Breaking Android Apps (Freakend 2016)


In this session we will learn how to analyse Android applications from a security point of view. We will dive into a bunch of security analysis methodologies you can approach, which will allow you to find vulnerabilities. For every analysis, we will explain the tools needed, how to use them and different protections you can apply in order to avoid the security holes found.


Pablo Guardiola

March 04, 2016

Transcript

  1. Breaking Android Apps BY PABLO GUARDIOLA

  2. TWITTER @Guardiola31337 BLOG pguardiola.com

  3. SECURITY???

  5. Android SECURITY Analysis ENVIRONMENT Android SDK

  6. Android SECURITY Analysis ENVIRONMENT Android SDK SDK Manager (android)

  7. Android SECURITY Analysis ENVIRONMENT: Android SDK, SDK Manager (android), AVD Manager (android avd)

  8. Android SECURITY Analysis ENVIRONMENT: Android SDK, Android Emulator, SDK Manager (android), AVD Manager (android avd)

  9. Android SECURITY Analysis ENVIRONMENT: Android SDK, Android Emulator, SDK Manager (android), AVD Manager (android avd), HAXM

  10. Android SECURITY Analysis ENVIRONMENT: Android SDK, Android Emulator, SDK Manager (android), AVD Manager (android avd), Tools: adb, monitor, aapt…, HAXM

  11. Android SECURITY Analysis ENVIRONMENT: Android SDK, Android Emulator, Analysis apps: SuperSU, RootChecker, ProxyDroid, SDK Manager (android), AVD Manager (android avd), Tools: adb, monitor, aapt…, HAXM

  12. Android SECURITY Analysis ENVIRONMENT: Android SDK, Android Emulator, Analysis apps: SuperSU, RootChecker, ProxyDroid, SDK Manager (android), AVD Manager (android avd), Tools: adb, monitor, aapt…, HAXM, Python

  13. Android EMULATOR
    $ emulator -avd Android511 -scale 0.9 -no-boot-anim -partition-size 384 -qemu -redir tcp:22222::22

  14. Android Debug Bridge
    $ adb devices
    $ adb -d (device)
    $ adb -e (emulator)
    $ adb -s <device_id>
    $ adb install file.apk
    $ adb uninstall com.package.name
    $ adb push <local-file> <remote-file>
    $ adb pull <remote-file> <local-file>
    $ adb shell [command]
    $ adb logcat
    $ adb forward tcp:<local_port> tcp:<device_port>

  15. Android Emulator CONSOLE
    $ nc localhost 5554
    > redir list
    > redir add tcp:22222:22
    > network status
    > network speed <up> <down>
    > network delay [gprs | edge | …]
    > geo fix <LAT> <LON>
    > sms send <PHONE_NUMBER> <MSG>
    > gsm call <PHONE_NUMBER>
    > power ac [on | off]
    > power display

  16. ROOT Android Emulator
    $ adb -s emulator-5554 start-server
    $ adb -s emulator-5554 shell mount -o remount,rw /system
    $ adb -s emulator-5554 push su /system/xbin/su
    $ adb -s emulator-5554 shell chmod 0755 /system/xbin/su
    $ adb -s emulator-5554 push su /system/bin/su
    $ adb -s emulator-5554 shell chmod 0755 /system/bin/su
    $ adb -s emulator-5554 shell su --install
    $ adb -s emulator-5554 shell "su --daemon&"
    $ adb -s emulator-5554 shell setenforce 0
    $ adb -s emulator-5554 shell mount -o remount,ro /system
    $ adb -s emulator-5554 install supersu_v2.46.apk
  17. Security Analysis METHODOLOGIES BEHAVIORAL

  18. Security Analysis METHODOLOGIES BEHAVIORAL STATIC

  19. Security Analysis METHODOLOGIES BEHAVIORAL STATIC DYNAMIC

  20. BEHAVIORAL Analysis NETWORK

  21. NETWORK Analysis: CAPTURE and INTERCEPT network TRAFFIC. DETERMINE: End-points, Data transmitted, Protocols and ports, Encoding, Encryption

  22. EVALUATING traffic and certificate validation
    Does app VALIDATE ANY "TRUSTED" certificate?
    Does app ACCEPT ANY certificate as VALID?
    Does app CONTINUE after a certificate WARNING or ERROR?
    Does app LEVERAGE certificate PINNING?
    WHERE is the LOCAL certificate copy?

  23. Android EMULATOR
    $ emulator -avd Android511 -scale 0.9 -http-proxy 127.0.0.1:8081 -no-boot-anim -partition-size 384 -qemu -redir tcp:22222::22

  24. Run BURP proxy
    $ java -jar burpsuite_free_v1.6.28.jar
    Proxy > Options > Proxy Listeners > Add > Binding > Port 8081, All interfaces
  25. Let’s hack!!!

  28. Network PROTECTIONS
    HTTPS - TLS: Digital certificate + CA
    Failure cases to handle: Self-signed server certificate, Missing intermediate CA, Unknown CA
    Verifying server certificate: HttpsURLConnection
    Do not rely on end-user trust decisions
    Use a custom X509TrustManager
    Do not rely on root or intermediate authority chains: Certificate Pinning

  29. Network PROTECTIONS: ENCRYPTING network connections
    Android Marshmallow: NetworkSecurityPolicy. Is clear-text network traffic allowed? android:usesCleartextTraffic (change to "false")
    StrictMode detectCleartextNetwork: DETECT and LOG unencrypted traffic
    https://koz.io/android-m-and-the-war-on-cleartext-traffic/
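Slides 28 and 29 describe the protections without code. The following is an added example (not the speaker's code) of a custom X509TrustManager for HttpsURLConnection that first runs normal platform chain validation and then pins the server's public key; the pin value is a constructed placeholder that you would replace with the base64 SHA-256 of your own server's SubjectPublicKeyInfo.

```java
import android.util.Base64;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class PinnedTrustManager implements X509TrustManager {
    // Constructed placeholder: base64(SHA-256(SubjectPublicKeyInfo)) of the expected server key
    private static final String PIN_SPKI_SHA256 = "REPLACE_WITH_REAL_PIN_BASE64=";
    private final X509TrustManager platform;

    public PinnedTrustManager() throws Exception {
        // Keep the platform trust store: it rejects self-signed, unknown-CA and broken chains
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        platform = (X509TrustManager) tmf.getTrustManagers()[0];
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkServerTrusted(chain, authType);   // normal chain validation first
        try {   // then the pin, so a rogue or compromised CA is not enough on its own
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(chain[0].getPublicKey().getEncoded());
            String pin = Base64.encodeToString(digest, Base64.NO_WRAP);
            if (!PIN_SPKI_SHA256.equals(pin)) {
                throw new CertificateException("server public key does not match pin: " + pin);
            }
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }

    public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }

    // Wire the pinning manager into HttpsURLConnection, the API named on slide 28
    public static HttpsURLConnection open(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedTrustManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

Because the platform check still runs, a self-signed or unknown-CA certificate is rejected before the pin is even consulted, and a Burp-style proxy certificate installed in the user trust store is rejected by the pin.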
  30. BEHAVIORAL Analysis NETWORK FILESYSTEM

  31. FILESYSTEM Analysis: INSPECT App SANDBOX /data/data/com.organization.app. DISABLE backup of SENSITIVE DATA:
    <manifest>
      <application
        android:allowBackup="false">
      </application>
    </manifest>

  32. Get a BACKUP
    $ adb shell pm list packages | grep "<NAME>"
    $ adb backup -apk -obb com.organization.app
    $ java -jar abe.jar unpack backup.ab backup.tar
    $ tar xvf backup.tar
  34. Storing PROTECTIONS
    INTERNAL storage: Encrypt data with a key not available from the app (Android keystore, supported 4.3+)
    EXTERNAL storage: Perform input validation
    CONTENT PROVIDERS: Keep them private, android:exported="false"
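As an added example (not from the talk) of the "key not available from the app" advice: AES-GCM encryption of data for internal storage with a key that lives only inside the Android Keystore. Symmetric keystore keys need API 23+ (KeyGenParameterSpec); the alias "vault-key" is a hypothetical name.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.ByteArrayOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class KeystoreVault {
    private static final String ALIAS = "vault-key";   // hypothetical key alias
    private static final String STORE = "AndroidKeyStore";
    // The AES key is generated inside the keystore; the app only ever holds a handle to it
    private static SecretKey key() throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE);
        ks.load(null);
        Key existing = ks.getKey(ALIAS, null);
        if (existing instanceof SecretKey) {
            return (SecretKey) existing;
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, STORE);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build());
        return kg.generateKey();
    }
    // Blob layout: 1-byte IV length, IV, then GCM ciphertext with its authentication tag
    public static byte[] seal(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key());   // the keystore supplies a fresh random IV
        byte[] iv = c.getIV();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(iv.length);
        out.write(iv);
        out.write(c.doFinal(plaintext));
        return out.toByteArray();
    }
    // Throws AEADBadTagException if the blob was modified on disk or inside a backup
    public static byte[] open(byte[] blob) throws Exception {
        int ivLen = blob[0] & 0xff;
        byte[] iv = Arrays.copyOfRange(blob, 1, 1 + ivLen);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key(), new GCMParameterSpec(128, iv));
        return c.doFinal(blob, 1 + ivLen, blob.length - 1 - ivLen);
    }
}
```

A blob pulled out of /data/data or an adb backup is useless without the device's keystore, which is the property slide 31 and 34 are after.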
  35. BEHAVIORAL Analysis NETWORK FILESYSTEM LOGGING

  36. LOGGING Analysis
    $ adb logcat
    $ adb shell > logcat
    $ adb logcat -s <TAG> (Filters by <TAG>)
    $ adb logcat -c (Clear log)
    $ adb logcat -d (Show log and stop)
    $ adb logcat -d -b main > main.txt (Main log)
    $ adb logcat -d | findstr /I /R "http https user pass…"

  37. Logging PROTECTIONS: LOGS should NOT contain SENSITIVE info. BEFORE 4.1 (API 16) 3rd party apps could ACCESS system LOGS. Be careful with Log.d() statements.
  38. STATIC Analysis Retrieving APKs

  39. RETRIEVING APKs /data/app/*.apk /system/[priv-]app/*.apk DOWNLOADING http://apps.evozi.com/apk-downloader/ https://apkpure.com/ ROOTED device

  40. Retrieving APKs aapt (build-tools) STATIC Analysis

  41. ANDROID ASSET PACKAGING TOOL: INSPECT APK contents, CHANGE APK contents
    $ aapt list -a app.apk (List app contents)
    $ aapt dump permissions app.apk (App permissions)
    $ aapt dump xmltree app.apk AndroidManifest.xml (non-xml)
    $ aapt dump strings app.apk (App strings)
    $ aapt dump resources app.apk (App resources)
    $ aapt package …

  42. STATIC Analysis: Retrieving APKs, aapt (build-tools), Manifest.xml analysis

  43. Manifest.xml Analysis: API levels, Android permissions, App components declaration. AXMLPrinter2:
    $ java -jar AXMLPrinter2.jar AndroidManifest.xml > AndroidManifest.xml.txt
  45. STATIC Analysis Retrieving APKs aapt (build-tools) Manifest.xml analysis Decompiling apps

  46. DECOMPILING Apps: Understand FUNCTIONALITY, Understand app COMPONENTS, Inspect source CODE, Perform SENSITIVE searches

  47. DECOMPILING Apps: dex2jar, enjarify, jd-gui, jadx
    $ sh d2j-dex2jar.sh base.apk
    $ sh enjarify.sh base.apk -o base.jar
    $ java -jar jd-gui-1.4.0.jar
    $ bin/jadx-gui lib/jadx-core-*.jar
  49. STATIC Analysis: Retrieving APKs, aapt (build-tools), Manifest.xml analysis, Decompiling apps, Protections

  50. Static PROTECTIONS: Minimize PERMISSIONS required, Minimize app components EXPOSURE, Validate Signing CERTIFICATE …

  51. DYNAMIC Analysis: Manipulating components

  52. Manipulating COMPONENTS: Evaluate AndroidManifest, Inspect source code, Custom code to invoke components, drozer

  53. drozer
    $ adb install agent.apk (drozer Agent)
    $ adb forward tcp:31415 tcp:31415
    Run Embedded Server from drozer Agent
    $ drozer console connect
    dz> list (List available modules)
    dz> run app.package.list (List all apps installed)
    dz> run app.package.info -a com.organization.name (App info)
    dz> run app.package.attacksurface com.organization.name (App attack surface)
    dz> run app.package.debuggable (List debuggable apps)
    dz> run app.activity.start --component com.organization.name com.organization.name.Activity
  55. DYNAMIC Analysis Manipulating components Debugging apps

  56. DEBUGGING Apps: CONTROL execution. Debuggable apps on the Play Store: ≈5%. Tools: AS or Device Monitor
    android:debuggable="true"
    dz> run app.package.debuggable -f com.organization.name

  57. DYNAMIC Analysis: Manipulating components, Debugging apps, Manipulating apps

  58. Disassembling APPS: Disassembly + Re-assembly = Valid app. Disable emulator or root detection, Force HTTP instead of HTTPS, Change app functionality

  59. Disassembling APPS: apktool
    $ apktool d <target-app>.apk
    <Modify the app assembly code>
    $ apktool b <target-app> (dist)
    Sign, verify and align APK
    $ keytool -genkey -v -keystore keys/keyName.keystore -alias keyNameAlias -keyalg RSA -keysize 2048 -validity 7300
    $ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore keys/keyName.keystore target.apk keyNameAlias
    $ jarsigner -verify -verbose -certs target.apk
    $ zipalign -v 4 target.apk target-aligned.apk
  61. DYNAMIC Analysis: Manipulating components, Debugging apps, Manipulating apps, MitM

  62. Man in the Middle: Manipulate HTTP(S) traffic (Requests/Responses) with Burp and ProxyDroid

  63. DYNAMIC Analysis: Manipulating components, Debugging apps, Manipulating apps, MitM, Protections

  64. Dynamic PROTECTIONS: WebView: Be careful with setJavaScriptEnabled()

  65. Dynamic PROTECTIONS: WebView: Be careful with setJavaScriptEnabled(). Check Emulation

  66. Check EMULATION
    public boolean checkEmulation() {
      // The stock emulator reports "Android" as the SIM and network operator name
      TelephonyManager mng = (TelephonyManager) getApplicationContext()
          .getSystemService(Context.TELEPHONY_SERVICE);
      if (mng.getSimOperatorName().equals("Android")
          || mng.getNetworkOperatorName().equals("Android")) {
        return true;
      }
      return false;
    }

  67. Dynamic PROTECTIONS: WebView: Be careful with setJavaScriptEnabled(). Check Emulation. Check Debugging

  68. Check DEBUGGING
    public boolean checkDebugging() {
      // True while a JDWP debugger (Android Studio, Device Monitor) is attached
      if (Debug.isDebuggerConnected()) {
        return true;
      }
      return false;
    }
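Slides 66 and 68 each show one signal. The following added example (not the speaker's code) generalizes them: it keeps the telephony check, null-safe, and adds Build-based emulator signals plus a check for the android:debuggable flag from slide 56, so a release build that was rebuilt with apktool and re-signed as debuggable is also noticed.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.os.Debug;
import android.telephony.TelephonyManager;

public final class RuntimeChecks {
    // Slide 66: the stock emulator reports "Android" as the carrier; "x".equals(y) tolerates null
    public static boolean emulatorByTelephony(Context ctx) {
        TelephonyManager mng = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        return mng != null
                && ("Android".equals(mng.getSimOperatorName())
                || "Android".equals(mng.getNetworkOperatorName()));
    }

    // Extra signals: SDK system images use generic fingerprints and goldfish/ranchu virtual hardware
    public static boolean emulatorByBuild() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.HARDWARE.contains("goldfish")
                || Build.HARDWARE.contains("ranchu")
                || Build.MODEL.contains("google_sdk")
                || Build.MODEL.contains("Android SDK built for")
                || Build.MODEL.contains("Emulator");
    }

    // Slide 68 plus slide 56: a debugger attached now, or an APK flagged android:debuggable="true"
    public static boolean debuggingExposed(Context ctx) {
        boolean debuggableBuild =
                (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        return debuggableBuild || Debug.isDebuggerConnected() || Debug.waitingForDebugger();
    }

    // Single decision for callers that want to log, degrade or refuse sensitive operations
    public static boolean underAnalysis(Context ctx) {
        return emulatorByTelephony(ctx) || emulatorByBuild() || debuggingExposed(ctx);
    }
}
```

None of these signals is tamper-proof on its own (slide 58 shows exactly how such checks get patched out), so treat them as telemetry and defence in depth rather than as a gate.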
  69. CONCLUSIONS We should BE HACKERS from time to time

  70. CONCLUSIONS: We should BE HACKERS from time to time. It's EASY

  71. CONCLUSIONS: It's EASY. SECURITY means QUALITY. QUALITY means SUCCESS. We should BE HACKERS from time to time
  72. Thank you! @Guardiola31337 pguardiola.com guardiola31337@gmail.com

  73. REFERENCES
    http://developer.android.com/
    https://portswigger.net/burp/
    https://koz.io/android-m-and-the-war-on-cleartext-traffic/
    https://code.google.com/archive/p/android4me/downloads
    https://github.com/pxb1988/dex2jar
    https://github.com/google/enjarify
    https://github.com/java-decompiler/jd-gui
    https://github.com/skylot/jadx
    https://labs.mwrinfosecurity.com/tools/drozer/
    http://ibotpeaches.github.io/Apktool/