Huawei AppGallery - zollak/pentest-notes GitHub Wiki

Huawei App Gallery testing

Download apk: https://appgallery7.huawei.com/#/app/C27162

Install apk

Using emulator

List available devices:

MacBook-Pro:~ zollak$ avdmanager list avd | grep Name:
    Name: Nexus4_API15_Android4.0.3_x86
    Name: Nexus4_API16_Android4.1_x86
    Name: Nexus5X_API24_Andoid7.0_x86_64
    Name: Nexus6_API26_Android8.0_x86_64
    Name: Nexus_5X_API29_Android10.0_x86_64
    Name: Samsung_API17_Android4.2_x86
    Name: Samsung_API18_Android4.3_x86
    Name: Pixel3a_API23_Android6.0_x86_64

Try with API 29 (Android 10.0) x86_64 emulator image

MacBook-Pro:~ zollak$ emulator Nexus_5X_API29_Android10.0_x86_64

Architecture failure:

MacBook-Pro:test zollak$ adb install com.huawei.appmarket.2004241411.apk
Performing Streamed Install
adb: failed to install com.huawei.appmarket.2004241411.apk: Failure [INSTALL_FAILED_NO_MATCHING_ABIS: Failed to extract native libraries, res=-113]

Which architecture we have:

MacBook-Pro:test zollak$ apktool d com.huawei.appmarket.2004241411.apk
I: Using Apktool 2.3.1 on com.huawei.appmarket.2004241411.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /Users/zollak/Library/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Baksmaling classes2.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...

MacBook-Pro:test zollak$ ls -la com.huawei.appmarket.2004241411/lib/
total 0
drwxr-xr-x   5 zollak  staff  160 May 26 11:54 .
drwxr-xr-x  12 zollak  staff  384 May 26 11:54 ..
drwxr-xr-x   7 zollak  staff  224 May 26 11:54 arm64-v8a
drwxr-xr-x   7 zollak  staff  224 May 26 11:54 armeabi
drwxr-xr-x   7 zollak  staff  224 May 26 11:54 armeabi-v7a

Note: we only have ARM based architecture in the APK.

Install ARM 64 v8a System Image in Android Studio:

  • Google APIs ARM 64 v8a System Image (system-images;android-25;google_apis;arm64-v8a)

Preparing "Install Google APIs ARM 64 v8a System Image (revision: 17)". Downloading https://dl.google.com/android/repository/sys-img/google_apis/arm64-v8a-25_r17.zip

MacBook-Pro:test zollak$ avdmanager list avd | grep Name:
    Name: API25_Android_7.1.1_arm64-v8a
    Name: Nexus4_API15_Android4.0.3_x86
    Name: Nexus4_API16_Android4.1_x86
    Name: Nexus5X_API24_Andoid7.0_x86_64
    Name: Nexus6_API26_Android8.0_x86_64
    Name: Nexus_5X_API29_Android10.0_x86_64
    Name: Samsung_API17_Android4.2_x86
    Name: Samsung_API18_Android4.3_x86
    Name: Pixel3a_API23_Android6.0_x86_64
MacBook-Pro:test zollak$ emulator API25_Android_7.1.1_arm64-v8a

It was extremely slow...

Install ARM EABI v7a System Image in Android Studio:

  • Google APIs ARM EABI v7a System Image (system-images;android-25;google_apis;armeabi-v7a)

Preparing "Install Google APIs ARM EABI v7a System Image (revision: 17)". Downloading https://dl.google.com/android/repository/sys-img/google_apis/armeabi-v7a-25_r17.zip

It was extremely slow...

Using pyisical device

Try with Samsung GT-I9300 (S3), Android 4.

Device is rooted. Worked with Mac and Kali as well.

MacBook-Pro:test zollak$ adb devices
List of devices attached
32308610077521fb	device
emulator-5554	device

MacBook-Pro:test zollak$ adb -s 32308610077521fb shell
shell@m0:/ $ su
root@m0:/ # uname -a
Linux localhost 3.0.31-2713958 #1 SMP PREEMPT Wed Jul 16 17:22:49 KST 2014 armv7l GNU/Linux
root@m0:/ # exit
shell@m0:/ $ exit

MacBook-Pro:test zollak$ adb -s 32308610077521fb install com.huawei.appmarket.2004241411.apk
Performing Push Install
com.huawei.appmarket.2004241411.apk: 1 file pushed, 0 skipped. 10.9 MB/s (34688993 bytes in 3.040s)
	pkg: /data/local/tmp/com.huawei.appmarket.2004241411.apk
Failure [INSTALL_FAILED_OLDER_SDK]

Too old Android version...

