
Attacking Android Applications - DigAntCafe - Security Meetup

Statically and dynamically attacking Android applications. Presentation given at security meetup Digipolis Antwerpen

Dario Incalza

May 12, 2017

Transcript

  1. $ whoami
     • @h4oxer
     • Mobile Security Expert @ ZIONSECURITY
     • Pentesting of mobile applications
     • Bug bounty hunting
     • www.darioincalza.be
     • Tweets @h4oxer
  2. ZIONSECURITY
     • Experts in web, mobile, IoT and infrastructure security
     • Pentesting – architectural and implementation
     • Secure Software Development
     • Security Consultancy
     • HQ in Rotselaar, Belgium
     • www.zionsecurity.com
  3. Outline
     • Android Applications 101
     • Attack Surfaces
     • Attacking Applications Statically
     • Attacking Applications Dynamically
     • Countermeasures
  4. Android Platform Stack (diagram, bottom to top)
     • Linux Kernel
     • Hardware Abstraction Layer (HAL)
     • Native C/C++ Libraries
     • Android Runtime (ART) and Core libraries
     • Java API Framework
     • Applications
  5. Android Application
     • .apk - Android Package
     • Uploaded to Play Store or sideloaded
     • Can be dumped from the device
     • A regular .zip file
     • Always signed
  6. Build Process (diagram)
     • Inputs: Source Code, Resource Files, Jar Libraries, AAR Libraries
     • Compilers
     • Outputs: DEX Files, Compiled Resources
  7. DEX Bytecode
     • Register-based bytecode
     • Executed by Dalvik / ART Runtime
     • Compiled to native code - dex2oat
     • Can be reversed to Java source
     • Smali bytecode – intermediate bytecode
  8. Attack Models
     • Reverse engineering offline & online
     • App on device – without root
     • App on device – with root
     • Man-in-the-Middle
     • Physical access to device
  9. Research Questions
     • How does the app handle authentication?
       • Access tokens, storage credentials, proper session management
     • How does the app store user data?
       • Cryptography, storage location, API keys, exposed content providers
     • How does the app communicate?
       • HTTP, HTTPS, Certificate pinning
     • How does the app protect itself?
       • Obfuscation, dynamic checks
  10. Reverse Engineering Process (diagram)
     • APK – unzip – .so libraries, classes.dex, resources, XML resources
     • XML resources – AAPT
     • classes.dex – dex2jar – Java source
     • classes.dex – baksmali/smali – Smali bytecode
     • .so libraries (x86/ARM/x86-64) – Radare2/Hopper/IDA Pro
  11. Cryptography 101
     • Symmetric Crypto = one key for encryption/decryption
       • AES, 3DES, Blowfish, …
     • Public-key Crypto = private and public key
       • Encrypt with private key and decrypt with public key = digital signature
       • Encrypt with public key and decrypt with private key = confidentiality
  12. Locate Cryptography
     • Which crypto library is used?
       • Android, BouncyCastle, SpongyCastle, etc.
     • Does it use a hardcoded crypto key?
     • Does it use broken crypto?
       • MD5, RC4, AES in ECB, etc.
     • Where does it store cryptography keys?
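The checklist above can be turned into a first-pass static scan of decompiled source (after unzip and dex2jar, as on slide 10). The following is an added example, not code from the deck; the Java class it scans is a constructed sample, and the patterns cover only the cases named on the slide (MD5, RC4, AES in ECB, hardcoded keys):

```python
import re

# Constructed sample of decompiled Java, as a decompiler would emit it after dex2jar
SAMPLE_SOURCE = """
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
public class Vault {
    private static final byte[] KEY = {0x13, 0x37, 0x13, 0x37, 0x13, 0x37, 0x13, 0x37,
                                       0x13, 0x37, 0x13, 0x37, 0x13, 0x37, 0x13, 0x37};
    byte[] seal(byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"));
        return c.doFinal(data);
    }
    String fingerprint(byte[] data) throws Exception {
        return new String(java.security.MessageDigest.getInstance("MD5").digest(data));
    }
}
"""

# Patterns for the "Locate Cryptography" checklist: broken primitives and hardcoded keys.
# A constant passed straight into SecretKeySpec is the usual sign of a key baked into the APK.
CHECKS = [
    ("broken-hash",    re.compile(r'MessageDigest\.getInstance\("(MD5|SHA-?1)"')),
    ("broken-cipher",  re.compile(r'Cipher\.getInstance\("(RC4|ARCFOUR|DES)')),
    ("ecb-mode",       re.compile(r'Cipher\.getInstance\("[A-Za-z0-9]+/ECB')),
    ("hardcoded-key",  re.compile(r'new SecretKeySpec\(\s*[A-Z_]+\s*,')),
    ("constant-bytes", re.compile(r'static final byte\[\]\s+\w*(KEY|IV|SECRET)\w*\s*=')),
]

def find_crypto_issues(source):
    """Return (line_number, check_name, matched_text) for every hit, in source order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in CHECKS:
            match = pattern.search(line)
            if match:
                findings.append((lineno, name, match.group(0)))
    return findings

if __name__ == "__main__":
    for lineno, name, text in find_crypto_issues(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}: {text}")
```

Hits still need manual confirmation in the decompiled code (a constant may be a test vector, and a key built at runtime will not match), so treat the output as a worklist, not a verdict.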
  13. Motivation for dynamic analysis
     • App might protect itself
     • Need runtime information
     • Trigger other code execution paths
  14. Tools
     • Hooking Frameworks
       • LD_PRELOAD, Frida, xPosed, …
     • Emulators
       • Android SDK, Genymotion, Nathan Emulator
     • Debuggers
       • Radare2, IDA Pro, GDB, JDB, …
     • MiTM Proxies
       • Mitmproxy, Burp, Charles, …
  15. Frida
     • Dynamic instrumentation toolkit
     • Debug a live process
     • Loads JavaScript (JS) Engine
     • Write, inject and execute JS script to interact
     • Server (on phone) and client (on pc) code
  16. Frida – frida_client.py

        import sys
        import frida

        scriptname = sys.argv[1]       # get script
        fd = open(scriptname, "r")     # open script
        procname = sys.argv[2]         # get process

        # define callback function for messages the injected JS emits with send(...)
        def on_message(message, data):
            print(message)
            print(data)

        # Connect to the Frida server on the phone (over USB) and attach to the process
        session = frida.get_usb_device().attach(procname)

        # Create script from the JS file and inject it
        script = session.create_script(fd.read())
        fd.close()
        script.on('message', on_message)
        script.load()

        # keep the client alive so the hooks stay installed until Ctrl-D
        sys.stdin.read()
  17. Frida – hooks.js

        // Dalvik.* is the old name of this API; current Frida versions expose it as Java.perform / Java.use
        Dalvik.perform(function () {
            var WebView = Dalvik.use("android.webkit.WebView");
            // replace loadUrl(String) with a wrapper that reports the URL, then calls the original
            WebView.loadUrl.overload("java.lang.String").implementation = function (s) {
                send(s.toString());                                   // delivered to on_message() in the client
                this.loadUrl.overload("java.lang.String").call(this, s);
            };
        });

     $ python frida_client.py hooks.js com.example.webview
  18. xPosed Framework
     • Framework for hooking method calls
     • Implemented as hooking modules
     • Separate APK file that hooks into other running applications
     • Disadvantage: need to build APK for hooking
     • xPosed bridge jar is injected in every application
  19. xPosed Framework

        import de.robv.android.xposed.IXposedHookLoadPackage;
        import de.robv.android.xposed.XC_MethodHook;
        import de.robv.android.xposed.XposedBridge;
        import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;
        import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;

        public class Example implements IXposedHookLoadPackage {
            public void handleLoadPackage(final LoadPackageParam lpparam) {
                // only hook the target application
                if (!lpparam.packageName.equals("com.example.webview")) return;
                findAndHookMethod("android.webkit.WebView", lpparam.classLoader,
                        "loadUrl", "java.lang.String", new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) {
                        String url = (String) param.args[0];
                        XposedBridge.log("URL:" + url);   // runs before the real loadUrl
                    }
                    @Override
                    protected void afterHookedMethod(MethodHookParam param) {
                        // this will be called after
                    }
                });
            }
        }
  20. SSL 101
     • SSL Certificate = cryptographically secured piece of information
     • Certificates are issued by CAs
     • Android device trusts a set of root CAs
     • SSL Validation = check if certificate from server is trusted
  21. MiTM Attack
     • Allows you to test/discover/fuzz APIs
     • Install trusted user certificate
       • Trusted by all applications on < Android 6.0
     • Install trusted system certificate
       • User certificates are not trusted by all apps on Android 6.0+
       • Requires root
  22. Countermeasures
     • Static Protection
       • Obfuscators
       • Packers
     • Dynamic Protection
       • Root Detectors
       • Emulator Detectors
       • Integrity Checkers
       • SSL Pinning
  23. SafetyNet API
     • Google’s opinion on device
     • Result - JWT – JSON Web Token
     • Result: compatible or not
     • Can be cryptographically verified
     • Good protection against dynamic attacks
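The JWT mentioned above only protects the app if the server checks its claims, not just its signature: the nonce must be the one the server issued for this request, the package name must be the app's own, and the timestamp must be fresh. The following is an added example, not code from the deck or from Google; the token is constructed, the signature bytes are placeholders, and the RS256 signature check against the x5c certificate chain (leaf issued to attest.android.com) is assumed to be done separately with a crypto library before these checks run:

```python
import base64
import json

def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_attestation(jws):
    """Split the SafetyNet compact JWS into header dict, payload dict and raw signature bytes."""
    header_b64, payload_b64, sig_b64 = jws.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)),
            _b64url_decode(sig_b64))

def check_claims(payload, expected_nonce, package_name, now_ms, max_age_ms=120_000):
    """Return the reasons to reject the attestation; an empty list means the claims are acceptable."""
    problems = []
    if payload.get("nonce") != expected_nonce:          # binds the result to our request
        problems.append("nonce does not match the one issued for this request")
    if payload.get("apkPackageName") != package_name:   # result is for another app
        problems.append("attestation is for a different package")
    age = now_ms - payload.get("timestampMs", 0)
    if age < 0 or age > max_age_ms:                     # replayed or clock-skewed result
        problems.append("attestation is stale or from the future")
    if not payload.get("ctsProfileMatch"):
        problems.append("device does not match a CTS-compatible profile")
    if not payload.get("basicIntegrity"):
        problems.append("device fails basic integrity")
    return problems

def evaluate(jws, expected_nonce, package_name, now_ms):
    """Parse and check a token; the signature must already have been verified against the x5c chain."""
    header, payload, _sig = parse_attestation(jws)
    problems = check_claims(payload, expected_nonce, package_name, now_ms)
    if header.get("alg") != "RS256":
        problems.append("unexpected alg; SafetyNet results are RS256-signed")
    return problems

# Constructed sample tokens: real field names, placeholder x5c and signature ("c2ln" = "sig")
def _make_sample(payload):
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "x5c": ["<cert-chain-placeholder>"]}) + "." + enc(payload) + ".c2ln"

NOW_MS = 1_494_547_200_000                                   # constructed "now": 2017-05-12 00:00 UTC
SAMPLE_NONCE = base64.b64encode(b"request-id-42").decode()   # constructed per-request nonce
GOOD = _make_sample({"nonce": SAMPLE_NONCE, "timestampMs": NOW_MS - 5_000,
                     "apkPackageName": "com.example.webview", "ctsProfileMatch": True, "basicIntegrity": True})
ROOTED = _make_sample({"nonce": SAMPLE_NONCE, "timestampMs": NOW_MS - 5_000,
                       "apkPackageName": "com.example.webview", "ctsProfileMatch": False, "basicIntegrity": True})
```

Because the verdict is decided server-side, a client that only inspects ctsProfileMatch locally gains nothing: the hooking tools shown earlier can flip that boolean inside the app.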
  24. Key Take Aways
     • Think about a secure design
     • Apply a layered approach to security
     • Make sure you hack your application first