
Android Penetration Testing

abhay2510kr
November 01, 2021


Transcript

  1. Intro to Android: based on the Linux kernel, Android is an open-source software platform and OS for mobile devices. Android has its own virtual machine, the DVM (Dalvik Virtual Machine), which is used for executing Android applications.
  2. App components
     • Activity: to keep it simple, an activity represents a single screen with a user interface.
     • Content Provider: a content provider component supplies data from one application to others on request.
     • Services: a service is a component that runs in the background to perform long-running operations or to perform work for remote processes.
     • Broadcast Receiver: a broadcast receiver is a component that responds to system-wide broadcast announcements.
  3. Android testing requirements
     • Android Studio, Genymotion
     • ADB
     • Jadx
     • Apktool
     • Objection, Frida
     • Drozer
     • DB Browser for SQLite
     • Burp Suite
  4. Android Debug Bridge
     • Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with a device.
     • Important commands used in ADB: adb shell, adb devices, adb install, adb pull, adb push, adb forward
  5. Drozer: Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' Inter Process Communication (IPC) endpoints and the underlying OS.
  6. Static testing
     • Reverse engineering leads to source code and application piracy
     • Insecure application certificate signing
     • Insecure permissions requested
     • AndroidManifest.xml
     • Insecure data storage (/data/data)
     • Data logging in log file
     • Exploiting debuggable applications
     • Component exploitation
  7. Reverse engineering
     • Testing for lack of obfuscation (reverse engineering)
     • Checking for application decompilation
     • Application build contains obsolete files
     • Unauthorized code modification
  8. AndroidManifest.xml
     • allowBackup is set to true
     • debuggable is set to true
     • Activities exported=true
     • Services exported=true
     • Broadcast receivers exported=true
     • Content providers exported=true
     • Search for API keys
  9. Insecure data storage (/data/data)
     • Insecure data storage in shared preferences
     • Insecure data storage in databases
     • Insecure data storage in temporary files
     • Insecure data storage on SD card / internal storage
  10. Component exploitation
     • Content providers: path traversal (client side)
     • Directory browsing
     • Backing up application data
     • Data extraction using debug
     • Invoking exported activities
     • Invoking exported services
     • Invoking exported broadcast receivers
     • Invoking exported content providers
     • Intent spoofing
     • Intent spoofing validation bypass
  11. Dynamic testing
     • Application works on a rooted device
     • SSL unpinning
     • SQL injection
     • Cross-site scripting
     • OTP brute force and strength
     • Lack of authentication
     • OTP expiry
     • Improper error handling
  12. SSL unpinning
     • SSL pinning is a technique used on the client side to avoid man-in-the-middle attacks by validating the server certificate again even after the SSL handshake.
     • Implementation: MITM attack (man-in-the-middle attack) or sniffing data.
     • Identification: common errors such as "The client failed to negotiate an SSL connection to example.com:443: Received fatal alert_certificate_unknown"
  13. Automating static analysis using MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis.
  14. Setting up MobSF
     • git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
     • cd Mobile-Security-Framework-MobSF
     • ./setup.sh
     • ./run.sh 127.0.0.1:8000
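To make the AndroidManifest.xml checks from the static-testing slides concrete (allowBackup, debuggable, exported components), here is an added example that is not part of the deck: a small checker that walks a manifest as decoded by apktool and lists each risky setting. The manifest below is constructed for the example, and the names `audit_manifest` and `SAMPLE_MANIFEST` are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest in the form `apktool d` produces; not from any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
              android:exported="true"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    # Manifest attributes live in the android: namespace.
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text):
    """Return the manifest-level findings from the static-testing checklist."""
    root = ET.fromstring(xml_text.strip())
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    if _attr(app, "allowBackup") == "true":
        findings.append('application: android:allowBackup="true" (data can be pulled with adb backup)')
    if _attr(app, "debuggable") == "true":
        findings.append('application: android:debuggable="true" (a debugger can attach to the app)')
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            exported = _attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            # exported="true", or an intent-filter with no explicit value, makes the
            # component reachable from other apps on the device.
            if exported == "true" or (exported is None and has_filter):
                how = "" if exported else " (implicitly, via intent-filter)"
                findings.append("%s %s is exported%s" % (tag, _attr(comp, "name"), how))
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```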