Breaking Android Apps (Freakend 2016)

In this session we will learn how to analyse Android applications from a security point of view. We will dive into a bunch of security analysis methodologies you can approach, which will allow you to find vulnerabilities. For every analysis, we will explain the tools needed, how to use them and different protections you can apply in order to avoid the security holes found.

Pablo Guardiola

March 04, 2016

Transcript

  1. Breaking
    Android
    Apps
    BY PABLO GUARDIOLA

  2. TWITTER
    @Guardiola31337
    BLOG
    pguardiola.com

  3. Android SECURITY
    Analysis ENVIRONMENT
    Android SDK

  4. Android SECURITY
    Analysis ENVIRONMENT
    Android SDK
    SDK Manager (android)

  5. Android SECURITY
    Analysis ENVIRONMENT
    Android SDK
    SDK Manager (android)
    AVD Manager (android avd)

  6. Android SECURITY
    Analysis ENVIRONMENT
    Android SDK
    Android Emulator
    SDK Manager (android)
    AVD Manager (android avd)

  7. Android SECURITY
    Analysis ENVIRONMENT
    Android SDK
    Android Emulator
    SDK Manager (android)
    AVD Manager (android avd)
    HAXM

  8. Android SECURITY
    Analysis ENVIRONMENT
    Android SDK
    Android Emulator
    SDK Manager (android)
    AVD Manager (android avd)
    Tools: adb, monitor, aapt…
    HAXM

  9. Android SECURITY
    Analysis ENVIRONMENT
    Android SDK
    Android Emulator
    Analysis apps: SuperSU, RootChecker, ProxyDroid
    SDK Manager (android)
    AVD Manager (android avd)
    Tools: adb, monitor, aapt…
    HAXM

  10. Android SECURITY
    Analysis ENVIRONMENT
    Android SDK
    Android Emulator
    Analysis apps: SuperSU, RootChecker, ProxyDroid
    SDK Manager (android)
    AVD Manager (android avd)
    Tools: adb, monitor, aapt…
    HAXM
    Python

  11. Android EMULATOR
    $ emulator -avd Android511 \
        -scale 0.9 \
        -no-boot-anim \
        -partition-size 384 \
        -qemu -redir tcp:22222::22

  12. Android Debug Bridge
    $ adb devices
    $ adb -d (device)
    $ adb -e (emulator)
    $ adb -s
    $ adb shell [command]
    $ adb install file.apk
    $ adb uninstall com.package.name
    $ adb push
    $ adb pull
    $ adb logcat
    $ adb forward tcp: tcp:

  13. Android Emulator CONSOLE
    $ nc localhost 5554
    > network status
    > network speed
    > network delay [gprs | edge | …]
    > redir list
    > redir add tcp:22222:22
    > geo fix
    > sms send
    > gsm call
    > power ac [on | off]
    > power display

  14. ROOT Android Emulator
    $ adb -s emulator-5554 start-server
    $ adb -s emulator-5554 shell mount -o remount,rw /system
    $ adb -s emulator-5554 push su /system/xbin/su
    $ adb -s emulator-5554 shell chmod 0755 /system/xbin/su
    $ adb -s emulator-5554 push su /system/bin/su
    $ adb -s emulator-5554 shell chmod 0755 /system/bin/su
    $ adb -s emulator-5554 shell su --install
    $ adb -s emulator-5554 shell "su --daemon&"
    $ adb -s emulator-5554 shell setenforce 0
    $ adb -s emulator-5554 install supersu_v2.46.apk
    $ adb -s emulator-5554 shell mount -o remount,ro /system

  15. Security Analysis
    METHODOLOGIES
    BEHAVIORAL

  16. Security Analysis
    METHODOLOGIES
    BEHAVIORAL
    STATIC

    View full-size slide

  17. Security Analysis
    METHODOLOGIES
    BEHAVIORAL
    STATIC
    DYNAMIC

  18. BEHAVIORAL
    Analysis
    NETWORK

  19. NETWORK
    Analysis
    CAPTURE and INTERCEPT network TRAFFIC
    DETERMINE
    End-points
    Data transmitted
    Protocols and ports
    Encoding
    Encryption

  20. EVALUATING
    traffic and certificate validation
    Does app VALIDATE ANY “TRUSTED” certificate?
    Does app ACCEPT ANY certificate as VALID?
    Does app CONTINUE after a certificate WARNING or ERROR?
    Does app LEVERAGE certificate PINNING?
    WHERE is the LOCAL certificate copy?

  21. Android
    EMULATOR
    $ emulator -avd Android511
    -scale 0.9
    -http-proxy 127.0.0.1:8081
    -no-boot-anim
    -partition-size 384
    -qemu -redir tcp:22222::22

  22. Run BURP
    proxy
    $ java -jar burpsuite_free_v1.6.28.jar
    Proxy > Options > Proxy Listeners > Add >
    Binding > Port 8081 All interfaces

  23. Let’s hack!!!

  24. Network
    PROTECTIONS
    HTTPS - TLS: Digital certificate + CA
    Self-signed server certificate
    Missing intermediate CA
    Unknown CA
    Verifying server certificate: HttpsURLConnection
    Don't rely on end-user trust decisions
    Use a custom X509TrustManager
    Don't rely on root or intermediate authority chains
    Certificate Pinning

  25. Network
    PROTECTIONS
    ENCRYPTING network connections
    Android Marshmallow
    android:usesCleartextTraffic - change to "false"
    NetworkSecurityPolicy - is clear-text network traffic allowed?
    StrictMode detectCleartextNetwork - DETECT and LOG unencrypted traffic
    https://koz.io/android-m-and-the-war-on-cleartext-traffic/

  26. BEHAVIORAL
    Analysis
    NETWORK
    FILESYSTEM

  27. FILESYSTEM
    Analysis
    INSPECT App SANDBOX
    /data/data/com.organization.app
    DISABLE backup SENSITIVE DATA
    <application ... android:allowBackup="false">

  28. Get a
    BACKUP
    $ adb shell pm list packages | grep ""
    $ adb backup -apk -obb com.organization.app
    $ java -jar abe.jar unpack backup.ab backup.tar
    $ tar xvf backup.tar
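
As an added example (not part of the deck, and not the code of abe.jar): the `.ab` file written by `adb backup` is four text header lines followed by a zlib stream that wraps a tar archive, so for an unencrypted backup the `abe.jar unpack` step above can be reproduced in Python (which the deck lists in the analysis environment). The script builds a constructed backup in memory as a stand-in for `backup.ab`, unpacks it, and points at the entries that usually hold app secrets (shared preferences under `sp/`, databases under `db/`). The package name and file contents are made up.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_backup(ab_bytes):
    """Split an 'adb backup' file into its header and payload.
    Header lines: magic, format version, compression flag (1/0),
    encryption algorithm ('none' or 'AES-256')."""
    stream = io.BytesIO(ab_bytes)
    magic = stream.readline().rstrip(b"\n")
    if magic != MAGIC:
        raise ValueError("not an Android backup file: %r" % magic)
    header = {
        "version": int(stream.readline().strip()),
        "compressed": stream.readline().strip() == b"1",
        "encryption": stream.readline().strip().decode(),
    }
    return header, stream.read()


def unpack_backup(ab_bytes):
    """Return the tar archive inside an unencrypted .ab (what 'abe.jar unpack' does)."""
    header, payload = parse_backup(ab_bytes)
    if header["encryption"] != "none":
        raise ValueError("encrypted backup (%s): needs the backup password, not handled here"
                         % header["encryption"])
    if header["compressed"]:
        # The backup manager writes with java.util.zip.Deflater, i.e. a zlib stream.
        payload = zlib.decompress(payload)
    return payload


def list_backup_entries(ab_bytes):
    """Entry names of the tar archive inside the backup (same as 'tar tvf backup.tar')."""
    with tarfile.open(fileobj=io.BytesIO(unpack_backup(ab_bytes)), mode="r:") as tar:
        return [m.name for m in tar.getmembers()]


def sensitive_entries(names):
    """Shared preferences (sp/) and databases (db/) are where app secrets usually end up."""
    return [n for n in names if "/sp/" in n or "/db/" in n]


def make_sample_backup():
    """Constructed stand-in for backup.ab: an unencrypted, compressed backup of one app."""
    files = [
        ("apps/com.organization.app/_manifest", b"com.organization.app\n1\n"),
        ("apps/com.organization.app/sp/prefs.xml",
         b'<map><string name="token">c0nstructed-value</string></map>\n'),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return b"ANDROID BACKUP\n1\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    names = list_backup_entries(make_sample_backup())
    print("entries:", names)
    print("look here first:", sensitive_entries(names))
```

If the header's fourth line reads `AES-256`, the user set a backup password; the script refuses rather than guessing, which is the correct outcome for a defender: a device backup password is what keeps this data out of an attacker's `adb backup`.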

  29. Storing
    PROTECTIONS
    INTERNAL storage
    Encrypt data with a key not available from the app
    EXTERNAL storage
    Perform input validation
    CONTENT PROVIDERS
    Keep them private
    android:exported="false"
    Android keystore supported 4.3+

  30. BEHAVIORAL
    Analysis
    NETWORK
    FILESYSTEM
    LOGGING

    View full-size slide

  31. LOGGING
    Analysis
    $ adb logcat -s (Filters by )
    $ adb shell
    > logcat
    $ adb logcat
    $ adb logcat -c (Clear log)
    $ adb logcat -d (Show log and stop)
    $ adb logcat -d | findstr /I /R “http https user pass…”
    $ adb logcat -d -b main > main.txt (Main log)

  32. Logging
    PROTECTIONS
    LOGS should NOT contain SENSITIVE info
    BEFORE 4.1 (API 16) 3rd party apps
    could ACCESS system LOGS
    Be careful with Log.d() statements
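
Added example, not from the deck: the `findstr` filter on the previous slide is a one-shot grep, while the Python script below parses `adb logcat` output in both the brief format (`D/Tag( 1234): msg`) and the threadtime format, flags lines that leak URLs, credentials or tokens, and counts findings per log tag so the developer knows which `Log.d()` call sites to clean up. The log lines are constructed, not a real capture; the tag names, PIDs and values are made up.

```python
import re
from collections import Counter

# Regexes for the two logcat output formats an analyst usually meets:
#   brief      -> "D/Tag     ( 1234): message"   (what plain "adb logcat" printed on Android 5.x)
#   threadtime -> "03-04 10:21:33.123  1234  1234 D Tag     : message"
BRIEF = re.compile(r"^(?P<level>[VDIWEF])/(?P<tag>[^(]+?)\s*\(\s*(?P<pid>\d+)\):\s(?P<msg>.*)$")
THREADTIME = re.compile(
    r"^\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}\s+(?P<pid>\d+)\s+\d+\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>\S+?)\s*:\s(?P<msg>.*)$"
)

# Indicators in the spirit of the deck's 'findstr /I /R "http https user pass..."' filter,
# but named, so findings can be reported per category and per log tag.
INDICATORS = {
    "url": re.compile(r"https?://\S+", re.I),
    "credential": re.compile(r"\b(user(name)?|pass(word|wd)?|pwd|pin)\s*[=:]\s*\S+", re.I),
    "token": re.compile(r"\b(token|auth|bearer|session|api[_-]?key)\b\s*[=:]?\s*[A-Za-z0-9._-]{8,}", re.I),
}

# Constructed sample output (not a real capture); tags, PIDs and values are made up.
SAMPLE_LOG = """\
D/LoginActivity( 1234): POST http://api.example.test/login user=alice pass=s3cret
I/ActivityManager(  567): Start proc com.organization.app for activity
03-04 10:21:33.123  1234  1234 D NetClient: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c0nstructed
W/System.err( 1234): javax.net.ssl.SSLHandshakeException: Trust anchor not found
03-04 10:21:34.001  1234  1240 V PrefsStore: saved session=9f8e7d6c5b4a3210
"""


def parse_line(line):
    """Split one logcat line into level, tag, pid and message; None for non-log lines."""
    for rx in (THREADTIME, BRIEF):
        m = rx.match(line)
        if m:
            return {"level": m.group("level"), "tag": m.group("tag").strip(),
                    "pid": int(m.group("pid")), "msg": m.group("msg")}
    return None


def scan_logcat(text):
    """Return every log line whose message matches at least one sensitive-data indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue  # e.g. "--------- beginning of main" separators
        kinds = [name for name, rx in INDICATORS.items() if rx.search(rec["msg"])]
        if kinds:
            findings.append({"line": lineno, "tag": rec["tag"], "level": rec["level"],
                             "kinds": kinds, "msg": rec["msg"]})
    return findings


def summarize(findings):
    """Findings per tag: tells the developer which Log.d() call sites to clean up."""
    return Counter(f["tag"] for f in findings)


if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOG):
        print("line %d [%s/%s] %s: %s" % (f["line"], f["level"], f["tag"], ",".join(f["kinds"]), f["msg"]))
    print(summarize(scan_logcat(SAMPLE_LOG)))
```

Feed it `adb logcat -d > main.txt` output; every hit is a line that, before API 16, any third-party app with `READ_LOGS` could have read, and that still ends up in bug reports and crash uploads today.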

  33. STATIC
    Analysis
    Retrieving APKs

  34. RETRIEVING
    APKs
    ROOTED device
    /data/app/*.apk
    /system/[priv-]app/*.apk
    DOWNLOADING
    http://apps.evozi.com/apk-downloader/
    https://apkpure.com/

  35. Retrieving APKs
    aapt (build-tools)
    STATIC
    Analysis

  36. aNDROID aSSET
    pACKAGING tOOL
    INSPECT APK contents
    $ aapt list -a app.apk (List app contents)
    $ aapt dump permissions app.apk (App permissions)
    $ aapt dump xmltree app.apk AndroidManifest.xml (non-xml)
    $ aapt dump strings app.apk (App strings)
    $ aapt dump resources app.apk (App resources)
    CHANGE APK contents
    $ aapt package …

  37. Retrieving APKs
    aapt (build-tools)
    Manifest.xml analysis
    STATIC
    Analysis

  38. Manifest.xml
    Analysis
    API levels
    Android permissions
    App components declaration
    AXMLPrinter2
    $ java -jar AXMLPrinter2.jar AndroidManifest.xml > AndroidManifest.xml.txt

  39. STATIC
    Analysis
    Retrieving APKs
    aapt (build-tools)
    Manifest.xml analysis
    Decompiling apps

  40. DECOMPILING
    Apps
    Understand FUNCTIONALITY
    Understand app COMPONENTS
    Inspect source CODE
    Perform SENSITIVE searches

  41. DECOMPILING
    Apps
    dex2jar: $ sh d2j-dex2jar.sh base.apk
    enjarify: $ sh enjarify.sh base.apk -o base.jar
    jd-gui: $ java -jar jd-gui-1.4.0.jar
    jadx: $ bin/jadx-gui lib/jadx-core-*.jar

  42. Retrieving APKs
    aapt (build-tools)
    Manifest.xml analysis
    Decompiling apps
    Protections
    STATIC
    Analysis

  43. Static
    PROTECTIONS
    Minimize PERMISSIONS required
    Minimize app components EXPOSURE
    Validate Signing CERTIFICATE
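
Added example, not part of the deck: a Python script that pulls the manifest facts from the Manifest.xml analysis slide (API levels, permissions, component declarations) out of a text `AndroidManifest.xml` (for instance the `AXMLPrinter2` output) and turns them into the review items behind the protections above: permissions requested, components exposed without a permission, plus the `allowBackup`, `debuggable` and `usesCleartextTraffic` application flags discussed on earlier slides. The export defaults it applies are the ones in force for the API levels the deck covers (an explicit `android:exported` wins; otherwise an `<intent-filter>` means exported; a provider without the attribute is exported only when `targetSdkVersion` is below 17). The manifest, package name and component names are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER = "android.intent.category.LAUNCHER"


def _attr(el, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(comp, kind, target_sdk):
    """Export defaults that applied until API 30: an explicit android:exported wins;
    otherwise activities, services and receivers are exported iff they declare an
    <intent-filter>, and a provider is exported only when targetSdkVersion < 17."""
    explicit = _attr(comp, "exported")
    if explicit is not None:
        return explicit == "true"
    if kind == "provider":
        return target_sdk < 17
    return comp.find("intent-filter") is not None


def analyze_manifest(xml_text):
    """Collect the manifest facts the deck asks for: API levels, permissions,
    component exposure and the debuggable / backup / cleartext application flags."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    target_sdk = int(_attr(sdk, "targetSdkVersion") or _attr(sdk, "minSdkVersion") or 1) if sdk is not None else 1
    report = {
        "package": root.get("package"),
        "target_sdk": target_sdk,
        "permissions": [_attr(p, "name") for p in root.findall("uses-permission")],
        "debuggable": _attr(app, "debuggable") == "true",
        # Both of these default to "true" when absent (for the API levels in the deck),
        # which is the unsafe direction, so only an explicit "false" clears them.
        "allow_backup": _attr(app, "allowBackup") != "false",
        "cleartext_allowed": _attr(app, "usesCleartextTraffic") != "false",
        "exported": [],
    }
    for kind in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(kind):
            if not is_exported(comp, kind, target_sdk):
                continue
            categories = {_attr(c, "name") for c in comp.iter("category")}
            report["exported"].append({
                "type": kind,
                "name": _attr(comp, "name"),
                "permission": _attr(comp, "permission"),
                "launcher": LAUNCHER in categories,
            })
    return report


def findings(report):
    """Turn the report into the review items a tester would raise."""
    out = []
    if report["debuggable"]:
        out.append("android:debuggable=true: a debugger can be attached to the app")
    if report["allow_backup"]:
        out.append("android:allowBackup is not false: app data can be pulled with 'adb backup'")
    if report["cleartext_allowed"]:
        out.append('cleartext traffic allowed: set android:usesCleartextTraffic="false" (API 23+)')
    for c in report["exported"]:
        if c["permission"] is None and not c["launcher"]:
            out.append("%s %s is exported without a permission" % (c["type"], c["name"]))
    return out


# Constructed manifest (package name and components are made up for the example).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.organization.app">
  <uses-sdk android:minSdkVersion="17" android:targetSdkVersion="23"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.organization.app.SYNC"/>
    <provider android:name=".NotesProvider" android:authorities="com.organization.app.notes"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for item in findings(analyze_manifest(SAMPLE_MANIFEST)):
        print("-", item)
```

The launcher activity is exempt from the "exported without a permission" item because it has to be reachable from the home screen; every other exported component is something `drozer` (next section) can invoke directly, which is exactly the exposure the slide says to minimize.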

  44. DYNAMIC
    Analysis
    Manipulating components

  45. Manipulating
    COMPONENTS
    Evaluate AndroidManifest
    Inspect source code
    Custom code to invoke components
    drozer

  46. drozer
    $ adb install agent.apk (drozer Agent)
    Run Embedded Server from drozer Agent
    $ adb forward tcp:31415 tcp:31415
    $ drozer console connect
    dz> list (List available modules)
    dz> run app.package.list (List all apps installed)
    dz> run app.package.info -a com.organization.name (App info)
    dz> run app.package.attacksurface com.organization.name (App attack surface)
    dz> run app.package.debuggable (List debuggable apps)
    dz> run app.activity.start --component com.organization.name com.organization.name.Activity

  47. DYNAMIC
    Analysis
    Manipulating components
    Debugging apps

  48. DEBUGGING
    Apps
    CONTROL execution
    Debuggable apps Play Store ≈5%
    android:debuggable="true"
    dz> run app.package.debuggable -f com.organization.name
    Tools: AS or Device Monitor

  49. DYNAMIC
    Analysis
    Manipulating components
    Debugging apps
    Manipulating apps

  50. Disassembling
    APPS
    Disassembly + Re-assembly = Valid app
    Disable emulator or root detection
    Force HTTP instead of HTTPS
    Change app functionality

  51. Disassembling
    APPS
    apktool
    $ apktool d .apk
    $ apktool b (dist)
    Sign, verify and align APK
    $ keytool -genkey -v -keystore keys/keyName.keystore -alias keyNameAlias -keyalg RSA -keysize 2048 -validity 7300
    $ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore keys/keyName.keystore target.apk keyNameAlias
    $ jarsigner -verify -verbose -certs target.apk
    $ zipalign -v 4 target.apk target-aligned.apk

  52. DYNAMIC
    Analysis
    Manipulating components
    Debugging apps
    Manipulating apps
    MitM

  53. Man in the
    Middle
    Manipulate HTTP(S) traffic:
    Requests/Responses
    Burp
    ProxyDroid

  54. DYNAMIC
    Analysis
    Manipulating components
    Debugging apps
    Manipulating apps
    MitM
    Protections

  55. Dynamic
    PROTECTIONS
    WebView: Be careful with
    setJavaScriptEnabled()

  56. Dynamic
    PROTECTIONS
    WebView: Be careful with
    setJavaScriptEnabled()
    Check Emulation

  57. Check
    EMULATION
    import android.content.Context;
    import android.telephony.TelephonyManager;

    // The stock emulator reports "Android" as both the SIM and the network operator
    // name, so matching on those names flags an emulated device.
    public boolean checkEmulation() {
        TelephonyManager mng = (TelephonyManager)
                getApplicationContext().getSystemService(Context.TELEPHONY_SERVICE);
        if (mng.getSimOperatorName().equals("Android") ||
                mng.getNetworkOperatorName().equals("Android")) {
            return true;
        }
        return false;
    }

  58. Dynamic
    PROTECTIONS
    WebView: Be careful with
    setJavaScriptEnabled()
    Check Emulation
    Check Debugging

  59. Check
    DEBUGGING
    import android.os.Debug;

    // True while a debugger (Android Studio, Device Monitor) is attached to this process.
    public boolean checkDebugging() {
        if (Debug.isDebuggerConnected()) {
            return true;
        }
        return false;
    }

  60. CONCLUSIONS
    We should BE HACKERS
    from time to time

  61. CONCLUSIONS
    We should BE HACKERS
    from time to time
    It’s EASY

  62. CONCLUSIONS
    It’s EASY
    SECURITY means QUALITY
    QUALITY means SUCCESS
    We should BE HACKERS
    from time to time

  63. Thank you!
    @Guardiola31337
    pguardiola.com
    [email protected]

  64. REFERENCES
    http://developer.android.com/
    https://portswigger.net/burp/
    https://koz.io/android-m-and-the-war-on-cleartext-traffic/
    https://code.google.com/archive/p/android4me/downloads
    https://github.com/pxb1988/dex2jar
    https://github.com/google/enjarify
    https://github.com/java-decompiler/jd-gui
    https://github.com/skylot/jadx
    https://labs.mwrinfosecurity.com/tools/drozer/
    http://ibotpeaches.github.io/Apktool/
