[Marcos Placona] I just hacked your app!

Transcript

1. I just hacked your app

2. Watch this

3. PWNED

4. Marcos Placona @marcos_placona github.com/mplacona androidsecurity.info

5. NOT

6. None

7. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vestibulum euismod

   ipsum et semper vestibulum. In congue, risus ac lobortis commodo, arcu elit congue nisi, e ullamcorper diam quam in est. Quisque nec lectus eget metus pharetra placerat. Quisque nisi lorem, convallis eget lobortis quis, suscipit eu sem. Sed ligula purus, lacinia quis ultrices at, sollicitudin at lacus. Duis porta hendrerit semper. Sed vitae mauris fringilla, porta turpis facilisis, facilisis risus. Integer quis lobortis velit. Vivamu ut placerat ex. Nunc est purus, pretium vitae hendrerit fringilla, molestie at tortor. Vestibulum vel purus et urna hendrerit pretium et quis nunc. Fusce sit amet neque in justo elementum rutrum ut nec metus. Fusce sollicitudin, dui vel molestie aliquam, ligula leo fringilla augue, a luctus quam sem sed tortor. Vivamus mattis nisi purus, si amet efficitur lectus mollis nec. Etiam consectetur, nisl eu euismod posuere, justo neque vehicula ex, nec lobortis augue neque id mi. Ut aliquam odio ac turpis condimentum porttitor. Mauris ut est eu sapien tempor congue. Proin ipsum sem, cursus quis magna eu, finibus fringilla nulla. Vestibulum viverra felis ac arcu iaculis condimentum. Aenean mattis magna non ipsum viverra accumsan. Suspendisse potenti. Nam quis dapibus ipsum. Integer at tortor ac neque semper consectetur. Donec vitae mattis felis, quis

8. elementum dolor fringilla eu. Nulla luctus arcu et egestas ultrices.

   Quisque dignissim lacinia vehicula. Suspendisse vitae nisl dapibus, dapibus elit quis, efficitur ex. Done interdum est purus, nec tempor risus sollicitudin tincidunt. Vestibulum accumsan sed libero ut tincidunt. Interdum et malesuada fames ac ante ipsum primis in faucibus. Vestibulum vitae consectetur ex, vitae viverra felis. Sed vitae imperdiet turpis. Donec eget velit sagittis, hendrerit ante id, aliquet libero. Proin pulvinar ornare consectetur. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Proin consequat tincidunt risus et aliquam. Donec vel vulputate sem, sed ornare lorem. Curabitur a maximus urna, ut blandit tellus. Suspendisse I haven’t nisl a ultricies semper. Cras really purus mollis vestibulum rhoncus. Sed hacked your orci, imperdiet vitae pharetra app, tincidunt laoreet lacus Vivamus posuere nisl diam, ut efficitur mauris facilisis vehicula. Vestibulum risus veli tincidunt a libero a, vestibulum tincidunt orci. Pellentesque in finibus est. Praesent tempus tortor ac magna iaculis, sed cursus quam venenatis. Quisque pharetra euismod auctor.

9. Sue-y /s(j)uːi/ 1. To become annoyed with someone who broke

   your toy without permission and want to sue them for that. “Company X got all ‘sue-y’ on me when I hacked their app and showed the world"
10. None
11. None
12. None

13. Kuba Gretzki http://bit.ly/hack4beer

14. loyalty \ˈlȯi(-ə)l-tē\

15. loyalty + =

16. loyalty HTTP Proxy

17. POST /users/461845f5d03e6c052a43afbc/points Accept: application/json Accept-Language: en-gb X-App-Version: 1.28.0 User-Agent: Dalvik/2.1.0

    (Linux; U; Android 6.0.1;) ... Content-Type: application/json; charset=UTF-8 Content-Length: 375 Host: api.eatapp.com Connection: Keep-Alive Accept-Encoding: gzip { "authentication_token":"boKUp9vBHNAJp7XbWZCK", "latitude":..., "longitude":..., "point":{ "isDoneByGesture":false, "main_beacon":{ "major":38995, "minor":12702, "uuid":"2C75E74B-41B7-49E3-BD26-CE86B2F569F8" }, "place_id":"450", "promoted_products_ids":[ {"id":"647035946536601578040000"}, {"id":"647035946536601578040000"}, ] } }

18. POST /users/461845f5d03e6c052a43afbc/points Accept: application/json Accept-Language: en-gb X-App-Version: 1.28.0 User-Agent: Dalvik/2.1.0

