NETWORK Analysis
CAPTURE and INTERCEPT network TRAFFIC
DETERMINE:
End-points
Data transmitted
Protocols and ports
Encoding
Encryption
EVALUATING traffic and certificate validation
Does app VALIDATE ANY “TRUSTED” certificate?
Does app ACCEPT ANY certificate as VALID?
Does app CONTINUE after a certificate WARNING or ERROR?
Does app LEVERAGE certificate PINNING?
WHERE is the LOCAL certificate copy?
Run BURP proxy
$ java -jar burpsuite_free_v1.6.28.jar
Proxy > Options > Proxy Listeners > Add >
Binding > Port 8081 All interfaces
Let’s hack!!!
Network PROTECTIONS
HTTPS - TLS: Digital certificate + CA
Self-signed server certificate
Missing intermediate CA
Unknown CA
Verifying server certificate: HttpsURLConnection
Do not rely on end-user trust decisions
Use a custom X509TrustManager
Do not rely on root or intermediate authority chains
Certificate Pinning
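As an added example (not from the slides), a custom X509TrustManager for HttpsURLConnection that keeps the platform's normal chain validation and adds public-key pinning on top, so a certificate that is merely "trusted" by the device store or accepted by the user is still rejected. The class name and the PINS values are my own placeholders; real pins are computed from certificates you control.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;   // API 26+; on older Android use android.util.Base64
import javax.net.ssl.*;

public final class PinningTrustManager implements X509TrustManager {
    // Base64(SHA-256(SubjectPublicKeyInfo)) of the server key plus one backup key.
    // PLACEHOLDER values: compute the real ones from certificates you control.
    private static final String[] PINS = {
        "PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=", "PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=" };
    private final X509TrustManager system;   // the platform's own validator, still applied first

    public PinningTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null = default trust store
        system = (X509TrustManager) tmf.getTrustManagers()[0];   // assumed to be the X509 manager
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        system.checkServerTrusted(chain, authType);   // expiry, signatures, trusted root
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (X509Certificate cert : chain) {   // leaf or any intermediate may carry the pin
                byte[] spki = cert.getPublicKey().getEncoded();   // DER SubjectPublicKeyInfo
                String pin = Base64.getEncoder().encodeToString(sha256.digest(spki));
                if (Arrays.asList(PINS).contains(pin)) return;
            }
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
        throw new CertificateException("no certificate in the chain matches a pinned public key");
    }

    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
        system.checkClientTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return system.getAcceptedIssuers(); }

    // Attach the manager to one HttpsURLConnection; hostname verification stays on by default.
    public static HttpsURLConnection open(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinningTrustManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

Keep a backup pin and a key-rotation plan, otherwise a server key change locks every installed client out.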
Network PROTECTIONS
ENCRYPTING network connections
Android Marshmallow: NetworkSecurityPolicy, is clear-text network traffic allowed?
Change android:usesCleartextTraffic to "false"
StrictMode detectCleartextNetwork: DETECT and LOG unencrypted traffic
https://koz.io/android-m-and-the-war-on-cleartext-traffic/
BEHAVIORAL Analysis
NETWORK
FILESYSTEM
FILESYSTEM Analysis
INSPECT App SANDBOX
/data/data/com.organization.app
DISABLE backup SENSITIVE DATA
Get a BACKUP
$ java -jar abe.jar unpack backup.ab backup.tar
$ adb shell pm list packages | grep ""
$ adb backup -apk -obb com.organization.app
$ tar xvf backup.tar
Storing
PROTECTIONS
INTERNAL storage
Encrypt data with a key not available from the app
EXTERNAL storage
Perform input validation
CONTENT PROVIDERS
Keep them private
android:exported="false"
Android keystore supported 4.3+
Logging
PROTECTIONS
LOGS should NOT contain SENSITIVE info
BEFORE 4.1 (API 16) 3rd party apps could ACCESS system LOGS
Be careful with Log.d() statements
drozer
$ drozer console connect
Run Embedded Server from drozer Agent
$ adb forward tcp:31415 tcp:31415
$ adb install agent.apk (drozer Agent)
dz> run app.package.debuggable (List debuggable apps)
dz> run app.activity.start --component com.organization.name com.organization.name.Activity
dz> run app.package.info -a com.organization.name (App info)
dz> list (List available modules)
dz> run app.package.list (List all apps installed)
dz> run app.package.attacksurface com.organization.name (App attack surface)
DEBUGGING Apps
CONTROL execution
Debuggable apps Play Store ≈5%
Tools: AS or Device Monitor
dz> run app.package.debuggable -f com.organization.name
android:debuggable="true"