Android Application Assessment - © 2013 Christopher Crowley
Android Application Assessment
Inspecting Android Applications for Known Issues
Assessing Mobile Apps (1)
• Risk from mobile applications
  – Low – app poses little or no threat to device and data on device
  – Moderate – app poses some threat to device protective measures and data stored on device
  – High – app is likely to circumvent device protective measures and/or exfiltrate private data
    ● All address book data to a server
    ● Intent with poor filtering
Assessing Mobile Apps (2)
• Checklist of actions to perform for mobile app assessment
• Checklists are effective in this context
• Helps to build in-house knowledge for ongoing assessment; once the org starts to assess apps, you are responsible to do so for evermore…
Threats
• Primary threat to Android devices is mobile malware
  – SMS premium rate messages cost people money
  – Private data theft
• Pen test objective is to model the threats associated with running the apps
• Non-malware threats use the same methods as malware
Two Types of Assessments
• Behavioral
  – Use a sandbox environment
  – Watch file access, network traffic, SMS messages, calls
  – Easier when dealing with obfuscated code
  – App may not misbehave while you’re watching
• Static Code Analysis
  – More challenging
  – More thorough (if done properly)
  – Can detect latent behaviors, long-running timers and triggered events
Checklist
• Checklists are lame
• But checklists have proven to be extremely effective at preventing mistakes in routine (and important) tasks
  – Pre-flight checklist
  – Medical checklist
Android Static Analysis - 1
• Android Static Analysis
  – Applications for Android come in the form of Android Packages (APK)
  – APKs contain a Dalvik Executable (DEX), a Manifest, and other files
  – DEX is bytecode compiled from Java source
    ● We can use two different approaches to extract Java code from DEX files
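Before handing an APK to either extraction approach, it is worth confirming what the package actually contains. The following is an added example (not from the slides): it opens the APK as the zip archive it is, checks that the manifest and classes.dex are present, and validates the DEX header fields (magic, Adler-32 checksum, SHA-1 signature, declared size) so a truncated or tampered sample is caught before decompilation. The APK and DEX used are constructed in memory.

```python
"""Inspect an APK before dex2jar/apktool: list entries, confirm the manifest
is present and validate the classes.dex header. Added example, not from the
slides; the APK below is constructed in memory rather than taken from an app."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
DEX_MAGICS = tuple(b"dex\n%03d\0" % v for v in range(35, 40))  # dex\n035\0 .. dex\n039\0

def check_dex(data: bytes) -> dict:
    """Report which header checks pass; all four should pass for an intact DEX."""
    result = {"magic": False, "checksum": False, "signature": False, "size": False}
    if len(data) < DEX_HEADER_SIZE:
        return result
    result["magic"] = data[:8] in DEX_MAGICS
    (checksum,) = struct.unpack_from("<I", data, 8)          # Adler-32 over bytes 12..end
    result["checksum"] = checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    result["signature"] = data[12:32] == hashlib.sha1(data[32:]).digest()  # SHA-1 over 32..end
    (file_size,) = struct.unpack_from("<I", data, 32)
    result["size"] = file_size == len(data)
    return result

def inspect_apk(apk_bytes: bytes) -> dict:
    """Summarise an APK: entry names, manifest presence and DEX header checks."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        dex = zf.read("classes.dex") if "classes.dex" in names else b""
    return {"entries": names,
            "has_manifest": "AndroidManifest.xml" in names,
            "dex": check_dex(dex)}

def build_dex(payload: bytes = bytes(64)) -> bytes:
    """Constructed sample: a minimal DEX whose header fields are self-consistent."""
    after_size = bytes(DEX_HEADER_SIZE - 36) + payload       # rest of header + body
    after_sig = struct.pack("<I", 36 + len(after_size)) + after_size
    sig = hashlib.sha1(after_sig).digest()
    checksum = zlib.adler32(sig + after_sig) & 0xFFFFFFFF
    return DEX_MAGICS[0] + struct.pack("<I", checksum) + sig + after_sig

def build_apk(dex: bytes) -> bytes:
    """Constructed sample: an APK-shaped zip with a manifest placeholder and the DEX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        zf.writestr("classes.dex", dex)
    return buf.getvalue()
```

A real manifest inside an APK is binary XML, so the placeholder here only stands in for presence; decoding it is what apktool does for you later.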
Android Static Analysis - 2
• Android Static Analysis
  – This is a challenging thing to do!
  – There are some tools that are available to help with automation
  – Look at a few of these, then dig into a manual method
Automated Analysis - 1
• Stowaway
  – Online assessment; requires upload of the apk file to the server at http://www.android-permissions.org/
  – Gives a listing of the permissions requested, and whether the permissions are actually used
Automated Analysis - 2
• Androwarn
  – Static assessment
  – Produces HTML report of potentially sensitive actions based on the function calls present in the code
  – Available from: https://github.com/maaaaz/androwarn
Manual Analysis
• Back to manual
  – Manual code inspection provides the most thorough assessment
  – Requires the most skill
  – Objective is to help you develop a methodology for quickly scouring code for known suspicious functions
  – We’ll use Eclipse and FindBugs™ to accomplish this
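The requested-versus-used permission comparison that Stowaway performs online, and the "scouring code for known suspicious functions" step of a manual review, come down to the same cross-check. The following is an added example (not Stowaway, Androwarn or FindBugs code) that runs it over a decoded manifest and a decompiled source snippet: the API-to-permission table is an illustrative subset chosen for this page's threats (SMS, address book, network), and the manifest and source are constructed samples.

```python
"""Cross-check requested permissions against sensitive API calls in decompiled
source. Added example, not the slides' own tooling; the API-to-permission table
is an illustrative subset and the manifest and source below are constructed."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Illustrative subset (assumption): a complete map covers hundreds of calls.
API_PERMISSIONS = {
    "sendTextMessage": "android.permission.SEND_SMS",
    "ContactsContract": "android.permission.READ_CONTACTS",
    "getDeviceId": "android.permission.READ_PHONE_STATE",
    "getLastKnownLocation": "android.permission.ACCESS_FINE_LOCATION",
    "HttpURLConnection": "android.permission.INTERNET",
}

def declared_permissions(manifest_xml: str) -> set:
    """Permissions requested in a decoded AndroidManifest.xml (apktool output)."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def used_permissions(source: str) -> dict:
    """Map each permission to the calls in the source that require it."""
    hits = {}
    for api, perm in API_PERMISSIONS.items():
        if re.search(r"\b" + re.escape(api) + r"\b", source):
            hits.setdefault(perm, []).append(api)
    return hits

def audit(manifest_xml: str, source: str) -> dict:
    """Flag over-privilege (requested, never used) and calls lacking a permission."""
    declared = declared_permissions(manifest_xml)
    used = used_permissions(source)
    used_set = set(used)
    return {"unused": sorted(declared - used_set),
            "undeclared": sorted(used_set - declared),
            "exercised": {p: used[p] for p in sorted(used) if p in declared}}

# Constructed sample manifest and decompiled snippet (address book read + network).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
SOURCE = """
Cursor c = getContentResolver().query(ContactsContract.Contacts.CONTENT_URI, null, null, null, null);
HttpURLConnection conn = (HttpURLConnection) new URL(host).openConnection();
SmsManager.getDefault().sendTextMessage(dest, null, body, null, null);
"""
```

An "undeclared" hit such as SEND_SMS is worth a closer look in either direction: a dead code path, or a permission the app expects to pick up some other way.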
Eclipse
• Eclipse is a development environment
• Provides opportunity for code review
  – But this is manual
  – Need to know Java fairly well to know what to look for
  – We can help resolve this with FindBugs™
FindBugs™
• FindBugs™ is a suite of checks for known programming flaws
• It is intended to help programmers to avoid known, common errors
• We are going to adapt it to our purpose of looking for code that is suspicious and warrants review
Install Eclipse
• http://www.eclipse.org/downloads
• Download Eclipse Classic
• Install default
  ● Next, next, finish ;-)
Install FindBugs™ - 1
• Eclipse: Help->“Install New Software…”
Install FindBugs™ - 2
• Click Add…
• Enter “FindBugs update site” (no quotes) for the name
• Enter “http://findbugs.cs.umd.edu/eclipse” (no quotes) as the Location
• Click “OK”
Install FindBugs™ - 3
• Click “Select All”
• Click “Next”
Install FindBugs™ - 4
• Accept the warning
Dalvik to Java - 1
• Now we need to have Java code to import into Eclipse
• We will use the APK files to inspect the code.
• There are two main ways to do this
  – Dex2jar
  – Smali / apktool
Dalvik to Java - 2
• Use dex2jar.bat to get readable, but non-executable Java code
• Use smali and apktool to get executable, but difficult-to-read Java code
• You will probably end up doing both, as each is useful in its own way
APK disassembly – smali
• Smali and apktool method
• Results in code that can be modified and recompiled
APK disassembly – Dex2jar
• Dex2jar method
Sidebar – Android Package downloads
• Where can you get the code to assess?
  – Download .apk file from internet
  – Move application to removable sdcard, then remove sdcard and copy
  – Copy .apk file from rooted android device
• Malware
  – http://contagiominidump.blogspot.com is a repository of known android malware
    ● Good material to practice with, but be careful with malware!
Import code to Eclipse
• 1) Create new project
Import code to Eclipse
• 1) Import external archive
Conclusion
• App assessment is a valuable task to protect individuals and organizations
  – Behavioral
  – Automated code analysis
  – Static code analysis
• Android has substantial threats from malware
Contact Info
• [email protected] – LinkedIn e-mail
• +ChrisCrowley – G+
• @CCrowMontance – #Twitter