Slide 1

The secret life of Android apps
Artur Hil

Slide 2

@s1LentHil
Security Engineer, CISSP
Breaking the apps to make them more secure
Security engineering and architecture
We make software to get data security right

Slide 3


@ s1LentHil

Slide 4

What we will talk about
● How to set up the testing environment
● What tools you need
● How to tune those tools
● Examples of proper security controls in apps

Slide 5

We will not cover
● How to root the Android phone
● How to bypass root detection
● How to bypass TLS pinning
● How to reverse engineer Android apps
● How to make money on app vulnerabilities
● How to break the TikTok app to make your account popular

Slide 6

You will need
1. macOS, Windows or Linux, but we will cover only macOS
2. Burp Suite Community or Pro
3. Android Studio or a real device, but we will cover only the emulator
4. Some app you want to test

Slide 7

Environment variables
    nano ~/.zshrc

Slide 8

Create the AVD with AVD manager
Android Studio > Tools > AVD manager

Slide 9

Create the AVD with AVD manager

Slide 10

It is your choice to trust

Slide 11

Create the AVD with AVD manager

Slide 12

Create the AVD with AVD manager

Slide 13

Create the AVD with AVD manager

Slide 14

Create the AVD with console
    sdkmanager --install "system-images;android-26;google_apis;x86_64"
    sdkmanager --list

Slide 15

Create the AVD with console
    avdmanager create avd -n Pixel_27 -d 19 -k 'system-images;android-26;google_apis;x86_64'
    -n  AVD name
    -d  Device id (19 = Pixel)
    -k  Package path of the system image

Slide 16


Slide 17

Running through the Burp Suite

Slide 18

Running through the Burp Suite

Slide 19

GET the ROOT CA

Slide 20

ROOT CA to AVD
Easy way: Android < 7.0
https://portswigger.net/support/installing-burp-suites-ca-certificate-in-an-android-device
cacert.der >> cacert.cer (rename the exported certificate)

Slide 21

ROOT CA to AVD
    emulator -list-avds
    Pixel_27
    emulator @Pixel_27 -writable-system

Slide 22

ROOT CA to AVD
    openssl x509 -inform DER -in cacert.der -out cacert.pem
    openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
    9a5ba575
    mv cacert.pem 9a5ba575.0

Slide 23

ROOT CA to AVD
    adb root
    restarting adbd as root
    adb remount
    remount succeeded
    adb push 9a5ba575.0 /sdcard/
    9a5ba575.0: 1 file pushed, 0 skipped. 1.4 MB/s (1326 bytes in 0.01s)

Slide 24

ROOT CA to AVD
    adb shell
    generic_x86_64:/ # mv /sdcard/9a5ba575.0 /system/etc/security/cacerts/
    generic_x86_64:/ # chmod 644 /system/etc/security/cacerts/9a5ba575.0
    generic_x86_64:/ # reboot
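The console AVD creation (slides 14 and 15) and the "ROOT CA to AVD" steps (slides 20 to 24) chain together into one script. The following POSIX shell script is an added example, not part of the deck or of any tool it shows; it assumes sdkmanager, avdmanager, emulator, adb and openssl are on PATH (the environment variables of slide 7), that the Burp CA was exported as DER, and that the AVD is not already running. The AVD name Pixel_27, device id 19 and API level 26 are the slide's values, used here as defaults. It goes one step further than the slides by deriving the <hash>.0 file name automatically and by waiting for adbd to come back after `adb root`.

```shell
#!/bin/sh
# Added example (not from the slides): automate the console AVD creation
# and the "ROOT CA to AVD" steps for a Burp CA exported as DER.
# Assumptions: sdkmanager, avdmanager, emulator, adb and openssl are on PATH
# (slide 7's environment variables), and the AVD is not already running.
# Usage: sh burp_ca_to_avd.sh run cacert.der [AVD_NAME] [API_LEVEL]
set -eu

# Package string for a google_apis x86_64 system image of the given API level.
image_package() {
    printf 'system-images;android-%s;google_apis;x86_64\n' "$1"
}

# Install the system image and create the AVD unless it already exists.
# Device id 19 is the Pixel profile used on the slide.
ensure_avd() {
    avd="$1"; api="$2"
    pkg="$(image_package "$api")"
    sdkmanager --install "$pkg"
    if ! emulator -list-avds | grep -qx "$avd"; then
        avdmanager create avd -n "$avd" -d 19 -k "$pkg"
    fi
}

# File name Android expects in /system/etc/security/cacerts: the old-style
# (MD5) subject hash plus ".0". -noout drops the PEM body, so no `head -1`.
cert_hash_name() {
    hash="$(openssl x509 -inform PEM -subject_hash_old -noout -in "$1")"
    printf '%s.0\n' "$hash"
}

# Convert DER to PEM, rename it to <hash>.0 in the current directory and
# print that name.
prepare_ca_file() {
    der="$1"
    pem="${der%.der}.pem"
    openssl x509 -inform DER -in "$der" -out "$pem"
    name="$(cert_hash_name "$pem")"
    mv "$pem" "$name"
    printf '%s\n' "$name"
}

# Boot the AVD with a writable /system, copy the CA into the system store,
# make it world-readable and reboot so the store is re-read.
install_system_ca() {
    avd="$1"; cafile="$2"
    emulator "@$avd" -writable-system >/dev/null 2>&1 &
    adb wait-for-device
    adb root
    adb wait-for-device          # adbd restarts after `adb root`
    adb remount
    adb push "$cafile" /sdcard/
    adb shell "mv /sdcard/$cafile /system/etc/security/cacerts/ && chmod 644 /system/etc/security/cacerts/$cafile"
    adb reboot
}

main() {
    der="$1"; avd="${2:-Pixel_27}"; api="${3:-26}"
    ensure_avd "$avd" "$api"
    cafile="$(prepare_ca_file "$der")"
    install_system_ca "$avd" "$cafile"
    echo "installed $cafile into the system CA store of $avd"
}

# Only run when invoked as `sh burp_ca_to_avd.sh run ...`, so the functions
# can also be sourced and reused one at a time.
case "${1:-}" in run) shift; main "$@" ;; esac
```

The CA goes into the system store rather than the user store because, as slide 20 hints with "Android < 7.0", apps on Android 7 and later do not trust user-installed CAs by default, so only a system CA lets Burp see their TLS traffic. The modified /system survives reboots only while the AVD is started with -writable-system, and on newer system images `adb remount` may refuse until `adb disable-verity` has been run and the device rebooted once.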

Slide 25


Slide 26


Slide 27

    adb shell pm list packages
    package:com.example.someapp
    adb shell pm path com.example.someapp
    package:/data/app/someapp/base.apk
    adb pull /data/app/someapp/base.apk path/to/desired/destination
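The three commands above (list packages, resolve the APK path, pull it) are usually repeated for many apps, and an app shipped as split APKs answers `pm path` with several lines, not one. The POSIX shell script below is an added example, not from the deck; it assumes adb is on PATH with a single device or emulator attached, and generalises the slide's flow to all user-installed packages and to split APKs. The package name com.example.someapp is the slide's placeholder.

```shell
#!/bin/sh
# Added example (not from the slides): pull every APK that makes up an
# installed package (base.apk plus any split_*.apk) into a local directory,
# for one package or for all user-installed packages.
# Assumption: adb is on PATH with exactly one device or emulator attached.
# Usage: sh pull_apks.sh run com.example.someapp [outdir]
#        sh pull_apks.sh run --all [outdir]
set -eu

# `pm` prefixes every name or path with "package:"; keep only those lines,
# without the prefix, so status text such as "Success" is dropped.
strip_package_prefix() {
    sed -n 's/^package://p'
}

# Names of third-party (user-installed) packages, one per line.
# tr removes the CR that some adb versions append to shell output.
list_user_packages() {
    adb shell pm list packages -3 | tr -d '\r' | strip_package_prefix
}

# All APK paths of a package; an app built with split APKs yields several.
apk_paths() {
    adb shell pm path "$1" | tr -d '\r' | strip_package_prefix
}

# Pull every APK of one package into <outdir>/<package>/ and list the result.
pull_package() {
    pkg="$1"; dest="$2/$pkg"
    mkdir -p "$dest"
    apk_paths "$pkg" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        adb pull "$path" "$dest/"
    done
    ls "$dest"
}

main() {
    target="$1"; outdir="${2:-./apks}"
    if [ "$target" = "--all" ]; then
        list_user_packages | while IFS= read -r pkg; do
            pull_package "$pkg" "$outdir"
        done
    else
        pull_package "$target" "$outdir"
    fi
}

# Only run when invoked as `sh pull_apks.sh run ...`, so the functions can
# also be sourced on their own.
case "${1:-}" in run) shift; main "$@" ;; esac
```

When a package came back as several APKs, the single `adb install base.apk` of the next slide is not enough to put it back; `adb install-multiple base.apk split_*.apk` installs the set together.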

Slide 28

    adb install base.apk
    Performing Streamed Install
    Success

Slide 29

Mobile Application Security Verification Standard (MASVS)
Establishes baseline security requirements for mobile apps
https://github.com/OWASP/owasp-masvs

Slide 30

Mobile Security Testing Guide (MSTG)
Comprehensive manual for mobile app security testing and reverse engineering for iOS and Android mobile security testers
https://github.com/OWASP/owasp-mstg

Slide 31

OWASP Mobile Top 10
https://owasp.org/www-project-mobile-top-10/

Slide 32

TLS pinning
MASVS 5.4: The app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently does not establish connections with endpoints that offer a different certificate or key, even if signed by a trusted CA.

Slide 33

Root detection
MASVS 8.1: The app detects, and responds to, the presence of a rooted or jailbroken device either by alerting the user or terminating the app.

Slide 34

Developers are building great apps, but often they don't pay attention to security.
Security people are breaking those apps, but often they just break them.
Security of the app is an endless process.

Slide 35

Read more about mobile app security
https://book.hacktricks.xyz/mobile-apps-pentesting/android-app-pentesting
https://gist.github.com/mrk-han/66ac1a724456cadf1c93f4218c6060ae
https://speakerdeck.com/julep/common-ios-vulnerabilities-and-how-to-fix-them
https://www.cossacklabs.com/blog/react-native-app-security/

Slide 36

@s1LentHil
https://speakerdeck.com/s1lenthil
We help companies to protect their sensitive and valuable data.