2019-04-22 ../../

Lab on IG Learner APK

Table of Contents

1 Lab Goals

The purpose of this lab is (i) Learn more of Android Internals related to security.

2 Background

  1. This is a lab in the course on Android Internals and Security.
  2. This is a "capture the flag" style trainer app. See Refs for "What is CTF?"
  3. IG Learner is an app released at Shmoocon 2013 by Intrepidus Group. It was on Google Play last time (2015) I checked, but not in 2016.
  4. FOSS http://github.com/intrepidusgroup/ig-learner. Studying the source code of IG Learner is expected. It can be built by us. But non-trivial to do so. Web search: https://www.google.com/search?&q=ig-learner.apk
  5. Here is a local link for our use in this lab, downloaded from "somewhere". [I checked the APK to some extent, and I believe it to be harmless. You may want to try it first in an AVD.] It does not require a rooted device.
    1. IG-Learner.APK 285592 bytes; md5sum = 693051abdf0f7034a64527762240af21; sha1sum = 37f2bc34 af48b99f c34d382d d2dcb8c2 ac0a01ca; sha256sum = 5ee56c83 641c6ec7 66e677d3 4df3b8c1 c15c2fc9 2b9685de 371963be 1be7420c

3 Tasks

  1. The IG-Learner app is divided into 8 lessons, shown below as Tasks. Feel free to go through the lessons in any order you wish. Walk through before beginning to work on it as a "lab".
  2. Tapping on a Lesson # displays a "see the instructions" button. Click on it to read a task to do. You are expected to finish the task and submit your answer at the bottom. The instructions are summarized below.


Figure 1: Screenshot of IG-Learner Opening

3.1 Task: Android Logging Secrets

This exercise is about Android’s logging. Learn logcat cmd. In the middle of the log that this app generates is the line you are tasked to find.

3.2 Task: Screwy File Permissions

The app creates a world-readable file. Your task is to find its full path name.

3.3 Task: URI Handlers Craziness

Click on the "Request URI", and a hyperlink will be displayed in the WebView window. When you click on the hyperlink, you will see that it is LOCKED. Your task is to get this unlocked.

The decompiled class of this activity is ok, but non-trivial to see what is happening when we click on the generated link.

3.4 Task: SSL Man in the Middle

Your task is to intercept the token sent by this app to a web server via https (http over SSL, not plain http). So, you need to find a way to decrypt the traffic.

3.5 Task: Advanced MITM

This lesson requires that you understand digital certificates, pinning, and the Man-in-the-Middle exploit. The app has hardcoded with the fingerprint of the certificate issued by a valid server. It will find that the received certificate does not match the fingerprint. Your task is to bypass this error.

3.6 Task: Encryption vs Encraption

This exercise concentrates on key management and why relying on client-side encryption to generate secrets is not a good idea. The Lesson6Activity class has encryptNumberWithAES(). It uses AES, with a hard coded key.

3.7 Task: Providers Shared with the World

Look up what content providers are. Data leakage is the focus of this lesson. Examine the details of permissions and the authority of com.intrepidusgroup.learner.contentprovider Construct/ Discover the Content URI for this.

3.8 Task: Malicious Intent

We wish to manipulate an Intent so that a hidden activity gets displayed. You need to figure out how the intent is parsed and checked.

4 Submission

  1. Submit into Pilot dropbox named IG-Learner.

4.1 Standard Deliverables

  1. Your answers to any five of the exercises presented by IG-learner. Include a page or so of how you arrived at your answers.
  2. Related annotated screenshots.

4.2 Bonus Deliverables

  1. Your answers to all eight of the exercises and annotated screenshots.
  2. Get all eight correct and get an A. On your own (no surfing, no external help). It will be hard for me to not give you an A in the course.


This version (Apr 22, 2019) is an editorial revision of what was online as of Mar 2019.

6 References

  1. IG Learner APK
    1. http://github.com/intrepidusgroup/ig-learner Source repository. Required Browsing.
    2. https://www.nccgroup.trust/us/about-us/resources/ig-learner-walkthrough/ This is a nicely detailed walk through. May 2015. Uses Mercury/ drozer tool. Recommended Reading.
    3. sahisvrg@gmail.com, YouTube video playlist on IG-Learner, 2015. Do include a review in your report. Recommended Watching.
    4. http://blog.isis.poly.edu/ctf/2013/03/03/android-security-101-ig-learner/ is a tutorial titled "Android Security 101 – IG Learner" Mar 3, 2013 by nitin.jami, with a byline of "5 minute read" {pmateti: haha!}. This only discusses the first 3 "lessons" of the APK. Required Reading.
    5. http://infosecevents.net/2013/03/04/2819/ has/had several links related to IG-Learner, but no longer working. {pmateti: archive.org}
  2. Tim Harmon, Cyber Security Capture The Flag (CTF): What Is It?, September 2016, Cisco Blogs.
  3. Mercury/ Drozer https://github.com/mwrlabs/drozer "Drozer (formerly Mercury) is the leading security testing framework for Android." 2013. {pmateti: MS Thesis anyone?}

7 End

Copyright © 2019 Dr Prabhaker Mateti • 2019-04-22