Try with LG-M160, Android 6.0.1

Non-rooted device, but developer mode was enabled on the phone. It worked only with Kali. In adb on Mac did not recognized the phone.

root@alive # adb devices
List of devices attached
LGM160ad93067c	device

root@alive # adb shell
shell@lv1:/ $ uname -a
Linux localhost 3.10.49-g1731123 #1 SMP PREEMPT Tue Dec 5 12:57:59 KST 2017 armv7l
shell@lv1:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0

root@alive # adb install com.huawei.appmarket.2004241411.apk 
com.huawei.appmarket.2004241411.apk: 1 file pushed. 3.0 MB/s (34688993 bytes in 10.978s)
	pkg: /data/local/tmp/com.huawei.appmarket.2004241411.apk
Success

root@alive # adb shell pm list packages | grep huawei
package:com.huawei.appmarket

root@alive # adb shell pm path com.huawei.appmarket
package:/data/app/com.huawei.appmarket-1/base.apk

Finally uninstall the App Gallery application:

root@alive # adb uninstall com.huawei.appmarket
Success

Test phase 1

Remarks:

  • no Huawei ID required to use Huawei App Gallery application
  • it was possible to update package with Google Play if we installed app with App Gallery -> that shows that the application signed by the same developer and no additional content has been injected in the App Gallery store
  • the application content could be different based on the differences beetwen Google Play store and Huawei App Gallery

Cam Scanner

  1. Install app from App Gallery.
  2. Download app binary (APK) from device to further analysis.

root@alive # adb shell pm list packages | grep scan
package:com.intsig.camscanner

root@alive # adb shell pm path com.intsig.camscanner
package:/data/app/com.intsig.camscanner-1/base.apk

root@alive # adb pull /data/app/com.intsig.camscanner-1/base.apk com.intsig.camscanner.apk
/data/app/com.intsig.camscanner-1/base.apk: 1 file pulled. 3.8 MB/s (69349008 bytes in 17.531s)

root@alive # ls -la com.intsig.camscanner.apk
-rw-r--r-- 1 501 dialout 69349008 May 26  2020 com.intsig.camscanner.apk

version: 5.19.3.20200513

  1. Update app from Play Store.

It was detected the app has been installed already!


root@alive # adb shell pm list packages | grep scan
package:com.intsig.camscanner

Note: after update the package name was same. Only the path was different.

  1. Download app binary (APK) from device to further analysis.

root@alive # adb shell pm path com.intsig.camscanner
package:/data/app/com.intsig.camscanner-2/base.apk
package:/data/app/com.intsig.camscanner-2/split_config.armeabi.apk

root@alive # adb pull /data/app/com.intsig.camscanner-1/base.apk com.intsig.camscanner-1.apk
adb: error: remote object '/data/app/com.intsig.camscanner-1/base.apk' does not exist

root@alive # adb pull /data/app/com.intsig.camscanner-2/base.apk com.intsig.camscanner-2_base.apk
/data/app/com.intsig.camscanner-2/base.apk: 1 file pulled. 3.8 MB/s (51030822 bytes in 12.893s)
  1. Compare package content with Jadx GUI

MacBook-Pro:test1 zollak$ jadx-gui camscanner/com.intsig.camscanner.apk
MacBook-Pro:test1 zollak$ jadx-gui camscanner/com.intsig.camscanner-2_base.apk

Runtastic

  1. Install app from App Gallery.
  2. Download app binary (APK) from device.

root@alive # adb shell pm list packages | grep run
package:com.runtastic.android
root@alive # adb shell pm path com.runtastic.android
package:/data/app/com.runtastic.android-1/base.apk
root@alive # adb pull /data/app/com.runtastic.android-1/base.apk com.runtastic.android-appgallery.apk
  1. Update app from Play Store.
  2. Download app binary (APK) from device .

root@alive # adb shell pm list packages | grep run
package:com.runtastic.android
root@alive # adb shell pm path com.runtastic.android
package:/data/app/com.runtastic.android-2/base.apk
package:/data/app/com.runtastic.android-2/split_config.armeabi_v7a.apk
package:/data/app/com.runtastic.android-2/split_config.en.apk
package:/data/app/com.runtastic.android-2/split_config.hdpi.apk
root@alive # adb pull /data/app/com.runtastic.android-2/base.apk com.runtastic.android-base.apk

Test phase 2

The main differences between phase1 and phase 2 are the method of the second install. In case of the phase 1 was update from store but in phase2 it was reinstall after remove.

