Mobile Hacking Daiane Santos

! Opinions expressed are solely my own and do not express the views or opinions of my employer. disclaimer

- about me - introduction - surface attack - server-side attacks - client-side attacks - reversing android - thanks Agenda

whoami Mobile Security Engineer @Nubank Player and Captain @RATF Autist - AH/SD Chess Player Neuroscience Enthusiast

No content

surface attack

No content

No content

Server- Side- Attacks Static Analysis

mobile application architecture mobile device transport security server - auth and authz - webpages - apis database

server-side vulnerabilities Most of the communication between an application and a user occurs through a server, as it is the server that stores and processes all the data that enables the application to run: authentication data, business data, financial or transactional data, personal data, etc.

> Weak Server-Side Controls > Insecure Data Storage > Insufficient Transport Layer Protection > Poor Authentication and Authorization > Broken Cryptography > Security Decisions via Untrusted Inputs > Improper Session Handling server-side vulnerabilities

Client- Side- Attacks

> Injections > Local Storage > Web Messaging > WebSockets > ClickJacking > Cross-origin Resource Sharing (CORS) -> CSRF Client-Side Attacks

static application security testing

! Content created only for educational purpose disclaimer II

reverse engineering

Tip: Rename the .apk file to .zip and use unzip to open ;)

API calls or endpoints understanding the way some security controls are implemented root detection -> SuperUser hardcoded sensitive information inside the code backdoor accounts, API keys and secrets, passwords... interesting strings points of encryption and obfuscation so we can decrypt and de-obfuscate What we are looking for? reversing

Activities: Components that provide a screen with which users can interact. Broadcast receivers: Components that receive and respond to broadcast messages from other apps or from the operating system. Services: Components that perform operations in the background. reversing

AndroidManifest.xml Includes package name, details about the app components, permissions, security settings...

AndroidManifest.xml

other files classes.dex resources.arsc This file contains the Dalvik Bytecode, this file is executed when an app runs. The file acts like an index of all mentioned resources.

other files lib/ assets/ res/ Directory with all resources, activities xmls, layouts, images... Composed by native libs of the application. Adicional libs and other files that are necessary to app.

mobSF

attacks on activities If an application has an activity that is exported, other applications can also invoke it. This can be invoked by other malicious applications that are running on the device.

attacks on broadcast receivers That means any application will be able to send arbitrary, uncontrolled SMSs.

securing the application Set android:exported 1. attribute’s value to false false 2. Limit access with custom permissions

thank you! Contact: wh0isdxk.github.com github.com/wh0isdxk twitter.com/wh0isdxk instagram.com/wh0isdxk wh0isdxk.medium.com