Slide 1

Don’t get stung by OWASP: Episode II
@Sp4ghettiCode / spght.dev
Android Worldwide, July 2022
Ed Holloway-George

Slide 2

Who am I?
• Senior Android Dev @ ASOS
• Dad to a Pomeranian
• Security ‘enthusiast’ (Please please note: NOT expert)
Find me on social:
• @Sp4ghettiCode
• spght.dev/talks
• Follow me for more! (And dog pictures)
(Photo captions: I’m this one. This is not me.)

Slide 3

Talk Agenda
AKA - What I hope I have enough time to cover
• Introduction to more of the OWASP Top 10
• Address the most common mistakes in our apps
• Q&A
• Bedtime (for me at least!)

Slide 4

⚠ MANDATORY LEGAL WARNING ⚠
You know, just in case someone goofs up later.
• Anything you learn here is to be used for educational purposes ONLY
• Do NOT test on apps you are not authorised to use
• Please consider seeking your company’s security advice from someone that knows a lot more than me!
• This talk is NOT associated with and/or endorsed by the OWASP Foundation or my employer!

Slide 5

⚡ Re-intro to OWASP

Slide 6

‘Who’ or ‘What’ is OWASP?
• Open Web Application Security Project
• Non-profit OWASP Foundation created in 2001
• Provides free security resources for developers & organisations alike
• Also maintains ‘Top 10’ list(s) of the greatest threats to application security

Slide 7

Top 10 Mobile Threats
Source: owasp.org/www-project-mobile-top-10 (Last updated 2016)
1. Improper Platform Usage
2. Insecure Data Storage
3. Insecure Communication
4. Insecure Authentication
5. Insufficient Cryptography
PART 1 OF THIS TALK NOW AVAILABLE ON ANDROID WW’S YOUTUBE: youtu.be/HRJw8RIgbSg (links at spght.dev/talks)

Slide 8

Next 10 Mobile Threats
Source: owasp.org/www-project-mobile-top-10 (Last updated 2016)
1. Improper Platform Usage
2. Insecure Data Storage
3. Insecure Communication
4. Insecure Authentication
5. Insufficient Cryptography
6. Insecure Authorisation
7. Client Code Quality
8. Code Tampering
9. Reverse Engineering
10. Extraneous Functionality

Slide 9

#6 OWASP Threat: Insecure Authorisation
YOUR PERMISSIONS

Slide 10

Insecure Authorisation
AKA - I don’t think you’re allowed to do that…
• Authorisation != Authentication
  • Authentication = Proving your identity
  • Authorisation = Performing an action with permission
• E.g. Logging in to Twitter
  • Authentication via email + password
  • Authorisation permits you to view your DMs (and not mine)

Slide 11

Introducing ‘Smart Sheriff’
South Korea’s answer to ‘How insecure can we make an app?’
• Smart Sheriff was a 2015 government-mandated parental monitoring mobile app in South Korea
• By law it had to be installed on the phone of anyone under the age of 19
• Gave parents the ability to monitor web searches, block sites and snoop on messages
• Amazing talk: “Smart Sheriff, Dumb Idea” by Abraham Aranguren & Fabian Fäßler

Slide 12

Introducing ‘Smart Sheriff’
South Korea’s answer to ‘How insecure can we make an app?’
• The app had an API to retrieve lost passwords for child accounts that could be called by any user
• Passing in a mobile number would return either the app’s password or the mobile number of the child’s parent 🤦
• Trivial to traverse phone numbers to gain privileged info
• Pen-test link @ spght.dev/talks
Image: 7asecurity.com

Slide 13

Insecure Authorisation
How to avoid it!
• When using authorised APIs:
  • Use the minimum required permissions for the call
  • Verify any user roles server-side
  • Avoid using role/permission information that comes from the mobile device itself
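The three bullets above are easiest to see side by side in code. The following Kotlin is an added example written for this write-up; it is not Smart Sheriff’s code and not the speaker’s. It models the flawed “recover parent’s number from a phone number” endpoint and a hardened version that takes the caller’s identity from a server-validated session and ignores any role the device claims. All names (Session, ChildAccountStore, recoverParentPhone and the sample phone numbers) are hypothetical.

```kotlin
// Added example: server-side authorisation for a child-account recovery call.
// Everything here is hypothetical; the phone numbers are constructed samples.

enum class Role { PARENT, CHILD, ADMIN }

// Identity as established by the SERVER from a validated session token.
// Nothing in here is taken from fields the mobile client chose to send.
data class Session(val userId: String, val role: Role)

data class ChildAccount(val childPhone: String, val parentUserId: String, val parentPhone: String)

class ChildAccountStore(accounts: List<ChildAccount>) {
    private val byPhone = accounts.associateBy { it.childPhone }
    fun find(childPhone: String): ChildAccount? = byPhone[childPhone]
}

// Shape of the flaw: the only input is a phone number, so any caller can
// look up any child's parent simply by iterating through numbers.
fun recoverParentPhoneInsecure(store: ChildAccountStore, childPhone: String): String? =
    store.find(childPhone)?.parentPhone

sealed class RecoverResult {
    data class Found(val parentPhone: String) : RecoverResult()
    object Denied : RecoverResult()
}

// Hardened: the caller must be authenticated, and the server decides whether
// THIS caller may see THIS record. A role string sent by the device is ignored.
@Suppress("UNUSED_PARAMETER")
fun recoverParentPhone(
    store: ChildAccountStore,
    session: Session,
    childPhone: String,
    clientClaimedRole: String? = null   // kept only to show it is never consulted
): RecoverResult {
    // One response for "no such child" and "not your child": a distinct
    // "not found" answer would still confirm which numbers are enrolled.
    val account = store.find(childPhone) ?: return RecoverResult.Denied
    val allowed = session.role == Role.ADMIN ||
        (session.role == Role.PARENT && session.userId == account.parentUserId)
    return if (allowed) RecoverResult.Found(account.parentPhone) else RecoverResult.Denied
}

fun main() {
    val store = ChildAccountStore(listOf(
        ChildAccount("+82-10-0000-0001", parentUserId = "parent-1", parentPhone = "+82-10-0000-0002")
    ))
    val parent = Session("parent-1", Role.PARENT)
    val stranger = Session("user-77", Role.PARENT)

    println(recoverParentPhoneInsecure(store, "+82-10-0000-0001"))              // parent's number, for anyone
    println(recoverParentPhone(store, parent, "+82-10-0000-0001"))              // Found(...)
    println(recoverParentPhone(store, stranger, "+82-10-0000-0001", "ADMIN"))   // Denied: device's claim ignored
    println(recoverParentPhone(store, stranger, "+82-10-9999-9999"))            // Denied: same answer as unknown number
}
```

The point of the hardened version is where the inputs come from: the record being requested is client-controlled, but the identity and role doing the requesting are not, and the ownership check runs on the server on every call.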

Slide 14

#7 OWASP Threat: Client Code Quality
YOUR CODE (duh)

Slide 15

Client Code Quality
What is it?
• Difficult to define exactly…
• Poorly written code! 🍝
• Not following coding ‘best practices’
• Misuse of a programming language
  • JavaScript -> XSS attack
  • SQL -> SQL injection
  • C++/etc -> Buffer overflow

Slide 16

Client Code Quality
How to avoid it!
• Have a solid code review process
• Use static analysis tools e.g. SonarCloud / Snyk
• Know the flaws and dangers of using particular languages
• Consider using ‘Strict Mode’ to catch errors early

Slide 17

Client Code Quality
Strict Mode
• Tool within the Android Framework to detect code violations at runtime
  • e.g. Performing I/O operations on the Main Thread
  • Leaks - e.g. not closing a ‘Closeable’
• Split into Thread + Virtual Machine violations

Slide 18

Client Code Quality
Strict Mode
• Allows for different ‘penalties’ on spotting a violation
  • Write to logcat
  • Show an ‘annoying dialog’
  • Flash the device’s screen
  • Crash the app 🔥😅

Slide 19

Client Code Quality
Strict Mode Examples

StrictMode.setThreadPolicy(
    StrictMode.ThreadPolicy.Builder()
        .detectDiskReads()
        .detectDiskWrites()
        .detectNetwork()
        .penaltyLog()    // Penalty: write to logcat
        .build()
)

Slide 20

Client Code Quality
Strict Mode Examples

StrictMode.setVmPolicy(
    StrictMode.VmPolicy.Builder()
        .detectCleartextNetwork()        // Detect non-HTTPS traffic
        .detectLeakedSqlLiteObjects()    // Detect leaks
        .detectLeakedClosableObjects()
        .penaltyLog()                    // Penalty: write to logcat
        .penaltyDeath()                  // Penalty: crash 🔥
        .build()
)

(These three detectors live on VmPolicy.Builder, so the matching call is setVmPolicy, not setThreadPolicy.)

Slide 21

Client Code Quality
Strict Mode Usage
• BEST PRACTICES:
  • Add within the Application class before the super.onCreate() call
  • Use within debuggable builds only
  • Use penaltyDeath() for the most serious cases
    • E.g. penaltyDeathOnCleartextNetwork()
  • Always read the docs!
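Putting the last three slides together, here is the complete Application class the usage bullets describe: StrictMode configured before super.onCreate(), only in debuggable builds, with logging for the ordinary violations and a hard crash reserved for cleartext network traffic. This is an added example for this write-up, not code from the talk’s sample app; the package name is taken from the Smali paths shown later in the deck, the class name OwaspApp is hypothetical, and BuildConfig is the Gradle-generated class for that package.

```kotlin
package dev.spght.owasp   // package from the deck's smali; the class itself is hypothetical

import android.app.Application
import android.os.StrictMode

// Register in AndroidManifest.xml with android:name=".OwaspApp".
class OwaspApp : Application() {

    override fun onCreate() {
        // Set the policies BEFORE super.onCreate() so violations during
        // framework and library initialisation are caught as well.
        // Debug builds only: StrictMode is a development tool, not a runtime guard.
        if (BuildConfig.DEBUG) {
            enableStrictMode()
        }
        super.onCreate()
    }

    private fun enableStrictMode() {
        // Thread policy: things that must not happen on the calling (main) thread.
        StrictMode.setThreadPolicy(
            StrictMode.ThreadPolicy.Builder()
                .detectDiskReads()
                .detectDiskWrites()
                .detectNetwork()
                .penaltyLog()            // write the violation + stack trace to logcat
                .penaltyFlashScreen()    // visible nudge while testing on a device
                .build()
        )

        // VM policy: process-wide problems such as leaks and insecure transport.
        StrictMode.setVmPolicy(
            StrictMode.VmPolicy.Builder()
                .detectLeakedSqlLiteObjects()
                .detectLeakedClosableObjects()
                .detectCleartextNetwork()            // API 23+
                .penaltyLog()
                // Reserve the crash for the case with a real security impact:
                // plain-HTTP traffic leaving the app.
                .penaltyDeathOnCleartextNetwork()    // API 23+
                .build()
        )
    }
}
```

Because the policies are set inside an `if (BuildConfig.DEBUG)` branch, a release build configures nothing, which is the intended behaviour: the detections are meant to surface mistakes during development and in QA builds, not to protect users at runtime.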

Slide 22

#8 OWASP Threat: Code Tampering
YOUR CODE AGAIN

Slide 23

Code Tampering
What is it?
• The unwanted modification of your app’s code
• Modification of your app’s resources
• The unintended use of your app through the use of a ‘rooted/jailbroken’ device
• More common in popular apps such as ‘freemium’ games
• Used by malicious actors to distribute modded APKs with spyware + more nasty surprises 😈

Slide 24

Code Tampering
How could we do it?
• Using Apktool: ibotpeaches.github.io/Apktool
  • Decompiles an APK to resources and Smali files
  • Smali = human-readable form of the .dex bytecode
  • Run using: apktool d app.apk

Slide 25

Code Tampering
Kotlin

private fun showPinEntered(pinCount: Int) {
    binding.mainPin.text = "*".repeat(pinCount)
}

Slide 26

Code Tampering
Converted Smali Example

.method private final showPinEntered(I)V
    .locals 2
    .param p1, "pinCount"

    .line 56
    iget-object v0, p0, Ldev/spght/owasp/login/LoginActivity;->binding:Ldev/spght/owasp/databinding/LoginBinding;
    if-nez v0, :cond_0
    # Removed binding error handling code here for brevity
    iget-object v0, v0, Ldev/spght/owasp/databinding/LoginBinding;->mainPin:Landroid/widget/TextView;
    const-string v1, "*"
    check-cast v1, Ljava/lang/CharSequence;
    invoke-static {v1, p1}, Lkotlin/text/StringsKt;->repeat(Ljava/lang/CharSequence;I)Ljava/lang/String;
    move-result-object v1
    check-cast v1, Ljava/lang/CharSequence;
    invoke-virtual {v0, v1}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V

    .line 57
    return-void
.end method

Slide 27

Code Tampering
Converted Smali Example (excerpt)

.method private final showPinEntered(I)V
    .locals 2
    .param p1, "pinCount"

Slide 28

Code Tampering
Converted Smali Example (excerpt)

.method private final showPinEntered(I)V
    …
    check-cast v1, Ljava/lang/CharSequence;
    invoke-static {v1, p1}, Lkotlin/text/StringsKt;->repeat(Ljava/lang/CharSequence;I)Ljava/lang/String;
    move-result-object v1

Slide 29

Code Tampering
Converted Smali Example (excerpt)

.method private final showPinEntered(I)V
    …
    invoke-virtual {v0, v1}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V

    .line 57
    return-void

Slide 30

Code Tampering
⚠ How to do it…
• Modify Smali files to do XYZ (i.e. whatever)
• Samples: https://ur.link/43i ⚠
• Re-compile app using apktool then re-sign using jarsigner

# Re-compile the app
# base in this example is the base folder of the decompiled app
apktool b base

# Generate a new key to sign the build
keytool -genkeypair -v -keystore key.keystore -alias publishingdoc -keyalg RSA -keysize 2048 -validity 10000

# Sign the new app APK
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore ./key.keystore base.apk publishingdoc

Slide 31

Code Tampering
How to detect it!
• Root detection SDKs
  • RootBeer: github.com/scottyab/rootbeer
• Jetpack Security App Authenticator SDK
  • Verifies SHA-256 of signing certificates
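The detection the second bullet describes rests on one fact: a re-packaged APK has to be re-signed, and the attacker cannot re-sign it with your certificate. The Kotlin below is an added example for this write-up that performs that check directly against PackageManager; it is not the speaker’s code and not the App Authenticator library’s API, which does the same comparison from an XML config. The package name is taken from the deck’s Smali paths; EXPECTED_SIGNER_SHA256 is a placeholder you replace with the SHA-256 fingerprint of your own release signing certificate, and the function names are hypothetical.

```kotlin
package dev.spght.owasp   // package from the deck's smali; the functions are hypothetical

import android.content.Context
import android.content.pm.PackageManager
import android.content.pm.Signature
import android.os.Build
import java.security.MessageDigest

// PLACEHOLDER: SHA-256 of YOUR release signing certificate, lowercase hex, no colons.
// With Play App Signing this is Google's app-signing certificate, not your upload key.
const val EXPECTED_SIGNER_SHA256 = "<sha256 of release signing certificate>"

fun sha256Hex(bytes: ByteArray): String =
    MessageDigest.getInstance("SHA-256").digest(bytes).joinToString("") { "%02x".format(it) }

// SHA-256 digests of the DER-encoded certificate(s) the installed APK was signed with.
fun installedSignerDigests(context: Context): List<String> {
    val pm = context.packageManager
    val signatures: Array<Signature> = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        val info = pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNING_CERTIFICATES)
        info.signingInfo?.apkContentsSigners ?: emptyArray()
    } else {
        @Suppress("DEPRECATION")
        pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNATURES).signatures ?: emptyArray()
    }
    return signatures.map { sha256Hex(it.toByteArray()) }
}

// True only if every signer of the running APK matches the expected certificate.
// An APK rebuilt with apktool and re-signed with a fresh keystore fails this test.
fun isSignedWithExpectedCert(context: Context): Boolean {
    val digests = installedSignerDigests(context)
    return digests.isNotEmpty() &&
        digests.all { it.equals(EXPECTED_SIGNER_SHA256, ignoreCase = true) }
}

// Example call site, e.g. early in Application.onCreate(): treat a mismatch as a
// signal (refuse sensitive features, report to your backend), not as proof of safety.
fun checkAppIntegrity(context: Context): Boolean = isSignedWithExpectedCert(context)
```

Two caveats belong with any in-app check like this. First, it lives in the same APK the attacker is modifying, so it raises the bar rather than closing the door; the comparison can be patched out in Smali just like the PIN code above. Second, the fingerprint must be the certificate that actually signs what users install, so if you use Play App Signing, take it from the Play Console rather than from your local keystore.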

Slide 32

Intermission
Super shameless plug…
• I have two articles with relevant code tampering material:
  • “Learning to 'Hack Android' with picoCTF”
  • “Hands on with Jetpack's Security App Authenticator library”
✨ BOTH AVAILABLE TO READ AT SPGHT.DEV ✨

Slide 33

#9 OWASP Threat: Reverse Engineering
YOUR CODE AGAIN, AGAIN

Slide 34

Reverse Engineering
AKA gnireenignE esreveR
• Decompiling your app and understanding how it works to find vulnerabilities + other goodies
• Similar attack approach to Code Tampering
• Uses a similar set of tools to look at source code

Slide 35

Reverse Engineering
How to do it…
• Your APK is just a ZIP file with extra spice
• Rename app.apk to app.zip
• Unzip
• ???
• Profit
• A wild folder with lots of files appeared!

Slide 36

Reverse Engineering
The innards of your APK
• .dex files are Dalvik Executable files
  • Similar to Java .class files, but run on Android’s own runtime (Dalvik, now ART) rather than a standard JVM
  • Contain Dalvik bytecode
  • Possible to convert back to (an approximation of) its original source code; the process is lossy

Slide 37

Reverse Engineering
How to do it…
• Convert .dex to .jar
  • github.com/pxb1988/dex2jar
  • ⚠ Run dex2jar *.dex
• ⚠ Open .jar in JADX / Luyten / JD-GUI
• ⚠ Explore code


Slide 39

#10 OWASP Threat: Extraneous Functionality
IT’S YOUR CODE ONCE AGAIN, YOU GET THE PICTURE…

Slide 40

Extraneous Functionality
I.e. A treasure hunt for hackers
• Hackers look for ‘back-doors’ in your app’s code
  • Hidden feature flags
  • Hard-coded debug accounts
  • Any other goodies you left behind…

Slide 41

Extraneous Functionality
How to protect against it
• Where possible, do not ship with anything included in your app that could be ‘enabled’ when you don’t want it to be
• Ensure you strip out any hard-coded credentials or anything you use for QA-ing the app
• GOOD CODE REVIEWS!
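To make the two protection bullets concrete, here is what a hard-coded QA account looks like next to a structure where the release build simply has no such path. This is an added example written for this write-up, not the speaker’s sample app; the class names (InsecureLogin, Login, DebugHooks, FakeLoginHooks) and the credential strings are constructed for illustration.

```kotlin
// Added example: a shipped QA backdoor versus a production class with no bypass.
// All names and credential strings are constructed for illustration.

typealias RemoteCheck = (user: String, pass: String) -> Boolean

// BEFORE: the shortcut ships in every build. Anyone who unzips the release APK
// and runs it through dex2jar + JADX finds both strings as plain constants.
class InsecureLogin(private val remote: RemoteCheck) {
    private val qaUser = "qa_admin"        // constructed sample value
    private val qaPass = "letmein-2022"    // constructed sample value
    fun login(user: String, pass: String): Boolean =
        (user == qaUser && pass == qaPass) || remote(user, pass)
}

// AFTER: production code has no local bypass at all. Anything QA needs sits behind
// an interface whose only real implementation lives in src/debug, so the release
// build never compiles it. (A plain `if (BuildConfig.DEBUG)` branch would still
// leave the strings in the release dex unless the shrinker removes the dead branch.)
interface DebugHooks {
    // null means "no opinion": fall through to the real check.
    fun overrideLogin(user: String, pass: String): Boolean?

    object None : DebugHooks {
        override fun overrideLogin(user: String, pass: String): Boolean? = null
    }
}

class Login(
    private val remote: RemoteCheck,
    private val hooks: DebugHooks = DebugHooks.None   // release wiring never supplies anything else
) {
    fun login(user: String, pass: String): Boolean =
        hooks.overrideLogin(user, pass) ?: remote(user, pass)
}

// In a real project this class is src/debug/.../FakeLoginHooks.kt; it is shown
// inline here only so the example runs as a single file.
class FakeLoginHooks : DebugHooks {
    override fun overrideLogin(user: String, pass: String): Boolean? =
        if (user.startsWith("qa-")) true else null
}

fun main() {
    // Stand-in for the server call; constructed sample credentials.
    val remote: RemoteCheck = { u, p -> u == "alice" && p == "correct-horse" }

    println(InsecureLogin(remote).login("qa_admin", "letmein-2022"))   // true: backdoor works for anyone
    println(Login(remote).login("qa_admin", "letmein-2022"))           // false: nothing to find in release
    println(Login(remote, FakeLoginHooks()).login("qa-tester", ""))    // true: only where debug hooks are wired in
}
```

The review question this structure makes easy to ask is “what does the release source set contain?”: if the answer includes any credential, magic string or flag that flips behaviour, it is extraneous functionality waiting to be found.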

Slide 42

Thanks for watching!
• Find me on Twitter @Sp4ghettiCode
• Thanks to Android Worldwide for rescheduling this talk!
• More resources and links at spght.dev/talks
• Please do reach out if you are interested in learning more or have knowledge to share with the community!
• Questions and Answers to follow…

Slide 43

EOF