
Black hat android?

Discussion in 'Black Hat SEO Tools' started by 4starsoftware, Jun 18, 2012.

  1. 4starsoftware

    4starsoftware Newbie

    Joined:
    Nov 16, 2011
    Messages:
    46
    Likes Received:
    16
    Just wondering, partly because I'm learning to program apps, are there currently any BH Android apps? I've looked and haven't found any. Any that you'd like to see available?
     
  2. Dally

    Dally Junior Member

    Joined:
    Dec 9, 2010
    Messages:
    151
    Likes Received:
    64
    Location:
    UK
    What would you mean by a black hat Android app? Do you mean like bots and stuff or apps created by people on BlackHatWorld?
     
  3. smash-wear.nl

    smash-wear.nl Regular Member

    Joined:
    Jun 10, 2009
    Messages:
    223
    Likes Received:
    77
    Sounds nice, GPS position hack.
     
  4. 4starsoftware

    4starsoftware Newbie

    Joined:
    Nov 16, 2011
    Messages:
    46
    Likes Received:
    16
    Both, actually. I use my Droid a lot and would like to see if I could do some of my bookmarking, pinging and keyword research on it. Haven't seen those kinds of apps.
     
  5. Chris22

    Chris22 Regular Member

    Joined:
    Sep 29, 2010
    Messages:
    400
    Likes Received:
    1,059
    Haven't been developing, but I've been doing a good deal of reverse engineering work with Android lately.
     
  6. 4starsoftware

    4starsoftware Newbie

    Joined:
    Nov 16, 2011
    Messages:
    46
    Likes Received:
    16
    Interesting, can you elaborate at all about what you've been reverse engineering?

     
  7. Chris22

    Chris22 Regular Member

    Joined:
    Sep 29, 2010
    Messages:
    400
    Likes Received:
    1,059
    Been digging around the internals of some popular apps looking for ways to bank from them, particularly instant messaging clients such as dating/flirting apps. The goal is to be able to connect to these networks via a desktop connection for now.
     
  8. markhenry121

    markhenry121 Elite Member

    Joined:
    Oct 14, 2011
    Messages:
    2,149
    Likes Received:
    239
    From the Google app market, I downloaded and checked it, it's working. It's a paid version, you can check this:

    play.google.com/store/apps/details?id=com.wMYBLACKHATWORLDFORUMAPP
     
  9. Dally

    Dally Junior Member

    Joined:
    Dec 9, 2010
    Messages:
    151
    Likes Received:
    64
    Location:
    UK
    That is actually genius... I'm pretty sure you can do the same thing by spoofing traffic on iOS.
     
  10. Chris22

    Chris22 Regular Member

    Joined:
    Sep 29, 2010
    Messages:
    400
    Likes Received:
    1,059
    I started my research with iOS, mainly because I have an iPhone. The biggest problem I ran into though was that iOS apps are harder to reverse engineer because all function calls are routed through msgSend(), and you end up with a really annoying/worthless call graph.

    I'll probably release a few tools on here once I'm done :d
     
  11. Dally

    Dally Junior Member

    Joined:
    Dec 9, 2010
    Messages:
    151
    Likes Received:
    64
    Location:
    UK
    Can you not just record the traffic going to and from the iPhone and then see whether it is possible to exploit it? Ah, I thought they might be, Apple are pretty strict usually.

    Would be awesome if you could, always something that I've looked at getting into.
     
  12. Chris22

    Chris22 Regular Member

    Joined:
    Sep 29, 2010
    Messages:
    400
    Likes Received:
    1,059
    You can, but sometimes you hit a security roadblock, so you need to dig deeper :p

    Instagram, for example, encodes their postdata (for account creation) like this:
    (HMAC-SHA256 hash of the postdata).{postdata as JSON}

    So in this case, replicating an HTTP request is not enough. (You also need to install your own security certificate on the iPhone so that you can decrypt HTTPS traffic.)

    The key they use for the hash was returned from a function written in native code. Once you reach this point and find the key you can sign your own requests making them look authentic.

    It's not a case of Apple being strict either, it's just poor language design (in my view)
     
    Last edited: Jun 19, 2012
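
An added example, not part of the original thread and not Instagram's code: a server-side check of the `<HMAC-SHA256>.<JSON>` body format described in the post above, showing what the signature does and does not prove. The key value, the hex encoding of the digest, the field names and the function names are assumptions.

```python
import hashlib
import hmac
import json

# Constructed placeholder key; the thread does not give a key value.
SHARED_KEY = b"constructed-demo-key-not-a-real-one"


def sign_body(payload: dict, key: bytes = SHARED_KEY) -> str:
    """Build '<hex HMAC-SHA256 of JSON>.<JSON>' (hex digest is an assumption)."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True)
    mac = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{mac}.{body}"


def verify_body(signed: str, key: bytes = SHARED_KEY):
    """Server-side check: return the parsed payload, or None if rejected."""
    # Split at the first dot only: the JSON itself may contain dots.
    mac_hex, sep, body = signed.partition(".")
    if not sep or len(mac_hex) != 64:
        return None
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison; the body is not parsed until the MAC matches.
    if not hmac.compare_digest(mac_hex.lower().encode("utf-8"),
                               expected.encode("ascii")):
        return None
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return None


def demo():
    """Run the check over constructed sample requests."""
    sample = {"username": "alice", "email": "alice@example.com"}
    signed = sign_body(sample)
    return {
        "intact": verify_body(signed),                          # accepted
        "tampered": verify_body(signed.replace("alice", "mallory")),
        "wrong_key": verify_body(sign_body(sample, key=b"some-other-key")),
        "malformed": verify_body("no-separator-here"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check binds the body to the key, not to a device or an account: because the same key ships inside every copy of the client, a valid MAC only shows that the sender holds that key, so the server still needs per-account or per-session controls behind it.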
  13. Dally

    Dally Junior Member

    Joined:
    Dec 9, 2010
    Messages:
    151
    Likes Received:
    64
    Location:
    UK
    Oh right, I bet that hash is pretty hard to decrypt, isn't it? Have you found the key for any applications? I'm thinking about whether or not I want to embark on what sounds like a pretty big project myself.

    Is Android the same or are they more relaxed about security compared with Apple?
     
  14. Chris22

    Chris22 Regular Member

    Joined:
    Sep 29, 2010
    Messages:
    400
    Likes Received:
    1,059
    It's not about breaking the hash, it was about finding the key so I could sign the data myself.

    This is app specific. Different apps have different security measures in place, some have none at all.

    I was just giving that as an example :p