Android pentesting and malware analysis
null Hyderabad Chapter, January 2013 Meet
Srinivasa Rao
Independent Security Researcher
Working for TCS
Co-Author of the book “HACKING S3CRETS”
What will we discuss?
Android OS Basics
Understanding APK
Android Security Model
A brief look at Android malware
Reversing Android malware
Pentesting on the Android platform
Demos
Android Rooting
Android Architecture
What is Android?
Initially developed by Android Inc. (founded 2003), acquired by Google in 2005; the Open Handset Alliance (OHA) was formed in 2007.
Largest smartphone market share.
HTC Dream (2008): the first commercially available phone running Android.
Android is a software stack for mobile devices: an operating system (Linux kernel), middleware, and key mobile applications.
Why Android?
Open source
Anyone can develop apps! No restrictions like the iPhone
Runs on a Linux kernel (2.6.x in the early versions)
Wherever you go it follows you!! (Tablets, mobile phones, TVs)
Uses SQLITE databases
Official market containing over 700,000 apps
Understanding the APK
An APK is nothing but a zip file
It can be extracted with WinRAR, WinZip or any zip tool (the AndroidManifest.xml inside is compiled binary XML, so a tool such as apktool is needed to read it)
Composed of components such as activities, services, broadcast receivers, etc.
Every app is packaged with the .apk extension
Written in Java, with optional native libraries in C/C++
Components
Activity: a screen the user interacts with (buttons, text views, image views, etc.)
Service: performs work in the background (e.g. playing music)
Broadcast receiver: receives and responds to broadcast announcements
Content provider: stores and retrieves application data (typically in SQLite databases)
Intents: the messages that bind the individual components together at runtime (not a component themselves, but the glue between them)
Permissions – They Suck!!
Declared in AndroidManifest.xml
This XML file lists all of the app's components and the permissions it requests
An app can only use the permissions it declared; on the Android versions current in 2013 they were granted all-or-nothing at install time, so the user could only accept every requested permission or not install the app
Permissions
ACCESS_COARSE_LOCATION
ACCESS_FINE_LOCATION
CALL_PHONE
CAMERA
CHANGE_WIFI_STATE
READ_CALL_LOG
READ_CONTACTS
READ_SMS
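The manifest review described above (which components an app declares, which permissions it requests, and which components other apps can reach) as a script. This is an added example, not code from the deck: the manifest it parses is constructed, and the package, class and authority names in it are made up; the permission constants are the ones listed above plus INTERNET. It assumes a decoded, plain-text manifest such as apktool writes out, since the copy inside an APK is binary XML.

```python
"""Static triage of a decoded AndroidManifest.xml: requested permissions and
exported components.  Added example, not code from the original deck.  The
manifest below is constructed; package and class names are made up."""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Permissions the deck calls out; an analyst would flag a request for any of these.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CALL_PHONE",
    "android.permission.CAMERA",
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
}


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:exported."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyze_manifest(xml_text):
    """Return the permissions an app asks for and the components other apps
    can reach, from a plain-text manifest such as apktool decodes."""
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    perms = sorted(_attr(p, "name") for p in root.iter("uses-permission"))

    exported, unprotected = [], []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        name, flag = _attr(comp, "name"), _attr(comp, "exported")
        if flag is not None:                 # an explicit android:exported wins
            is_exported = flag == "true"
        elif comp.tag == "provider":         # providers default to exported below targetSdk 17
            is_exported = target_sdk < 17
        else:                                # others: exported iff they declare an intent-filter
            is_exported = comp.find("intent-filter") is not None
        if is_exported:
            exported.append((comp.tag, name))
            if _attr(comp, "permission") is None:   # reachable by any app, no permission gate
                unprotected.append((comp.tag, name))
    return {
        "package": root.get("package"),
        "target_sdk": target_sdk,
        "permissions": perms,
        "sensitive_permissions": [p for p in perms if p in SENSITIVE_PERMISSIONS],
        "exported": exported,
        "exported_unprotected": unprotected,
    }


# Constructed manifest of a fictional SMS-reading app (all names made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspect">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="15"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Suspect">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".UploadService" android:exported="true"/>
    <service android:name=".Worker"/>
    <provider android:name=".DataProvider" android:authorities="com.example.suspect.data"/>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.example.suspect.ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(json.dumps(analyze_manifest(SAMPLE_MANIFEST), indent=2))
```

The launcher activity is expected to show up as exported and unprotected; the findings worth chasing are the others, here an SMS receiver, a service and a content provider that any app on the device can invoke, plus the READ_SMS and READ_CONTACTS requests that hint at what the exported pieces hand out.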
Android Security Model
Application 1 (UID 10000) in its own Dalvik VM
Application 2 (UID 10001) in its own Dalvik VM
Application 3 (UID 10002) in its own Dalvik VM
Application 4 (UID 10003) in its own Dalvik VM
Application 5 (UID 10004) in its own Dalvik VM
SYSTEM PROCESS (UID 1000, system)
LINUX KERNEL
Each installed app is given its own Linux user (app UIDs are assigned from 10000 upward; 1000 is reserved for system) and runs in its own Dalvik VM process, so the kernel's UID-based file and process isolation is what keeps one app's data out of another's reach.
Dalvik Virtual Machine
A virtual machine that runs Android apps, one instance per app process
Register based rather than stack based (unlike the JVM)
Runs .dex (Dalvik Executable) files, into which the app's compiled Java classes are converted
Created by Dan Bornstein
Some popular android malwares
DroidDream
FakePlayer (the first SMS trojan seen on Android)
iCalendar
Geinimi
Making the APK
.java → .class (javac) → .dex (dx) → .apk (packaged and signed)
Reversing the APK
.apk → .dex (unzip) → .class (dex2jar) → .java (decompile with JD-GUI)
Reversing tools
apktool, baksmali
dex2jar
JD-GUI
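The points above that an APK is just a zip and that Dalvik executes the .dex inside it, together with the .apk → .dex step of the reversing pipeline, worked through in code. This is an added example, not code from the deck or from any of the tools named: it builds a constructed in-memory APK holding a minimal DEX (header and string table only, so Dalvik could not load it), then unpacks the zip, verifies the DEX header's magic, Adler-32 checksum and SHA-1 signature, and dumps the string table for a first triage pass (URLs, premium numbers, su paths). The URL, number and class names in SAMPLE_STRINGS are made up and the triage regex is a deliberately small heuristic; inspect_apk() runs unchanged on the bytes of a real APK.

```python
"""Unpack an APK (only a zip), validate the classes.dex header and dump the DEX
string table for triage.  Added example, not code from the original deck.  The APK
and DEX are constructed in memory (header + string table only, so Dalvik could not
load it) to keep this runnable offline; inspect_apk() works on a real APK's bytes."""
import hashlib, io, re, struct, zipfile, zlib

DEX_MAGIC = b"dex\n035\x00"      # Dalvik format version 035 (later ones: 036..039)
DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678

def _uleb128(n):
    """Encode an int as unsigned LEB128, the DEX string-length encoding."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def _read_uleb128(blob, pos):
    result = shift = 0
    while True:
        byte, pos = blob[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def build_min_dex(strings):
    """Constructed minimal DEX: header, string_ids and string_data only.
    ASCII strings, so MUTF-8 is plain UTF-8 and the UTF-16 length equals len(s)."""
    ids_off = DEX_HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        data += _uleb128(len(s)) + s.encode("ascii") + b"\x00"
    ids = b"".join(struct.pack("<I", o) for o in offsets)
    file_size = DEX_HEADER_SIZE + len(ids) + len(data)
    # Header from offset 32: file_size, header_size, endian_tag, link_size, link_off,
    # map_off, size/off pairs for string, type, proto, field, method ids and
    # class_defs, then data_size and data_off.
    tail = struct.pack("<20I", file_size, DEX_HEADER_SIZE, ENDIAN_CONSTANT, 0, 0, 0,
                       len(strings), ids_off, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                       len(data), data_off)
    body = tail + ids + bytes(data)
    signature = hashlib.sha1(body).digest()        # SHA-1 over offset 32..end
    checksum = zlib.adler32(signature + body)      # Adler-32 over offset 12..end
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + body

def parse_dex(blob):
    """Validate the header and return the string table: the first thing to grep
    in a sample for URLs, premium numbers, su paths and telephony API names."""
    magic = blob[:8]
    if magic[:4] != b"dex\n" or magic[7] != 0:
        raise ValueError("not a DEX file")
    checksum, = struct.unpack_from("<I", blob, 8)
    f = struct.unpack_from("<20I", blob, 32)
    checks = {
        "file_size_ok": f[0] == len(blob),
        "endian_ok": f[2] == ENDIAN_CONSTANT,
        "checksum_ok": zlib.adler32(blob[12:]) == checksum,
        "signature_ok": hashlib.sha1(blob[32:]).digest() == blob[12:32],
    }
    strings = []
    for i in range(f[6]):                                     # string_ids_size
        off, = struct.unpack_from("<I", blob, f[7] + 4 * i)   # string_ids_off
        _utf16_len, start = _read_uleb128(blob, off)
        end = blob.index(b"\x00", start)
        strings.append(blob[start:end].decode("utf-8", "replace"))
    return {"version": magic[4:7].decode(), "checks": checks, "strings": strings}

def inspect_apk(apk_bytes):
    """Treat the APK as the zip it is, note the signature block, parse each .dex."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        return {
            "entries": names,
            "has_signature": any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC")) for n in names),
            "dex": {n: parse_dex(z.read(n)) for n in names if n.endswith(".dex")},
        }

IOC_PATTERN = re.compile(r"https?://|sendTextMessage|/system/bin/su|^\+?\d{6,}$")

def triage_strings(strings):
    """Strings worth a second look (a deliberately small, constructed heuristic)."""
    return [s for s in strings if IOC_PATTERN.search(s)]

# Constructed string table of a fictional SMS-stealing app (URL and number are fake).
SAMPLE_STRINGS = ["Lcom/example/suspect/SmsReceiver;", "getMessageBody",
                  "http://198.51.100.7/gate.php", "sendTextMessage",
                  "+1900555000", "/system/bin/su"]

def build_sample_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"placeholder: a real APK holds compiled binary XML here")
        z.writestr("classes.dex", build_min_dex(SAMPLE_STRINGS))
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"placeholder for the PKCS#7 signature block")
    return buf.getvalue()

if __name__ == "__main__":
    report = inspect_apk(build_sample_apk())
    dex = report["dex"]["classes.dex"]
    print(report["entries"], dex["version"], dex["checks"])
    print("IOCs:", triage_strings(dex["strings"]))
```

Two things the header checks buy an analyst: a classes.dex whose Adler-32 or SHA-1 does not match has been patched after it was built (repackaged malware, or an anti-analysis trick), and a version byte other than 035 tells you which dexdump/baksmali release you need. The string table alone is often enough to spot a command-and-control URL or a premium-rate number before any decompilation.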
File System Access
Android Debug Bridge (adb)
Access a shell (adb shell), pull/push files (adb pull, adb push), install packages (adb install)
Many more