Remarks:

  • The application path was same (that is the only differences between phase 1 and phase 2)
  • Signature validation showed that, the application did not changed and came from the same developer.

Cam Scanner

  1. Install application from App Gallery
root@alive # mkdir -p camscanner/{appgallery,googleplay}

root@alive # cd camscanner/appgallery/

root@alive # adb devices
List of devices attached
LGM160ad93067c	device

root@alive # adb shell pm list packages | grep scan

root@alive # adb shell pm list packages | grep scan
package:com.intsig.camscanner

root@alive # adb shell pm path com.intsig.camscanner
package:/data/app/com.intsig.camscanner-1/base.apk

root@alive # adb pull /data/app/com.intsig.camscanner-1/base.apk
/data/app/com.intsig.camscanner-1/base.apk: 1 file pulled. 3.5 MB/s (69349008 bytes in 18.833s)

root@alive # adb uninstall com.intsig.camscanner
Success

root@alive # adb shell pm list packages | grep scan

root@alive #
  1. Install application from Google Play
root@alive # cd ../googleplay/

root@alive # adb shell pm list packages | grep scan

root@alive # adb shell pm list packages | grep scan
package:com.intsig.camscanner

root@alive # adb shell pm path com.intsig.camscanner
package:/data/app/com.intsig.camscanner-1/base.apk
package:/data/app/com.intsig.camscanner-1/split_config.armeabi.apk

root@alive # adb pull /data/app/com.intsig.camscanner-1/base.apk
/data/app/com.intsig.camscanner-1/base.apk: 1 file pulled. 3.7 MB/s (51030822 bytes in 13.045s)

root@alive # adb pull /data/app/com.intsig.camscanner-1/split_config.armeabi.apk
/data/app/com.intsig.camscanner-1/split_config.armeabi.apk: 1 file pulled. 3.6 MB/s (22251450 bytes in 5.963s)

root@alive # adb uninstall com.intsig.camscanner
Success

root@alive # adb shell pm list packages | grep scan

root@alive #
  1. Compare signing

The line with SHA1 is an SHA1 representation of the signing key (certificate). You can compare the two SHA1 lines. If the SHA1s match, the signing key are equivalent.

root@alive # cd ../appgallery/

root@alive # unzip -l base.apk | grep .RSA
     1017  1980-00-00 00:00   META-INF/CERT.RSA

root@alive # unzip -j base.apk META-INF/CERT.RSA -d .
Archive:  base.apk
  inflating: ./CERT.RSA

root@alive # keytool -printcert -file CERT.RSA | tee cert_appgallery.txt
Owner: CN=IntSig, OU="IntSig Information Co.,Ltd", O=www.intsig.com, L=Shanghai, ST=Shanghai, C=CN
Issuer: CN=IntSig, OU="IntSig Information Co.,Ltd", O=www.intsig.com, L=Shanghai, ST=Shanghai, C=CN
Serial number: 4b453cfa
Valid from: Thu Jan 07 02:46:34 CET 2010 until: Fri Oct 10 03:46:34 CEST 2064
Certificate fingerprints:
	 SHA1: 35:73:B5:3F:EB:45:B6:BC:34:F5:6A:BC:AE:55:84:C0:07:1D:F8:54
	 SHA256: 7F:B4:C4:F7:89:B7:25:8F:C6:3D:30:0A:8E:94:F3:93:A6:A8:EC:2F:29:D8:6D:D0:CA:FD:1F:36:34:7E:A2:3F
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3

root@alive # cd ../googleplay/

root@alive # unzip -l base.apk | grep .RSA
     1017  1980-00-00 00:00   META-INF/BNDLTOOL.RSA
 
root@alive # unzip -l split_config.armeabi.apk | grep .RSA
     1009  1980-00-00 00:00   META-INF/BNDLTOOL.RSA

root@alive # unzip -j base.apk META-INF/BNDLTOOL.RSA -d .
Archive:  base.apk
  inflating: ./BNDLTOOL.RSA          

root@alive # unzip split_config.armeabi.apk META-INF/BNDLTOOL.RSA
Archive:  split_config.armeabi.apk
  inflating: META-INF/BNDLTOOL.RSA   

