot;image3&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The original URL request is:&lt;br /&gt;
&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;http://&amp;lt;joomla url&amp;gt;/administrator/index.php?option=com_hikashop&amp;amp;ctrl=update&amp;amp;task=state&amp;amp;tmpl=component&amp;amp;field_type=address_country&amp;amp;field_id=address_state&amp;amp;field_namekey=address_state&amp;amp;namekey=country_Portugal_171&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Below you can see an image of the XSS on one of those fields.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7344/4.png&quot; alt=&quot;image4&quot; /&gt;&lt;/p&gt;

&lt;h1 id=&quot;4-vulnerable-versions&quot;&gt;4. Vulnerable Versions&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;2.5.0&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;5-solution&quot;&gt;5. Solution&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;Update to Hikashop 2.6.0&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;6-vulnerability-timeline&quot;&gt;6. Vulnerability Timeline&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;September 01, 2015 — &lt;strong&gt;Bug reported to Hikashop&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;September 01, 2015 — &lt;strong&gt;Hikashop’s team&lt;/strong&gt; replied asking for more info&lt;/li&gt;
  &lt;li&gt;September 24, 2015 — &lt;strong&gt;Bug fixed&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;October 15, 2015 — &lt;strong&gt;Public disclosure&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;</content><author><name>Filipe Reis</name></author><category term="advisory" /></entry><entry><title type="html">CVE-2015-7343 - Reflected Cross-Site Scripting in JNews Joomla Component</title><link href="/advisory/cve-2015-7343/" rel="alternate" type="text/html" title="CVE-2015-7343 - Reflected Cross-Site Scripting in JNews Joomla Component" /><published>2015-10-15T10:02:00+00:00</published><updated>2015-10-15T10:02:00+00:00</updated><id>/advisory/cve-2015-7343</id><content type="html" xml:base="/advisory/cve-2015-7343/">&lt;h1 id=&quot;1-vulnerability-properties&quot;&gt;1. Vulnerability Properties&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Title:&lt;/strong&gt; Cross-Site Scripting in JNews Joomla Component&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;CVE ID:&lt;/strong&gt; CVE-2015-7343&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;CVSSv3 Base Score:&lt;/strong&gt; 6.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L)&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Vendor:&lt;/strong&gt; Joobi&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Products:&lt;/strong&gt; JNews Core&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Advisory Release Date:&lt;/strong&gt; 28 October 2015&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Advisory URL:&lt;/strong&gt; https://labs.integrity.pt/advisories/cve-2015-7343&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Credits:&lt;/strong&gt; Discovery by Fábio Pires &amp;lt;fp[at]integrity.pt&amp;gt;, Filipe Reis &amp;lt;fr[at]integrity.pt&amp;gt;, Vitor Oliveira &amp;lt;vo[at]integrity.pt&amp;gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;2-vulnerability-summary&quot;&gt;2. Vulnerability Summary&lt;/h1&gt;

&lt;p&gt;The JNews Joomla extension is vulnerable to Reflected Cross-Site Scripting in the mailingsearch parameter.&lt;/p&gt;

&lt;h1 id=&quot;3-technical-details&quot;&gt;3. Technical Details&lt;/h1&gt;

&lt;p&gt;By submitting the following POST request, it is possible to inject JavaScript code into the server response, which is executed when the page is loaded.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Request&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7343/1.png&quot; alt=&quot;image1&quot; /&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Response&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7343/2.png&quot; alt=&quot;image2&quot; /&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Webpage&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7343/3.png&quot; alt=&quot;image3&quot; /&gt;&lt;/p&gt;

&lt;p&gt;This vulnerability can be exploited from the Joomla back-end (/administrator), but it can also be exploited with a simple &lt;strong&gt;Registered&lt;/strong&gt; account.&lt;/p&gt;

&lt;h1 id=&quot;4-vulnerable-versions&quot;&gt;4. Vulnerable Versions&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;8.3.1&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;5-solution&quot;&gt;5. Solution&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;Update to 8.5.0&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;6-vulnerability-timeline&quot;&gt;6. Vulnerability Timeline&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;September 01, 2015 — &lt;strong&gt;Bug reported to Joobi&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;September 02, 2015 — &lt;strong&gt;JNews’s team&lt;/strong&gt; replied asking for more info&lt;/li&gt;
  &lt;li&gt;September 24, 2015 — &lt;strong&gt;JNews’s team&lt;/strong&gt; released a new version&lt;/li&gt;
  &lt;li&gt;October 28, 2015 — &lt;strong&gt;Public disclosure&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;</content><author><name>Filipe Reis</name></author><category term="advisory" /><summary type="html">1. Vulnerability Properties Title: Cross-Site Scripting in JNews Joomla Component CVE ID: CVE-2015-7343 CVSSv3 Base Score: 6.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L) Vendor: Joobi Products: JNews Core Advisory Release Date: 28 October 2015 Advisory URL: https://labs.integrity.pt/advisories/cve-2015-7343 Credits: Discovery by Fábio Pires &amp;lt;fp[at]integrity.pt&amp;gt;, Filipe Reis &amp;lt;fr[at]integrity.pt&amp;gt;, Vitor Oliveira &amp;lt;vo[at]integrity.pt&amp;gt; 2. Vulnerability Summary The Jnews’s Joomla Extension is vulnerable to Reflected Cross-Site Scripting in the mailingsearch parameter. 3. Technical Details By submiting the following POST request, it is possible to inject javascript code in the server response that will be executed when the page is loaded. Request Response Webpage This vulnerability can be exploited from the back-end of joomla (/administrator), but it also can be exploited by using a simple Registered account. 4. Vulnerable Versions 8.3.1 5. Solution Update to 8.5.0 6. Vulnerability Timeline September 01, 2015 — Bug reported to Joobi September 02, 2015 — Jnews’s team replied asking more info September 24, 2015 — Jnews’s team releases a new version October 28, 2015 — Public disclosure</summary></entry><entry><title type="html">CVE-2015-7341 - Bypass File Upload Restriction in JNews Joomla Component</title><link href="/advisory/cve-2015-7341/" rel="alternate" type="text/html" title="CVE-2015-7341 - Bypass File Upload Restriction in JNews Joomla Component" /><published>2015-10-15T10:01:00+00:00</published><updated>2015-10-15T10:01:00+00:00</updated><id>/advisory/cve-2015-7341</id><content type="html" xml:base="/advisory/cve-2015-7341/">&lt;h1 id=&quot;1-vulnerability-properties&quot;&gt;1. Vulnerability Properties&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Title:&lt;/strong&gt; Bypass File Upload Restriction in JNews Joomla Component&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;CVE ID:&lt;/strong&gt; CVE-2015-7341&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;CVSSv3 Base Score:&lt;/strong&gt; 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Vendor:&lt;/strong&gt; Joobi&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Products:&lt;/strong&gt; JNews&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Advisory Release Date:&lt;/strong&gt; 15 October 2015&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Advisory URL:&lt;/strong&gt; https://labs.integrity.pt/advisories/cve-2015-7341&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Credits:&lt;/strong&gt; Discovery by Fábio Pires &amp;lt;fp[at]integrity.pt&amp;gt;, Filipe Reis &amp;lt;fr[at]integrity.pt&amp;gt;, Vitor Oliveira &amp;lt;vo[at]integrity.pt&amp;gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;2-vulnerability-summary&quot;&gt;2. Vulnerability Summary&lt;/h1&gt;

&lt;p&gt;This vulnerability allows a user to upload a malicious PHP file and gain control over the web server.&lt;/p&gt;

&lt;h1 id=&quot;3-technical-details&quot;&gt;3. Technical Details&lt;/h1&gt;

&lt;h2 id=&quot;31--unrestricted-file-upload-subscribers&quot;&gt;3.1- Unrestricted file upload [Subscribers]:&lt;/h2&gt;

&lt;p&gt;For this first upload form, we don’t even need to bypass the upload filter. Go to:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Administration &amp;gt; Components &amp;gt; Jnews &amp;gt; Subscribers &amp;gt; Import&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7341/1.png&quot; alt=&quot;image1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Choose a &lt;strong&gt;.php&lt;/strong&gt; file and upload it.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7341/2.png&quot; alt=&quot;image2&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The &lt;strong&gt;test.php&lt;/strong&gt; file will be uploaded to the server at the location: media/com_jnews/&lt;strong&gt;upload&lt;/strong&gt;test.php&lt;/p&gt;

&lt;p&gt;Please note that there is a simple bug here too: instead of saving the uploaded file into the &lt;strong&gt;upload&lt;/strong&gt; folder, the component just prepends the word &lt;em&gt;upload&lt;/em&gt; to the file name.&lt;/p&gt;

&lt;p&gt;That’s all, folks. You just need to issue a request to your webshell.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;GET Request: /bin/ls -la ../.. &amp;amp;&amp;amp; id&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7341/3.png&quot; alt=&quot;image3&quot; /&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Server Response of the previous command:&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7341/4.png&quot; alt=&quot;image4&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;32--unrestricted-file-upload-templates&quot;&gt;3.2- Unrestricted file upload [Templates]:&lt;/h2&gt;

&lt;p&gt;Here you can upload a simple zip file with a malicious php file inside:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7341/5.png&quot; alt=&quot;image5&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The content of the zip file needs to respect the following structure:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7341/6.png&quot; alt=&quot;image6&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The &lt;strong&gt;index.html&lt;/strong&gt; file needs to be inside the zip file too.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;That’s it.&lt;/strong&gt; You’ve got your shell; just use it under &lt;strong&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/media/com_jnews/templates/&amp;lt;zip-folder&amp;gt;/&amp;lt;shell.php&amp;gt;&lt;/code&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;GET Request: /bin/ls -la ../.. &amp;amp;&amp;amp; id&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7341/7.png&quot; alt=&quot;image7&quot; /&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Server Response of the previous command:&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7341/8.png&quot; alt=&quot;image8&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;33--bypass-file-extension-filter&quot;&gt;3.3- Bypass file extension filter&lt;/h2&gt;

&lt;p&gt;Some functions of &lt;strong&gt;JNews&lt;/strong&gt; allow you to upload files to the server; however, the files are filtered by their extension.&lt;/p&gt;

&lt;p&gt;The code located at &lt;strong&gt;lib.upload.php&lt;/strong&gt; is responsible for this validation, and it’s vulnerable. You can bypass it by simply uploading a &lt;strong&gt;.htaccess&lt;/strong&gt; file with PHP code inside, or by simply using the &lt;strong&gt;.php5&lt;/strong&gt; extension.&lt;/p&gt;

&lt;p&gt;So let’s check the code below:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7341/9.png&quot; alt=&quot;image9&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The default value of &lt;strong&gt;$exts&lt;/strong&gt; is &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;[&quot;php&quot;,&quot;phtm&quot;,&quot;phtml&quot;,&quot;php3&quot;,&quot;inc&quot;,&quot;exe&quot;,&quot;dmg&quot;]&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Since &lt;strong&gt;JNews&lt;/strong&gt; uses a blacklist filter approach, you can simply upload a file whose extension does not match any of the extensions above (a whitelist of permitted extensions would not have this problem).&lt;/p&gt;

&lt;h1 id=&quot;4-vulnerable-versions&quot;&gt;4. Vulnerable Versions&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;8.3.1&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;5-solution&quot;&gt;5. Solution&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;Update to 8.5.0&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;6-vulnerability-timeline&quot;&gt;6. Vulnerability Timeline&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;September 01, 2015 — &lt;strong&gt;Bug reported to Joobi&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;September 02, 2015 — &lt;strong&gt;JNews’s team&lt;/strong&gt; replied asking for more info&lt;/li&gt;
  &lt;li&gt;September 24, 2015 — &lt;strong&gt;JNews’s team&lt;/strong&gt; released a new version&lt;/li&gt;
  &lt;li&gt;October 15, 2015 — &lt;strong&gt;Public disclosure&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;</content><author><name>Filipe Reis</name></author><category term="advisory" /></entry><entry><title type="html">CVE-2015-7339 - Bypass File Upload Restriction in JCE Joomla Component</title><link href="/advisory/cve-2015-7339/" rel="alternate" type="text/html" title="CVE-2015-7339 - Bypass File Upload Restriction in JCE Joomla Component" /><published>2015-10-15T10:00:00+00:00</published><updated>2015-10-15T10:00:00+00:00</updated><id>/advisory/cve-2015-7339</id><content type="html" xml:base="/advisory/cve-2015-7339/">&lt;h1 id=&quot;1-vulnerability-properties&quot;&gt;1. Vulnerability Properties&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Title:&lt;/strong&gt; Bypass File Upload Restriction in JCE Joomla Component&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;CVE ID:&lt;/strong&gt; CVE-2015-7339&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;CVSSv3 Base Score:&lt;/strong&gt; 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Vendor:&lt;/strong&gt; Joomla Content Editor&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Products:&lt;/strong&gt; JCE&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Advisory Release Date:&lt;/strong&gt; 15 October 2015&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Advisory URL:&lt;/strong&gt; https://labs.integrity.pt/advisories/cve-2015-7339&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Credits:&lt;/strong&gt; Discovery by Fábio Pires &amp;lt;fp[at]integrity.pt&amp;gt;, Filipe Reis &amp;lt;fr[at]integrity.pt&amp;gt;, Vitor Oliveira &amp;lt;vo[at]integrity.pt&amp;gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;2-vulnerability-summary&quot;&gt;2. Vulnerability Summary&lt;/h1&gt;

&lt;p&gt;This issue allows a malicious user to bypass the file upload validation, from version 2.5.0 to 2.5.2.&lt;/p&gt;

&lt;h1 id=&quot;3-technical-details&quot;&gt;3. Technical Details&lt;/h1&gt;

&lt;p&gt;By using the JCE’s File Browser available on&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;Administration &amp;gt; Components &amp;gt; JCE Editor &amp;gt; Control Panel &amp;gt; File Browser&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;you will be able to bypass the upload validation system and upload a malicious image file with some PHP code in the EXIF headers (comments field).&lt;/p&gt;

&lt;p&gt;In the source code of &lt;strong&gt;/com_jce/editor/libraries/classes/browser.php&lt;/strong&gt; you can find the following validations:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7339/1.png&quot; alt=&quot;image1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;This code will check every uploaded file and look for the string &lt;strong&gt;&amp;lt;?php&lt;/strong&gt; inside it, but it only checks the short open tag version in the files specified in the &lt;strong&gt;preg_match&lt;/strong&gt; function.&lt;/p&gt;

&lt;p&gt;So, if you upload an image containing code with a short open tag and save it as a PHP file, you will be able to bypass this validation system.&lt;/p&gt;

&lt;p&gt;In order to explain the process, here are some images:&lt;/p&gt;

&lt;p&gt;1– Create an image file using short open tags and some PHP code in the comment field.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7339/2.png&quot; alt=&quot;image2&quot; /&gt;&lt;/p&gt;

&lt;p&gt;2– Upload the image file and change the &lt;strong&gt;name&lt;/strong&gt; field to a &lt;strong&gt;php&lt;/strong&gt; file extension (bypassing the JavaScript validation).&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7339/3.png&quot; alt=&quot;image3&quot; /&gt;&lt;/p&gt;

&lt;p&gt;3– The server will respond with a 200 OK, letting you know that the file was successfully uploaded.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7339/4.png&quot; alt=&quot;image4&quot; /&gt;&lt;/p&gt;

&lt;p&gt;4– The uploaded file will be in the folder you specified in the &lt;strong&gt;upload-dir&lt;/strong&gt; field.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7339/5.png&quot; alt=&quot;image5&quot; /&gt;&lt;/p&gt;

&lt;p&gt;5– The file can be executed, resulting in remote code execution.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/10/cve-2015-7339/6.png&quot; alt=&quot;image6&quot; /&gt;&lt;/p&gt;

&lt;p&gt;This issue becomes more critical if you allow users to use the JCE plugin as the primary plugin for comments.&lt;/p&gt;

&lt;p&gt;This vulnerability has been patched in the JCE version 2.5.3.&lt;/p&gt;

&lt;h1 id=&quot;4-vulnerable-versions&quot;&gt;4. Vulnerable Versions&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;From 2.5.0 to 2.5.2&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;5-solution&quot;&gt;5. Solution&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;Update to 2.5.3 or latest version available&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;6-vulnerability-timeline&quot;&gt;6. Vulnerability Timeline&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;September 01, 2015 — &lt;strong&gt;Bug reported to JCE&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;September 01, 2015 — &lt;strong&gt;JCE’s team&lt;/strong&gt; replied with a patched version to test&lt;/li&gt;
  &lt;li&gt;September 02, 2015 — &lt;strong&gt;JCE’s team&lt;/strong&gt; released a new version&lt;/li&gt;
  &lt;li&gt;October 15, 2015 — &lt;strong&gt;Public disclosure&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;7-references&quot;&gt;7. References&lt;/h1&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.joomlacontenteditor.net/news/item/jce-253-released&quot;&gt;https://www.joomlacontenteditor.net/news/item/jce-253-released&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</content><author><name>Filipe Reis</name></author><category term="advisory" /></entry><entry><title type="html">Open Redirect in LinkedIn and Yahoo</title><link href="/security/open-redirect-linkedin-yahoo/" rel="alternate" type="text/html" title="Open Redirect in LinkedIn and Yahoo" /><published>2015-09-24T10:00:00+00:00</published><updated>2015-09-24T10:00:00+00:00</updated><id>/security/open-redirect-linkedin-yahoo</id><content type="html" xml:base="/security/open-redirect-linkedin-yahoo/">&lt;p&gt;This all started as any other day. As pentesters, we come across many types of platforms and frameworks, and because of that we need to try to keep up with the developers.&lt;/p&gt;

&lt;p&gt;This time, Vitor Oliveira (&lt;a href=&quot;https://twitter.com/r0t1v&quot;&gt;@r0t1v&lt;/a&gt;) had to test a Node.js application. After some research he found a great website listing Node.js vulnerabilities, &lt;a href=&quot;https://nodesecurity.io&quot;&gt;https://nodesecurity.io&lt;/a&gt;. Since the client web app was using express.js, the next step was to look for known vulnerabilities in express.js.&lt;/p&gt;

&lt;p&gt;After a while he found an open-redirect vulnerability that had been disclosed by Pierre-Élie Fauché (&lt;a href=&quot;https://nodesecurity.io/advisories/serve-static-open-redirect&quot;&gt;https://nodesecurity.io/advisories/serve-static-open-redirect&lt;/a&gt;).&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;“When using serve-static middleware version &amp;lt; 1.7.2 and it’s configured to mount at the root it creates an open redirect on the site.&lt;/p&gt;

  &lt;p&gt;For example: If a user visits http://example.com//www.google.com/%2e%2e they will be redirected to //www.google.com/%2e%2e, which some browsers interpret as http://www.google.com/%2e%2e.”&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; This vulnerability doesn’t work in Google Chrome but works in Firefox and Opera.&lt;/p&gt;

&lt;p&gt;We tested it against the client app, and it was indeed vulnerable.&lt;/p&gt;

&lt;p&gt;After a couple of days, I (&lt;a href=&quot;https://twitter.com/fjreis&quot;&gt;@fjreis&lt;/a&gt;) and Fábio Pires (&lt;a href=&quot;https://twitter.com/fabiopirespt&quot;&gt;@fabiopirespt&lt;/a&gt;) joined Vitor and decided to search for the top websites that were using express.js. &lt;strong&gt;Yahoo&lt;/strong&gt; and the &lt;strong&gt;mobile website of LinkedIn&lt;/strong&gt; were two of the websites we found.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/09/open-redirect/LinkedIn_logo.jpeg&quot; alt=&quot;image1&quot; class=&quot;align-center&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We started with the LinkedIn mobile website: &lt;strong&gt;&lt;a href=&quot;https://touch.www.linkedin.com/&quot;&gt;https://touch.www.linkedin.com/&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Issuing the request in Burp Suite, we found that it was not working with two slashes (as Pierre describes in his advisory), so we tested with four slashes and this is what we got:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Request&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/09/open-redirect/LinkedIn_request.png&quot; alt=&quot;image2&quot; /&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Response&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/09/open-redirect/LinkedIn_response.png&quot; alt=&quot;image3&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Open redirect, yey!&lt;/p&gt;

&lt;h2 id=&quot;proof-of-concept&quot;&gt;Proof of Concept&lt;/h2&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Android:&lt;/strong&gt; &lt;a href=&quot;https://vimeo.com/126193891&quot;&gt;https://vimeo.com/126193891&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;iOS:&lt;/strong&gt; &lt;a href=&quot;https://vimeo.com/126193892&quot;&gt;https://vimeo.com/126193892&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;report-timeline&quot;&gt;Report timeline&lt;/h2&gt;

&lt;ul&gt;
  &lt;li&gt;April 28, 2015 - &lt;strong&gt;Bug reported to Linkedin&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;April 28, 2015 - Confirmation from Linkedin’s security team&lt;/li&gt;
  &lt;li&gt;May 28, 2015 - Pinged Linkedin team&lt;/li&gt;
  &lt;li&gt;May 28, 2015 - &lt;strong&gt;Bug fixed&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;September 24, 2015 - &lt;strong&gt;Public disclosure&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;&lt;img src=&quot;/images/posts/2015/09/open-redirect/Yahoo_logo.gif&quot; alt=&quot;image4&quot; class=&quot;align-center&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Now the story with &lt;strong&gt;Yahoo&lt;/strong&gt; is more fun. We found two websites from &lt;strong&gt;Yahoo&lt;/strong&gt; using &lt;strong&gt;express.js&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://developer.yahoo.com&quot;&gt;developer.yahoo.com&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://publish.yahoo.com&quot;&gt;publish.yahoo.com&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;developeryahoocom&quot;&gt;developer.yahoo.com&lt;/h2&gt;

&lt;ul&gt;
  &lt;li&gt;Request&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/09/open-redirect/Yahoo_developer_request.png&quot; alt=&quot;image5&quot; /&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Response&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/09/open-redirect/Yahoo_developer_response.png&quot; alt=&quot;image6&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;publishyahoocom&quot;&gt;publish.yahoo.com&lt;/h2&gt;

&lt;ul&gt;
  &lt;li&gt;Request&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/09/open-redirect/Yahoo_publish_request.png&quot; alt=&quot;image7&quot; /&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Response&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2015/09/open-redirect/Yahoo_publish_response.png&quot; alt=&quot;image8&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;proof-of-concept-1&quot;&gt;Proof of Concept&lt;/h2&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Android:&lt;/strong&gt; &lt;a href=&quot;https://vimeo.com/126305222&quot;&gt;https://vimeo.com/126305222&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;iOS:&lt;/strong&gt; &lt;a href=&quot;https://vimeo.com/126320994&quot;&gt;https://vimeo.com/126320994&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Android:&lt;/strong&gt; &lt;a href=&quot;https://vimeo.com/126305223&quot;&gt;https://vimeo.com/126305223&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;report-timeline-1&quot;&gt;Report timeline&lt;/h2&gt;

&lt;ul&gt;
  &lt;li&gt;May 28, 2015 - &lt;strong&gt;Bug reported to Yahoo&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;May 28, 2015 - &lt;strong&gt;Yahoo’s security team&lt;/strong&gt; tells us to report it on &lt;strong&gt;HackerOne&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;May 28, 2015 - &lt;strong&gt;Bug reported to HackerOne&lt;/strong&gt;&lt;/li&gt;
  &lt;li&gt;May 28, 2015 - &lt;strong&gt;Response from HackerOne:&lt;/strong&gt; &lt;em&gt;“Thank you for your submission to Yahoo! We are aware of this functionality on our site and it is working as designed. Open redirects have been out of scope since January 1st, 2014. Please continue to send us vulnerability reports!”&lt;/em&gt;&lt;/li&gt;
  &lt;li&gt;September 24, 2015 - &lt;strong&gt;Public disclosure&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Both websites &lt;strong&gt;are still vulnerable&lt;/strong&gt;.&lt;/p&gt;</content><author><name>Filipe Reis</name></author><category term="security" /><summary type="html"></summary></entry><entry><title type="html">Getting to know Android (Part 2) - Setting up your testing environment</title><link href="/mobile/getting-to-know-android-part2/" rel="alternate" type="text/html" title="Getting to know Android (Part 2) - Setting up your testing environment" /><published>2013-05-16T10:00:00+00:00</published><updated>2013-05-16T10:00:00+00:00</updated><id>/mobile/getting-to-know-android-part2</id><content type="html" xml:base="/mobile/getting-to-know-android-part2/">&lt;p&gt;As we mentioned previously, in this second part of the series we’re going to show you how to set up a testing environment for running Android applications. For testing purposes we are going to use a virtual environment, but you can use a real phone.
If you use a real phone, most of the steps are the same, with one exception: you will not need to create the virtual Android phone.&lt;/p&gt;

&lt;h1 id=&quot;3-setting-up-the-testing-environment&quot;&gt;3. Setting up the testing environment&lt;/h1&gt;

&lt;p&gt;We are going to split the installation of the testing lab into parts, for easier understanding and better debugging if any errors appear. We are using the latest Ubuntu 13.10 (64-bit) as our operating system. If you need help installing Ubuntu, there are many useful sites that walk you through the process.&lt;/p&gt;

&lt;h2 id=&quot;31--setting-up-java&quot;&gt;3.1- Setting up Java&lt;/h2&gt;

&lt;p&gt;Once the machine is created, the first thing you will need to do is install Java. You can choose to install the official JDK from Oracle or the OpenJDK. For our series we will install the OpenJDK.&lt;/p&gt;

&lt;p&gt;First up download and install Java through apt-get:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ sudo apt-get install openjdk-7-jre openjdk-7-jdk
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;To confirm that the installation was successful, check the versions; you should get output like the following:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ java -version
java version &quot;1.7.0_21&quot;
OpenJDK Runtime Environment (IcedTea 2.3.9) (7u21-2.3.9-1ubuntu1)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)
$ javac -version
javac 1.7.0_21
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;em&gt;Optional:&lt;/em&gt; For ease of use, let’s set our JAVA_HOME environment variable.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ sudo nano /etc/environment
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;And add the following line, and then save the file:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;JAVA_HOME=&quot;/usr/lib/jvm/java-1.7.0-openjdk-amd64&quot;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;h2 id=&quot;32--setting-up-android-sdk&quot;&gt;3.2- Setting up Android SDK&lt;/h2&gt;

&lt;p&gt;Now that we have Java installed it’s time to install the Android SDK, which can be found &lt;a href=&quot;http://developer.android.com/sdk/index.html&quot;&gt;here&lt;/a&gt;. The Android SDK provides the API libraries and developer tools necessary to build, test, and debug apps for Android. There are two versions you can download, the SDK only or the ADT Bundle. We recommend the ADT Bundle because it comes with most of the needed tools pre-set. It contains:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Eclipse + ADT plugin;&lt;/li&gt;
  &lt;li&gt;Android SDK Tools;&lt;/li&gt;
  &lt;li&gt;Android Platform-tools;&lt;/li&gt;
  &lt;li&gt;The latest Android platform;&lt;/li&gt;
  &lt;li&gt;The latest Android system image for the emulator.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Download it to a folder of your choosing. Then open a terminal, navigate to the folder where you downloaded the ADT Bundle and unpack it.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ unzip adt-bundle-linux-x86_64-20130219.zip
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Now we will run the android file (located in the sdk/tools/ directory). This launches the Android SDK and AVD Manager. The AVD Manager provides a graphical user interface in which you can create and manage Android Virtual Devices (AVDs), which are required by the Android Emulator.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ ./android
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2013/05/AndroidSDKManager_qwgrav.png&quot; alt=&quot;image1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;As you can see in the image, the Android SDK Tools and the Android SDK Platform-tools are already installed. Now select Android 4.2.2 (API 17), which is the platform we will be emulating, click Install, accept the licence agreements and wait for the installation to finish (you can always change the SDK Platform later).&lt;/p&gt;

&lt;p&gt;You will probably get an error at the end of the installation saying:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Stopping ADB server failed (code -1). 
Unable to run 'adb': Cannot run program &quot;/home/android/Documents/adt-bundle-linux-x86_64-20130219/sdk/platform-tools/adb&quot;: error=2, No such file or directory. 
Starting ADB server failed (code -1).
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;This happens because adb is shipped only as a 32-bit binary (the phones aren’t 64-bit, so there is no 64-bit build of adb), and a 64-bit Ubuntu cannot run it without the 32-bit compatibility libraries. You need the ia32-libs package.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ sudo apt-get install ia32-libs
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;After that everything should go smoothly.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Optional:&lt;/em&gt; We recommend adding the tools/ and platform-tools/ folders to the PATH environment variable (add the full path to those folders).&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ sudo nano /etc/environment
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;So, your PATH should look like:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;PATH=&quot;/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/home/maluko/Documents/adt-bundle-linux-x86_64-20130219/sdk/platform-tools:/home/maluko/Documents/adt-bundle-linux-x86_64-20130219/sdk/tools&quot;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Don’t forget to save the file.&lt;/p&gt;
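&lt;p&gt;The two edits above (JAVA_HOME in 3.1 and the SDK folders on PATH here) are easy to get wrong by hand, for example by adding the same folder twice or overwriting the existing PATH. The following is an added example, not code from the post, that applies both edits to an /etc/environment-style file without duplicating anything that is already there; the JAVA_HOME and SDK paths it is tried with are the ones used above, and the function names are our own.&lt;/p&gt;

```python
import os
import re

# KEY="value" or KEY=value, one per line, which is the format /etc/environment uses.
LINE_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)="?(.*?)"?$')


def parse_environment(text):
    """Return (key, value) pairs in file order, skipping blank lines and comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def update_environment(text, java_home, sdk_root):
    """Return the file contents with JAVA_HOME set and the SDK tools/ and
    platform-tools/ folders appended to PATH.  Folders already on PATH are not
    added twice, so running this a second time changes nothing."""
    pairs = parse_environment(text)
    values = dict(pairs)
    path = [p for p in values.get("PATH", "").split(":") if p]
    for folder in ("platform-tools", "tools"):
        full = os.path.join(sdk_root, folder)
        if full not in path:
            path.append(full)
    values["PATH"] = ":".join(path)
    values["JAVA_HOME"] = java_home
    # Keep the original key order; new keys go at the end.
    order = list(dict.fromkeys(k for k, _ in pairs))
    for key in ("PATH", "JAVA_HOME"):
        if key not in order:
            order.append(key)
    return "".join('%s="%s"\n' % (k, values[k]) for k in order)


def write_environment(path, java_home, sdk_root):
    """Apply update_environment to a real file (run with sudo for /etc/environment)."""
    with open(path) as f:
        new_text = update_environment(f.read(), java_home, sdk_root)
    with open(path, "w") as f:
        f.write(new_text)
    return new_text
```

&lt;p&gt;Remember that /etc/environment is read by pam_env, not by a shell, so variables are not expanded and the new values only apply to sessions started after you log in again.&lt;/p&gt;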

&lt;h2 id=&quot;33--setting-up-proxy&quot;&gt;3.3- Setting up Proxy&lt;/h2&gt;

&lt;p&gt;There are many proxies that can be used, like &lt;a href=&quot;https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project&quot;&gt;WebScarab&lt;/a&gt;, &lt;a href=&quot;https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project&quot;&gt;ZAP&lt;/a&gt; or &lt;a href=&quot;http://portswigger.net&quot;&gt;Burp&lt;/a&gt;. For our series we are going to use Burp. So, let’s download the program from &lt;a href=&quot;http://portswigger.net/burp/downloadfree.html&quot;&gt;http://portswigger.net/burp/downloadfree.html&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Download it to a folder of your choosing; once the download is done, test that it works:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ java -jar burpsuitefreev1.5.jar
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;You should see a window like the following image. If you do, and you got no errors in the terminal, you are good to continue.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2013/05/BurpSuite_ywcp0f.png&quot; alt=&quot;image2&quot; /&gt;&lt;/p&gt;

&lt;h1 id=&quot;4-starting-your-emulator-and-configuring-your-proxy&quot;&gt;4. Starting your emulator and configuring your proxy&lt;/h1&gt;

&lt;p&gt;By now you should have a general knowledge about Android, and have the basic tools to create an Android Virtual Device and connect it through a proxy so that you can see what is going on with the applications installed on that Android. So as we said the first thing to do is create the AVD.&lt;/p&gt;

&lt;h2 id=&quot;41--create-an-avd&quot;&gt;4.1- Create an AVD&lt;/h2&gt;

&lt;p&gt;To start up, we need to run the android file (located in the sdk/tools/ directory). This will launch the Android SDK and AVD Manager.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ ./android
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Under “Tools” select “Manage AVDs…” and then press “New…”.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2013/05/ManageAVDs_co28me.png&quot; alt=&quot;image3&quot; /&gt;&lt;/p&gt;

&lt;p&gt;A new window will appear, in which we fill in the data for the new AVD (this can vary based on personal needs):&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Name:&lt;/strong&gt; testavd;&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Device:&lt;/strong&gt; 4.0” WVGA (480 x 800: hdpi);&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Target:&lt;/strong&gt; Android 4.2.2, API 17;&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;CPU/ABI:&lt;/strong&gt; ARM (armeabi-v7a);&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;SD Card:&lt;/strong&gt; Optional (We will leave this blank);&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Snapshot:&lt;/strong&gt; Checked;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Press OK to finish.&lt;/p&gt;

&lt;p&gt;And like that, we have created our first Android Virtual Device. Now, before we start our emulator, we will want to start up our proxy.&lt;/p&gt;

&lt;h2 id=&quot;42--starting-your-proxy&quot;&gt;4.2- Starting your Proxy&lt;/h2&gt;

&lt;p&gt;To start with, navigate to the folder where you downloaded Burp and run:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ java -jar burpsuitefreev1.5.jar
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Within Burp, we have a few configurations that we want to confirm:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Proxy Listeners:
    &lt;ul&gt;
      &lt;li&gt;Under the option tab “Proxy”, we need to ensure that a proxy listener is running. If we have some network issues with the application, one thing to try is the “support invisible proxying for non-aware clients”. For now, we will leave it unchecked.&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;Upstream Proxy Servers:
    &lt;ul&gt;
      &lt;li&gt;If you are working in a corporate environment, you will likely have a proxy server standing between you and the Internet. In that case you will need to go to the “Options” tab, and scroll down to “Upstream Proxy Servers”. Click on “Add” and enter the settings for your proxy server and you should be set.&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id=&quot;43--starting-your-avd&quot;&gt;4.3- Starting your AVD&lt;/h2&gt;

&lt;p&gt;Previously we created our AVD, but just creating it isn’t enough. We need to start it, and for that we need the following command:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ emulator -avd testavd -http-proxy http://127.0.0.1:8080
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;em&gt;Note:&lt;/em&gt; The option -http-proxy http://127.0.0.1:8080 makes the AVD send its HTTP traffic through our proxy.&lt;/p&gt;

&lt;p&gt;After this your AVD should start and look like the following image.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2013/05/testavd_jcnvhr.png&quot; alt=&quot;image4&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Note:&lt;/em&gt; Sometimes it takes several minutes to start an AVD, particularly on older systems or VMs with little RAM.&lt;/p&gt;

&lt;p&gt;If you find that you are having trouble connecting to the Internet, close your AVD and reload it without the “-http-proxy http://127.0.0.1:8080” portion of the command. That will help you determine whether your proxy is the cause of your issues.&lt;/p&gt;

&lt;p&gt;The above method is the most consistent way to get your AVD to use the Burp proxy. If it does not work, you can always try setting it within the AVD:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Menu &amp;gt; Settings &amp;gt; Wireless &amp;amp; networks &amp;gt; More... &amp;gt; Mobile Networks &amp;gt; Access Point Names.

Menu Button &amp;gt; New APN
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Here you can configure the Proxy Settings.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Name:&lt;/strong&gt; Internet&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;APN:&lt;/strong&gt; Internet&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Proxy:&lt;/strong&gt; 127.0.0.1&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Port:&lt;/strong&gt; 8080&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Username:&lt;/strong&gt; &amp;lt;N/A&amp;gt;&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Password:&lt;/strong&gt; &amp;lt;N/A&amp;gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2013/05/testavd-settings_xedpmy.png&quot; alt=&quot;image5&quot; /&gt;&lt;/p&gt;

&lt;p&gt;There are still a few other ways of setting up the Proxy, but these two are the most reliable.&lt;/p&gt;
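&lt;p&gt;A common reason the AVD “has no Internet” is simply that Burp was not started, or is listening on a different port, before the emulator was launched with -http-proxy. The following added example, not part of the original post, checks that something is accepting connections on the proxy address before building the emulator command, and otherwise falls back to the no-proxy launch the troubleshooting step above describes. It assumes the Burp listener is on 127.0.0.1:8080 as in the post; the function names are our own.&lt;/p&gt;

```python
import socket
import subprocess

PROXY_HOST, PROXY_PORT = "127.0.0.1", 8080  # Burp's default listener, as used in the post


def proxy_reachable(host, port, timeout=1.0):
    """True when something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def emulator_command(avd, proxy_host=None, proxy_port=None):
    """argv for the emulator; -http-proxy is only added when a proxy is given."""
    cmd = ["emulator", "-avd", avd]
    if proxy_host and proxy_port:
        cmd += ["-http-proxy", "http://%s:%d" % (proxy_host, proxy_port)]
    return cmd


def launch(avd, proxy_host=PROXY_HOST, proxy_port=PROXY_PORT, run=subprocess.Popen):
    """Start the AVD through the proxy if the listener is up, otherwise without it
    (the post's troubleshooting step), so a dead proxy is not mistaken for a
    broken emulator.  `run` is swappable so the command can be inspected offline."""
    if proxy_reachable(proxy_host, proxy_port):
        cmd = emulator_command(avd, proxy_host, proxy_port)
    else:
        print("nothing listening on %s:%d; starting %s without -http-proxy"
              % (proxy_host, proxy_port, avd))
        cmd = emulator_command(avd)
    run(cmd)
    return cmd


def demo_listener():
    """Stand-in for Burp: a listening socket on a free loopback port, so the
    check can be tried without Burp running."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    launch("testavd")
```

&lt;p&gt;With Burp up, the emulator starts through the proxy exactly as in section 4.3; with Burp down, the script says so and starts the AVD without the proxy, which answers the “is it the proxy?” question without editing the command by hand.&lt;/p&gt;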

&lt;h1 id=&quot;5-installing-applications-in-your-emulator&quot;&gt;5. Installing Applications in your emulator&lt;/h1&gt;

&lt;p&gt;Now that we have an AVD running, the only thing missing is applications to test. If we were using a physical Android device for testing, it could be as simple as going to the Marketplace, searching for the app and pressing the Install button. But we went through the effort of setting up our testing environment, and the Android emulator cannot download applications directly, so we are going to have to think outside the box to get them.&lt;/p&gt;

&lt;h2 id=&quot;51--obtain-the-android-application-package-file-apk&quot;&gt;5.1- Obtain the Android Application Package File (.apk)&lt;/h2&gt;

&lt;p&gt;In most situations, we should simply ask our project contact to send us the .apk file. But if for whatever reason that’s not an option, don’t lose hope. What you should do is:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Download the &lt;a href=&quot;https://play.google.com/store/apps/details?id=com.intrepidusgroup.learner&quot;&gt;application&lt;/a&gt; (for our series we will use the IG Learner from Intrepidus Apps) that you want from the marketplace to the physical Android device;&lt;/li&gt;
  &lt;li&gt;Download and install a file manager application from the Android Marketplace to the physical Android device. &lt;a href=&quot;https://play.google.com/store/apps/details?id=com.metago.astro&quot;&gt;ASTROFileManager&lt;/a&gt; is an option;&lt;/li&gt;
  &lt;li&gt;Using ASTRO, select Menu &amp;gt; Tools &amp;gt; Application Manager/Backup. Check the box next to the target application, then select Menu &amp;gt; Backup. This will save your .apk as “pkg.apk”, in /mnt/sdcard/backups/apps.&lt;/li&gt;
  &lt;li&gt;Mount the Android device as a USB device, and browse to /mnt/sdcard/backups/apps. Copy the “pkg.apk” file to your local hard drive (you can rename the file to something more descriptive).&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;If for some reason your physical Android device doesn’t support the application (like mine… sad times…), or you don’t own a device and you would really like to give this application a try, there is a light at the end of the tunnel. I’ve found the &lt;a href=&quot;https://github.com/intrepidusgroup/ig-learner&quot;&gt;git repository&lt;/a&gt; of this application, and with that we are able to compile the code into the .apk file.&lt;/p&gt;

&lt;h2 id=&quot;52--compile-into-an-android-application-package-file-apk&quot;&gt;5.2- Compile into an Android Application Package File (.apk)&lt;/h2&gt;

&lt;p&gt;First off, be sure that you have git installed on your machine. If not, you can install it with&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ sudo apt-get install git
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;After it is installed, clone the repository to a folder of your choice. Go to a folder where you can download it and run&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ git clone git://github.com/intrepidusgroup/ig-learner.git
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Next, run Eclipse from the eclipse folder inside our Android SDK (ADT Bundle) folder. Go to File &amp;gt; Import…, select “Existing Android Code Into Workspace” and hit Next.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2013/05/eclipse-import_vpqk1p.png&quot; alt=&quot;image6&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Browse to the cloned folder and select it, make sure it is selected and hit Finish.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2013/05/eclipse-import2_qs9aaj.png&quot; alt=&quot;image7&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Now we have our source code loaded into Eclipse, so the next thing we need to do is compile it into an .apk file. For that, simply right-click the project, browse to Android Tools and select “Export Signed Application Package”. Why do we need to export it as a signed application?&lt;/p&gt;

&lt;p&gt;Because the Android system requires that every installed application be digitally signed with a private key maintained by the developer. Android uses the certificate to identify the application’s author and to establish trust relationships between applications.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2013/05/eclipse-export_i8wuuf.png&quot; alt=&quot;image8&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Select the project that you wish to export, in our case “LessonSelectorActivity”, and click Next. Now we are asked whether we want to use an existing keystore or create one. We still don’t have one, so go ahead and create one. Select the location where you want to store it, give it any password you like and hit Next.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2013/05/eclipse-keystore_ik3fwl.png&quot; alt=&quot;image9&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Now fill in the fields of the key as you wish. Keep in mind that 25 years is the minimum required for the Validity field. After you are satisfied with your fields, click Next.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2013/05/key-creation_hxugjl.png&quot; alt=&quot;image10&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Finally choose the destination folder and name for our .apk file and hit Finish.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2013/05/destination_oufs97.png&quot; alt=&quot;image11&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Simple right?&lt;/p&gt;
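&lt;p&gt;To make concrete what the signature you just produced protects: a JAR-signed (v1) APK stores a SHA-1 digest of every file in META-INF/MANIFEST.MF, a digest of that manifest in META-INF/CERT.SF, and the developer’s PKCS#7 signature over CERT.SF in META-INF/CERT.RSA, so any file changed after signing no longer matches its recorded digest. The following added example (our code, not from the post or the IG Learner project) builds a tiny constructed APK with that layout, checks the digest chain, and shows what a modified or added file looks like to the check. It stops short of verifying the PKCS#7 signature itself, which needs the certificate and a crypto library; the file names and contents are constructed.&lt;/p&gt;

```python
import base64
import hashlib
import io
import zipfile

# Constructed stand-ins for the files a real APK carries (hypothetical content).
SAMPLE_FILES = {
    "AndroidManifest.xml": b"constructed-manifest-bytes",
    "classes.dex": b"dex\n035\x00constructed-dex-bytes",
}


def b64sha1(data):
    """Base64 SHA-1, the digest form used in MANIFEST.MF and CERT.SF."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_signed_apk(files):
    """Return zip bytes laid out like a JAR-signed APK: one manifest section per
    file, a CERT.SF that digests the manifest, and a CERT.RSA placeholder."""
    mf_sections, sf_sections = [], []
    for name, data in sorted(files.items()):
        section = "Name: %s\r\nSHA1-Digest: %s\r\n\r\n" % (name, b64sha1(data))
        mf_sections.append(section)
        sf_sections.append("Name: %s\r\nSHA1-Digest: %s\r\n\r\n" % (name, b64sha1(section.encode())))
    manifest = "Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n" + "".join(mf_sections)
    sf = "Signature-Version: 1.0\r\nSHA1-Digest-Manifest: %s\r\n\r\n" % b64sha1(manifest.encode())
    sf += "".join(sf_sections)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/CERT.SF", sf)
        # A real APK holds the PKCS#7 signature over CERT.SF here; constructed placeholder.
        z.writestr("META-INF/CERT.RSA", b"PLACEHOLDER-PKCS7-SIGNATURE")
    return buf.getvalue()


def parse_sections(text):
    """Split a manifest or .SF into (main attributes, {Name: attributes}).
    Line continuations are not handled; the names used here are short."""
    main, named = {}, {}
    for block in text.split("\r\n\r\n"):
        attrs = dict(line.split(": ", 1) for line in block.split("\r\n") if ": " in line)
        if "Name" in attrs:
            named[attrs["Name"]] = attrs
        elif attrs:
            main = attrs
    return main, named


def verify_digests(apk_bytes):
    """Return the list of problems found in the digest chain (empty means intact)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        manifest = z.read("META-INF/MANIFEST.MF")
        _, entries = parse_sections(manifest.decode())
        # Every non-signature file must be listed and its digest must still match.
        for name in sorted(z.namelist()):
            if name.startswith("META-INF/"):
                continue
            if name not in entries:
                problems.append("not covered by manifest: " + name)
            elif entries[name].get("SHA1-Digest") != b64sha1(z.read(name)):
                problems.append("digest mismatch: " + name)
        # The signed CERT.SF must vouch for the manifest as a whole.
        sf_main, _ = parse_sections(z.read("META-INF/CERT.SF").decode())
        if sf_main.get("SHA1-Digest-Manifest") != b64sha1(manifest):
            problems.append("CERT.SF does not match MANIFEST.MF")
    return problems


def tamper(apk_bytes, name, new_data):
    """Replace or add one entry while leaving the signature files untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for n in src.namelist():
            dst.writestr(n, new_data if n == name else src.read(n))
        if name not in src.namelist():
            dst.writestr(name, new_data)
    return out.getvalue()
```

&lt;p&gt;The digest chain is what makes a rebuilt or edited file detectable at install time; the last link, the PKCS#7 signature over CERT.SF, is what ties the chain to the keystore you created in the wizard, so a modified APK cannot simply be re-signed under the same identity without that key.&lt;/p&gt;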

&lt;h2 id=&quot;53--install-the-android-application-package-file-apk&quot;&gt;5.3- Install the Android Application Package File (.apk)&lt;/h2&gt;

&lt;p&gt;We now have an .apk to work with, yuppi!! But what should we do with it? Well, the answer is simple: let’s install it on our AVD. Be sure to have your device running. To check that your device is running and available you can use&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ adb devices
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;And get something similar to:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2013/05/devices_quwxbk.png&quot; alt=&quot;image12&quot; /&gt;&lt;/p&gt;

&lt;p&gt;As you can see it recognized our emulator, and to install the .apk you simply need to do:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ adb install IG-Learner.apk
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;em&gt;Note:&lt;/em&gt; If for any reason we had more than one AVD running we could target the .apk installation by doing&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;$ adb -s &quot;emulator-5554&quot; install IG-Learner.apk
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
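&lt;p&gt;When several AVDs (or a USB phone) are attached, adb refuses a plain install, and a device that shows as “offline” or “unauthorized” cannot be installed to at all. The following added example, not code from the post, parses the output of adb devices and chooses the install command accordingly; the sample output is constructed and the function names are our own.&lt;/p&gt;

```python
import subprocess

# Constructed sample of `adb devices` output: two emulators (one still booting)
# and a USB phone that has not yet accepted the debugging prompt.
SAMPLE_OUTPUT = (
    "List of devices attached\n"
    "emulator-5554\tdevice\n"
    "emulator-5556\toffline\n"
    "0123456789ABCDEF\tunauthorized\n"
)


def parse_adb_devices(output):
    """Return [(serial, state), ...] from the text `adb devices` prints."""
    devices = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("List of devices") or line.startswith("*"):
            continue  # header line and daemon start-up chatter
        parts = line.split(None, 1)
        if len(parts) == 2:
            devices.append((parts[0], parts[1].strip()))
    return devices


def usable(devices):
    """Serials adb will actually talk to: state 'device' (not offline/unauthorized)."""
    return [serial for serial, state in devices if state == "device"]


def install_command(apk, devices, serial=None):
    """argv for `adb install`.  With one usable target the plain form is enough;
    with several, -s is required or adb refuses with 'more than one device'."""
    targets = usable(devices)
    if serial is not None:
        if serial not in targets:
            raise RuntimeError("%s is not connected in 'device' state" % serial)
        return ["adb", "-s", serial, "install", apk]
    if not targets:
        raise RuntimeError("no usable device; check `adb devices`")
    if len(targets) == 1:
        return ["adb", "install", apk]
    # Several targets and none named: prefer an emulator, as this series tests on AVDs.
    emulators = [s for s in targets if s.startswith("emulator-")]
    return ["adb", "-s", (emulators or targets)[0], "install", apk]


def install(apk, serial=None):
    """Run the real adb (needs the platform-tools folder on PATH, see section 3.2)."""
    out = subprocess.check_output(["adb", "devices"]).decode()
    cmd = install_command(apk, parse_adb_devices(out), serial)
    subprocess.check_call(cmd)
    return cmd
```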

&lt;p&gt;If the application is installed successfully you should see the following,&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2013/05/installed_k8dzqo.png&quot; alt=&quot;image13&quot; /&gt;&lt;/p&gt;

&lt;p&gt;You can also see it in your AVD. Pretty simple, right?&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/posts/2013/05/installed-app_tjbxzb.png&quot; alt=&quot;image14&quot; /&gt;&lt;/p&gt;

&lt;p&gt;That’s all for now on this topic. Feel free to create other AVDs and install other applications to practise what we did in this part 2 of our Android series. In the next part we will be talking about methodologies for testing these Android applications, the OWASP Mobile Security Project and the tools we should know to help in our application tests.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;em&gt;References:&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;http://www.symantec.com&lt;/li&gt;
  &lt;li&gt;http://resources.infosecinstitute.com&lt;/li&gt;
  &lt;li&gt;Mobile Application Security for Dummies&lt;/li&gt;
  &lt;li&gt;http://developer.android.com&lt;/li&gt;
&lt;/ul&gt;</content><author><name>Filipe Reis</name></author><category term="mobile" /><summary type="html">As we previously referenced, in this second part series we’re going to show you how to setup a testing environment for running android applications. For testing purposes we are going to use a virtual environment, but you can use a real phone. If you are trying to use a real phone much will be the same with one exception, the creation of the virtual android phone. 3. Setting up the testing environment We are going to split the installation of the testing lab in parts for easy understanding and better debugging if any errors appear. Also, we are using the latest Ubuntu 13.10 (64 bits) as our Operating System. If you need help installing Ubuntu, there are many useful site to walk you through the process. 3.1- Setting up Java Once the machine is created, the first you will need to do is install Java. You can chose to install the official JDK from Oracle or the OpenJDK. for our series we will install the OpenJDK. First up download and install Java through apt-get: $ sudo apt-get install openjdk-7-jre openjdk-7-jdk To confirm if the installation was successful we should get an output like the following: $ java -version java version &quot;1.7.021&quot; OpenJDK Runtime Environment (IcedTea 2.3.9) (7u21-2.3.9-1ubuntu1) OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode) $ javac -version javac 1.7.021 Optional: For ease of use, let’s set our JAVA_HOME environment variable. $ sudo nano /etc/environment And add the following line, and then save the file: JAVA_HOME=&quot;/usr/lib/jvm/java-1.7.0-openjdk-amd64&quot; 3.2- Setting up Android SDK Now that we have Java installed it’s time to install the Android SDK and it can be found here. The Android SDK provides you the API libraries and developer tools necessary to build, test, and debug apps for Android. There are two versions that you can download, the SDK only or the ADT Bundle. 
We recommend you to download the ADT Bundle because it comes with most of the needed tools pre-set. It contains: Eclipse + ADT plugin; Android SDK Tools; Android Platform-tools; The latest Android platform; The latest Android system image for the emulator. Download it to a folder of your choosing. Then open a terminal and navigate to the folder you downloaded the ADT Bundle and unpack it. $ unzip adt-bundle-linux-x86_64-20130219.zip Now, we will run the android file (this file is located under sdk/tools/ directory). This will launch the Android SDK and AVD Manager. The AVD Manager provides a graphical user interface in which you can create and manage Android Virtual Devices (AVDs), which are required by the Android Emulator. $ ./android As you can see by the image the Android SDK Tools and the Android SDK Platform-tools are already installed. Now we are going to select the Android 4.2.2 (API 17), this will be the platform that we will be using to emulate, then click on Install accept the licence agreements and wait for it to be installed (You can always change the SDK Platform later). You will probably get and error at the end of the installation saying: Stopping ADB server failed (code -1). Unable to run 'adb': Cannot run program &quot;/home/android/Documents/adt-bundle-linux-x86_64-20130219/sdk/platform-tools/adb&quot;: error=2, No such file or directory. Starting ADB server failed (code -1). This is because the phones aren’t 64bit, so there is no 64bit version of adb. You need the ia32-libs. $ sudo apt-get install ia32-libs After that it all should go smooth. Optional: We recommend adding the tools/ and platform-tools/ folders to the PATH environment variable (Add the full path to the those folders). 
$ sudo nano /etc/environment So, your PATH should look like: PATH=&quot;/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/home/maluko/Documents/adt-bundle-linux-x8664-20130219/sdk/platform-tools:/home/maluko/Documents/adt-bundle-linux-x8664-20130219/sdk/tools&quot; Don’t forget to save the file. 3.3- Setting up Proxy There are many proxies that can be used, like WebScarab, ZAP or Burp. For our series we are going to use Burp. So, let’s download the program from http://portswigger.net/burp/downloadfree.html. Download it to a folder of your choosing, once it is done test if it work: $ java -jar burpsuitefreev1.5.jar And you should have a window like the following image. If you do, and you got no errors in the terminal then it’s all go to continue. 4. Starting your emulator and configuring your proxy By now you should have a general knowledge about Android, and have the basic tools to create an Android Virtual Device and connect it through a proxy so that you can see what is going on with the applications installed on that Android. So as we said the first thing to do is create the AVD. 4.1- Create an AVD To start up, we need to run the android file (located in the sdk/tools/ directory). This will launch the Android SDK and AVD Manager. $ ./android Under “Tools” select “Manage AVDs…” and then press “New…”. A new window will appear, in this window we are going to fill in the data for the new AVD (this can vary based on personal needs): Name: testavd; Device: 4.0” WVGA (480 x 800: hdpi); Target: Android 4.2.2, API 17; CPU/ABI: ARM (armebi-v7a); SD Card: Optional (We will leave this blank); Snapshot: Checked; Press OK to finish. And like that, we have created our first Android Virtual Device. Now, before we start our emulator, we will want to start up our proxy. 4.2- Starting your Proxy To start with, navigate to the folder that you downloaded your Burp Proxy and run the command. 
$ java -jar burpsuitefreev1.5.jar Within Burp, we have a few configurations that we want to confirm: Proxy Listeners: Under the option tab “Proxy”, we need to ensure that a proxy listener is running. If we have some network issues with the application, one thing to try is the “support invisible proxying for non-aware clients”. For now, we will leave it unchecked. Upstream Proxy Servers: If you are working in a corporate environment, you will likely have a proxy server standing between you and the Internet. In that case you will need to go to the “Options” tab, and scroll down to “Upstream Proxy Servers”. Click on “Add” and enter the settings for your proxy server and you should be set. 4.3- Starting your AVD Previously we created our AVD, but just creating it isn’t enough. We need to start it, and for that we need the following command: $ emulator -avd testavd -http-proxy http://127.0.0.1:8080 Note: The option -http-proxy http://127.0.0.1:8080 is the setup for using our proxy from within the avd. After this your AVD should start and look like the following image. Note: Sometimes it take several minutes to start an AVD, particularly on older systems or VMs with little RAM. If you find that you are having troubles connecting to the Internet, you can close out of your AVD and reload it, excluding the “-http-proxy http://127.0.0.1:8080” portion of the command. That will help you to determine if your proxy is the cause of your issues. The above method is the most consistent way to get your AVD to recognize Burp proxy. If that does not work, you can always try setting it within the AVD: Menu &amp;gt; Settings &amp;gt; Wireless &amp;amp; networks &amp;gt; More... &amp;gt; Mobile Networks &amp;gt; Access Point Names. Menu Button &amp;gt; New APN Here you can configure the Proxy Settings. 
Name: Internet
APN: Internet
Proxy: 10.0.2.2
Port: 8080
Username: &amp;lt;N/A&amp;gt;
Password: &amp;lt;N/A&amp;gt;

Note: from inside the AVD, 127.0.0.1 is the AVD’s own loopback, so an APN proxy of 127.0.0.1:8080 would never reach Burp. The emulator maps the host’s loopback to 10.0.2.2, which is why that address goes in the Proxy field.

There are still other ways of setting up the proxy, but these two are the most reliable.

5. Installing Applications in your emulator

Now that we have an AVD running, the only thing missing is applications to test. If we were using a physical Android device, it could be as simple as going to the Marketplace, searching for the app and pressing Install. But we went through the effort of setting up a testing environment, and the Android emulator cannot download applications from the Marketplace directly, so we have to think outside the box.

5.1- Obtain the Android Application Package File (.apk)

In most situations we should simply ask our project contact to send us the .apk file. If for whatever reason that is not an option, don’t lose hope. What you can do is:

Download the application you want (for our series we will use IG Learner from Intrepidus Apps) from the Marketplace to a physical Android device;
Download and install a file manager application from the Marketplace to that device. ASTRO File Manager is an option;
In ASTRO, select Menu &amp;gt; Tools &amp;gt; Application Manager/Backup. Check the box next to the target application, then select Menu &amp;gt; Backup. This saves the .apk as “pkg.apk” in /mnt/sdcard/backups/apps;
Mount the device as a USB drive, browse to /mnt/sdcard/backups/apps and copy “pkg.apk” to your local hard drive (rename it to something more descriptive if you like).

If your physical device doesn’t support the application (like mine… sad times…), or you don’t own a device and still want to try this application, there is light at the end of the tunnel. I’ve found the git repository of this application, and with that we can compile the code into an .apk file ourselves.
5.2- Compile into an Android Application Package File (.apk)

First off, be sure that you have git installed on your machine. If not, install it with:

$ sudo apt-get install git

After it is installed, clone the repository into a folder of your choice:

$ git clone git://github.com/intrepidusgroup/ig-learner.git

Next run Eclipse from the eclipse directory of our ADT bundle. Go to File &amp;gt; Import…, select “Existing Android Code Into Workspace” and hit Next. Browse to the cloned folder, make sure it is selected and hit Finish. Now we have the source code loaded into Eclipse, so the next thing to do is compile it into an .apk file. For that, simply right-click the project, go to Android Tools and select “Export Signed Application Package”.

Why do we need to export it as a signed application? Because Android requires that every installed application be digitally signed with a private key held by the developer. Android uses the signing certificate to identify the application’s author and to establish trust relationships between applications: only apps signed with the same key can share a user ID or signature-level permissions, and an update is accepted only when it is signed with the same key as the installed version. Note that our build will be signed with our own key, not the author’s, so if the application checks its own signing certificate at runtime, our rebuild will behave differently from the Marketplace version.

Select the project you wish to export, in our case “LessonSelectorActivity”, and click Next. Now we are asked whether we want to use an existing keystore or create one. We don’t have one yet, so create one: choose where to store it, give it a password of your choosing and hit Next. Now fill in the fields of the key as you wish; keep in mind that the export wizard requires a validity of at least 25 years. After you are satisfied, click Next. Finally, choose the destination folder and a name for the .apk file and hit Finish. Simple, right?

5.3- Install the Android Application Package File (.apk)

We now have an .apk to work with, yuppi!! But what should we do with it? Well, the answer is simple: let’s install it on our AVD.
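As an added example (not code from the original post, nor from the IG Learner project), here is the install step scripted around adb, covering the two situations the text mentions: several AVDs running at once, and an app that first has to be copied off a physical device (the scripted alternative to the file-manager backup in 5.1). It assumes the SDK’s platform-tools directory is on PATH as set up in section 3; the adb output, the package name com.example.app and the file names in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example for this tutorial (not from the original post or from
# Intrepidus): adb helpers for picking the right emulator, installing an
# .apk into it and pulling an installed .apk off a device. Assumes
# platform-tools is on PATH (section 3). Serials, package names and the
# sample adb output below are constructed placeholders.

# Check that both SDK directories from /etc/environment are really on PATH.
# A missing platform-tools entry is the usual cause of "adb: command not found".
check_sdk_on_path() {
    sdk="$1"
    for dir in "$sdk/platform-tools" "$sdk/tools"; do
        case ":$PATH:" in
            *":$dir:"*) ;;
            *) echo "PATH is missing $dir"; return 1 ;;
        esac
    done
    return 0
}

# Given the text printed by `adb devices`, print the serial of the first
# emulator in state "device" (booted and ready). Instances still booting are
# listed as "offline" and must be skipped, otherwise `adb install` fails.
pick_emulator_serial() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^emulator-[0-9]+$/ { if ($2 == "device") { print $1; exit } }
    '
}

# `adb shell pm path PKG` answers "package:/data/app/NAME.apk"; strip the
# prefix (and the CR that older adb shells append) so the path can be handed
# to `adb pull`. Prints nothing when the package is not installed.
parse_pm_path() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p' | head -n 1
}

# Block until the selected emulator reports that its boot has completed;
# `adb devices` lists it early, but installs fail until sys.boot_completed is 1.
wait_for_boot() {
    serial="$1"
    adb -s "$serial" wait-for-device
    until [ "$(adb -s "$serial" shell getprop sys.boot_completed | tr -d '\r')" = "1" ]; do
        sleep 2
    done
}

# Install an .apk into the first booted emulator. With several AVDs running
# this is the scripted form of `adb -s emulator-5554 install IG-Learner.apk`.
install_apk() {
    apk="$1"
    if [ ! -f "$apk" ]; then echo "no such file: $apk"; return 1; fi
    serial="$(pick_emulator_serial "$(adb devices)")"
    if [ -z "$serial" ]; then echo "no booted emulator found"; return 1; fi
    wait_for_boot "$serial"
    adb -s "$serial" install "$apk"
}

# Copy an installed app's .apk from a connected device to the host.
# PKG is the app's package name; DEST is the local file to write.
pull_installed_apk() {
    serial="$1"; pkg="$2"; dest="$3"
    remote="$(parse_pm_path "$(adb -s "$serial" shell pm path "$pkg")")"
    if [ -z "$remote" ]; then echo "$pkg is not installed on $serial"; return 1; fi
    adb -s "$serial" pull "$remote" "$dest"
}

# Demo on constructed adb output, so the parsing can be exercised without an
# SDK:  sh install.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample="$(printf 'List of devices attached\nemulator-5556\toffline\nemulator-5554\tdevice\n')"
    pick_emulator_serial "$sample"                              # emulator-5554
    parse_pm_path "package:/data/app/com.example.app-1.apk"     # /data/app/com.example.app-1.apk
fi
```

The only logic worth keeping in your head is in pick_emulator_serial and wait_for_boot: a freshly started AVD appears in adb devices as offline and then as device some time before the system has actually finished booting, and an install attempted in either of those windows fails, so the script waits on sys.boot_completed rather than on the device list.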
Be sure your AVD is running. To check that it is running and visible to adb, use:

$ adb devices

You should get something similar to the following image, showing that adb recognised our emulator (as emulator-5554). To install the .apk you simply need to do:

$ adb install IG-Learner.apk

Note: if we had more than one AVD running, we could target the installation at a specific one with:

$ adb -s &quot;emulator-5554&quot; install IG-Learner.apk

If the application installs successfully, adb reports Success, and you can also see the new application in the AVD, as the following image shows.

Pretty simple, right? That is all for this part. Feel free to create other AVDs and install other applications to practise what we did in part 2 of our Android series. In the next part we will talk about methodologies for testing Android applications, the OWASP Mobile Security Project and the tools we should know to help in our application tests.

References:
http://www.symantec.com
http://resources.infosecinstitute.com
Mobile Application Security for Dummies
http://developer.android.com</summary></entry></feed>