Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Attacking Android Applications

Attacking Android Applications

In this talk we aim at showing how easy it is to reverse engineer an Android application. We show how to perform static analysis on an application. Secondly, we illustrate how applications are attacked dynamically in orde to investigate or alter the program flow of the application. Attendees walk away with tools and information to perform basic pentesting techniques on their own applications.

Dario Incalza

April 26, 2017
Tweet

More Decks by Dario Incalza

Other Decks in Technology

Transcript

  1. $ whoami @h4oxer • Mobile Security Expert @ ZIONSECURITY •

    Pentesting of mobile applications • Bug bounty hunting • www.darioincalza.be • Tweets @h4oxer
  2. ZIONSECURITY • Experts in web, mobile, IoT and infrastructure security

    • Pentesting – architectural and implementation • Secure Software Development • Security Consultancy • HQ in Rotselaar, Belgium • www.zionsecurity.com @h4oxer
  3. Outline • Android Applications 101 • Attack Surfaces • Attacking

    Applications Statically • Attacking Applications Dynamically • Countermeasures @h4oxer
  4. Android Platform Stack @h4oxer Linux Kernel Hardware Abstraction Layer (HAL)

    Native C/C++ Libraries Android Runtime (ART) Core libraries Java API Framework Applications
  5. Android Application • .apk - Android Package • Uploaded to

    Play Store or sideloaded • Can be dumped from the device • A regular .zip file • Always signed @h4oxer
  6. Build Process @h4oxer Source Code Resource Files Jar Libraries AAR

    Libraries Compilers DEX Files Compiled Res
  7. DEX Bytecode • Register-based bytecode • Executed by Dalvik /

    ART Runtime • Compiled to native code - dex2oat • Can be reversed to Java source • Smali bytecode – intermediate bytecode @h4oxer
  8. Attack Models • Reverse engineering offline & online • App

    on device – without root • App on device – with root • Man-in-the-Middle • Physical access to device @h4oxer
  9. Research Questions • How does the app handle authentication? •

    Access tokens, storage credentials, proper session management • How does the app store user data? • Cryptography, storage location, API keys, exposed content providers • How does the app communicate? • HTTP, HTTPS, Certificate pinning • How does the app protect itself? • Obfuscation, dynamic checks @h4oxer
  10. Reverse Engineering Process @h4oxer APK .so libraries Classes.de x Resources

    Xml resources unzip AAPT Java Source Smali bytecode dex2jar Baksmali/smal i X86/ARM/x86- 64 Radare2/Hopper/IDAPro
  11. Cryptography 101 • Symmetric Crypto = one key for encryption/decryption

    • AES, 3DES, Blowfish, … • Public-key Crypto = private and public key • Encrypt with private key and decrypt with public key = digital signature • Encrypt with public key and decrypt with private key = confidentiality @h4oxer
  12. Locate Cryptography • Which crypto library is used? • Android,

    BouncyCastle, SpongyCastle, etc. • Does it use a hardcoded crypto key? • Does it use broken crypto? • MD5, RC4, AES in EBC, etc. • Where does it store cryptography keys? @h4oxer
  13. Motivation • App might protect itself • Need runtime information

    • Trigger other code execution paths @h4oxer
  14. Tools • Hooking Frameworks • LD_PRELOAD, Frida, xPosed,… • Emulators

    • Android SDK, Genymotion, Nathan Emulator • Debuggers • Radare2, IDA Pro, GDB, JDB, … • MiTM Proxies • Mitmproxy, Burp, Charles, … @h4oxer
  15. Frida • Dynamic instrumentation toolkit • Debug a live process

    • Loads JavaScript (JS) Engine • Write, inject and execute JS script to interact • Server (on phone) and client (on pc) code @h4oxer
  16. Frida – frida_client.py @h4oxer scriptname = sys.argv[1] # get script

    fd = open(scriptname, "r") # open script procname = sys.argv[2] # get process # define callback function def on_message(message, data): print(message) print(data) #Connect to Frida on the phone session = frida.get_usb_device().attach(procname) #Create script script = session.create_script(fd.read()) fd.close() script.on('message', on_message) script.load()
  17. Frida – hooks.js @h4oxer Dalvik.perform(function () { var WebView =

    Dalvik.use("android.webkit.WebView"); WebView.loadUrl.overload("java.lang.String").implementation = function (s) { send(s.toString()); this.loadUrl.overload("java.lang.String").call(this, s); }; }); $ python frida_client.py hooks.js com.example.webview
  18. xPosed Framework • Framework for hooking method calls • Implemented

    as hooking modules • Separate APK file that hooks into other running applications • Disadvantage: need to build APK for hooking • xPosed bridge jar is injected in every application @h4oxer
  19. xPosed Framework @h4oxer public class Example implements IXposedHookLoadPackage { public

    void handleLoadPackage(final LoadPackageParam lpparam) { if (!lpparam.packageName.equals("com.example.webview")) return; findAndHookMethod("android.webkit.WebView”, lpparam.classLoader, "loadUrl","java.lang.String", new XC_MethodHook() { @Override protected void beforeHookedMethod(MethodHookParam param){ String url = (String) param.args[0]; XposedBridge.log("URL:"+ url); } @Override protected void afterHookedMethod(MethodHookParam param) { // this will be called after } }); } }
  20. SSL 101 • SSL Certificate = cryptographically secured piece of

    information • Certificates are issued by CAs • Android device trusts a set of root Cas • SSL Validation = check if certificate from server is trusted @h4oxer
  21. MiTM Attack • Allows you to test/discover/fuzz APIs • Install

    trusted user certificate • Trusted by all applications on < Android 6.0 • Install trusted system certificate • User certificates are not trusted by all apps on Android 6.0+ • Requires root @h4oxer
  22. Countermeasures • Static Protection • Obfuscators • Packers @h4oxer •

    Dynamic Protection • Root Detectors • Emulator Detectors • Integrity Checkers • SSL Pinning
  23. SafetyNet API • Google’s opinion on device • Result -

    JWT – JSON Web Token • Result: compatible or not • Can be cryptographically verified • Good protection against dynamic attacks @h4oxer
  24. Key Take Aways • Think about a secure design •

    Apply a layered approach to security • Make sure you hack you application first @h4oxer