I just hacked your app - AppBuilders Switzerland 2017

Android security is nowhere near where it should be. I have been able to hack and get sensitive information from a few different apps and I’m just an amateur hacker at best.

In this session we will explore a number of ways an Android app can be exploited and most importantly methods that we can use to avoid these attacks.

Marcos Placona

April 24, 2017
Transcript

  1. I just hacked your app

  2. Watch this

  4. PWNED

  5. Marcos Placona
    @marcos_placona
    [email protected]
    github.com/mplacona
    androidsecurity.info

  6. NOT

  8. (Lorem ipsum filler text)

  9. (Lorem ipsum filler text, with a message hidden between the words:)
    I haven’t really hacked your app

  10. Sue-y
    /s(j)uːi/
    1. To become annoyed with someone who broke your
    toy without permission and want to sue them for that.
    “Company X got all ‘sue-y’ on me when I hacked their
    app and showed the world”

  14. Kuba Gretzki
    http://bit.ly/hack4beer

  15. loyalty
    \ˈlȯi(-ə)l-tē\

  16. loyalty
    + =

  17. loyalty
    HTTP Proxy

  18. POST /users/461845f5d03e6c052a43afbc/points
    Accept: application/json
    Accept-Language: en-gb
    X-App-Version: 1.28.0
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1;)
    ...
    Content-Type: application/json; charset=UTF-8
    Content-Length: 375
    Host: api.eatapp.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    {
    "authentication_token":"boKUp9vBHNAJp7XbWZCK",
    "latitude":...,
    "longitude":...,
    "point":{
    "isDoneByGesture":false,
    "main_beacon":{
    "major":38995,
    "minor":12702,
    "uuid":"2C75E74B-41B7-49E3-BD26-CE86B2F569F8"
    },
    "place_id":"450",
    "promoted_products_ids":[
    {"id":"647035946536601578040000"},
    {"id":"647035946536601578040000"},
    {"id":"647035946536601578050000"}
    ]
    }
    }
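    The request above shows what the client controls once it is proxied: beacon ids, place_id, coordinates and flags such as isDoneByGesture. The following is an added example (not from the deck and not eatapp's code) of the server-side check that "DO NOT TRUST THE DEVICE" implies: the beacon registry, the award amount and the rate limit are assumptions, and the request body is constructed in the shape captured on the slide with the token replaced by a placeholder.

```python
import json
import time
from collections import defaultdict

# Assumed server-side registry (eatapp's real data is not on the page): every deployed
# beacon (uuid, major, minor) belongs to exactly one place_id.
BEACON_TO_PLACE = {("2C75E74B-41B7-49E3-BD26-CE86B2F569F8", 38995, 12702): "450"}
POINTS_PER_VISIT = 1
MIN_SECONDS_BETWEEN_AWARDS = 6 * 60 * 60
_last_award = defaultdict(dict)  # user_id -> {place_id: time of last award}


def award_points(user_id, body, now=None):
    """Server-side decision for a POST /users/<id>/points body.
    user_id is the identity established from the verified token, not a client claim.
    Returns (points, reason); nothing in the body is trusted until checked."""
    now = time.time() if now is None else now
    try:
        req = json.loads(body)
        point = req["point"]
        beacon = point["main_beacon"]
        key = (str(beacon["uuid"]).upper(), int(beacon["major"]), int(beacon["minor"]))
        place_id = str(point["place_id"])
    except (KeyError, TypeError, ValueError):
        return 0, "malformed request"
    # 1. the beacon must be one we deployed, and it must belong to the claimed place
    if BEACON_TO_PLACE.get(key) != place_id:
        return 0, "beacon/place mismatch"
    # 2. client-asserted details (isDoneByGesture, latitude/longitude) carry no weight
    # 3. rate-limit per user and place, so replaying a captured request cannot farm points
    last = _last_award[user_id].get(place_id)
    if last is not None and now - last < MIN_SECONDS_BETWEEN_AWARDS:
        return 0, "too soon since last award"
    _last_award[user_id][place_id] = now
    return POINTS_PER_VISIT, "ok"


# Constructed request body in the shape captured through the proxy on the slide
# (authentication token replaced with a placeholder).
SAMPLE_BODY = json.dumps({
    "authentication_token": "<token>", "latitude": 0.0, "longitude": 0.0,
    "point": {"isDoneByGesture": False,
              "main_beacon": {"major": 38995, "minor": 12702,
                              "uuid": "2C75E74B-41B7-49E3-BD26-CE86B2F569F8"},
              "place_id": "450",
              "promoted_products_ids": [{"id": "647035946536601578040000"}]}})
```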

  24. stop!

  25. • Encrypt all the values
    • Utilise security features when they exist
    • Certificate pinning
    • DO NOT TRUST THE DEVICE

  26. Encrypt all the values
    // build.gradle
    dependencies {
        compile 'com.scottyab:aescrypt:0.0.1'
    }

    import com.scottyab.aescrypt.AESCrypt;
    import java.security.GeneralSecurityException;

    // Encrypt
    String password = "password";
    String message = "hello world";
    try {
        String encryptedMsg = AESCrypt.encrypt(password, message);
    } catch (GeneralSecurityException e) {
        // handle error
    }

    // Decrypt (same password; the library derives the AES key from it)
    String encryptedMsg = "2B22cS3UC5s35WBihLBo8w==";
    try {
        String messageAfterDecrypt = AESCrypt.decrypt(password, encryptedMsg);
    } catch (GeneralSecurityException e) {
        // handle error - could be due to incorrect password or tampered encryptedMsg
    }

  28. Utilise security features when they exist

  30. Certificate pinning
    import okhttp3.CertificatePinner;
    import okhttp3.OkHttpClient;
    import okhttp3.Request;

    String hostname = "publicobject.com";
    // "sha256/AAAA..." is a placeholder: pin the real SHA-256 hash of the host's public key
    CertificatePinner certificatePinner = new CertificatePinner.Builder()
        .add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
        .build();
    OkHttpClient client = new OkHttpClient.Builder()
        .certificatePinner(certificatePinner)
        .build();
    Request request = new Request.Builder()
        .url("https://" + hostname)
        .build();
    // throws IOException (SSLPeerUnverifiedException) when the server's key does not match the pin
    client.newCall(request).execute();
    http://bit.ly/android-certificate-pinning
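    Added example (not from the deck, not OkHttp's code): how the `sha256/...` value that replaces the `AAAA…` placeholder is derived. OkHttp hashes the certificate's DER-encoded SubjectPublicKeyInfo with SHA-256 and base64-encodes the digest, so the pin survives certificate renewals that keep the same key. The minimal DER walker and the constructed (not real) sample certificate are assumptions so the block runs offline.

```python
import base64
import hashlib

def _tlv(tag, body):
    """Encode one DER element with a definite-length header (used to build the sample)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf, pos):
    """Return (tag, body_start, body_end) for the DER element starting at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def extract_spki(cert_der):
    """Walk Certificate -> TBSCertificate and return the DER SubjectPublicKeyInfo element."""
    _, p, _ = _read_tlv(cert_der, 0)               # Certificate SEQUENCE
    _, p, tbs_end = _read_tlv(cert_der, p)         # TBSCertificate SEQUENCE
    tag, _, end = _read_tlv(cert_der, p)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        p = end
    for _ in range(5):                             # serial, signature, issuer, validity, subject
        _, _, p = _read_tlv(cert_der, p)
    tag, _, end = _read_tlv(cert_der, p)           # subjectPublicKeyInfo
    if tag != 0x30 or end > tbs_end:
        raise ValueError("malformed certificate")
    return cert_der[p:end]

def pin_for_spki(spki_der):
    """OkHttp pin format: "sha256/" + base64(SHA-256 over the DER SubjectPublicKeyInfo)."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def okhttp_pin(cert_der):
    return pin_for_spki(extract_spki(cert_der))

# Constructed sample (NOT a real certificate): a P-256 SPKI holding a dummy point,
# wrapped in a structurally valid Certificate so extract_spki() has something to walk.
_ECDSA_SHA256 = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d040302")))
_EMPTY_NAME = _tlv(0x30, b"")
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d0201"))
                             + _tlv(0x06, bytes.fromhex("2a8648ce3d030107")))
                   + _tlv(0x03, b"\x00\x04" + bytes(64)))
_TBS = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _ECDSA_SHA256
            + _EMPTY_NAME + _tlv(0x30, _tlv(0x17, b"170424000000Z") * 2) + _EMPTY_NAME + SAMPLE_SPKI)
SAMPLE_CERT_DER = _tlv(0x30, _TBS + _ECDSA_SHA256 + _tlv(0x03, b"\x00" + bytes(8)))
```

    For a real host, feed the DER of the leaf (or an intermediate) certificate into okhttp_pin(); pinning more than one key avoids locking the app out when the key rotates.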

  34. Someone will decompile your app

  35. And when they do…

  36. “But I need magic strings”
    –Every Developer

  37. Options
    http://bit.ly/SafeKey
    Encrypt: make sure you encrypt or at least encode them
    Server: get your keys off a server you own

  38. Store in the NDK
    http://bit.ly/NDKStorage

  39. start!

  40. • Add tampering detection
    • Check your app’s signature
    • Check for rooted device
    • Check for emulator
    • Check if the app is debuggable

  41. Tampering detection
    import android.content.Context;

    // myPackageName should decode at runtime to "com.yourpackagename"
    // google should decode at runtime to "com.android.vending"
    // amazon should decode at runtime to "com.amazon.venezia"
    public boolean isHacked(Context context, String myPackageName, String google, String amazon)
    {
        // Crooks renamed your app?
        if (context.getPackageName().compareTo(myPackageName) != 0)
            return true; // BOOM!
        // Rogues relocated your app?
        String installer = context.getPackageManager().getInstallerPackageName(myPackageName);
        if (installer == null)
            return true; // BOOM!
        if (installer.compareTo(google) != 0 && installer.compareTo(amazon) != 0)
            return true; // BOOM!
        return false;
    }
    http://bit.ly/android-tampering-detection

  44. Check your app’s signature
    import android.content.Context;
    import android.content.pm.PackageInfo;
    import android.content.pm.PackageManager;
    import android.content.pm.Signature;
    import java.security.MessageDigest;

    private static final int VALID = 0;
    private static final int INVALID = 1;
    // hex digest of the release signing certificate (value as shown on the slide)
    private static final String APP_SIGNATURE = "1038C0E34658923C4192E61B16846";

    public static int checkAppSignature(Context context) {
        try {
            PackageInfo packageInfo = context.getPackageManager()
                .getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature signature : packageInfo.signatures) {
                byte[] signatureBytes = signature.toByteArray();
                MessageDigest md = MessageDigest.getInstance("SHA");
                md.update(signatureBytes);
                String currentSignature = toHex(md.digest());
                // compare signatures
                if (currentSignature.equalsIgnoreCase(APP_SIGNATURE)) {
                    return VALID;
                }
            }
        } catch (Exception e) {
            // assumes an issue in checking the signature, but we let the caller decide what to do
        }
        return INVALID;
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02X", b));
        return sb.toString();
    }
    http://bit.ly/AndroidTampering

  46. Check for rooted device
    // Returns true only if the command runs and exits with 0; the caller passes a
    // command whose success indicates a rooted device
    private static boolean canExecuteCommand(String command) {
        try {
            int exitValue = Runtime.getRuntime().exec(command).waitFor();
            return exitValue == 0;
        } catch (Exception e) {
            return false;
        }
    }

  48. Check for emulator
    Build.FINGERPRINT.startsWith("generic")

  50. Check if the app is debuggable
    public static boolean isDebuggable(Context context) {
        return (context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

  51. Debuggable app

  53. Things to look at
    • Protect your apps with tools like ProGuard and DexGuard.
    • Look at the SafetyNet API by Google
    • Implement Network Security Configuration
    http://bit.ly/SafeKey

  54. ProGuard
    • Installed by default
    • Name Obfuscation
    • Code Optimisation
    • Removal of Redundant Code
    • FREE
    DexGuard
    • Class Encryption
    • Call Hiding through Reflection
    • String Encryption
    • Certificate Checks
    • Debug Detection
    • Emulator Detection
    • Root Detection
    • Tamper Detection
    • Costs $$$

  56. SafetyNet API by Google

  58. Network Security Configuration

  61. Thanks
    Marcos Placona
    @marcos_placona
    [email protected]
    github.com/mplacona
    androidsecurity.info