    (Linux; U; Android 6.0.1;) ... Content-Type: application/json; charset=UTF-8 Content-Length: 375 Host: api.eatapp.com Connection: Keep-Alive Accept-Encoding: gzip { "authentication_token":"boKUp9vBHNAJp7XbWZCK", "latitude":..., "longitude":..., "point":{ "isDoneByGesture":false, "main_beacon":{ "major":38995, "minor":12702, "uuid":"2C75E74B-41B7-49E3-BD26-CE86B2F569F8" }, "place_id":"450", "promoted_products_ids":[ {"id":"647035946536601578040000"}, {"id":"647035946536601578040000"} ] } }

19. POST /users/461845f5d03e6c052a43afbc/points Accept: application/json Accept-Language: en-gb X-App-Version: 1.28.0 User-Agent: Dalvik/2.1.0

    (Linux; U; Android 6.0.1;) ... Content-Type: application/json; charset=UTF-8 Content-Length: 375 Host: api.eatapp.com Connection: Keep-Alive Accept-Encoding: gzip { "authentication_token":"boKUp9vBHNAJp7XbWZCK", "latitude":..., "longitude":..., "point":{ "isDoneByGesture":false, "main_beacon":{ "major":38995, "minor":12702, "uuid":"2C75E74B-41B7-49E3-BD26-CE86B2F569F8" }, "place_id":"450", "promoted_products_ids":[ {"id":"647035946536601578040000"}, {"id":"647035946536601578040000"} ] } }
20. None
21. None
22. None

23. stop!

24. • Encrypt all the values • Utilise security features when

    they exist • Certificate pinning • DO NOT TRUST THE DEVICE

25. Encrypt all the values dependencies { compile 'com.scottyab:aescrypt:0.0.1' } String

    password = "password"; String message = "hello world"; try { String encryptedMsg = AESCrypt.encrypt(password, message); }catch (GeneralSecurityException e){ //handle error } String password = "password"; String encryptedMsg = "2B22cS3UC5s35WBihLBo8w=="; try { String messageAfterDecrypt = AESCrypt.decrypt(password, encryptedMsg); }catch (GeneralSecurityException e){ //handle error - could be due to incorrect password or tampered encryptedMsg }

26. Caveat: Your keys will end up in GitHub

27. • Encrypt all the values • Utilise security features when

    they exist • Certificate pinning • DO NOT TRUST THE DEVICE

28. Utilise security features when they exist

29. • Encrypt all the values • Utilise security features when

    they exist • Certificate pinning • DO NOT TRUST THE DEVICE

30. Certificate pinning String hostname = "publicobject.com"; CertificatePinner certificatePinner = new

    CertificatePinner.Builder() .add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") .build(); OkHttpClient client = OkHttpClient.Builder() .certificatePinner(certificatePinner) .build(); Request request = new Request.Builder() .url("https://" + hostname) .build(); client.newCall(request).execute(); http://bit.ly/android-certificate-pinning

31. Certificate pinning String hostname = "publicobject.com"; CertificatePinner certificatePinner = new

    CertificatePinner.Builder() .add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") .build(); OkHttpClient client = OkHttpClient.Builder() .certificatePinner(certificatePinner) .build(); Request request = new Request.Builder() .url("https://" + hostname) .build(); client.newCall(request).execute(); http://bit.ly/android-certificate-pinning

32. Certificate pinning String hostname = "publicobject.com"; CertificatePinner certificatePinner = new

    CertificatePinner.Builder() .add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") .build(); OkHttpClient client = OkHttpClient.Builder() .certificatePinner(certificatePinner) .build(); Request request = new Request.Builder() .url("https://" + hostname) .build(); client.newCall(request).execute(); http://bit.ly/android-certificate-pinning

33. • Encrypt all the values • Utilise security features when

    they exist • Certificate pinning • DO NOT TRUST THE DEVICE

34. Someone will decompile your app

35. And when they do…

36. –Every Developer “But I need magic strings”

37. Options http://bit.ly/SafeKey Encrypt Make sure you encrypt or at least

    encode them Server Get your keys of a server you own

38. Store in the NDK http://bit.ly/NDKStorage

39. start!

