Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Breaking Android Apps (Freakend 2016)

Breaking Android Apps (Freakend 2016)

In this session we will learn how to analyse Android applications from a security point of view. We will dive into a bunch of security analysis methodologies you can approach, which will allow you to find vulnerabilities. For every analysis, we will explain the tools needed, how to use them and different protections you can apply in order to avoid the security holes found.

Pablo Guardiola

March 04, 2016

More Decks by Pablo Guardiola

Other Decks in Programming


  1. Android SECURITY Analysis ENVIRONMENT Android SDK Android Emulator SDK Manager

    (android) AVD Manager (android avd) Tools: adb, monitor, aapt… HAXM
  2. Android SECURITY Analysis ENVIRONMENT Android SDK Android Emulator Analysis apps:

    SuperSU, RootChecker, ProxyDroid SDK Manager (android) AVD Manager (android avd) Tools: adb, monitor, aapt… HAXM
  3. Android SECURITY Analysis ENVIRONMENT Android SDK Android Emulator Analysis apps:

    SuperSU, RootChecker, ProxyDroid SDK Manager (android) AVD Manager (android avd) Tools: adb, monitor, aapt… HAXM Python
  4. $ adb -d (device) $ adb -e (emulator) $ adb

    -s <device_id> $ adb devices $ adb pull <remote-file> <local-file> $ adb logcat $ adb install file.apk $ adb shell [command] $ adb push <local-file> <remote-file> $ adb uninstall com.package.name $ adb forward tcp:<local_port> tcp:<device_port> Android Debug Bridge
  5. > geo fix <LAT> <LON> > redir list > redir

    add tcp:22222:22 $ nc localhost 5554 > network status > sms send <PHONE_NUMBER> <MSG> > network delay [gprs | edge | …] > power ac [on | off] > power display > network speed <up> <down> > gsm call <PHONE_NUMBER> Android Emulator CONSOLE
  6. $ adb -s emulator-5554 push su /system/bin/su $ adb -s

    emulator-5554 install supersu_v2.46.apk $ adb -s emulator-5554 shell mount -o remount,rw /system $ adb -s emulator-5554 start-server $ adb -s emulator-5554 shell chmod 0755 /system/xbin/su $ adb -s emulator-5554 shell mount -o remount,ro /system $ adb -s emulator-5554 shell su --install $ adb -s emulator-5554 shell chmod 0755 /system/bin/su $ adb -s emulator-5554 push su /system/xbin/su $ adb -s emulator-5554 shell “su --daemon&” $ adb -s emulator-5554 shell setenforce 0 ROOT Android Emulator
  7. EVALUATING traffic and certificate validation Does app VALIDATE ANY “TRUSTED”

    certificate? Does app ACCEPT ANY certificate as VALID? Does app CONTINUE after a certificate WARNING or ERROR? Does app LEVERAGE certificate PINNING? WHERE is the LOCAL certificate copy?
  8. Android EMULATOR $ emulator -avd Android511 -scale 0.9 -http-proxy

    -no-boot-anim -partition-size 384 -qemu -redir tcp:22222::22
  9. Run BURP proxy $ java -jar burpsuite_free_v1.6.28.jar Proxy > Options

    > Proxy Listeners > Add > Binding > Port 8081 All interfaces
  10. Network PROTECTIONS HTTPS - TLS: Digital certificate + CA Self-signed

    server certificate Missing intermediate CA Unknown CA Verifying server certificate: HttpsURLConnection Not relay on end-user trust decisions Use a custom X509TrustManager Not relay on root or intermediate authority chains Certificate Pinning
  11. Network PROTECTIONS ENCRYPTING network connections Change to “false” NetworkSecurityPolicy Is

    clear-text network traffic allowed? Android Marshmallow StrictMode detectCleartextNetwork DETECT and LOG Unencrypted traffic android:usesCleartextTraffic https://koz.io/android-m-and-the-war-on-cleartext-traffic/
  12. FYLESYSTEM Analysis INSPECT App SANDBOX /data/data/com.organization.app DISABLE backup SENSITIVE DATA

  13. Get a BACKUP $ java -jar abe.jar unpack backup.ab backup.tar

    $ adb shell pm list packages | grep “<NAME>” $ adb backup -apk -obb com.organization.app $ tar xvf backup.tar
  14. Storing PROTECTIONS INTERNAL storage Encrypt data with a key not

    available from the app EXTERNAL storage Perform input validation CONTENT PROVIDERS Keep them private android:exported="false" Android keystore supported 4.3+
  15. LOGGING Analysis $ adb logcat -s <TAG> (Filters by <TAG>)

    $ adb shell > logcat $ adb logcat $ adb logcat -c (Clear log) $ adb logcat -d (Show log and stop) $ adb logcat -d | findstr /I /R “http https user pass…” $ adb logcat -d -b main > main.txt (Main log)
  16. Logging PROTECTIONS LOGS should NOT contain SENSITIVE info BEFORE 4.1

    (API 16) 3rd party apps could ACCESS system LOGS Be careful with Log.d() statements
  17. aNDROID aSSET pACKAGING tOOL $ aapt dump permissions app.apk (App

    permissions) $ aapt list -a app.apk (List app contents) $ aapt dump xmltree app.apk AndroidManifest.xml (non-xml) $ aapt dump strings app.apk (App strings) $ aapt dump resources app.apk (App resources) $ aapt package … INSPECT APK contents CHANGE APK contents
  18. Manifest.xml Analysis API levels Android permissions App components declaration AXMLPrinter2

    $ java -jar AXMLPrinter2.jar AndroidManifest.xml > AndroidManifest.xml.txt
  19. DECOMPILING Apps dex2jar enjarify jd-gui jadx $ sh d2j-dex2jar.sh base.apk

    $ sh enjarify.sh base.apk -o base.jar $ java -jar jd-gui-1.4.0.jar $ bin/jadx-gui lib/jadx-core-*.jar
  20. drozer $ drozer console connect Run Embedded Server from drozer

    Agent $ adb forward tcp:31415 tcp:31415 $ adb install agent.apk (drozer Agent) dz> run app.package.debuggable (List debuggable apps) dz> run app.activity.start --component com.organization.name com.organization.name.Activity dz> run app.package.info -a com.organization.name (App info) dz> list (List available modules) dz> run app.package.list (List all apps installed) dz> run app.package.attacksurface com.organization.name (App attack surface)
  21. DEBUGGING Apps CONTROL execution Debuggable apps Play Store ≈5% Tools:

    AS or Device Monitor dz> run app.package.debuggable -f com.organization.name android:debuggable=“true”
  22. Disassembling APPS Disassembly + Re-assembly = Valid app Disable emulator

    or root detection Force HTTP instead of HTTPS Change app functionality
  23. $ apktool b <target-app> (dist) <Modify the app assembly code>

    $ apktool d <target-app>.apk Disassembling APPS apktool $ jarsigner -verify -verbose -certs target.apk $ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 - keystore keys/keyName.keystore target.apk keyNameAlias $ keytool -genkey -v -keystore keys/keyName.keystore -alias keyNameAlias -keyalg RSA -keysize 2048 -validity 7300 Sign, verify and align APK $ zipalign -v 4 target.apk target-aligned.apk
  24. Check EMULATION public boolean checkEmulation() { TelephonyManager mng = (TelephonyManager)

    getApplicationContext() .getSystemService(Context.TELEPHONY_SERVICE); if (mng.getSimOperatorName().equals("Android") || mng.getNetworkOperatorName().equals("Android")) { return true; } return false; }