Android Security by Ravi Rai

Post on 11-Apr-2017

Category: Engineering

TRANSCRIPT

Android Security
By Ravi Rai

Google Android
Linux + Java + Google's magic = Android
Open distribution model

Android Market, Amazon Appstore, Verizon V Cast

Application capabilities are granted by permission

User setting to allow or block installation from unknown sources (apps that do not come from a store)

Rooting

Key Terms
DVM: every application runs inside its own instance of the Dalvik Virtual Machine. (Since Android 5.0 the Android Runtime, ART, has replaced Dalvik, but it consumes the same bytecode format.)
The DVM executes bytecode packaged in .dex (Dalvik Executable) files.

You can use the utility shipped with the SDK itself, adb (Android Debug Bridge).
Basic commands
# adb devices (list all connected devices and emulators)
# adb shell (open an interactive shell on the device)
# ps (inside the shell: list all running processes)

File System
Binaries (commands): /system/bin, /system/xbin
Application data: /data/data/<package>
Installed applications: /data/app
Paid (copy-protected) applications: /data/app-private

Android package (.apk)
Default extension of an Android application. It is an archive (ZIP format) containing all the files and folders the app needs; its contents can be extracted with 7-Zip or WinRAR.

APK file structure
APK
  classes.dex
  AndroidManifest.xml
  resources.arsc
  res/
  assets/
  lib/
  META-INF/

Screen Lock / Pattern Lock Cracking
Location of the pattern lock and screen lock files: /data/system
# cd /data/system
# ls
gesture.key  password.key
# rm gesture.key
(Note: the phone must be rooted. These files are used on Android 4.x and 5.x; from Android 6.0 the lock is verified by Gatekeeper and the credential files are different.)

Auditing android application

Content Provider leakage
Content Provider: the component an application uses to expose structured data (often an SQLite database) to other applications, or to other components of the same app.
Unless the provider is restricted (not exported, or protected by a permission), any other application can query it through the provider's URI.
Every provider has a uniform resource identifier (URI) of the form content://<authority>/<path> that identifies the provider and the data being queried.

Content Provider leakage (Cont.)

Every content provider must be declared (as a <provider> element) in AndroidManifest.xml.
Inside the APK the manifest is stored as binary XML; use apktool to decode it into readable form.

Testing for content provider leakage
Step 1: # apktool d appname.apk (decodes the APK into a folder containing the readable manifest, smali and resources)
Step 2: # grep -R 'content://' appname/ (search the decoded output, and the <provider> entries in AndroidManifest.xml, for content URIs and authorities)
Step 3: # adb install vulnerable-app.apk, then # adb shell content query --uri content://<authority>/<path> (install the application in an emulator and query the provider to confirm the leak)

drozer for automated testing of content provider leakage (requires the drozer agent installed on the device)
# drozer console connect
dz> run app.provider.finduri <package> (searches the installed application package for content:// URIs)

Countermeasure
In AndroidManifest.xml declare the provider with android:exported="false". If other apps legitimately need it, keep it exported but gate access with android:permission (or android:readPermission / android:writePermission).
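The manifest half of the test above (find the <provider> entries, decide whether another app can reach them, and build the Step 3 adb command) can be scripted against the readable AndroidManifest.xml that apktool produces. The following is an added example and not code from the slides: the manifest it parses is constructed, the package name reuses com.ravi.example from the slides, and the default-export rule it applies (a provider with no android:exported attribute is exported when targetSdkVersion is 16 or lower and private from 17 onward) is taken from the Android documentation.

```python
"""Audit the <provider> elements of a decoded AndroidManifest.xml.

Added example, not part of the slides. Input is the readable manifest that
'apktool d' produces (a constructed sample is embedded below). For each
provider it decides whether another app can reach it and prints the
'adb shell content query' command used in Step 3 to confirm a leak.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: one leaking provider (no android:exported attribute,
# targetSdkVersion 16 so it defaults to exported), one private provider,
# and one exported provider that is at least gated by a read permission.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.ravi.example">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
  <application android:label="Example">
    <provider android:name=".NotesProvider"
              android:authorities="com.ravi.example.notes"/>
    <provider android:name=".SecretsProvider"
              android:authorities="com.ravi.example.secrets"
              android:exported="false"/>
    <provider android:name=".SharedProvider"
              android:authorities="com.ravi.example.shared"
              android:exported="true"
              android:readPermission="com.ravi.example.READ_SHARED"/>
  </application>
</manifest>
"""


def _android_attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def default_exported(target_sdk):
    """Android documentation: with no android:exported attribute a provider
    is exported when targetSdkVersion <= 16 and private from 17 onward."""
    return target_sdk <= 16


def audit_providers(manifest_xml):
    root = ET.fromstring(manifest_xml)
    target_sdk = 1
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None:
        raw = _android_attr(uses_sdk, "targetSdkVersion") or _android_attr(uses_sdk, "minSdkVersion")
        if raw and raw.isdigit():
            target_sdk = int(raw)

    findings = []
    for prov in root.iter("provider"):
        exported_attr = _android_attr(prov, "exported")
        if exported_attr is None:
            exported = default_exported(target_sdk)
        else:
            exported = exported_attr.strip().lower() == "true"
        perm = _android_attr(prov, "permission")
        read_perm = perm or _android_attr(prov, "readPermission")
        write_perm = perm or _android_attr(prov, "writePermission")
        # android:authorities may list several authorities separated by ';'
        for authority in filter(None, (_android_attr(prov, "authorities") or "").split(";")):
            findings.append({
                "name": _android_attr(prov, "name"),
                "authority": authority,
                "exported": exported,
                "read_risk": exported and read_perm is None,
                "write_risk": exported and write_perm is None,
                "query_cmd": "adb shell content query --uri content://%s/" % authority,
            })
    return findings


if __name__ == "__main__":
    for f in audit_providers(SAMPLE_MANIFEST):
        status = "LEAK" if f["read_risk"] else "ok"
        print("%-4s %-28s exported=%s  %s" % (status, f["authority"], f["exported"], f["query_cmd"]))
```

The script flags a read leak only when the provider is exported and has neither android:permission nor android:readPermission; a provider guarded by a read permission but no write permission is still reported as writable, which is worth checking separately with "adb shell content insert".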

Insecure File Storage
Caused by files created without correct (private) permissions.
Many applications store very sensitive information in their application files; things like game scores and credit points are commonly kept in local storage.
Loosely configured permissions allow other applications to read (or modify) that data.

Steps
# adb shell
# cd /data/data
# ls -l (see the permissions of each application's directory)
# ls -l /data/data/com.ravi.example/files/userinfo.xml
# grep 'password' /data/data/com.ravi.example/files/userinfo.xml
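The "ls -l" step above is quick to eyeball for one file but tedious for a whole data directory. Below is an added example (not from the slides) that parses the "ls -l" lines printed inside "adb shell" and reports every entry whose "other" mode bits let a different UID read or write it. The listing is constructed; the path reuses com.ravi.example from the slides, and both the toybox format (with a link count) and the older toolbox format (without one) are accepted.

```python
"""Flag files under an app's data directory that other apps can read or write.

Added example, not from the slides. Parses the 'ls -l' lines seen in
'adb shell' (constructed sample below, toybox format; toolbox output
without the link count is also accepted) and reports entries whose
'other' mode bits grant access.
"""
import re

LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+"
    r"(?:\d+\s+)?"                          # link count (toybox only)
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?:(?P<size>\d+)\s+)?"                # size (absent for directories on toolbox)
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<name>.+)$"
)

# Constructed 'ls -l' output for /data/data/com.ravi.example/files
SAMPLE_LS = """\
drwxrwx--x 2 u0_a59 u0_a59 4096 2017-04-11 10:00 .
drwxrwx--x 6 u0_a59 u0_a59 4096 2017-04-11 10:00 ..
-rw-rw-rw- 1 u0_a59 u0_a59  512 2017-04-11 10:01 userinfo.xml
-rw------- 1 u0_a59 u0_a59 2048 2017-04-11 10:01 prefs.xml
-rw-r--r-- 1 u0_a59 u0_a59   64 2017-04-11 10:02 scores.dat
"""


def parse_ls_line(line):
    """Return a dict for one 'ls -l' entry, or None for headers such as 'total 12'."""
    m = LS_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    mode = entry["mode"]
    entry["type"] = mode[0]            # '-' regular file, 'd' directory, ...
    other = mode[7:10]                 # permission triplet for 'other'
    entry["world_readable"] = other[0] == "r"
    entry["world_writable"] = other[1] == "w"
    return entry


def find_insecure(ls_output, base="/data/data/com.ravi.example/files"):
    """List (path, issues) for entries another app's UID could read or write."""
    findings = []
    for line in ls_output.splitlines():
        entry = parse_ls_line(line)
        if entry is None or entry["name"] in (".", ".."):
            continue
        issues = []
        if entry["world_readable"]:
            issues.append("world-readable")
        if entry["world_writable"]:
            issues.append("world-writable")
        if issues:
            findings.append(("%s/%s" % (base, entry["name"]), issues))
    return findings


if __name__ == "__main__":
    for path, issues in find_insecure(SAMPLE_LS):
        print("%s: %s" % (path, ", ".join(issues)))
```

Because every application runs under its own Linux UID, a file is reachable from another app only through these "other" bits (or through an exported provider). The APIs that set them, MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE, were deprecated in API 17 and throw a SecurityException for apps targeting API 24 or later, so a hit on a modern app usually points at a file created by native code or chmod.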

Countermeasure
Create files with private permissions (MODE_PRIVATE, readable only by the app's own UID) and never store secrets in plaintext: store them as salted hashes.

Path Traversal Vulnerability
A directory traversal (or path traversal) attack exploits insufficient validation or sanitization of user-supplied file names, so that the characters meaning "traverse to parent directory" (../) are passed through to the file APIs.

Tools
drozer
dz> run app.provider.finduri <package>
dz> run app.provider.read content://<authority>/<path>
Point the read at paths containing ../ sequences to check whether the provider lets you walk out of its own directory into the rest of the file system.


Client Side Injection
• Apps using browser libraries
• Pure web apps
• Hybrid web/native apps
• Some familiar faces
  • XSS and HTML injection
  • SQL injection
• New and exciting twists
  • Abusing the phone dialer and SMS
  • Abusing in-app payments

Impact
• Device compromise
• Toll fraud
• Privilege escalation


M4: Client Side Injection
Garden-variety XSS... with access to:

Testing Injection
dz> run app.provider.query <URI> --projection "* FROM sqlite_master WHERE type='table';--"
(If the provider concatenates the caller's projection into its SQL, this returns the name of every table in the backing database instead of the columns the provider meant to expose.)
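Why the projection payload works, reproduced in Python's sqlite3 as an added example (not the slides' code): Android's SQLiteQueryBuilder assembles "SELECT <projection> FROM <table> WHERE <selection>" from the caller-supplied projection array, so whoever controls the projection controls the head of the statement. vulnerable_query() concatenates the way the builder does; hardened_query() applies a column allowlist (the effect of SQLiteQueryBuilder.setProjectionMap() and setStrict()) and binds the selection value as a parameter, as selectionArgs would. The table and column names are assumed. The slide's payload ends in ";--"; Python's sqlite3 module refuses strings holding more than one statement, so the semicolon is dropped here and the trailing "--" alone comments out the provider's own FROM/WHERE clause (SQLite on Android simply compiles the first statement and ignores the tail, so both forms work there).

```python
"""Projection injection against a content provider's query(), reproduced
with Python's sqlite3. Added example, not the slides' code.
"""
import sqlite3

TABLE = "Passwords"                          # assumed table name
ALLOWED_COLUMNS = ("service", "username")    # what the provider means to expose

# Slide payload without the ';' (Python's sqlite3 rejects multi-statement
# strings); "--" still comments out the provider's own FROM/WHERE clause.
INJECTED_PROJECTION = ["* FROM sqlite_master WHERE type='table' --"]


def make_db():
    """Constructed provider database: one table meant to be queried and one that is not."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Passwords (service TEXT, username TEXT, password TEXT);
        CREATE TABLE Keys (service TEXT, apikey TEXT);
        INSERT INTO Passwords VALUES ('mail', 'ravi', 'hunter2');
        INSERT INTO Keys VALUES ('cloud', 'AKIA-constructed-sample');
    """)
    return conn


def vulnerable_query(conn, projection, service="mail"):
    """Mirrors SQLiteQueryBuilder with no projection map: the projection
    (and the selection) are spliced straight into the SQL text."""
    sql = "SELECT %s FROM %s WHERE service = '%s'" % (", ".join(projection), TABLE, service)
    return conn.execute(sql).fetchall()


def hardened_query(conn, projection, service="mail"):
    """Allowlist every projected column (setProjectionMap/setStrict) and bind
    the selection value as a parameter (selectionArgs)."""
    for col in projection:
        if col not in ALLOWED_COLUMNS:
            raise ValueError("column not allowed: %r" % col)
    sql = "SELECT %s FROM %s WHERE service = ?" % (", ".join(projection), TABLE)
    return conn.execute(sql, (service,)).fetchall()


def rejects(conn, projection):
    """True if the hardened provider refuses this projection."""
    try:
        hardened_query(conn, projection)
    except ValueError:
        return True
    return False


def leaked_table_names(conn):
    """What the drozer --projection payload reveals: every table name,
    read from sqlite_master (column 1 of each row is the name)."""
    return sorted(row[1] for row in vulnerable_query(conn, INJECTED_PROJECTION))


if __name__ == "__main__":
    db = make_db()
    print("tables leaked:", leaked_table_names(db))
    print("Keys dumped:  ", vulnerable_query(db, ["* FROM Keys --"]))
    print("hardened:     ", hardened_query(db, ["username"]), "rejects payload:", rejects(db, INJECTED_PROJECTION))
```

Once the table names are known, the same trick with a projection such as "* FROM Keys --" dumps a table the provider never meant to expose, which is why the allowlist has to cover the projection and not just the selection.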

Thank you
Questions?
