
Breaking Android Apps (Freakend 2016)


In this session we will learn how to analyse Android applications from a security point of view. We will walk through several security analysis methodologies (behavioural, static and dynamic) that let you find vulnerabilities. For every analysis we explain the tools needed, how to use them, and the protections you can apply to close the holes found.

Pablo Guardiola

March 04, 2016

Transcript

  1. Breaking Android Apps
    BY PABLO GUARDIOLA

  2. TWITTER
    @Guardiola31337
    BLOG
    pguardiola.com


  3. SECURITY???



  5-12. Android SECURITY Analysis ENVIRONMENT
    Android SDK
      SDK Manager (android)
      AVD Manager (android avd)
      Tools: adb, monitor, aapt…
    Android Emulator
      HAXM (Intel hardware acceleration for x86 system images)
    Analysis apps: SuperSU, RootChecker, ProxyDroid
    Python (needed by drozer and enjarify)

  13. Android EMULATOR
    $ emulator -avd Android511 -scale 0.9 -no-boot-anim -partition-size 384 \
        -qemu -redir tcp:22222::22
    (-partition-size 384 enlarges /system so the su binaries of slide 16 fit;
    -qemu -redir tcp:22222::22 forwards host port 22222 to guest port 22 in the
    classic QEMU1 emulator syntax)

  14. Android Debug Bridge
    $ adb devices                                  (list connected devices and emulators)
    $ adb -d                                       (target the single USB device)
    $ adb -e                                       (target the single emulator)
    $ adb -s <serial>                              (target one device, e.g. emulator-5554)
    $ adb install file.apk
    $ adb uninstall com.package.name
    $ adb shell [command]
    $ adb push <local> <remote>
    $ adb pull <remote> [local]
    $ adb logcat
    $ adb forward tcp:<local-port> tcp:<remote-port>

  15. Android Emulator CONSOLE
    $ nc localhost 5554                 (console port of emulator-5554; recent emulators first
                                         require "auth <token>" from ~/.emulator_console_auth_token)
    > redir list
    > redir add tcp:22222:22
    > network status
    > network speed <speed>
    > network delay [gprs | edge | …]
    > geo fix <longitude> <latitude>
    > sms send <phone> <message>
    > gsm call <phone>
    > power ac [on | off]
    > power display

  16. ROOT Android Emulator
    $ adb -s emulator-5554 start-server
    $ adb -s emulator-5554 shell mount -o remount,rw /system
    $ adb -s emulator-5554 push su /system/xbin/su
    $ adb -s emulator-5554 shell chmod 0755 /system/xbin/su
    $ adb -s emulator-5554 push su /system/bin/su
    $ adb -s emulator-5554 shell chmod 0755 /system/bin/su
    $ adb -s emulator-5554 shell su --install
    $ adb -s emulator-5554 shell "su --daemon&"
    $ adb -s emulator-5554 shell setenforce 0
    $ adb -s emulator-5554 shell mount -o remount,ro /system
    $ adb -s emulator-5554 install supersu_v2.46.apk
    (su is the binary from the SuperSU package; setenforce 0 switches SELinux to
    permissive mode, acceptable on a throwaway analysis AVD and nowhere else)

  17-19. Security Analysis METHODOLOGIES
    BEHAVIORAL
    STATIC
    DYNAMIC

  20. BEHAVIORAL Analysis
    NETWORK
    FILESYSTEM
    LOGGING

  21. NETWORK Analysis
    CAPTURE and INTERCEPT network TRAFFIC, then DETERMINE:
      End-points
      Data transmitted
      Protocols and ports
      Encoding
      Encryption

  22. EVALUATING
    traffic and certificate validation
    Does app VALIDATE ANY “TRUSTED” certificate?
    Does app ACCEPT ANY certificate as VALID?
    Does app CONTINUE after a certificate WARNING or ERROR?
    Does app LEVERAGE certificate PINNING?
    WHERE is the LOCAL certificate copy?


  23. Android EMULATOR (through the proxy)
    $ emulator -avd Android511 -scale 0.9 -http-proxy 127.0.0.1:8081 -no-boot-anim \
        -partition-size 384 -qemu -redir tcp:22222::22
    (-http-proxy routes the emulator's HTTP(S) traffic to Burp on the host; apps that
    ignore the system proxy setting need ProxyDroid on the device instead)

  24. Run BURP proxy
    $ java -jar burpsuite_free_v1.6.28.jar
    Proxy > Options > Proxy Listeners > Add > Binding > Port 8081, All interfaces
    (install Burp's CA certificate on the AVD to see HTTPS; an app that validates
    correctly refuses the handshake until you do, which already answers the first
    question of slide 22)

  25. Let’s hack!!!


  28. Network PROTECTIONS
    HTTPS - TLS: digital certificate + CA
    Typical reasons validation fails (fix the server, don't disable the check):
      Self-signed server certificate
      Missing intermediate CA
      Unknown CA
    Verifying the server certificate with HttpsURLConnection:
      Don't rely on end-user trust decisions
      Use a custom X509TrustManager
      Don't rely on root or intermediate authority chains alone: Certificate Pinning

  29. Network PROTECTIONS
    ENCRYPTING network connections (Android Marshmallow, API 23)
      android:usesCleartextTraffic="false" in the manifest: is clear-text network
      traffic allowed? No, the platform HTTP stacks refuse it
      NetworkSecurityPolicy.isCleartextTrafficPermitted() gives the same answer at runtime
      StrictMode detectCleartextNetwork(): DETECT and LOG unencrypted traffic
    https://koz.io/android-m-and-the-war-on-cleartext-traffic/
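Added example (not from the deck) putting the three pieces of the slide together: the manifest attribute, a StrictMode VM policy that logs and kills debug builds on any cleartext socket, and a runtime guard for URLs the app assembles itself. `BuildConfig.DEBUG` is assumed to be the app's generated build constant.

```java
import android.app.Application;
import android.os.Build;
import android.os.StrictMode;
import android.security.NetworkSecurityPolicy;
import java.io.IOException;
import java.net.URL;

/**
 * Manifest side (API 23+), which this class complements:
 *   <application android:usesCleartextTraffic="false" ...>
 * With that attribute HttpURLConnection, WebView and OkHttp refuse http:// outright.
 */
public class HardenedApplication extends Application {

    @Override
    public void onCreate() {
        super.onCreate();
        // Debug builds only: surface every cleartext connection loudly so it gets fixed.
        if (BuildConfig.DEBUG && Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            StrictMode.setVmPolicy(new StrictMode.VmPolicy.Builder()
                    .detectCleartextNetwork()           // flag unencrypted sockets
                    .penaltyLog()                       // logcat tag "StrictMode"
                    .penaltyDeathOnCleartextNetwork()   // and crash the debug build
                    .build());
        }
    }

    /** The platform's answer to "is clear-text traffic allowed?" for this app. */
    public static boolean cleartextPermitted() {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            return NetworkSecurityPolicy.getInstance().isCleartextTrafficPermitted();
        }
        return false; // pre-M there is no platform policy, so the app enforces its own
    }

    /** Use instead of new URL(...) for anything that carries user data. */
    public static URL requireEncrypted(String spec) throws IOException {
        URL url = new URL(spec);
        if (!"https".equalsIgnoreCase(url.getProtocol()) && !cleartextPermitted()) {
            throw new IOException("cleartext traffic not permitted: " + spec);
        }
        return url;
    }
}
```

The runtime guard matters on devices below API 23, where the manifest attribute is ignored, and it catches the "force HTTP instead of HTTPS" patch of slide 58 only if the attacker forgets to patch this method too, which is why the pinning of slide 28 is the stronger control.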


  31. FILESYSTEM Analysis
    INSPECT the App SANDBOX: /data/data/com.organization.app
    DISABLE BACKUP of SENSITIVE DATA in the manifest:
      <application android:allowBackup="false" ...>

  32. Get a BACKUP
    $ adb shell pm list packages | grep "<name>"
    $ adb backup -apk -obb com.organization.app            (writes backup.ab)
    $ java -jar abe.jar unpack backup.ab backup.tar        (Android Backup Extractor)
    $ tar xvf backup.tar
    (works only while the app leaves android:allowBackup at its default of "true")


  34. Storing PROTECTIONS
    INTERNAL storage: encrypt data with a key not available from the app sandbox
      (Android Keystore, supported since 4.3)
    EXTERNAL storage: readable by every app, so perform input validation on anything read back
    CONTENT PROVIDERS: keep them private, android:exported="false"


  36. LOGGING Analysis
    $ adb logcat
    $ adb shell
    > logcat
    $ adb logcat -c                       (Clear log)
    $ adb logcat -d                       (Show log and stop)
    $ adb logcat -s <TAG>                 (Filter by <TAG>)
    $ adb logcat -d -b main > main.txt    (Main log buffer)
    $ adb logcat -d | findstr /I /R "http https user pass…"
      (Windows; on Linux/macOS: adb logcat -d | grep -iE "http|https|user|pass")

  37. Logging PROTECTIONS
    LOGS should NOT contain SENSITIVE info
    BEFORE 4.1 (API 16) 3rd-party apps could request READ_LOGS and read the whole
    system log, so anything logged was readable by any other app; from 4.1 an app
    only sees its own lines, which still leaves adb logcat on any connected machine
    Be careful with Log.d() statements: keep them out of release builds
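Added example (not from the deck) of the last bullet: a Log.d() replacement that is silent in release builds and, in debug builds, redacts the kinds of values the logcat grep on slide 36 searches for. `BuildConfig.DEBUG` is assumed to be the app's generated constant; the two patterns are a constructed starting point, not an exhaustive secret detector.

```java
import android.util.Log;
import java.util.regex.Pattern;

public final class SafeLog {
    private static final boolean ENABLED = BuildConfig.DEBUG;

    // key=value / key: value pairs whose key looks like a credential (access_token=, password:, ...).
    private static final Pattern SECRET = Pattern.compile(
            "(?i)(password|passwd|pwd|token|secret|cookie|session)(\\s*[=:]\\s*)([^\\s&;,\"']+)");

    // HTTP Authorization values: "Bearer <jwt>" and "Basic <base64>".
    private static final Pattern AUTH_HEADER = Pattern.compile(
            "(?i)\\b(bearer|basic)\\s+([A-Za-z0-9+/=._-]+)");

    public static void d(String tag, String msg) {
        if (ENABLED) {
            Log.d(tag, redact(msg));
        }
    }

    /** Redacts header credentials first so the generic pattern does not eat the scheme word. */
    static String redact(String msg) {
        if (msg == null) return "null";
        String out = AUTH_HEADER.matcher(msg).replaceAll("$1 [REDACTED]");
        return SECRET.matcher(out).replaceAll("$1$2[REDACTED]");
    }
}
```

`SafeLog.d("net", "POST /login user=alice&password=hunter2")` logs `POST /login user=alice&password=[REDACTED]` in a debug build and nothing in release. For code that still calls `android.util.Log` directly, the ProGuard rule `-assumenosideeffects class android.util.Log { public static int d(...); public static int v(...); }` removes those calls from release builds at shrink time.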

  38. STATIC Analysis
    Retrieving APKs
    aapt (build-tools)
    Manifest.xml analysis
    Decompiling apps
    Protections

  39. RETRIEVING APKs
    From a ROOTED device:
      /data/app/*.apk
      /system/[priv-]app/*.apk
    Without root: adb shell pm path com.organization.app, then adb pull the path it prints
    DOWNLOADING:
      http://apps.evozi.com/apk-downloader/
      https://apkpure.com/


  41. Android Asset Packaging Tool (aapt)
    INSPECT APK contents:
      $ aapt list -a app.apk                              (List app contents)
      $ aapt dump badging app.apk                         (Package name, SDK versions, launchable activity)
      $ aapt dump permissions app.apk                     (App permissions)
      $ aapt dump xmltree app.apk AndroidManifest.xml     (Binary manifest printed as a readable tree)
      $ aapt dump strings app.apk                         (App strings)
      $ aapt dump resources app.apk                       (App resources)
    CHANGE APK contents:
      $ aapt package …


  43. Manifest.xml Analysis
    Look at: API levels (minSdkVersion / targetSdkVersion), Android permissions,
    app components declaration (activities, services, receivers, providers) and
    whether they are exported
    The manifest inside an APK is binary XML; AXMLPrinter2 turns it back into text:
    $ java -jar AXMLPrinter2.jar AndroidManifest.xml > AndroidManifest.xml.txt



  46. DECOMPILING
    Apps
    Understand FUNCTIONALITY
    Understand app COMPONENTS
    Inspect source CODE
    Perform SENSITIVE searches


  47. DECOMPILING Apps
    dex → jar:
      dex2jar     $ sh d2j-dex2jar.sh base.apk
      enjarify    $ sh enjarify.sh base.apk -o base.jar
    jar → Java source:
      jd-gui      $ java -jar jd-gui-1.4.0.jar
    apk → Java source in one step:
      jadx        $ bin/jadx-gui lib/jadx-core-*.jar   (jadx-gui also opens an APK directly)



  50. Static PROTECTIONS
    Minimize PERMISSIONS required
    Minimize app components EXPOSURE (android:exported="false" unless a component must be public)
    Validate the Signing CERTIFICATE at runtime (detects a repackaged build)

  51. DYNAMIC Analysis
    Manipulating components
    Debugging apps
    Manipulating apps
    MitM
    Protections

  52. Manipulating
    COMPONENTS
    Evaluate AndroidManifest
    Inspect source code
    Custom code to invoke components
    drozer


  53. drozer
    $ adb install agent.apk                              (drozer Agent)
    Run Embedded Server from the drozer Agent
    $ adb forward tcp:31415 tcp:31415
    $ drozer console connect
    dz> list                                             (List available modules)
    dz> run app.package.list                             (List all installed apps)
    dz> run app.package.info -a com.organization.name    (App info)
    dz> run app.package.attacksurface com.organization.name
                                                         (App attack surface: exported components)
    dz> run app.package.debuggable                       (List debuggable apps)
    dz> run app.activity.start --component com.organization.name com.organization.name.Activity



  56. DEBUGGING Apps
    CONTROL execution
    Debuggable apps (android:debuggable="true") on the Play Store: ≈5%
    dz> run app.package.debuggable -f com.organization.name
    Tools: Android Studio (AS) or Device Monitor


  58. Disassembling APPS
    Disassembly + Re-assembly = Valid app
      Disable emulator or root detection
      Force HTTP instead of HTTPS
      Change app functionality

  59. Disassembling APPS: apktool
    $ apktool d <app>.apk                         (decode to smali and resources)
    $ apktool b <dir>                             (rebuild; output in <dir>/dist/)
    Sign, verify and align the APK:
    $ keytool -genkey -v -keystore keys/keyName.keystore -alias keyNameAlias \
        -keyalg RSA -keysize 2048 -validity 7300
    $ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 \
        -keystore keys/keyName.keystore target.apk keyNameAlias
    $ jarsigner -verify -verbose -certs target.apk
    $ zipalign -v 4 target.apk target-aligned.apk
    (the rebuilt APK is signed with your key, not the developer's: uninstall the original
    first or the install fails with INSTALL_FAILED_UPDATE_INCOMPATIBLE; SHA1 was the 2016
    toolchain default, current build-tools ship apksigner and use SHA-256)



  62. Man in the Middle
    Manipulate HTTP(S) traffic: Requests/Responses
      Burp
      ProxyDroid (forces apps that ignore the emulator's -http-proxy setting through the
      proxy via iptables; needs the rooted AVD of slide 16)


  64. Dynamic PROTECTIONS
    WebView: be careful with setJavaScriptEnabled()
    Check Emulation
    Check Debugging
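Added example (not from the deck) of the WebView bullet: JavaScript stays off unless the page really needs it, file:// and content:// access are closed, and navigation is confined to one HTTPS host. `ALLOWED_HOST` is hypothetical.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class WebViewHardening {
    private static final String ALLOWED_HOST = "app.example.com"; // hypothetical

    public static void harden(WebView wv, boolean pageNeedsJavaScript) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(pageNeedsJavaScript);  // default is false; turning it on widens the attack surface
        s.setAllowFileAccess(false);                  // no file:// URLs
        s.setAllowContentAccess(false);               // no content:// URLs
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        s.setSavePassword(false);
        // Do not call wv.addJavascriptInterface() on API < 17: any page loaded in the
        // WebView can reach arbitrary Java methods through the bridge by reflection.
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !allowed(url); // returning true cancels the navigation
            }
        });
    }

    static boolean allowed(String url) {
        Uri u = Uri.parse(url);
        return "https".equalsIgnoreCase(u.getScheme())
                && ALLOWED_HOST.equalsIgnoreCase(u.getHost());
    }
}
```

With the host allowlist in place, a MitM response (slide 62) that injects a link to another origin is blocked even when JavaScript had to be enabled.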


  66. Check EMULATION
    import android.content.Context;
    import android.telephony.TelephonyManager;

    // Inside an Activity or Service. The stock emulator image reports "Android" as both
    // SIM and network operator. Comparing from the constant avoids a NullPointerException
    // when no operator name is available.
    public boolean checkEmulation() {
        TelephonyManager mng = (TelephonyManager)
                getApplicationContext().getSystemService(Context.TELEPHONY_SERVICE);
        return "Android".equals(mng.getSimOperatorName())
                || "Android".equals(mng.getNetworkOperatorName());
    }


  68. Check DEBUGGING
    import android.os.Debug;

    // True while a JDWP debugger (Android Studio, jdb) is attached to this process.
    public boolean checkDebugging() {
        return Debug.isDebuggerConnected();
    }
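Added example (not from the deck) that goes a step beyond the two checks on slides 66 and 68: the same telephony test, the debugger test, the manifest's debuggable flag, and a few `Build` properties that identify the stock emulator images. Nothing here is a security boundary; as slide 58 shows, a disassembled and re-assembled APK can make every method return false. Use the result for logging or a degraded mode, not as the only gate.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.os.Debug;
import android.telephony.TelephonyManager;

public final class RuntimeChecks {

    /** True when the APK was built with android:debuggable="true" (slide 56). */
    public static boolean isDebuggableBuild(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** True while a JDWP debugger is attached or the process is waiting for one. */
    public static boolean isDebuggerAttached() {
        return Debug.isDebuggerConnected() || Debug.waitingForDebugger();
    }

    /** The deck's telephony check plus Build properties of the SDK emulator images. */
    public static boolean looksLikeEmulator(Context ctx) {
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        boolean operator = tm != null
                && ("Android".equals(tm.getSimOperatorName())
                    || "Android".equals(tm.getNetworkOperatorName()));
        return operator
                || Build.FINGERPRINT.startsWith("generic")
                || Build.FINGERPRINT.startsWith("unknown")
                || Build.HARDWARE.contains("goldfish")      // QEMU1 emulator kernel
                || Build.HARDWARE.contains("ranchu")        // QEMU2 emulator kernel
                || Build.MODEL.contains("google_sdk")
                || Build.MODEL.contains("Emulator")
                || Build.MODEL.contains("Android SDK built for x86")
                || Build.PRODUCT.contains("sdk");
    }

    /** Single answer the rest of the app can act on. */
    public static boolean analysisEnvironment(Context ctx) {
        return isDebuggableBuild(ctx) || isDebuggerAttached() || looksLikeEmulator(ctx);
    }
}
```

Each signal is cheap to fake on a rooted AVD (slide 16) or by editing smali, which is the point of combining several: an analyst has to find and patch all of them, and the same disassembly session that does so is visible in the logs of slide 36.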

  69-71. CONCLUSIONS
    We should BE HACKERS from time to time
    It's EASY
    SECURITY means QUALITY
    QUALITY means SUCCESS

  72. Thank you!
    @Guardiola31337
    pguardiola.com

  73. REFERENCES
    Android developers: http://developer.android.com/
    Burp Suite: https://portswigger.net/burp/
    Android M and the war on cleartext traffic: https://koz.io/android-m-and-the-war-on-cleartext-traffic/
    AXMLPrinter2 (android4me): https://code.google.com/archive/p/android4me/downloads
    dex2jar: https://github.com/pxb1988/dex2jar
    enjarify: https://github.com/google/enjarify
    jd-gui: https://github.com/java-decompiler/jd-gui
    jadx: https://github.com/skylot/jadx
    drozer: https://labs.mwrinfosecurity.com/tools/drozer/
    Apktool: http://ibotpeaches.github.io/Apktool/