root@alive # diff BNDLTOOL.RSA META-INF/BNDLTOOL.RSA
Binary files BNDLTOOL.RSA and META-INF/BNDLTOOL.RSA differ

root@alive # keytool -printcert -file BNDLTOOL.RSA | tee cert_googleplay_base.txt
Owner: CN=IntSig, OU="IntSig Information Co.,Ltd", O=www.intsig.com, L=Shanghai, ST=Shanghai, C=CN
Issuer: CN=IntSig, OU="IntSig Information Co.,Ltd", O=www.intsig.com, L=Shanghai, ST=Shanghai, C=CN
Serial number: 4b453cfa
Valid from: Thu Jan 07 02:46:34 CET 2010 until: Fri Oct 10 03:46:34 CEST 2064
Certificate fingerprints:
	 SHA1: 35:73:B5:3F:EB:45:B6:BC:34:F5:6A:BC:AE:55:84:C0:07:1D:F8:54
	 SHA256: 7F:B4:C4:F7:89:B7:25:8F:C6:3D:30:0A:8E:94:F3:93:A6:A8:EC:2F:29:D8:6D:D0:CA:FD:1F:36:34:7E:A2:3F
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3

root@alive # keytool -printcert -file META-INF/BNDLTOOL.RSA | tee cert_googleplay_split_config.armeabi.txt
Owner: CN=IntSig, OU="IntSig Information Co.,Ltd", O=www.intsig.com, L=Shanghai, ST=Shanghai, C=CN
Issuer: CN=IntSig, OU="IntSig Information Co.,Ltd", O=www.intsig.com, L=Shanghai, ST=Shanghai, C=CN
Serial number: 4b453cfa
Valid from: Thu Jan 07 02:46:34 CET 2010 until: Fri Oct 10 03:46:34 CEST 2064
Certificate fingerprints:
	 SHA1: 35:73:B5:3F:EB:45:B6:BC:34:F5:6A:BC:AE:55:84:C0:07:1D:F8:54
	 SHA256: 7F:B4:C4:F7:89:B7:25:8F:C6:3D:30:0A:8E:94:F3:93:A6:A8:EC:2F:29:D8:6D:D0:CA:FD:1F:36:34:7E:A2:3F
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3

There is no differences between certs:

root@alive # diff appgallery/cert_appgallery.txt googleplay/cert_googleplay_base.txt 
root@alive # diff appgallery/cert_appgallery.txt googleplay/cert_googleplay_split_config.armeabi.txt 
root@alive #

Runtastic application review

  1. Install application from Google Play

root@alive # mkdir -p runtastic/{appgallery,googleplay}
root@alive # cd runtastic/googleplay/
root@alive # adb shell pm list packages | grep run
root@alive # adb shell pm list packages | grep run
package:com.runtastic.android
root@alive # adb shell pm path com.runtastic.android
package:/data/app/com.runtastic.android-1/base.apk
package:/data/app/com.runtastic.android-1/split_config.armeabi_v7a.apk
package:/data/app/com.runtastic.android-1/split_config.en.apk
package:/data/app/com.runtastic.android-1/split_config.hdpi.apk
root@alive # adb shell 'ls /data/app/com.runtastic.android-1/*.apk' | tr -d '\r'| sed -e 's/^\///' | xargs -n1 adb pull
data/app/com.runtastic.android-1/base.apk: 1 file pulled, 0 skipped. 5.9 MB/s (39777595 bytes in 6.453s)
data/app/com.runtastic.android-1/split_config.armeabi_v7a.apk: 1 file pulled, 0 skipped. 6.0 MB/s (2369211 bytes in 0.378s)
data/app/com.runtastic.android-1/split_config.en.apk: 1 file pulled, 0 skipped. 4.4 MB/s (37210 bytes in 0.008s)
data/app/com.runtastic.android-1/split_config.hdpi.apk: 1 file pulled, 0 skipped. 5.8 MB/s (281764 bytes in 0.046s)
root@alive # adb uninstall com.runtastic.android
Success
root@alive # adb shell pm list packages | grep run
root@alive #
  1. Install application from App Gallery
root@alive # cd ../appgallery/
root@alive # adb shell pm list packages | grep run
root@alive # adb shell pm list packages | grep run
package:com.runtastic.android
root@alive # adb shell pm path com.runtastic.android
package:/data/app/com.runtastic.android-1/base.apk
root@alive # adb pull /data/app/com.runtastic.android-1/base.apk
/data/app/com.runtastic.android-1/base.apk: 1 file pulled. 3.8 MB/s (54486182 bytes in 13.626s)
root@alive # adb uninstall com.runtastic.android
Success
root@alive # adb shell pm list packages | grep run
root@alive #
  1. Compare signing
root@alive # cd ../appgallery/
root@alive # unzip -l base.apk | grep .RSA
      763  1980-00-00 00:00   META-INF/CERT.RSA
root@alive # unzip -j base.apk META-INF/CERT.RSA -d .
Archive:  base.apk
  inflating: ./CERT.RSA              
root@alive # keytool -printcert -file CERT.RSA | tee cert_appgallery.txt
Owner: O=runtastic, L=Linz, C=AT
Issuer: O=runtastic, L=Linz, C=AT
Serial number: 4be4323a
Valid from: Fri May 07 17:31:06 CEST 2010 until: Sun Apr 29 17:31:06 CEST 2040
Certificate fingerprints:
	 SHA1: 4C:2E:6F:55:DF:0C:D6:C6:14:23:26:25:39:BF:F5:58:88:F1:82:3D
	 SHA256: 08:C2:C1:B4:8F:63:32:87:E7:2F:1F:29:F0:FE:66:43:48:B3:FC:E4:C1:2D:DC:8C:AF:A6:64:94:26:8D:94:27
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3

