Testing Android Security CA edition

Testing Android Security Codemotion Amsterdam edition

jmortegac

May 12, 2016

Transcript

  1. Testing Android Security
    José Manuel Ortega
    @jmortegac
    AMSTERDAM 11-12 MAY 2016

  2. https://speakerdeck.com/jmortega
    http://jmortega.github.io

  3. AGENDA
    ▪ Development Cycle
    ▪ Static and Dynamic Analysis
    ▪ Components Security
    ▪ Hybrid Automatic tools
    ▪ Best Practices & OWASP

  4. DEVELOPMENT CYCLE

  5. WHITE BOX / BLACK BOX

  6. TESTING ANDROID SECURITY

  7. FORENSICS

  8. FORENSICS

  9. STATIC ANALYSIS

  10. CODE REVIEW / SOURCE CODE ANALYSIS

  11. ANDROID LINT

  12. ANDROID STUDIO INSPECT CODE

  13. ANDROID SONAR PLUGIN

  14. ANDROID SONAR PLUGIN >RULES

  15. SONAR SECURITY

  16. ANDROWARN

  17. QARK
    ▪ Quick Android Review Kit
    ▪ https://github.com/linkedin/qark
    ▪ Static code analysis tool
    ▪ Looks for potential vulnerabilities

  18. QARK
    ▪ Identifies permissions and exported components (activities, services, ...) in the manifest
    ▪ Looks for WORLD_READABLE and WORLD_WRITABLE files
    ▪ Looks for X.509 certificate validation issues

  19. QARK

  20. QARK REPORT

  21. REVERSE ENGINEERING
    ▪ Disassemble Dalvik bytecode to smali
    ▪ classes.dex inside the APK
    ▪ APKTOOL
    ▪ DEX2JAR
    ▪ Java Decompiler

  22. APK STRUCTURE

  23. DISASSEMBLY AND DECOMPILATION

  24. JADX-GUI

  25. APKTOOL

  26. DYNAMIC ANALYSIS TOOLS

  27. WIRESHARK

  28. BURP SUITE
    ▪ Intercepting network traffic
    ▪ HTTP proxy tool
    ▪ Intercepts application-layer traffic and lets the user manipulate HTTP requests and responses

  29. DROZER
    ▪ https://labs.mwrinfosecurity.com/tools/drozer/
    ▪ Find vulnerabilities automatically
    ▪ Automate security testing
    ▪ Interact with your apps with debugging disabled

  30. INSIDE DROZER

  31. DROZER

  32. DROZER PACKAGE INFO
    ▪ app.package.info

  33. DROZER COMMANDS

  34. DROZER CONTENT PROVIDERS

  35. FINDING SQL INJECTION IN CONTENT PROVIDERS

  36. EXPLOITING SQL INJECTION VULNERABILITY

  37. ANDROID MANIFEST
    android:debuggable="true"
    android:exported="true"

  38. ANDROID MANIFEST EXPORTED ATTRIBUTE

  39. COMPONENTS SECURITY
    ▪ AndroidManifest.xml
    ▪ Activities
    ▪ Content Providers
    ▪ Services
    ▪ Shared Preferences
    ▪ Webview

  40. LOG INFORMATION
    public static final boolean SHOW_LOG = BuildConfig.DEBUG;

    // Logging helper that only writes to logcat in debug builds, so release
    // builds do not leak internal information through the log.
    public static void d(final String tag, final String msg) {
        if (SHOW_LOG) {
            Log.d(tag, msg);
        }
    }

  41. THIRD PARTY LIBRARIES

  42. VULNERABILITIES IN CORDOVA 3.5

  43. SECURITY IN CONTENT PROVIDERS
    ▪ Components that provide a standardized interface for sharing data between applications
    ▪ URI addressing scheme
    ▪ Can perform queries equivalent to SELECT, UPDATE, INSERT, DELETE
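As an added example (not code from the deck or from any tool it names), here is a ContentProvider query() written the way the "finding SQL injection in content providers" slides would flag it, beside a parameterized version built on SQLiteQueryBuilder. The provider name NotesProvider, the notes table and its columns are constructed for this illustration; the manifest protection mentioned in the comments is the deck's own android:exported advice.

```java
// Added example, not from the deck. Hypothetical provider over a constructed
// "notes" table; column names and the database file name are assumptions.
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;

public class NotesProvider extends ContentProvider {
    private static final String TABLE = "notes";

    // Whitelist of columns a caller may name; with setStrict(true) anything else
    // in the projection or selection is rejected instead of reaching SQLite.
    private static final HashMap<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("title", "title");
        PROJECTION_MAP.put("body", "body");
    }

    private SQLiteOpenHelper helper;

    @Override
    public boolean onCreate() {
        helper = new SQLiteOpenHelper(getContext(), "notes.db", null, 1) {
            @Override public void onCreate(SQLiteDatabase db) {
                db.execSQL("CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, body TEXT)");
            }
            @Override public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) { }
        };
        return true;
    }

    // VULNERABLE pattern (kept here only to show what the analysis slides look for):
    // the caller-supplied selection is concatenated straight into the SQL text, so
    // another app talking to an exported provider controls the query's meaning.
    public Cursor queryUnsafe(String selection) {
        SQLiteDatabase db = helper.getReadableDatabase();
        return db.rawQuery("SELECT _id, title FROM notes WHERE " + selection, null);
    }

    // HARDENED: values travel as bound parameters (selectionArgs), the projection
    // is limited to known columns, and strict mode validates the selection clause.
    // Pair this with a permission or android:exported="false" in the manifest.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(PROJECTION_MAP);
        qb.setStrict(true);
        SQLiteDatabase db = helper.getReadableDatabase();
        Cursor c = qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
        c.setNotificationUri(getContext().getContentResolver(), uri);
        return c;
    }

    // delete() follows the same rule: never build the WHERE clause by concatenation.
    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        return helper.getWritableDatabase().delete(TABLE, selection, selectionArgs);
    }

    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.note"; }
    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int update(Uri uri, ContentValues values, String selection, String[] args) { return 0; }
}

// A caller passes user input only through selectionArgs, never into the selection text:
//   getContentResolver().query(uri, new String[]{"title"}, "title = ?", new String[]{userInput}, null);
```

The parameterized form is what the "sanitize inputs, use prepared statements" best practice on the later slides means in ContentProvider terms: SQLite binds the argument as a value, so it can never be parsed as SQL. Strict mode and the projection map close the remaining hole, where a hostile caller names columns or subqueries directly in the selection string.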

  44. SQLCIPHER
    ▪ SQLCipher is an SQLite extension that provides transparent AES encryption of database files
    ▪ Encrypts the SQLite database with 256-bit AES
    ▪ http://sqlcipher.net/sqlcipher-for-android

  45. SECURED PREFERENCES
    ▪ https://github.com/scottyab/secure-preferences
    ▪ Encrypt your app’s shared preferences
    ▪ Android SharedPreferences wrapper that provides encryption for keys and values

  46. SECURED PREFERENCES

  47. DATA STORAGE

  48. PROTECTING DATA FILES

  49. SECURE COMMUNICATIONS
    ▪ Ensure that all sensitive data is encrypted
    ▪ Certificate pinning to avoid MITM attacks

  50. CERTIFICATES
    SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER
    TrustManager whose checkServerTrusted() accepts every certificate chain
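The two insecure patterns on this slide and the pinning approach of the next, as an added example that is not code from the deck: the trust-everything TrustManager that static analysers such as QARK flag, beside a connection that trusts only one CA certificate bundled in the app's assets. The class name TlsExamples and the asset file name pinned_ca.crt are assumptions made for the illustration.

```java
// Added example, not from the deck. TlsExamples and "pinned_ca.crt" are assumptions.
import android.content.Context;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TlsExamples {

    // INSECURE: checkServerTrusted() never throws, so any certificate from any
    // server is accepted and TLS no longer authenticates the peer. This is the
    // pattern the slide describes; it must not ship in a release build.
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // HARDENED: a trust store that holds only the pinned CA certificate. A chain
    // issued by any other CA (for example one injected by a MITM proxy) fails
    // validation, and the platform's default hostname verifier stays in place.
    public static HttpsURLConnection openPinnedConnection(Context appContext, URL url)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate pinnedCa;
        try (InputStream in = appContext.getAssets().open("pinned_ca.crt")) {
            pinnedCa = cf.generateCertificate(in);
        }

        // Empty in-memory key store containing just our CA entry
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        keyStore.setCertificateEntry("pinned-ca", pinnedCa);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);

        SSLContext tls = SSLContext.getInstance("TLS");
        tls.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(tls.getSocketFactory());
        // Deliberately no setHostnameVerifier(): the default verifier checks the
        // certificate's name against the URL host, which ALLOW_ALL_HOSTNAME_VERIFIER skips.
        return conn;
    }
}
```

Pinning to a bundled CA means a certificate rotation on the server side requires an app update, so the pinned certificate's expiry date belongs in the release checklist. A reviewer can spot the insecure variant by searching the decompiled code (jadx, dex2jar) for empty checkServerTrusted bodies and for ALLOW_ALL_HOSTNAME_VERIFIER, which is exactly the check QARK automates.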

  51. CERTIFICATE PINNING

  52. X.509 CERTIFICATES

  53. HTTPS Connection

  54. HTTPS Connection

  55. ENCRYPT NETWORK REQUESTS
    ▪ Best practice is to always encrypt network communications
    ▪ HTTPS and SSL can protect against MitM attacks and prevent casual traffic sniffing
    ▪ Server certificate validity is checked by default

  56. VALIDATE SERVER CERTIFICATE
    ▪ https://www.ssllabs.com/ssltest

  57. CHECK CERTIFICATES TOOLS
    ▪ OpenSSL
    ▪ Keytool
    ▪ Jarsigner

  58. Runtime Permissions
    ▪ Before Android M, all permissions were granted at install time
    ▪ Dangerous permissions require user confirmation
    ▪ Android M prompts for dangerous permissions at runtime
    ▪ Granted/revoked by permission group
    ▪ Managed per app, per user
    ▪ /data/system/users/0/runtime-permissions.xml
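The runtime-permission flow summarized above, as an added example (not code from the deck): an Activity that checks one dangerous permission, requests it, and handles the grant or denial, written against the 2016-era support library packages (android.support.v4 / v7). CameraActivity, the request code and the message strings are constructed for the illustration.

```java
// Added example, not from the deck. CameraActivity and its strings are assumptions.
import android.Manifest;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.support.v4.app.ActivityCompat;
import android.support.v4.content.ContextCompat;
import android.support.v7.app.AppCompatActivity;
import android.widget.Toast;

public class CameraActivity extends AppCompatActivity {
    // Arbitrary request code used to match the result callback to this request
    private static final int REQUEST_CAMERA = 42;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (hasCameraPermission()) {
            openCamera();
        } else {
            // True when the user denied once without ticking "never ask again":
            // the right moment to explain why the permission is needed.
            if (ActivityCompat.shouldShowRequestPermissionRationale(
                    this, Manifest.permission.CAMERA)) {
                Toast.makeText(this, "Camera access is needed to scan codes",
                        Toast.LENGTH_LONG).show();
            }
            // On Android M+ this shows the system dialog for the CAMERA group;
            // on older devices the compat helper reports the install-time grant.
            ActivityCompat.requestPermissions(this,
                    new String[] { Manifest.permission.CAMERA }, REQUEST_CAMERA);
        }
    }

    // Always re-check instead of caching: the user can revoke the permission
    // group in Settings at any time while the app is not running.
    boolean hasCameraPermission() {
        return ContextCompat.checkSelfPermission(this, Manifest.permission.CAMERA)
                == PackageManager.PERMISSION_GRANTED;
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions,
                                           int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQUEST_CAMERA) {
            return;
        }
        // grantResults is empty when the request was cancelled, so check the length first
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            openCamera();
        } else {
            // Degrade gracefully rather than crash or nag: the feature is simply off
            Toast.makeText(this, "Scanning is disabled without camera access",
                    Toast.LENGTH_SHORT).show();
        }
    }

    private void openCamera() {
        // Start the camera use case here; omitted because it is unrelated to permissions
    }
}
```

The least-privilege point of the later checklist slide applies here too: request the permission at the moment the feature needs it, not all of them in onCreate of the launcher activity, and only those the app's manifest actually declares.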

  59. Group permissions on Android M

  60. Permissions FLOW on Android M

  61. Permissions on Android M

  62. Permissions on Android M

  63. OBFUSCATION
    ▪ The obfuscator can use several techniques to protect a Java/Android application:
    ▪ change the names of classes, methods and fields
    ▪ modify the control flow
    ▪ optimize the code
    ▪ load code dynamically
    ▪ replace instructions using metamorphic techniques

  64. PROGUARD
    ▪ Shrinker: detects and removes unused classes, fields, methods and attributes
    ▪ Optimizer: optimizes bytecode and removes unused instructions
    ▪ Obfuscator: renames classes, fields and methods using short, meaningless names

  65. OBFUSCATION WITH PROGUARD

  66. OBFUSCATION WITH PROGUARD

  67. HYBRID AUTOMATIC ONLINE TOOLS
    ▪ SandDroid
    ▪ ApkScan
    ▪ Visual Threat
    ▪ TraceDroid
    ▪ CopperDroid
    ▪ APK Analyzer
    ▪ ForeSafe
    ▪ AndroTotal
    ▪ NowSecure Lab

  68. VULNERABILITY ANALYSIS

  69. HYBRID AUTOMATIC ONLINE TOOLS
    ▪ http://sanddroid.xjtu.edu.cn/#home

  70. SANDDROID

  71. SANDDROID

  72. TRACEDROID

  73. NOWSECURE LAB

  74. NOWSECURE LAB

  75. NOWSECURE LAB

  76. BEST PRACTICES
    ▪ Don’t hardcode sensitive information
    ▪ Don’t store sensitive information
    ▪ Don’t store data in an easily readable location such as the memory card
    ▪ Encrypt the stored data
    ▪ Implement SSL

  77. BEST PRACTICES
    ▪ Protect the web server against application-layer attacks
    ▪ Prefer encryption over encoding or obfuscation
    ▪ Sanitize inputs and use prepared statements (protection against SQL injection)

  78. BEST PRACTICES

  79. Android Secure Coding Checklist
    ▪ Use least privilege when requesting permissions
    ▪ Don’t export components unnecessarily
    ▪ Handle intents carefully
    ▪ Justify any custom permissions
    ▪ Mutually authenticate services
    ▪ Use the APIs to construct ContentProvider URIs
    ▪ Use HTTPS
    ▪ Follow the best practices of the OWASP project: http://owasp.org/index.php/OWASP_Mobile_Security_Project

  80. OWASP MOBILE TOP 10 RISKS

  81. OWASP MOBILE TOP 10 RISKS

  82. Open Android Security Assessment Methodology

  83. PENTESTING TOOLS / SANTOKU LINUX
  84. PENTESTING TOOLS / NOWSECURE
    ▪ https://www.nowsecure.com/resources/freetools/

  85. REFERENCES
    ▪ http://proguard.sourceforge.net
    ▪ http://code.google.com/p/dex2jar
    ▪ http://code.google.com/p/android-apktool
    ▪ https://labs.mwrinfosecurity.com/tools/drozer
    ▪ http://sqlcipher.net/sqlcipher-for-android
    ▪ https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
    ▪ https://developer.android.com/training/articles/security-tips.html

  86. BOOKS

  87. BOOKS

  88. Thanks!
    @jmortegac
    AMSTERDAM 9-12 MAY 2016