Pentesting Android Applications
whoami
Pentester at Integrity S.A.
Web applications, Mobile applications and Infrastructure.
BSc in Management Information Technology and OSCP.
Photography addict.
Up next...
- Environment Setup
- Tools Of The Trade
- App Analysis
- Developers Heads Up
Environment Setup
- Physical Equipment
- Android SDK Emulator
- Android x86
Environment Setup: Android x86
Hints:
- Mouse inside VM: disable Mouse Integration (Host+i)
- Portrait resolution: edit /mnt/grub/menu.lst and insert UVESA_MODE=320X480 DPI=160
- Black screen (locked screen): ACPI Shutdown (Host+h)
- Android shell: Ctrl+F1 / Ctrl+F7
Environment Setup
- Root your device *
- Allow Unknown Sources (Settings > Security)
- Install a proxy app (ProxyDroid, AutoProxy, etc.)
- Connect to your favourite proxy server (Burp Proxy, Fiddler, etc.)
* Physical approach only
Tools Of The Trade: Android SDK
Software Development Kit containing API libraries and developer tools to build, test and debug Android apps.
For our purposes, the most important ones are adb, aapt, ddms and the emulator.
http://developer.android.com/sdk/
Tools Of The Trade: Android Debug Bridge (ADB)
Command-line tool to communicate with an emulator instance or a connected physical/virtual device.
http://developer.android.com/sdk/
Useful commands:
- adb devices
- adb connect
- adb shell
- adb install
- adb push | pull
- ...
Tools Of The Trade: Dalvik Debug Monitor Server (DDMS)
Debugging tool that provides port forwarding, screen capture, heap dump, logcat, a file manager and many other features.
http://developer.android.com/sdk/
Tools Of The Trade: QtADB
Android manager: file manager and application manager, access to logs and shell, screenshots, etc. *
http://qtadb.wordpress.com/
* Requires aapt, which comes with the Android SDK.
Tools Of The Trade: dex2jar
Tool for converting the .dex Android format to the .class Java format.
https://code.google.com/p/dex2jar/
Tools Of The Trade: JD-GUI
Java decompiler with a GUI to display the Java source code of class files.
http://jd.benow.ca/
Tools Of The Trade: APKParser
Extracts the plain-text AndroidManifest.xml from an APK.
https://code.google.com/p/xml-apk-parser/
Tools Of The Trade: Introspy-Android + Introspy-Analyzer
Introspy-Android: tool to analyse app behaviour at runtime and help identify potential security issues.
https://github.com/iSECPartners/Introspy-Android
Introspy-Analyzer: tool to generate HTML reports from the database generated by Introspy-Android.
Tools Of The Trade: Android-SSL-TrustKiller
Tool to bypass SSL certificate pinning for most applications. *
https://github.com/iSECPartners/Android-SSL-TrustKiller
* Custom pinning implementations may need custom hooking.
Tools Of The Trade: Android-SSL-TrustKiller (Bypassing Pinning)
Hint: install Cydia Substrate + Android-SSL-TrustKiller.
Turn off SSLTrustKiller: [screenshots #1 and #2 from the slide omitted]
Tools Of The Trade: Validate Pinning
Hint: install the proxy server's CA certificate on the device:
#1 Browse to the proxy server address and download the certificate
#2 Open the file via File Manager
#3 Save the certificate
DEMO (Android-SSL-TrustKiller): http://youtu.be/8NwbmSI9OWo
Tools Of The Trade: Drozer (ex-Mercury)
Security testing framework, great for determining an app's attack surface and interacting with it.
https://www.mwrinfosecurity.com/products/drozer/
Tools Of The Trade: Burp Suite
Integrated platform for security testing of web applications. For our purposes the main interest is the Proxy functionality, used to intercept and inspect requests between the app and the backend.
http://portswigger.net/burp/
App Analysis: Android Environment Sandboxing
[Diagram] Each app runs in its own Dalvik VM under its own Linux user: APP1 runs as process UID 10000 with its data in /data/data/app1, APP2 as process UID 10001 with its data in /data/data/app2.
App Analysis: Android Application Components
- Activities
- Services
- Broadcast Receivers
- Content Providers
App Analysis: Android Application Package File (.apk)
- Zip archive
- Contains Dalvik class files, assets, resources and AndroidManifest.xml
- Stored at /data/app
App Analysis: AndroidManifest.xml
- Presents information about the app to the system
- Describes app components
- Defines permissions
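As an added example (not from the talk, nor code from any of the tools above), the attack-surface enumeration a tester does before pointing drozer at an app, run against a plain-text manifest such as APKParser extracts. The manifest, package and component names are constructed, and the export defaults encoded are the pre-Android-12 rules.

```python
import xml.etree.ElementTree as ET
ANDROID = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace
# Constructed sample manifest; package, component and permission names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.goats">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="18"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".LocationService"/>
    <receiver android:name=".CheckinReceiver">
      <intent-filter><action android:name="com.example.CHECKIN"/></intent-filter>
    </receiver>
    <provider android:name=".GoatProvider" android:authorities="com.example.goats"
              android:exported="true" android:readPermission="com.example.READ"/>
  </application>
</manifest>"""

def is_exported(comp, target_sdk):
    """Pre-Android-12 defaults: an explicit android:exported wins; otherwise a provider
    is exported when targetSdkVersion < 17, anything else only if it has an intent-filter."""
    explicit = comp.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if comp.tag == "provider":
        return target_sdk < 17
    return comp.find("intent-filter") is not None

def attack_surface(manifest_xml):
    """Return (exported components as (tag, name, guarding permission or None), app flags)."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")          # targetSdk falls back to minSdk, then to 1
    target_sdk = 1 if sdk is None else int(
        sdk.get(ANDROID + "targetSdkVersion") or sdk.get(ANDROID + "minSdkVersion") or 1)
    app = root.find("application")
    exported = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            if is_exported(comp, target_sdk):
                perm = comp.get(ANDROID + "permission") or comp.get(ANDROID + "readPermission")
                exported.append((tag, comp.get(ANDROID + "name"), perm))
    flags = {k: app.get(ANDROID + k) == "true" for k in ("debuggable", "allowBackup")}
    return exported, flags

def unprotected(exported):
    """Names of exported components no permission guards: the real attack surface."""
    return [name for _, name, perm in exported if perm is None]
```

Components that are exported and unguarded are the ones to probe with drozer; a debuggable or backup-enabled application flag is a finding in itself.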
App Analysis: Shared Preferences
- XML file with key-value pairs
- App settings
App Analysis: SQLite Databases
Single-file relational database used to store application data and settings.
App Analysis: OWASP Top 10 Mobile Risks
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
- M1: Weak Server Side Controls
- M2: Insecure Data Storage
- M3: Insufficient Transport Layer Protection
- ...
App Analysis: GoatDroid
FourGoats is a location-based social network built for sharing everything about your life with everyone. Using FourGoats, you can check in at various places, earn loyalty rewards, and see what your friends are doing as well as where they are doing it.
FourGoats also provides an API to other applications to allow their users to share even more of their activities than ever before!
https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project
App Analysis: The Lost Art of Keeping a Secret
DEMO: http://youtu.be/QJF-pvpRSFE
Developers Heads Up
• Insecure Data Storage
- Do not create Shared Preferences with MODE_WORLD_READABLE.
- Sensitive information should not be stored on the device. If it must be, encrypt it with a key derived from the user's password/PIN, not with a hardcoded encryption key. This is still vulnerable to offline brute force, so enforce a strong password policy.
• Insufficient Transport Layer Protection
- Apply SSL/TLS to every channel over which the app transmits sensitive information to the backend.
- Implement certificate pinning if very sensitive information is transmitted.
• Client Side Injection
- Only export components (Activities, Services, Broadcast Receivers, Content Providers) where it makes sense, and never ones that bypass access controls or leak internal information.
• Lack of Binary Protection
- Obfuscate your code, at minimum with ProGuard. Don't make your attacker's life easier.
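An added example, not from the talk: a small Python audit of an app's data directory that checks the Insecure Data Storage points above from the tester's side, covering both the Shared Preferences and SQLite storage described in the App Analysis slides. It assumes the /data/data/<pkg> tree was pulled with adb pull from a rooted device and reconstructs a sample tree (file names, keys and table are constructed) in a temp dir; flagging secrets by key or column name is only a heuristic.

```python
import os, re, sqlite3, stat, tempfile, xml.etree.ElementTree as ET

# Deliberately loose heuristic: key/column names that usually mean plaintext secrets.
SENSITIVE = re.compile(r"pass(word)?|pin|token|secret|session", re.I)

def world_readable(path):
    """True when the 'other read' bit is set, i.e. any app on the device can open it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def audit_app_data(app_dir):
    """Walk a pulled /data/data/<pkg> tree and return sorted (finding, location) pairs."""
    findings = []
    for dirpath, _, files in os.walk(app_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, app_dir)
            if world_readable(path):
                findings.append(("world-readable", rel))
            if dirpath.endswith("shared_prefs") and name.endswith(".xml"):
                for entry in ET.parse(path).getroot():       # <map> children, one per key
                    if SENSITIVE.search(entry.get("name", "")):
                        findings.append(("sensitive-pref", f"{rel}:{entry.get('name')}"))
            elif dirpath.endswith("databases") and name.endswith(".db"):
                con = sqlite3.connect(path)
                tables = [t for (t,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
                for table in tables:
                    for col in con.execute(f'PRAGMA table_info("{table}")'):
                        if SENSITIVE.search(col[1]):        # col[1] is the column name
                            findings.append(("sensitive-column", f"{rel}:{table}.{col[1]}"))
                con.close()
    return sorted(findings)

def build_sample_app_dir():
    """Construct a fake pulled app directory: one leaky prefs file and one private db."""
    base = tempfile.mkdtemp()
    for sub in ("shared_prefs", "databases"):
        os.makedirs(os.path.join(base, sub))
    prefs = os.path.join(base, "shared_prefs", "creds.xml")
    with open(prefs, "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes"?>\n<map>\n'
                '  <string name="username">goat</string>\n'
                '  <string name="password">hunter2</string>\n'
                '  <boolean name="remember_me" value="true"/>\n</map>\n')
    os.chmod(prefs, 0o664)      # the mode a MODE_WORLD_READABLE prefs file ends up with
    db = os.path.join(base, "databases", "goats.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, pin TEXT)")
    con.commit(); con.close()
    os.chmod(db, 0o660)         # private, as a MODE_PRIVATE database is
    return base
```

Run audit_app_data on a real pulled tree to get the same three kinds of finding; a world-readable file is reachable by every other app on the device regardless of the sandbox UID split.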