Android – Information Security Newspaper | Hacking News
https://www.securitynewspaper.com

Exploiting Android App Pin feature to steal money from mobile wallets apps
https://www.securitynewspaper.com/2023/09/12/exploiting-android-app-pin-feature-to-steal-money-from-mobile-wallets-apps/
Tue, 12 Sep 2023 22:30:28 +0000
A sufficiently determined intruder could exploit a security hole in the Android App Pin feature to make illegal purchases with Google Wallet. The vulnerability lets an attacker read the full card number and expiration date from a locked device. To exploit the flaw, tracked as CVE-2023-35671, the attacker needs physical access to the victim's device; they then put the device into App Pin mode and hold it close to an NFC reader. Once the card data has been read, it can be used to make an unauthorized payment.
The vulnerability was discovered by ethical hacker Tiziano Marra. CVE-2023-35671 is not a typical security flaw: at its core is an information disclosure bug, a ticking time bomb of sorts, that stems from a logic error in the code. The consequence is that an attacker gains the pernicious ability to harvest the full card number together with the card's expiry data.

The vulnerability is reached through the Android App Pin feature. Android app pinning was originally called 'screen pinning' when it was introduced with Android 5.0 Lollipop (API level 21) on November 12, 2014. On Android smartphones, this security feature gives users more control over their privacy and the protection of their data.

App pinning lets users restrict their mobile device to a single program, effectively cutting off access to other apps and sensitive data. The capability is useful wherever a tightly focused work environment, a public terminal, or a shared device is required. It stops unauthorized users from reaching personal data, programs, and settings, which contributes to a more secure digital experience overall.

Implementing app pinning as a method of application management typically involves the following steps:

Enabling App Pinning: Users enable the feature by opening the Settings menu on their smartphone, selecting Security and Privacy, then More Security Settings, and then the App Pinning option. Once it is enabled, users can choose whichever app they want to pin.

Entering Pinned Mode: Launching the chosen application is the first step; users then enter pinned mode, which locks the device to that app's user interface until pinning is exited.

In Pinned Mode: You cannot interact with any other application, since all other apps are temporarily hidden from view. If you try to switch to another app, open notifications, or perform any other function while the pinned app is open, the device reminds you that you are in pinned mode and keeps you there.

Exiting Pinned Mode: Users usually have to provide an extra layer of authentication to leave this mode, by entering a pre-set PIN, pattern, or password, or by biometric recognition (such as fingerprint or face recognition). This additional layer of security ensures that only authorized users can leave the pinned app environment.

Pinning an Android app has several advantages, including the following:

Privacy and Security: Pinned mode protects users' privacy and security by preventing unwanted access to private information, data, and programs that are considered particularly sensitive.

Public Terminals: App pinning is important in scenarios such as kiosks or shared devices, since confining users to a single program reduces the risk of unauthorized access and data exposure. This is done by pinning the application to the home screen of the device.

Focus and Productivity: Users can create focused work environments by restricting the device to a single task-oriented application, which can increase their productivity.

Parental Controls: Pinning an app to the home screen lets parents limit their children's access to only those games and programs that are age-appropriate or educational.

In short, Android app pinning, formerly called "screen pinning", was introduced with Android 5.0 Lollipop and offers comprehensive control over the device's functionality and access. By designating a single app as the only one that can be used, and by requiring authentication to leave that mode, it provides increased security, privacy, and focused interaction with digital content.

A logic error in the code makes it possible for a general-purpose NFC reader to read the full card number and expiration date even while the device's screen is locked. The problem lies in the onHostEmulationData method of HostEmulationManager.java. It can lead to local information disclosure with no additional execution privileges needed, and exploitation requires no user interaction.

Google rates the severity of this vulnerability as High. Along with his findings, the researcher also submitted a proof-of-concept attack, which underlined the seriousness of this high-severity vulnerability.
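The platform bug above sits in the NFC framework, but a wallet-style app can add its own layer of defence. The following host-card-emulation service is an added example (not code from the article, from Android, or from Google Wallet; the class name and the buildCardRecord() helper are hypothetical) that refuses to answer a reader while the keyguard is locked or the device is held in lock-task (App Pin) mode:

```java
// Added example: an HCE service that withholds card data whenever the device
// is locked or pinned. Not from the article, Android, or Google Wallet.
// buildCardRecord() is a hypothetical stand-in that returns a constructed
// placeholder rather than a real card number or expiry date.
import android.app.ActivityManager;
import android.app.KeyguardManager;
import android.content.Context;
import android.nfc.cardemulation.HostApduService;
import android.os.Bundle;
public class GuardedCardService extends HostApduService {
    // ISO 7816-4 status words: success, and "security status not satisfied".
    private static final byte[] SW_OK = {(byte) 0x90, (byte) 0x00};
    private static final byte[] SW_SECURITY_NOT_SATISFIED = {(byte) 0x69, (byte) 0x82};

    @Override
    public byte[] processCommandApdu(byte[] commandApdu, Bundle extras) {
        if (!deviceIsUnlockedAndNotPinned()) {
            // Never disclose PAN/expiry while the user may not control the device.
            return SW_SECURITY_NOT_SATISFIED;
        }
        byte[] record = buildCardRecord();
        byte[] response = new byte[record.length + SW_OK.length];
        System.arraycopy(record, 0, response, 0, record.length);
        System.arraycopy(SW_OK, 0, response, record.length, SW_OK.length);
        return response;
    }

    // Runtime check layered on top of android:requireDeviceUnlock="true" in the
    // service's <host-apdu-service> metadata, which makes the framework itself
    // hold APDUs back until the keyguard is dismissed. Pinned mode is treated
    // as untrusted for payments here; that is a conservative, assumed policy.
    private boolean deviceIsUnlockedAndNotPinned() {
        KeyguardManager km = (KeyguardManager) getSystemService(Context.KEYGUARD_SERVICE);
        ActivityManager am = (ActivityManager) getSystemService(Context.ACTIVITY_SERVICE);
        boolean locked = km != null && km.isDeviceLocked();
        boolean pinned = am != null
                && am.getLockTaskModeState() != ActivityManager.LOCK_TASK_MODE_NONE;
        return !locked && !pinned;
    }

    @Override
    public void onDeactivated(int reason) {
        // The reader left the field or another service was selected.
    }
    // Constructed placeholder; a real service would build the card record here.
    private byte[] buildCardRecord() {
        return "CARD-RECORD-PLACEHOLDER".getBytes();
    }
}
```

The service still has to be declared in the manifest with the NFC HCE metadata for Android to route APDUs to it; the runtime check only narrows what it will answer once selected.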

Use your Mobile phone to start Basic Pentesting
https://www.securitynewspaper.com/2020/01/08/use-your-mobile-phone-to-start-basic-pentesting/
Wed, 08 Jan 2020 13:15:51 +0000
Android is the most popular mobile operating system. It offers a wealth of options, from customizing the user experience to installing apps to suit your needs; some require rooting the Android device, while others work on non-rooted devices. Here we show an Android application that provides the basic functionality to start pentesting from your mobile phone. This testing involves basic network utilities such as checking a web application's destination IP address, tracerouting a website, Whois queries, DNS lookup, netcat, and many other features that are commonly needed for basic network or website pentesting. According to an ethical hacking researcher at the International Institute of Cyber Security, Network Manager can be a handy app for starting very basic pentesting. Here is how to use the app:

  • For testing we use a Xiaomi Redmi Note 4 running Android 7.0 Nougat.
  • Download the APK from https://play.google.com/store/apps/details?id=com.eakteam.networkmanager.free&hl=en
  • The app also comes in a paid version, but you can do many tasks with the free one.
  • Simply download and install the Network Manager APK.
  • Then open the Network Manager app.
[Screenshot: Home Screen]
  • Network Manager shows basic IP details.
[Screenshot: Network Manager APK]
  • Network Manager offers many features for diagnosing any local network.
[Screenshot: Network Manager Features]
  • Start with the Universal Scanner. It offers options such as IP lookup, DNS lookup, SSL/TLS analyzer, port scanner, Whois, and traceroute.
[Screenshot: Network Manager – Universal Scanner]
  • We scanned hack.me to show how Network Manager works. The Universal Scanner can be used to gather basic information about any website.
  • Such information is useful in the information-gathering phase of a pentest.
  • Gathering details with Whois.
[Screenshot: Whois Details]
  • Whois is the first step in learning anything about a URL. It returns the website's registration details, hosting domain, and so on.
  • Network Manager also offers an option to connect over SSH.
  • For testing we connected to a Linux system. To connect, enter the username and password.
[Screenshot: SSH Connection]
  • Click Connect; as soon as you do, a terminal session opens.
[Screenshot: SSH Connection Established]
  • SSH can be used to access any server from any location.
  • Checking the speed test with Network Manager.
[Screenshot: Check the Speedtest]
  • Running a speed test before gathering information can be helpful.
  • Using the Web Crawler in Network Manager. It keeps crawling until stopped.
[Screenshot: Web Crawler]
  • A web crawler is needed for finding bugs in a website. The crawler shows all external and internal links, and even the images, files, and scripts found while crawling the site.
  • Find the ARP cache. This helps to see how many users are connected to the network.
[Screenshot: ARP Cache]
  • The screenshot above shows the connected users with their MAC addresses. An attacker can gather MAC addresses from the network, which can be used in ARP-poisoning attacks.
  • Checking a URL with Network Manager before opening it in the browser.
[Screenshot: URL Check Safe Browsing]
  • The screenshot above shows that hackthissite.org is safe to visit. Users can use URL Check Safe Browsing to check any suspicious URL.
  • Analyzing SSL: checking whether a URL is secured with SSL or not.
[Screenshot: SSL Analyzer]
  • The screenshot above shows the SSL certificate version and the SSL cipher.
  • Another option is the Port Scanner, which shows the open ports of the target URL. Certifiedhacker.com is used for testing.
[Screenshot: Port Scanner]
  • The screenshot above shows the open ports of certifiedhacker.com. The more ports are open, the more exposed the website may be.
  • The IP Calculator can also be used to find out how many hosts a network can accommodate.
[Screenshot: IP Calculator]
  • The screenshot above shows 254 available addresses.