40. • Add tampering detection • Check your app’s signature •

    Check for rooted device • Check for emulator • Check if the app is debuggable

41. Tampering detection // myPackageName should decode at runtime to "com.yourpackagename"

    // google should decode at runtime to "com.android.vending"; // amazon should decode at runtime to "com.amazon.venezia"; public boolean isHacked(Context context, String myPackageName, String google, String amazon) { //Crooks renamed your app? if (context.getPackageName().compareTo(myPackageName != 0) return true; // BOOM! //Rogues relocated your app? String installer = context.getPackageManager().getInstallerPackageName(myPackageName); if (installer == null) return true; // BOOM! if (installer.compareTo(google) != 0 && installer.compareTo(amazon) != 0) return true; // BOOM! return false; } http://bit.ly/android-tampering-detection

42. Tampering detection // myPackageName should decode at runtime to "com.yourpackagename"

    // google should decode at runtime to "com.android.vending"; // amazon should decode at runtime to "com.amazon.venezia"; public boolean isHacked(Context context, String myPackageName, String google, String amazon) { //Crooks renamed your app? if (context.getPackageName().compareTo(myPackageName != 0) return true; // BOOM! //Rogues relocated your app? String installer = context.getPackageManager().getInstallerPackageName(myPackageName); if (installer == null) return true; // BOOM! if (installer.compareTo(google) != 0 && installer.compareTo(amazon) != 0) return true; // BOOM! return false; } http://bit.ly/android-tampering-detection

43. • Add tampering detection • Check your app’s signature •

    Check for rooted device • Check for emulator • Check if the app is debuggable

44. private static final int VALID = 0; private static final

    int INVALID = 1; private static final String APP_SIGNATURE = "1038C0E34658923C4192E61B16846"; public static int checkAppSignature(Context context) { try { PackageInfo packageInfo = context.getPackageManager() .getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES); for (Signature signature : packageInfo.signatures) { byte[] signatureBytes = signature.toByteArray(); MessageDigest md = MessageDigest.getInstance("SHA"); md.update(signature.toByteArray()); //compare signatures if (SIGNATURE.equals(APP_SIGNATURE)){ return VALID; }; } } catch (Exception e) { //assumes an issue in checking signature., but we let the caller decide on what to do. } return INVALID; } Check your app’s signature http://bit.ly/AndroidTampering

45. Only a matter of time

46. Only a matter of time

47. • Add tampering detection • Check your app’s signature •

    Check for rooted device • Check for emulator • Check if the app is debuggable

48. private static boolean canExecuteCommand(String command) { try { int exitValue

    = Runtime.getRuntime().exec(command).waitFor(); if (exitValue != 0) return false; else return true; } catch (Exception e) { return false; } } Check for rooted device
49. None

50. Hooking

51. Hooking public class SystemUiHack implements IXposedHookLoadPackage { public void handleLoadPackage(final

    LoadPackageParam lpparam) throws Throwable { if (!lpparam.packageName.equals("com.android.systemui")) return; findAndHookMethod("com.android.systemui.statusbar.policy.Clock", lpparam.classLoader, "updateClock", new XC_MethodHook() { @Override protected void afterHookedMethod(MethodHookParam param) throws Throwable { TextView tv = (TextView) param.thisObject; String text = tv.getText().toString(); tv.setText(text + " :)"); tv.setTextColor(Color.RED); } }); } }

52. • Add tampering detection • Check your app’s signature •

    Check for rooted device • Check for emulator • Check if the app is debuggable

53. Build.FINGERPRINT.startsWith("generic") Check for emulator

54. • Add tampering detection • Check your app’s signature •

    Check for rooted device • Check for emulator • Check if the app is debuggable

55. public static boolean isDebuggable(Context context){ return (context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) !=

    0; } Check if the app is debuggable

56. Debuggable app

57. None

58. Things to look at • Protect your apps with tools

    like ProGuard and DexGuard. • Look at the SafetyNet API by Google • Implement Network Security Configuration http://bit.ly/SafeKey

59. ProGuard DexGuard • Installed by default • Name Obfuscation •

    Code Optimisation • Removal of Redundant Code • FREE • Class Encryption • Call Hiding through Reflection • String Encryption • Certificate Checks • Debug Detection • Emulator Detection • Root Detection • Tamper Detection • Costs $$$

60. Things to look at • Protect your apps with tools

    like ProGuard and DexGuard. • Look at the SafetyNet API by Google • Implement Network Security Configuration http://bit.ly/SafeKey

61. SafetyNet API by Google

62. Things to look at • Protect your apps with tools

    like ProGuard and DexGuard. • Look at the SafetyNet API by Google • Implement Network Security Configuration http://bit.ly/SafeKey

63. Network Security Configuration

64. None
65. None

66. Marcos Placona @marcos_placona [email protected] Thanks github.com/mplacona androidsecurity.info