root@alive # cd ../googleplay/
root@alive # unzip -l base.apk | grep .RSA
      763  1980-00-00 00:00   META-INF/BNDLTOOL.RSA
root@alive # unzip -l split_config.armeabi_v7a.apk | grep .RSA
      755  1980-00-00 00:00   META-INF/BNDLTOOL.RSA
root@alive # unzip -l split_config.en.apk | grep .RSA
      755  1980-00-00 00:00   META-INF/BNDLTOOL.RSA
root@alive # unzip -l split_config.hdpi.apk | grep .RSA
      755  1980-00-00 00:00   META-INF/BNDLTOOL.RSA
root@alive # mkdir {base,split_config.armeabi_v7a,split_config.en,split_config.hdpi}
root@alive # unzip -j base.apk META-INF/BNDLTOOL.RSA -d base/
Archive:  base.apk
  inflating: base/BNDLTOOL.RSA       
root@alive # unzip -j split_config.armeabi_v7a.apk META-INF/BNDLTOOL.RSA -d split_config.armeabi_v7a/
Archive:  split_config.armeabi_v7a.apk
  inflating: split_config.armeabi_v7a/BNDLTOOL.RSA 
root@alive # unzip -j split_config.en.apk META-INF/BNDLTOOL.RSA -d split_config.en/
Archive:  split_config.en.apk
  inflating: split_config.en/BNDLTOOL.RSA  
root@alive # unzip -j split_config.hdpi.apk META-INF/BNDLTOOL.RSA -d split_config.hdpi/
Archive:  split_config.hdpi.apk
  inflating: split_config.hdpi/BNDLTOOL.RSA
root@alive # for i in $(find . -name '*.RSA' -exec ls {} \;);do keytool -printcert -file $i > $i.crt ;done
root@alive # find . -name '*.crt' -exec ls -la {} \;
-rw-r--r-- 1 501 dialout 466 May 28 16:49 ./split_config.en/BNDLTOOL.RSA.crt
-rw-r--r-- 1 501 dialout 466 May 28 16:49 ./split_config.hdpi/BNDLTOOL.RSA.crt
-rw-r--r-- 1 501 dialout 466 May 28 16:49 ./split_config.armeabi_v7a/BNDLTOOL.RSA.crt
-rw-r--r-- 1 501 dialout 466 May 28 16:49 ./base/BNDLTOOL.RSA.crt

root@alive # diff appgallery/cert_appgallery.txt googleplay/base/BNDLTOOL.RSA.crt 
root@alive # diff appgallery/cert_appgallery.txt googleplay/split_config.armeabi_v7a/BNDLTOOL.RSA.crt 
root@alive # diff appgallery/cert_appgallery.txt googleplay/split_config.en/BNDLTOOL.RSA.crt 
root@alive # diff appgallery/cert_appgallery.txt googleplay/split_config.hdpi/BNDLTOOL.RSA.crt
⚠️ **GitHub.com Fallback** ⚠️