Slide 1

Slide 1 text

Attacking Android Applications Dario Incalza @h4oxer

Slide 2

Slide 2 text

$ whoami @h4oxer • Mobile Security Expert @ ZIONSECURITY • Pentesting of mobile applications • Bug bounty hunting • www.darioincalza.be • Tweets @h4oxer

Slide 3

Slide 3 text

ZIONSECURITY • Experts in web, mobile, IoT and infrastructure security • Pentesting – architectural and implementation • Secure Software Development • Security Consultancy • HQ in Rotselaar, Belgium • www.zionsecurity.com @h4oxer

Slide 4

Slide 4 text

Outline • Android Applications 101 • Attack Surfaces • Attacking Applications Statically • Attacking Applications Dynamically • Countermeasures @h4oxer

Slide 5

Slide 5 text

Android Applications 101 @h4oxer

Slide 6

Slide 6 text

Android Platform Stack (bottom to top)
• Linux Kernel
• Hardware Abstraction Layer (HAL)
• Native C/C++ Libraries and Android Runtime (ART) with its core libraries
• Java API Framework
• Applications

Slide 7

Slide 7 text

Android Application • .apk - Android Package • Uploaded to Play Store or sideloaded • Can be dumped from the device • A regular .zip file • Always signed @h4oxer

Slide 8

Slide 8 text

APK Content
• AndroidManifest.xml (binary XML: components, permissions, exported attributes)
• classes.dex (and classes2.dex, … for multidex): the compiled code
• resources.arsc and res/: compiled resources
• assets/: raw files shipped with the app
• lib/: native C/C++ .so files, one directory per ABI

Slide 9

Slide 9 text

Build Process
Source code, resource files, JAR libraries and AAR libraries go through the compilers (javac then dx/d8 for code, aapt for resources) and come out as DEX files and compiled resources, which are zipped together and signed to form the APK.

Slide 10

Slide 10 text

DEX Bytecode
• Register-based bytecode (classes.dex)
• Executed by the Dalvik VM (old) or the ART runtime
• On ART, compiled ahead-of-time to native code by dex2oat
• Can be decompiled back to (approximate) Java source
• Smali = human-readable assembly for DEX; baksmali disassembles, smali reassembles
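Added example (not code from the slides) tying the "APK Content" and "DEX Bytecode" slides together: treat the APK as the plain zip it is, sort its entries into the categories above, then parse the classes.dex header and verify its adler32 checksum and SHA-1 signature, which is the first thing to do with a .dex dumped from a device. The APK and DEX are constructed in memory so the script runs offline; a real file is parsed exactly the same way.

```python
"""Walk an APK as a plain zip and verify a classes.dex header. Added example, not code
from the slides; the APK and DEX below are constructed in memory so it runs offline."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_LEN = 0x70
HEADER_FIELDS = ("file_size header_size endian_tag link_size link_off map_off "
                 "string_ids_size string_ids_off type_ids_size type_ids_off proto_ids_size "
                 "proto_ids_off field_ids_size field_ids_off method_ids_size method_ids_off "
                 "class_defs_size class_defs_off data_size data_off").split()

def read_uleb128(buf: bytes, off: int):
    """DEX length prefixes are ULEB128; returns (value, offset after it)."""
    result = shift = 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7

def build_dex(strings) -> bytes:
    """Constructed minimal DEX: header, string_ids table and NUL-terminated string data."""
    ids_off = DEX_HEADER_LEN
    data_off = ids_off + 4 * len(strings)
    data, ids = bytearray(), []
    for s in strings:
        assert len(s) < 128, "a single ULEB128 byte is enough for this sample"
        ids.append(data_off + len(data))
        data += bytes([len(s)]) + s.encode("ascii") + b"\x00"
    body = b"".join(struct.pack("<I", o) for o in ids) + bytes(data)
    fields = [DEX_HEADER_LEN + len(body), DEX_HEADER_LEN, 0x12345678, 0, 0, 0,
              len(strings), ids_off] + [0] * 10 + [len(data), data_off]
    tail = struct.pack("<20I", *fields) + body
    signature = hashlib.sha1(tail).digest()                  # SHA-1 of everything after itself
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF   # adler32 of everything after itself
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + tail

def parse_dex(blob: bytes) -> dict:
    """Parse the header, verify checksum/signature/size and pull the string table."""
    if not blob.startswith(b"dex\n") or len(blob) < DEX_HEADER_LEN:
        raise ValueError("not a DEX file")
    hdr = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", blob, 32)))
    hdr["version"] = blob[4:7].decode()
    checksum, = struct.unpack_from("<I", blob, 8)
    hdr["checksum_ok"] = (zlib.adler32(blob[12:]) & 0xFFFFFFFF) == checksum
    hdr["signature_ok"] = hashlib.sha1(blob[32:]).digest() == blob[12:32]
    hdr["size_ok"] = hdr["file_size"] == len(blob)
    strings = []
    for i in range(hdr["string_ids_size"]):
        off, = struct.unpack_from("<I", blob, hdr["string_ids_off"] + 4 * i)
        _, start = read_uleb128(blob, off)
        strings.append(blob[start:blob.index(b"\x00", start)].decode("utf-8"))
    hdr["strings"] = strings   # class/method names and literals live here: grep them first
    return hdr

# Entry categories from the "APK Content" slide. v2/v3 signatures live in the APK Signing
# Block, not in a zip entry, so `apksigner verify` is the authoritative signature check.
RULES = [
    ("manifest", lambda n: n == "AndroidManifest.xml"),
    ("dex", lambda n: n.endswith(".dex")),
    ("resources", lambda n: n == "resources.arsc" or n.startswith("res/")),
    ("native", lambda n: n.startswith("lib/") and n.endswith(".so")),
    ("assets", lambda n: n.startswith("assets/")),
    ("v1_signature", lambda n: n.startswith("META-INF/") and n.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC", "SF", "MF")),
]

def build_sample_apk(dex: bytes) -> bytes:
    """Constructed stand-in for a real APK: same layout, placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # binary XML, hence aapt/apktool
        z.writestr("classes.dex", dex)
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
        z.writestr("assets/config.json", b"{}")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")
    return buf.getvalue()

def inventory(apk: bytes) -> dict:
    groups = {key: [] for key, _ in RULES}
    groups["other"] = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            groups[next((k for k, match in RULES if match(name)), "other")].append(name)
    return groups

if __name__ == "__main__":
    apk = build_sample_apk(build_dex(["Ljavax/crypto/Cipher;", "AES/ECB/PKCS5Padding"]))
    print(inventory(apk))
    print(parse_dex(zipfile.ZipFile(io.BytesIO(apk)).read("classes.dex")))
```

A checksum or signature mismatch on a dumped classes.dex usually means a truncated pull or a packer that rewrites the file at load time, which is worth knowing before spending time in a decompiler.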

Slide 11

Slide 11 text

Smali Bytecode @h4oxer

Slide 12

Slide 12 text

Attack Surfaces @h4oxer

Slide 13

Slide 13 text

Attack Models • Reverse engineering offline & online • App on device – without root • App on device – with root • Man-in-the-Middle • Physical access to device @h4oxer

Slide 14

Slide 14 text

Research Questions
• How does the app handle authentication?
  • Access tokens, stored credentials, proper session management
• How does the app store user data?
  • Cryptography, storage location, API keys, exposed content providers
• How does the app communicate?
  • HTTP vs HTTPS, certificate pinning
• How does the app protect itself?
  • Obfuscation, dynamic (root/emulator/integrity) checks

Slide 15

Slide 15 text


Slide 16

Slide 16 text

Attacking Applications Statically @h4oxer

Slide 17

Slide 17 text

Reverse Engineering Process
• unzip the APK → native .so libraries (x86 / ARM / x86-64) → Radare2, Hopper, IDA Pro
• unzip the APK → classes.dex → Java source via dex2jar (plus a Java decompiler), or Smali bytecode via baksmali/smali
• aapt → resources and XML resources (manifest, layouts)

Slide 18

Slide 18 text

$ aapt d xmltree file.apk AndroidManifest.xml
Dumps the binary manifest as a readable tree. Look for the package name, android:debuggable, android:allowBackup, the requested permissions, and components that carry android:exported or an intent filter.
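Added example, not from the slides: a parser for the text that the aapt command above prints, which turns the tree back into elements and attributes and then applies the platform's export rules to list the components an attacker on the same device can reach. The AAPT_XMLTREE sample is constructed in aapt's output format for a hypothetical com.example.webview app (the resource ids in parentheses are ignored by the parser).

```python
"""Parse `aapt d xmltree file.apk AndroidManifest.xml` output and list the components an
attacker can reach. Added example, not from the slides; AAPT_XMLTREE is constructed."""
import re

AAPT_XMLTREE = """\
N: android=http://schemas.android.com/apk/res/android
  E: manifest (line=2)
    A: package="com.example.webview" (Raw: "com.example.webview")
    E: uses-sdk (line=4)
      A: android:targetSdkVersion(0x01010270)=(type 0x10)0x17
    E: uses-permission (line=5)
      A: android:name(0x01010003)="android.permission.INTERNET" (Raw: "android.permission.INTERNET")
    E: application (line=8)
      A: android:allowBackup(0x01010280)=(type 0x12)0xffffffff
      A: android:debuggable(0x0101000f)=(type 0x12)0xffffffff
      E: activity (line=10)
        A: android:name(0x01010003)="com.example.webview.MainActivity" (Raw: "com.example.webview.MainActivity")
        E: intent-filter (line=11)
          E: action (line=12)
            A: android:name(0x01010003)="android.intent.action.MAIN" (Raw: "android.intent.action.MAIN")
          E: category (line=13)
            A: android:name(0x01010003)="android.intent.category.LAUNCHER" (Raw: "android.intent.category.LAUNCHER")
      E: activity (line=16)
        A: android:name(0x01010003)="com.example.webview.DeepLinkActivity" (Raw: "com.example.webview.DeepLinkActivity")
        E: intent-filter (line=17)
          E: action (line=18)
            A: android:name(0x01010003)="android.intent.action.VIEW" (Raw: "android.intent.action.VIEW")
          E: data (line=19)
            A: android:scheme(0x01010027)="webview" (Raw: "webview")
      E: provider (line=22)
        A: android:name(0x01010003)="com.example.webview.NotesProvider" (Raw: "com.example.webview.NotesProvider")
        A: android:exported(0x01010010)=(type 0x12)0xffffffff
        A: android:authorities(0x01010018)="com.example.webview.notes" (Raw: "com.example.webview.notes")
      E: service (line=26)
        A: android:name(0x01010003)="com.example.webview.SyncService" (Raw: "com.example.webview.SyncService")
        A: android:exported(0x01010010)=(type 0x12)0x0
        E: intent-filter (line=27)
          E: action (line=28)
            A: android:name(0x01010003)="com.example.webview.SYNC" (Raw: "com.example.webview.SYNC")
"""

ELEMENT_RE = re.compile(r"^E: (\S+)")
ATTR_RE = re.compile(r"^A: (?:android:)?([\w\-]+)(?:\(0x[0-9a-f]+\))?=(.*)$")
TYPED_RE = re.compile(r"^\(type 0x([0-9a-f]+)\)(0x[0-9a-f]+)")

def attr_value(raw: str):
    """Quoted values come back as str, typed values as bool (type 0x12) or int."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw[1:raw.index('"', 1)]
    m = TYPED_RE.match(raw)
    if m:
        value = int(m.group(2), 16)
        return bool(value) if m.group(1) == "12" else value
    return raw

def parse_xmltree(text: str) -> dict:
    """Rebuild the element tree from aapt's indentation (attributes precede children)."""
    root = {"tag": "", "attrs": {}, "children": []}
    stack = [(-1, root)]                       # (indent, node)
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        while stack[-1][0] >= indent:          # close elements at this depth or deeper
            stack.pop()
        parent = stack[-1][1]
        if m := ELEMENT_RE.match(body):
            node = {"tag": m.group(1), "attrs": {}, "children": []}
            parent["children"].append(node)
            stack.append((indent, node))
        elif m := ATTR_RE.match(body):
            parent["attrs"][m.group(1)] = attr_value(m.group(2))
        # "N:" namespace declarations carry nothing we need
    return root

def find(node: dict, tag: str):
    for child in node["children"]:
        if child["tag"] == tag:
            yield child
        yield from find(child, tag)

def is_exported(comp: dict, target_sdk: int) -> bool:
    """Platform defaults when android:exported is absent (it became mandatory in API 31)."""
    if "exported" in comp["attrs"]:
        return bool(comp["attrs"]["exported"])
    if comp["tag"] == "provider":
        return target_sdk < 17                  # providers default to exported only below API 17
    return any(c["tag"] == "intent-filter" for c in comp["children"])

def attack_surface(text: str) -> dict:
    tree = parse_xmltree(text)
    manifest = next(find(tree, "manifest"))
    app = next(find(manifest, "application"))
    sdk = next(find(manifest, "uses-sdk"), {"attrs": {}})
    target_sdk = sdk["attrs"].get("targetSdkVersion", 1)
    report = {
        "package": manifest["attrs"].get("package"),
        "target_sdk": target_sdk,
        "debuggable": bool(app["attrs"].get("debuggable", False)),   # jdb/Frida attach without root
        "allow_backup": bool(app["attrs"].get("allowBackup", True)),  # `adb backup` dumps app data
        "permissions": [p["attrs"].get("name") for p in find(manifest, "uses-permission")],
        "exported": [],
    }
    for tag in ("activity", "activity-alias", "service", "receiver", "provider"):
        for comp in find(app, tag):
            if is_exported(comp, target_sdk):
                entry = {"type": tag, "name": comp["attrs"].get("name")}
                if tag == "provider":
                    entry["authorities"] = comp["attrs"].get("authorities")
                report["exported"].append(entry)
    return report

if __name__ == "__main__":
    for key, value in attack_surface(AAPT_XMLTREE).items():
        print(f"{key}: {value}")
```

Every exported provider in the report is a candidate for the "exposed content providers" question on the Research Questions slide: query its authority from another app (or `adb shell content query --uri content://<authority>/...`) and see what comes back without any permission.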

Slide 19

Slide 19 text


Slide 20

Slide 20 text

$ apktool d file.apk @h4oxer

Slide 21

Slide 21 text

Bytecodeviewer @h4oxer

Slide 22

Slide 22 text

DroidGraph @h4oxer https://github.com/DarioI/droidgraph

Slide 23

Slide 23 text

Cryptography 101
• Symmetric crypto = one shared key for both encryption and decryption
  • AES, 3DES, Blowfish, …
• Public-key crypto = a private key and a public key
  • Sign with the private key, verify with the public key = digital signature (authenticity and integrity)
  • Encrypt with the public key, decrypt with the private key = confidentiality

Slide 24

Slide 24 text

Locate Cryptography
• Which crypto library is used?
  • The platform's JCA providers (javax.crypto / java.security), BouncyCastle, SpongyCastle, etc.
• Does it use a hardcoded crypto key?
• Does it use broken crypto?
  • MD5, RC4, AES in ECB mode, etc.
• Where does it store cryptographic keys? (shared preferences, files on disk, the Android Keystore)

Slide 25

Slide 25 text

Locate Cryptography • In Smali bytecode • Ljavax/crypto/Cipher; • Ljavax/crypto/spec/PBEKeySpec; • Ljavax/crypto/SecretKey; @h4oxer

Slide 26

Slide 26 text

Locate Cryptography
$ grep -r "Ljavax/crypto/Cipher;" file/smali
(file/ is the directory that apktool d file.apk produced; the hits are the methods that create ciphers, so read them for the transformation string and for where the key comes from)
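The grep above finds where ciphers are created; the questions on the two "Locate Cryptography" slides (broken algorithms, hardcoded keys) still need a look at each hit. Added example, not from the slides: a small scanner over apktool's smali output that follows const-string literals into Cipher.getInstance, MessageDigest.getInstance, SecretKeySpec and IvParameterSpec within a method and reports weak transformations, weak digests and literal keys or IVs. SAMPLE_SMALI is a constructed fragment of the kind baksmali emits for a hypothetical class (blank lines removed); the tracking is a per-method heuristic, not full dataflow, so a key built with string concatenation or read from a resource still needs manual review.

```python
"""Scan smali for crypto misuse: weak transformations/digests and hardcoded keys or IVs.
Added example, not from the slides; SAMPLE_SMALI is a constructed baksmali-style fragment."""
import re

SAMPLE_SMALI = """\
.class public final Lcom/example/webview/CryptoUtil;
.super Ljava/lang/Object;
.method public static encrypt([B)[B
    .locals 4
    const-string v0, "AES/ECB/PKCS5Padding"
    invoke-static {v0}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    move-result-object v1
    const-string v3, "0123456789abcdef"
    invoke-virtual {v3}, Ljava/lang/String;->getBytes()[B
    move-result-object v3
    new-instance v2, Ljavax/crypto/spec/SecretKeySpec;
    const-string v0, "AES"
    invoke-direct {v2, v3, v0}, Ljavax/crypto/spec/SecretKeySpec;-><init>([BLjava/lang/String;)V
    const/4 v0, 0x1
    invoke-virtual {v1, v0, v2}, Ljavax/crypto/Cipher;->init(ILjava/security/Key;)V
    invoke-virtual {v1, p0}, Ljavax/crypto/Cipher;->doFinal([B)[B
    move-result-object v0
    return-object v0
.end method
.method public static hash(Ljava/lang/String;)[B
    .locals 2
    const-string v0, "MD5"
    invoke-static {v0}, Ljava/security/MessageDigest;->getInstance(Ljava/lang/String;)Ljava/security/MessageDigest;
    move-result-object v1
    invoke-virtual {p0}, Ljava/lang/String;->getBytes()[B
    move-result-object v0
    invoke-virtual {v1, v0}, Ljava/security/MessageDigest;->digest([B)[B
    move-result-object v0
    return-object v0
.end method
"""

# "AES" alone means AES/ECB/PKCS5Padding in the JCA, so it is as bad as an explicit ECB.
WEAK_TRANSFORM = re.compile(r"^(DES|DESede|RC4|ARCFOUR|Blowfish)(/|$)|/ECB/|^AES$", re.I)
WEAK_DIGEST = {"MD2", "MD5", "SHA", "SHA1", "SHA-1"}

CLASS_RE = re.compile(r"^\.class\s.*?(L[^;]+;)")
METHOD_RE = re.compile(r"^\.method\s.*?(\S+)\(")
CONST_STRING_RE = re.compile(r'^const-string(?:/jumbo)?\s+([vp]\d+),\s+"(.*)"$')
MOVE_RESULT_RE = re.compile(r"^move-result-object\s+([vp]\d+)")
INVOKE_RE = re.compile(r"^invoke-\w+(?:/range)?\s+\{([^}]*)\},\s+(L[^;]+;)->(<?\w+>?)\(")

def scan_smali(text: str) -> list:
    """Return (class->method, issue, detail) tuples; heuristic intra-method literal tracking."""
    findings = []
    cls = method = "?"
    regs = {}        # register -> ("str" | "bytes", literal)
    pending = None   # literal flowing out of the last invoke into the next move-result-object
    for raw in text.splitlines():
        line = raw.strip()
        if m := CLASS_RE.match(line):
            cls = m.group(1)
        elif m := METHOD_RE.match(line):
            method, regs, pending = m.group(1), {}, None
        elif m := CONST_STRING_RE.match(line):
            regs[m.group(1)] = ("str", m.group(2))
        elif m := MOVE_RESULT_RE.match(line):
            if pending:
                regs[m.group(1)] = pending
            else:
                regs.pop(m.group(1), None)   # register now holds something we cannot see
            pending = None
        elif m := INVOKE_RE.match(line):
            args = [a.strip() for a in m.group(1).split(",") if a.strip()]
            owner, name = m.group(2), m.group(3)
            lit = lambda i: regs.get(args[i]) if i < len(args) else None
            where = f"{cls}->{method}"
            pending = None
            if owner == "Ljava/lang/String;" and name == "getBytes" and lit(0):
                pending = ("bytes", lit(0)[1])          # the literal survives getBytes()
            elif (owner, name) == ("Ljavax/crypto/Cipher;", "getInstance"):
                t = lit(0)
                if t is None:
                    findings.append((where, "transformation is not a string constant, inspect manually", None))
                elif WEAK_TRANSFORM.search(t[1]):
                    findings.append((where, "weak cipher transformation", t[1]))
            elif (owner, name) == ("Ljava/security/MessageDigest;", "getInstance"):
                d = lit(0)
                if d and d[1].upper() in WEAK_DIGEST:
                    findings.append((where, "weak digest", d[1]))
            elif owner in ("Ljavax/crypto/spec/SecretKeySpec;", "Ljavax/crypto/spec/IvParameterSpec;") and name == "<init>":
                k = lit(1)                                # args[0] is `this`
                if k:
                    findings.append((where, "hardcoded " + ("key" if "SecretKey" in owner else "IV"), k[1]))
    return findings

if __name__ == "__main__":
    for where, issue, detail in scan_smali(SAMPLE_SMALI):
        print(f"{where}: {issue} {detail or ''}")
```

Run it over every .smali file under the apktool output directory (os.walk plus open/read) and triage the hits; a "weak cipher transformation" on a method that also reports a "hardcoded key" is the common pattern behind "encrypted" local storage that any reverser can decrypt offline.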

Slide 27

Slide 27 text

Locate Cryptography @h4oxer

Slide 28

Slide 28 text


Slide 29

Slide 29 text

Attacking Applications Dynamically @h4oxer

Slide 30

Slide 30 text

Motivation • App might protect itself • Need runtime information • Trigger other code execution paths @h4oxer

Slide 31

Slide 31 text

Tools
• Hooking frameworks: LD_PRELOAD, Frida, Xposed, …
• Emulators: Android SDK emulator, Genymotion, Nathan emulator
• Debuggers: Radare2, IDA Pro, GDB (native code), JDB (Java code, needs android:debuggable), …
• MiTM proxies: mitmproxy, Burp, Charles, …

Slide 32

Slide 32 text

Frida
• Dynamic instrumentation toolkit
• Attaches to (or spawns) a live process
• Injects a JavaScript engine into that process
• You write JavaScript that hooks and calls functions; the client injects and runs it
• frida-server runs on the phone, the client (here Python) runs on the PC

Slide 33

Slide 33 text

Frida – frida_client.py

    import sys
    import frida

    scriptname = sys.argv[1]   # JS hook script to inject
    procname = sys.argv[2]     # target process (package name)

    # callback for messages the injected script emits with send()
    def on_message(message, data):
        print(message)
        print(data)

    with open(scriptname, "r") as fd:
        source = fd.read()

    # connect to frida-server on the USB-attached phone and attach to the running app
    session = frida.get_usb_device().attach(procname)
    script = session.create_script(source)
    script.on('message', on_message)
    script.load()
    sys.stdin.read()           # keep the client alive; the hooks vanish when it exits

Slide 34

Slide 34 text

Frida – hooks.js (hook WebView.loadUrl and report every URL the app loads)

    // Java.perform / Java.use are the current names; the original slide used the older Dalvik.perform / Dalvik.use
    Java.perform(function () {
        var WebView = Java.use("android.webkit.WebView");
        // loadUrl is overloaded, so pick the single-String variant explicitly
        WebView.loadUrl.overload("java.lang.String").implementation = function (s) {
            send(s.toString());                                       // report the URL to the Python client
            this.loadUrl.overload("java.lang.String").call(this, s);  // then run the original
        };
    });

$ python frida_client.py hooks.js com.example.webview

Slide 35

Slide 35 text

Xposed Framework
• Framework for hooking method calls
• Hooks are implemented as Xposed modules
• A module is a separate APK that hooks into other running applications
• Disadvantage: every hook change means rebuilding and reinstalling the module APK (Frida reloads scripts live)
• The XposedBridge jar is injected into every application process through a patched app_process; requires root

Slide 36

Slide 36 text

Xposed Framework – hooking module

    import de.robv.android.xposed.IXposedHookLoadPackage;
    import de.robv.android.xposed.XC_MethodHook;
    import de.robv.android.xposed.XposedBridge;
    import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;
    import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;

    public class Example implements IXposedHookLoadPackage {
        public void handleLoadPackage(final LoadPackageParam lpparam) {
            // only install the hook inside the target application's process
            if (!lpparam.packageName.equals("com.example.webview"))
                return;
            findAndHookMethod("android.webkit.WebView", lpparam.classLoader, "loadUrl", "java.lang.String",
                    new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) {
                    String url = (String) param.args[0];   // first argument of loadUrl(String)
                    XposedBridge.log("URL:" + url);
                }
                @Override
                protected void afterHookedMethod(MethodHookParam param) {
                    // called after the original loadUrl returns
                }
            });
        }
    }

Slide 37

Slide 37 text

SSL 101
• A certificate is an X.509 document that binds a public key to a name and is signed by a Certificate Authority (CA)
• Certificates are issued by CAs
• An Android device ships with a set of trusted root CAs
• SSL validation = check that the server's certificate chains to a trusted root CA and matches the hostname

Slide 38

Slide 38 text

Problem
Application → MiTM: "Identify?"
MiTM → Server: "Identify?"
Server → MiTM: returns its certificate
MiTM → Application: returns the MiTM certificate instead
If the device trusts the MiTM's CA (or the app does not validate at all), the application accepts the MiTM certificate and the proxy reads the traffic.

Slide 39

Slide 39 text

MiTM Attack
• Allows you to test/discover/fuzz the app's APIs
• Install the proxy CA as a trusted user certificate
  • Trusted by all applications on Android < 7.0
• Install it as a trusted system certificate
  • Apps targeting Android 7.0+ (API 24) no longer trust user certificates by default (Network Security Configuration)
  • Requires root: copy the PEM certificate to /system/etc/security/cacerts/<subject_hash_old>.0

Slide 40

Slide 40 text

MiTM Attack
$ mitmproxy -p 3030
$ emulator -avd mitm_device -http-proxy http://localhost:3030
(start the proxy first; then install its CA on the device, e.g. by browsing to http://mitm.it through the proxy)

Slide 41

Slide 41 text

MiTM Attack @h4oxer

Slide 42

Slide 42 text

Countermeasures @h4oxer

Slide 43

Slide 43 text

Countermeasures
• Static protection
  • Obfuscators
  • Packers
• Dynamic protection
  • Root detectors
  • Emulator detectors
  • Integrity checkers
  • SSL pinning

Slide 44

Slide 44 text

SafetyNet Attestation API
• Google's verdict on the integrity of the device and of the calling app
• Result: a signed JWS (JSON Web Signature) whose JWT payload carries ctsProfileMatch / basicIntegrity, the nonce, timestampMs, apkPackageName and the APK signing certificate digest
• The signature chains to attest.android.com and must be verified on your server, together with the nonce, timestamp, package name and certificate digest
• Good protection against dynamic attacks (root, emulators, repackaging) when the verdict is checked server-side, not in the app
• Since deprecated in favour of the Play Integrity API
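Added example, not code from the slides: the server-side checks on the attestation payload. It runs only after a JOSE library has verified the JWS signature and chained the x5c certificate to attest.android.com (that part is deliberately outside this block); the bypasses that matter in practice come from skipping the claim checks below, such as accepting a verdict replayed from another request or issued for a repackaged copy of the app. SAMPLE_TOKEN is constructed: RS256 header, realistic claims for a hypothetical com.example.webview, and placeholder signature bytes.

```python
"""Server-side checks on a SafetyNet attestation payload. Added example, not from the slides;
run only after the JWS signature and x5c chain to attest.android.com have been verified."""
import base64
import hashlib
import json

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def split_jws(token: str):
    """Compact JWS: header.payload.signature, each base64url without padding."""
    header, payload, signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload)), b64url_decode(signature)

def check_attestation(payload: dict, *, expected_nonce: bytes, expected_package: str,
                      expected_cert_digests: set, now_ms: int, max_age_ms: int = 60_000) -> list:
    """Return the reasons to reject; an empty list means the verdict may be acted on."""
    problems = []
    # the nonce is generated server-side per request; SafetyNet echoes it back base64-encoded
    if payload.get("nonce") != base64.b64encode(expected_nonce).decode():
        problems.append("nonce mismatch: token replayed or issued for another request")
    ts = payload.get("timestampMs", 0)
    if not (now_ms - max_age_ms <= ts <= now_ms + 5_000):
        problems.append("timestampMs outside the acceptance window")
    if payload.get("apkPackageName") != expected_package:
        problems.append("apkPackageName mismatch")
    if set(payload.get("apkCertificateDigestSha256", [])) != expected_cert_digests:
        problems.append("signing certificate digest mismatch: repackaged app?")
    if not payload.get("basicIntegrity"):
        problems.append("basicIntegrity false: tampered device (root, unlocked bootloader)")
    if not payload.get("ctsProfileMatch"):
        problems.append("ctsProfileMatch false: device not CTS-compatible (emulator, custom ROM)")
    return problems

# Constructed sample for a hypothetical com.example.webview; the cert digest is the SHA-256 of
# placeholder bytes standing in for the real signing certificate's DER encoding.
SAMPLE_NONCE = b"server-generated-random-nonce-per-request"
SAMPLE_CERT_DIGEST = base64.b64encode(hashlib.sha256(b"constructed signing cert DER").digest()).decode()
SAMPLE_PAYLOAD = {
    "nonce": base64.b64encode(SAMPLE_NONCE).decode(),
    "timestampMs": 1_700_000_000_000,
    "apkPackageName": "com.example.webview",
    "apkCertificateDigestSha256": [SAMPLE_CERT_DIGEST],
    "ctsProfileMatch": True,
    "basicIntegrity": True,
}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "x5c": ["<attest.android.com chain omitted>"]}).encode()),
    b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()),
    b64url_encode(b"\x00" * 256),   # placeholder: a real token carries Google's RSA signature here
])

if __name__ == "__main__":
    _, payload, _ = split_jws(SAMPLE_TOKEN)
    print(check_attestation(payload, expected_nonce=SAMPLE_NONCE, expected_package="com.example.webview",
                            expected_cert_digests={SAMPLE_CERT_DIGEST}, now_ms=1_700_000_010_000))
```

The nonce should bind the verdict to the request it protects (e.g. a hash of the session id and the pending transaction), so that a token obtained on a clean device cannot be replayed from a rooted one; this is also why the check must live on the server, where a Frida or Xposed hook in the app cannot reach it.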

Slide 45

Slide 45 text

Key Take Aways
• Think about a secure design
• Apply a layered approach to security
• Make sure you hack your application first

Slide 46

Slide 46 text

QA? Thank you! @h4oxer