Slide 1

Slide 1 text

Testing Android Security José Manuel Ortega @jmortegac AMSTERDAM 11-12 MAY 2016

Slide 2

Slide 2 text

https://speakerdeck.com/jmortega http://jmortega.github.io

Slide 3

Slide 3 text

AGENDA ▪ Development Cycle ▪ Static and Dynamic Analysis ▪ Components Security ▪ Hybrid Automatic tools ▪ Best Practices & OWASP

Slide 4

Slide 4 text

DEVELOPMENT CYCLE

Slide 5

Slide 5 text

WHITE BOX / BLACK BOX

Slide 6

Slide 6 text

TESTING ANDROID SECURITY

Slide 7

Slide 7 text

FORENSICS

Slide 8

Slide 8 text

FORENSICS

Slide 9

Slide 9 text

STATIC ANALYSIS

Slide 10

Slide 10 text

CODE REVIEW / SOURCE CODE ANALYSIS

Slide 11

Slide 11 text

ANDROID LINT

Slide 12

Slide 12 text

ANDROID STUDIO INSPECT CODE

Slide 13

Slide 13 text

ANDROID SONAR PLUGIN

Slide 14

Slide 14 text

ANDROID SONAR PLUGIN >RULES

Slide 15

Slide 15 text

SONAR SECURITY

Slide 16

Slide 16 text

ANDROWARN

Slide 17

Slide 17 text

QARK ▪ Quick Android Review Kit ▪ https://github.com/linkedin/qark ▪ Static code analysis tool ▪ Look for potential vulnerabilities

Slide 18

Slide 18 text

QARK ▪ Identifies permissions and exported components (activities, services, ...) in the Manifest ▪ Looks for files created with MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE ▪ Looks for X.509 certificate validation issues (TrustManagers that accept any certificate, hostname verifiers that accept any host)

Slide 19

Slide 19 text

QARK

Slide 20

Slide 20 text

QARK REPORT

Slide 21

Slide 21 text

REVERSE ENGINEERING ▪ classes.dex inside the APK holds the Dalvik bytecode ▪ APKTOOL disassembles it to smali (and decodes resources and the Manifest) ▪ DEX2JAR converts dex to Java .class files ▪ A Java Decompiler (JD-GUI, JADX) turns those classes back into readable Java

Slide 22

Slide 22 text

APK STRUCTURE

Slide 23

Slide 23 text

DISASSEMBLY AND DECOMPILATION

Slide 24

Slide 24 text

JADX-GUI

Slide 25

Slide 25 text

APKTOOL

Slide 26

Slide 26 text

DYNAMIC ANALYSIS TOOLS

Slide 27

Slide 27 text

WIRESHARK

Slide 28

Slide 28 text

BURP SUITE ▪ Intercepting HTTP proxy ▪ Intercepts application-layer (HTTP/HTTPS) traffic and lets the tester modify requests and responses on the fly ▪ For HTTPS the Burp CA certificate must be installed on the device, which is exactly what certificate pinning is meant to block

Slide 29

Slide 29 text

DROZER ▪ https://labs.mwrinfosecurity.com/tools/drozer/ ▪ Find vulnerabilities automatically ▪ Automate security testing ▪ Interact with your Apps with debugging disabled

Slide 30

Slide 30 text

INSIDE DROZER

Slide 31

Slide 31 text

DROZER

Slide 32

Slide 32 text

DROZER PACKAGE INFO ▪ app.package.info

Slide 33

Slide 33 text

DROZER COMMANDS

Slide 34

Slide 34 text

DROZER CONTENT PROVIDERS

Slide 35

Slide 35 text

FINDING SQL INJECTION IN CONTENT PROVIDERS

Slide 36

Slide 36 text

EXPLOITING SQL INJECTION VULNERABILITY

Slide 37

Slide 37 text

ANDROID MANIFEST ▪ android:debuggable="true": must be false in release builds (lets anyone with adb attach a debugger or use run-as on the app's private data) ▪ android:exported="true": the component is reachable from any other app, so it needs a permission or strict input validation

Slide 38

Slide 38 text

ANDROID MANIFEST EXPORTED ATTRIBUTE

Slide 39

Slide 39 text

COMPONENTS SECURITY ▪ AndroidManifest.xml ▪ Activities ▪ Content Providers ▪ Services ▪ Shared Preferences ▪ Webview

Slide 40

Slide 40 text

LOG INFORMATION

public static final boolean SHOW_LOG = BuildConfig.DEBUG;

public static void d(final String tag, final String msg) {
    if (SHOW_LOG) Log.d(tag, msg);
}

Slide 41

Slide 41 text

THIRD PARTY LIBRARIES

Slide 42

Slide 42 text

VULNERABILITIES IN CORDOVA 3.5

Slide 43

Slide 43 text

SECURITY IN CONTENT PROVIDERS ▪ Components provide a standardized interface for sharing data between applications ▪ URI addressing scheme ▪ Can perform queries equivalent to SELECT, UPDATE,INSERT, DELETE
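The content-provider SQL injection from the two drozer slides and the hardened provider this slide calls for, as an added example that is not part of the original deck. The package, the authority com.example.notes, the table and column names are assumptions.

```java
// Added example, not from the slides: a content provider whose query() builds SQL by
// string concatenation (the pattern drozer's app.provider.query exploits), beside the
// hardened query() that the same drozer command no longer gets past. The package,
// authority "com.example.notes", table and columns are assumptions.
package com.example.notes;

import android.content.ContentProvider;
import android.content.ContentResolver;
import android.content.ContentValues;
import android.content.Context;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import android.text.TextUtils;
import java.util.HashMap;
import java.util.Map;

// Manifest entry (assumed): keep the provider private unless other apps need it.
//   <provider android:name=".NotesProvider"
//             android:authorities="com.example.notes"
//             android:exported="false" />
public class NotesProvider extends ContentProvider {
    static final Uri NOTES = Uri.parse("content://com.example.notes/notes");
    private static final String TABLE = "notes";

    // Columns a caller may request; anything else is rejected by the query builder.
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("title", "title");
        PROJECTION_MAP.put("body", "body");
    }

    private static class Db extends SQLiteOpenHelper {
        Db(Context c) { super(c, "notes.db", null, 1); }
        @Override public void onCreate(SQLiteDatabase db) {
            db.execSQL("CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, body TEXT)");
        }
        @Override public void onUpgrade(SQLiteDatabase db, int oldV, int newV) {}
    }

    private Db helper;

    @Override public boolean onCreate() { helper = new Db(getContext()); return true; }

    // VULNERABLE (do not ship): projection and selection are pasted into the SQL text.
    // If the provider is exported, drozer dumps the schema with
    //   run app.provider.query content://com.example.notes/notes --projection "* FROM sqlite_master;--"
    // and --selection "1=1" returns every row regardless of the filter a client meant to apply.
    Cursor queryVulnerable(String[] projection, String selection) {
        String cols = projection == null ? "*" : TextUtils.join(",", projection);
        String where = selection == null ? "1=1" : selection;
        return helper.getReadableDatabase().rawQuery(
                "SELECT " + cols + " FROM " + TABLE + " WHERE " + where, null);
    }

    // HARDENED: the projection map turns an unknown column into IllegalArgumentException,
    // strict mode makes SQLiteQueryBuilder verify the selection before it is used,
    // and caller values travel as bound '?' parameters in selectionArgs.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(PROJECTION_MAP);
        qb.setStrict(true);   // API 14+
        return qb.query(helper.getReadableDatabase(), projection, selection,
                selectionArgs, null, null, sortOrder);
    }

    // How a legitimate client passes user input: as an argument, never inside the SQL string.
    static Cursor findByTitle(ContentResolver resolver, String userInput) {
        return resolver.query(NOTES, new String[]{"_id", "title"},
                "title = ?", new String[]{userInput}, null);
    }

    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.note"; }
    @Override public Uri insert(Uri uri, ContentValues values) {
        long id = helper.getWritableDatabase().insert(TABLE, null, values); // values are bound
        return Uri.withAppendedPath(NOTES, String.valueOf(id));
    }
    // delete/update still hand the caller's selection to SQLite; with exported="false"
    // only this app can reach them.
    @Override public int delete(Uri uri, String sel, String[] args) {
        return helper.getWritableDatabase().delete(TABLE, sel, args);
    }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) {
        return helper.getWritableDatabase().update(TABLE, v, sel, args);
    }
}
```

To verify the fix from drozer, run the same app.provider.query command against both builds: the vulnerable provider returns the sqlite_master rows, the hardened one fails with IllegalArgumentException ("Invalid column ..."), and with android:exported="false" the provider does not show up in app.provider.finduri at all.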

Slide 44

Slide 44 text

SQLCIPHER ▪ SQLCipher is an SQLite extension that provides transparent encryption of the whole database file ▪ 256-bit AES, with the key derived from a passphrase ▪ http://sqlcipher.net/sqlcipher-for-android
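Opening an encrypted database with SQLCipher for Android, as an added example that is not part of the original deck. It assumes the 3.x API of the library linked above (net.sqlcipher.database.SQLiteDatabase), the package com.example.notes, and a passphrase typed by the user rather than embedded in the app.

```java
// Added example, not from the slides: SQLCipher for Android 3.x usage. The passphrase
// comes from the user (assumption); a hard-coded passphrase would be recovered by the
// static-analysis tools covered earlier and defeat the encryption.
package com.example.notes;

import android.content.ContentValues;
import android.content.Context;
import java.io.File;
import net.sqlcipher.Cursor;
import net.sqlcipher.database.SQLiteDatabase;

public final class EncryptedStore {
    private EncryptedStore() {}

    // Must run once before any other SQLCipher call: loads the native libraries.
    public static void init(Context ctx) {
        SQLiteDatabase.loadLibs(ctx);
    }

    // Opens (or creates) the encrypted database. SQLCipher derives the AES key from the
    // passphrase with PBKDF2; the passphrase itself is never written to disk by the library.
    public static SQLiteDatabase open(Context ctx, String passphrase) {
        File dbFile = ctx.getDatabasePath("notes.db");   // app-private storage, not the SD card
        dbFile.getParentFile().mkdirs();
        SQLiteDatabase db = SQLiteDatabase.openOrCreateDatabase(dbFile, passphrase, null);
        db.execSQL("CREATE TABLE IF NOT EXISTS notes (_id INTEGER PRIMARY KEY, title TEXT, body TEXT)");
        return db;
    }

    // Values go through ContentValues, so they are bound, not concatenated into SQL.
    public static long addNote(SQLiteDatabase db, String title, String body) {
        ContentValues v = new ContentValues();
        v.put("title", title);
        v.put("body", body);
        return db.insert("notes", null, v);
    }

    // Same bound-parameter rule for reads.
    public static Cursor findByTitle(SQLiteDatabase db, String title) {
        return db.query("notes", new String[]{"_id", "title", "body"},
                "title = ?", new String[]{title}, null, null, null);
    }
}
```

Check it the way a forensic examiner would: pull notes.db from a rooted device or the emulator; `strings` on it must show no titles or bodies, and the stock sqlite3 CLI must refuse it with "file is encrypted or is not a database". Keep the passphrase in memory only as long as the database is open.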

Slide 45

Slide 45 text

SECURED PREFERENCES ▪ https://github.com/scottyab/secure-preferences ▪ Encrypt your app's shared preferences ▪ Android SharedPreferences wrapper that encrypts both keys and values (the key still lives on the device, so it stops casual reading of the XML file, not an attacker with root)

Slide 46

Slide 46 text

SECURED PREFERENCES

Slide 47

Slide 47 text

DATA STORAGE

Slide 48

Slide 48 text

PROTECTING DATA FILES

Slide 49

Slide 49 text

SECURE COMMUNICATIONS ▪ Ensure that all sensitive data is encrypted in transit ▪ Use certificate pinning to defeat MITM attacks mounted with a rogue or compromised CA

Slide 50

Slide 50 text

CERTIFICATES ▪ Anti-patterns to look for in code review: ▪ SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER (Apache HttpClient) ▪ A custom TrustManager whose checkServerTrusted() never throws, so any certificate is accepted

Slide 51

Slide 51 text

CERTIFICATE PINNING
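The two anti-patterns from the CERTIFICATES slide beside a pinned TrustManager, as an added example that is not part of the original deck. It assumes the package com.example.notes, a CA certificate shipped as the raw resource R.raw.api_ca, and the URL https://api.example.com/.

```java
// Added example, not from the slides: insecure TLS shortcuts beside certificate pinning
// with a bundled CA. R.raw.api_ca and https://api.example.com/ are assumptions.
package com.example.notes;

import android.content.Context;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class Tls {
    private Tls() {}

    // --- INSECURE: what QARK and a code review must flag ---
    static final X509TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String auth) {}
        // Never throws, so a self-signed or attacker-issued certificate is accepted.
        public void checkServerTrusted(X509Certificate[] chain, String auth) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };
    // Same effect as SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER: any host name passes.
    static final HostnameVerifier ALLOW_ALL = new HostnameVerifier() {
        public boolean verify(String host, SSLSession session) { return true; }
    };

    // --- PINNED: only chains that end in the bundled CA are trusted ---
    public static SSLContext pinnedContext(Context ctx) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca;
        try (InputStream in = ctx.getResources().openRawResource(R.raw.api_ca)) {
            ca = cf.generateCertificate(in);   // DER or PEM encoded certificate
        }
        // Empty key store holding just our CA; the device's system CAs are NOT included.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("pinned-ca", ca);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, tmf.getTrustManagers(), null);
        return sc;
    }

    public static HttpsURLConnection openPinned(Context ctx, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(pinnedContext(ctx).getSocketFactory());
        // Leave the default HostnameVerifier in place: it checks the certificate's
        // SAN/CN against the host. Calling conn.setHostnameVerifier(ALLOW_ALL) would
        // let any certificate signed by the pinned CA pass for any host.
        return conn;
    }
}
```

Test it with the Burp setup from the dynamic-analysis section: with the Burp CA installed on the device, a connection built with TRUST_EVERYTHING or the platform defaults proxies cleanly, while openPinned() must fail the handshake with SSLHandshakeException. Pinning a CA rather than a leaf certificate survives routine certificate renewal, but the app still needs an update path for when the CA itself is rotated.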

Slide 52

Slide 52 text

X.509 CERTIFICATES

Slide 53

Slide 53 text

HTTPS Connection

Slide 54

Slide 54 text

HTTPS Connection

Slide 55

Slide 55 text

ENCRYPT NETWORK REQUESTS ▪ Best practice is to always encrypt network communications ▪ HTTPS (TLS) protects against MitM attacks and casual traffic sniffing ▪ Server certificate validity and host name are checked by default by HttpsURLConnection; the problems start when that check is overridden

Slide 56

Slide 56 text

VALIDATE SERVER CERTIFICATE ▪ https://www.ssllabs.com/ssltest

Slide 57

Slide 57 text

CHECK CERTIFICATES TOOLS ▪ OpenSSL ▪ Keytool ▪ Jarsigner

Slide 58

Slide 58 text

Runtime Permissions ▪ Before Android 6.0 (M): all permissions granted at install time ▪ From Android M: dangerous permissions require user confirmation ▪ Prompt for dangerous permissions at runtime, and re-check before every use (the user can revoke them in Settings at any time) ▪ Granted/revoked by permission group ▪ Managed per app, per user ▪ /data/system/users/0/runtime-permissions.xml
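The request/result flow for a dangerous permission on Android M, as an added example that is not part of the original deck. It assumes the package com.example.notes, the CAMERA permission, the support-v4 library (ActivityCompat/ContextCompat) and an arbitrary request code.

```java
// Added example, not from the slides: runtime permission flow on Android 6.0+ using
// support-v4 helpers so the same code runs on older releases (where the permission
// was granted at install time). Package, permission and request code are assumptions.
package com.example.notes;

import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.support.v4.app.ActivityCompat;
import android.support.v4.content.ContextCompat;
import android.widget.Toast;

public class CameraActivity extends Activity {
    private static final int REQ_CAMERA = 42;   // arbitrary request code

    @Override
    protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        if (hasCamera()) {
            startCamera();
        } else {
            // Pre-M: already granted, so this branch is never reached.
            // M+: shows the system dialog; the answer arrives in onRequestPermissionsResult.
            ActivityCompat.requestPermissions(this,
                    new String[]{Manifest.permission.CAMERA}, REQ_CAMERA);
        }
    }

    // Check at every use, not once: the grant can be revoked while the app is installed.
    private boolean hasCamera() {
        return ContextCompat.checkSelfPermission(this, Manifest.permission.CAMERA)
                == PackageManager.PERMISSION_GRANTED;
    }

    @Override
    public void onRequestPermissionsResult(int code, String[] perms, int[] results) {
        super.onRequestPermissionsResult(code, perms, results);
        if (code != REQ_CAMERA) return;
        // results can be empty if the request was interrupted; treat that as denied.
        if (results.length > 0 && results[0] == PackageManager.PERMISSION_GRANTED) {
            startCamera();
        } else if (ActivityCompat.shouldShowRequestPermissionRationale(
                this, Manifest.permission.CAMERA)) {
            // Denied once: explain why the permission is needed, then let the user decide again.
            Toast.makeText(this, "Camera is needed to scan notes", Toast.LENGTH_LONG).show();
        } else {
            // "Never ask again" or blocked by policy: degrade gracefully, do not loop the prompt.
            Toast.makeText(this, "Scanning disabled", Toast.LENGTH_LONG).show();
        }
    }

    private void startCamera() {
        // camera code goes here; it runs only after a successful check
    }
}
```

To exercise the revoke path during testing: `adb shell pm revoke com.example.notes android.permission.CAMERA`, then return to the activity and confirm it re-prompts instead of crashing with a SecurityException.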

Slide 59

Slide 59 text

Group permissions on Android M

Slide 60

Slide 60 text

Permissions FLOW on Android M

Slide 61

Slide 61 text

Permissions on Android M

Slide 62

Slide 62 text

Permissions on Android M

Slide 63

Slide 63 text

OBFUSCATION ▪ The obfuscator can use several techniques to protect a Java/Android application: ▪ change names of classes, methods, fields ▪ modify the control flow ▪ code optimization ▪ dynamic code loading ▪ change instructions with metamorphic technique

Slide 64

Slide 64 text

PROGUARD ▪ Shrinker: detects and removes unused classes, fields, methods, and attributes ▪ Optimizer: optimizes bytecode and removes unused instructions ▪ Obfuscator: renames classes, fields, and methods with short meaningless names (raises the cost of reverse engineering, does not prevent it; strings and logic are still recoverable with the tools above)

Slide 65

Slide 65 text

OBFUSCATION WITH PROGUARD

Slide 66

Slide 66 text

OBFUSCATION WITH PROGUARD

Slide 67

Slide 67 text

HYBRID AUTOMATIC ONLINE TOOLS ▪ SandDroid ▪ ApkScan ▪ Visual Threat ▪ TraceDroid ▪ CopperDroid ▪ APK Analyzer ▪ ForeSafe ▪ AndroTotal ▪ NowSecure Lab (uploading an APK to a public sandbox shares it with a third party; check that first for unreleased builds)

Slide 68

Slide 68 text

VULNERABILITY ANALYSIS

Slide 69

Slide 69 text

HYBRID AUTOMATIC ONLINE TOOLS ▪ http://sanddroid.xjtu.edu.cn/#home

Slide 70

Slide 70 text

SANDDROID

Slide 71

Slide 71 text

SANDDROID

Slide 72

Slide 72 text

TRACEDROID

Slide 73

Slide 73 text

NOWSECURE LAB

Slide 74

Slide 74 text

NOWSECURE LAB

Slide 75

Slide 75 text

NOWSECURE LAB

Slide 76

Slide 76 text

BEST PRACTICES ▪ Don't hardcode sensitive information (keys, credentials) ▪ Don't store sensitive information unless you have to ▪ Don't store it in easily readable locations such as external storage (SD card) ▪ Encrypt the stored data ▪ Implement SSL/TLS

Slide 77

Slide 77 text

BEST PRACTICES ▪ Protect the web server against application-layer attacks ▪ Prefer encryption over encoding or obfuscation ▪ Sanitize inputs and use prepared statements (protection against SQL injection)

Slide 78

Slide 78 text

BEST PRACTICES

Slide 79

Slide 79 text

Android Secure Coding Checklist ▪ Use least privilege in requested permissions ▪ Don't unnecessarily export components ▪ Handle intents carefully ▪ Justify any custom permissions ▪ Mutually authenticate services ▪ Use APIs to construct ContentProvider URIs ▪ Use HTTPS ▪ Follow best practices from the OWASP project http://owasp.org/index.php/OWASP_Mobile_Security_Project

Slide 80

Slide 80 text

OWASP MOBILE TOP 10 RISKS

Slide 81

Slide 81 text

OWASP MOBILE TOP 10 RISKS

Slide 82

Slide 82 text

Open Android Security Assessment Methodology

Slide 83

Slide 83 text

PENTESTING TOOLS / SANTOKU LINUX

Slide 84

Slide 84 text

PENTESTING TOOLS / NOWSECURE ▪ https://www.nowsecure.com/resources/freetools/

Slide 85

Slide 85 text

REFERENCES ▪ http://proguard.sourceforge.net ▪ http://code.google.com/p/dex2jar ▪ http://code.google.com/p/android-apktool ▪ https://labs.mwrinfosecurity.com/tools/drozer ▪ http://sqlcipher.net/sqlcipher-for-android ▪ https://www.owasp.org/index.php/OWASP_Mobile_Security_Project ▪ https://developer.android.com/training/articles/security-tips.html

Slide 86

Slide 86 text

BOOKS

Slide 87

Slide 87 text

BOOKS

Slide 88

Slide 88 text

Thanks! @jmortegac AMSTERDAM 9-12 MAY 2016