Slide 1

Slide 1 text

Breaking Android Apps
BY PABLO GUARDIOLA

Slide 2

Slide 2 text

TWITTER @Guardiola31337 BLOG pguardiola.com

Slide 3

Slide 3 text

SECURITY???

Slide 12

Slide 12 text

Android SECURITY Analysis ENVIRONMENT

Android SDK
  SDK Manager (android)
  AVD Manager (android avd)
  Tools: adb, monitor, aapt…
Android Emulator
  HAXM (hardware acceleration for x86 images)
  Analysis apps: SuperSU, RootChecker, ProxyDroid
Python

Slide 13

Slide 13 text

Android EMULATOR

$ emulator -avd Android511 -scale 0.9 -no-boot-anim -partition-size 384 -qemu -redir tcp:22222::22

-partition-size 384 enlarges /system and /data so extra tools fit; -qemu -redir tcp:22222::22 forwards host port 22222 to guest port 22 (host-port::guest-port), e.g. for an SSH server inside the emulator.

Slide 14

Slide 14 text

Android Debug Bridge (adb)

$ adb devices                                  (List attached devices and running emulators)
$ adb -d <command>                             (Target the only USB device)
$ adb -e <command>                             (Target the only running emulator)
$ adb -s <serial> <command>                    (Target a specific serial, e.g. emulator-5554)
$ adb install file.apk
$ adb uninstall com.package.name
$ adb push <local> <remote>
$ adb pull <remote> <local>
$ adb shell [command]
$ adb logcat
$ adb forward tcp:<local-port> tcp:<remote-port>

Slide 15

Slide 15 text

Android Emulator CONSOLE

$ nc localhost 5554
> redir list
> redir add tcp:22222:22                       (host-port:guest-port)
> network status
> network speed <speed>
> network delay [gprs | edge | …]
> gsm call <phone-number>
> sms send <phone-number> <text>
> geo fix <longitude> <latitude>
> power ac [on | off]
> power display

The console port is the even number in the emulator serial (emulator-5554 listens on 5554). Emulator releases newer than the one used here first require "auth <token>" with the token from ~/.emulator_console_auth_token.

Slide 16

Slide 16 text

ROOT the Android Emulator

$ adb -s emulator-5554 start-server
$ adb -s emulator-5554 shell mount -o remount,rw /system
$ adb -s emulator-5554 push su /system/xbin/su
$ adb -s emulator-5554 shell chmod 0755 /system/xbin/su
$ adb -s emulator-5554 push su /system/bin/su
$ adb -s emulator-5554 shell chmod 0755 /system/bin/su
$ adb -s emulator-5554 shell su --install
$ adb -s emulator-5554 shell "su --daemon&"
$ adb -s emulator-5554 shell setenforce 0
$ adb -s emulator-5554 install supersu_v2.46.apk
$ adb -s emulator-5554 shell mount -o remount,ro /system

This works because adbd already runs as root on the stock (non-Google APIs) emulator images, which is what lets /system be remounted read-write. The su binary must match the AVD's ABI (x86 for a HAXM-accelerated image); setenforce 0 puts SELinux in permissive mode so the su daemon is not blocked.

Slide 19

Slide 19 text

Security Analysis METHODOLOGIES

BEHAVIORAL
STATIC
DYNAMIC

Slide 20

Slide 20 text

BEHAVIORAL Analysis NETWORK

Slide 21

Slide 21 text

NETWORK Analysis

CAPTURE and INTERCEPT network TRAFFIC
DETERMINE:
  End-points
  Data transmitted
  Protocols and ports
  Encoding
  Encryption

Slide 22

Slide 22 text

EVALUATING traffic and certificate validation

Does the app accept ANY certificate that chains to a "TRUSTED" CA (no pinning)?
Does the app ACCEPT ANY certificate as VALID (TrustManager that never throws)?
Does the app CONTINUE after a certificate WARNING or ERROR?
Does the app LEVERAGE certificate PINNING?
WHERE is the LOCAL certificate copy (assets, res/raw, hard-coded)?

Slide 23

Slide 23 text

Android EMULATOR

$ emulator -avd Android511 -scale 0.9 -http-proxy 127.0.0.1:8081 -no-boot-anim -partition-size 384 -qemu -redir tcp:22222::22

-http-proxy 127.0.0.1:8081 sends the emulator's HTTP(S) traffic through the Burp listener started below. Apps that use raw sockets ignore the proxy setting.

Slide 24

Slide 24 text

Run BURP proxy

$ java -jar burpsuite_free_v1.6.28.jar
Proxy > Options > Proxy Listeners > Add > Binding > Port 8081, All interfaces

Binding to all interfaces is only needed when a physical device (e.g. via ProxyDroid) must reach the listener; the emulator with -http-proxy 127.0.0.1:8081 would work on loopback alone. For HTTPS, export Burp's CA certificate and install it on the emulator (Settings > Security > Install from storage); otherwise a correctly written app rejects the intercepted connection, which is itself one of the validation checks above.

Slide 25

Slide 25 text

Let’s hack!!!

Slide 28

Slide 28 text

Network PROTECTIONS

HTTPS - TLS: Digital certificate + CA
Common server-certificate verification failures with HttpsURLConnection:
  Unknown CA
  Self-signed server certificate
  Missing intermediate CA
Do not rely on end-user trust decisions (never "continue anyway" after a certificate error)
Use a custom X509TrustManager; do not rely only on the root or intermediate authority chains
Certificate Pinning

Slide 29

Slide 29 text

Network PROTECTIONS: ENCRYPTING network connections

DETECT and LOG unencrypted traffic (Android Marshmallow, API 23):
  StrictMode detectCleartextNetwork()
  NetworkSecurityPolicy: is clear-text network traffic allowed?
  android:usesCleartextTraffic in the manifest: change it to "false"
https://koz.io/android-m-and-the-war-on-cleartext-traffic/
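
How the StrictMode side of this is wired up, as an added example rather than code from the deck: an Application subclass that logs cleartext sockets in debug builds and kills the process on them in release builds. It assumes the app's generated BuildConfig is in the same package; the declarative counterpart is android:usesCleartextTraffic="false" on the application element of the manifest, which HttpURLConnection and Marshmallow-aware HTTP stacks honor.

```java
import android.app.Application;
import android.os.Build;
import android.os.StrictMode;

/** Added example: detect accidental HTTP (cleartext) connections. Requires API 23 for the cleartext detector. */
public class SecureApplication extends Application {

    @Override
    public void onCreate() {
        super.onCreate();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            StrictMode.VmPolicy.Builder policy = new StrictMode.VmPolicy.Builder()
                    .detectCleartextNetwork();  // inspects outgoing sockets for unencrypted protocols
            if (BuildConfig.DEBUG) {
                // Development: each offending socket shows up in logcat under the "StrictMode" tag.
                policy.penaltyLog();
            } else {
                // Production: better to crash than to leak the payload over plain HTTP.
                policy.penaltyDeathOnCleartextNetwork();
            }
            StrictMode.setVmPolicy(policy.build());
        }
    }
}
```

The detector is heuristic (it looks at the first bytes a socket sends), so it complements rather than replaces the manifest flag; the manifest flag in turn is only enforced by libraries that consult NetworkSecurityPolicy, not by raw sockets.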

Slide 30

Slide 30 text

BEHAVIORAL Analysis NETWORK FILESYSTEM

Slide 31

Slide 31 text

FILESYSTEM Analysis

INSPECT the app SANDBOX: /data/data/com.organization.app (databases/, shared_prefs/, files/, cache/)
Look for SENSITIVE DATA stored in clear
DISABLE backup (android:allowBackup="false"), otherwise the whole sandbox can be pulled with adb backup as shown next

Slide 32

Slide 32 text

Get a BACKUP

$ adb shell pm list packages | grep "<name>"
$ adb backup -apk -obb com.organization.app        (writes backup.ab in the current directory)
$ java -jar abe.jar unpack backup.ab backup.tar     (abe = Android Backup Extractor)
$ tar xvf backup.tar

No root needed, but it only works while the app leaves android:allowBackup at its default of "true" and the user confirms the backup on the device.

Slide 34

Slide 34 text

Storing PROTECTIONS

INTERNAL storage: Encrypt data with a key that is not available from inside the app sandbox (Android Keystore, supported from 4.3+)
EXTERNAL storage: Perform input validation; it is shared with every other app that holds the storage permission
CONTENT PROVIDERS: Keep them private, android:exported="false"

Slide 35

Slide 35 text

BEHAVIORAL Analysis NETWORK FILESYSTEM LOGGING

Slide 36

Slide 36 text

LOGGING Analysis

$ adb logcat
$ adb shell
  > logcat
$ adb logcat -s <tag>                                   (Filter by tag)
$ adb logcat -c                                         (Clear log)
$ adb logcat -d                                         (Show log and stop)
$ adb logcat -d -b main > main.txt                      (Dump the main log buffer)
$ adb logcat -d | findstr /I /R "http https user pass…"  (Windows; use grep -iE on Linux/macOS)

Slide 37

Slide 37 text

Logging PROTECTIONS

LOGS should NOT contain SENSITIVE info
BEFORE 4.1 (API 16), 3rd-party apps holding READ_LOGS could ACCESS the system LOG, including other apps' output
Be careful with Log.d() statements: strip them from release builds, they are still readable with adb on any device

Slide 38

Slide 38 text

STATIC Analysis Retrieving APKs

Slide 39

Slide 39 text

RETRIEVING APKs

ROOTED device:
  /data/app/*.apk
  /system/[priv-]app/*.apk
Without root: adb shell pm path com.organization.app, then adb pull the path it prints
DOWNLOADING:
  http://apps.evozi.com/apk-downloader/
  https://apkpure.com/

Slide 40

Slide 40 text

Retrieving APKs aapt (build-tools) STATIC Analysis

Slide 41

Slide 41 text

ANDROID ASSET PACKAGING TOOL (aapt)

INSPECT APK contents:
$ aapt list -a app.apk                              (List app contents)
$ aapt dump permissions app.apk                     (App permissions)
$ aapt dump xmltree app.apk AndroidManifest.xml     (Binary manifest printed as a tree)
$ aapt dump strings app.apk                         (App strings)
$ aapt dump resources app.apk                       (App resources)
CHANGE APK contents:
$ aapt package …

Slide 42

Slide 42 text

Retrieving APKs aapt (build-tools) Manifest.xml analysis STATIC Analysis

Slide 43

Slide 43 text

Manifest.xml Analysis

What to look at:
  API levels (minSdkVersion / targetSdkVersion)
  Android permissions
  App components declaration (exported activities, services, receivers, providers)
The manifest inside the APK is binary XML; AXMLPrinter2 decodes it:
$ java -jar AXMLPrinter2.jar AndroidManifest.xml > AndroidManifest.xml.txt

Slide 45

Slide 45 text

STATIC Analysis Retrieving APKs aapt (build-tools) Manifest.xml analysis Decompiling apps

Slide 46

Slide 46 text

DECOMPILING Apps

Understand FUNCTIONALITY
Understand app COMPONENTS
Inspect source CODE
Perform SENSITIVE searches (keys, URLs, passwords, crypto usage)

Slide 47

Slide 47 text

DECOMPILING Apps

dex2jar:   $ sh d2j-dex2jar.sh base.apk
enjarify:  $ sh enjarify.sh base.apk -o base.jar
jd-gui:    $ java -jar jd-gui-1.4.0.jar
jadx:      $ bin/jadx-gui lib/jadx-core-*.jar

Slide 49

Slide 49 text

Retrieving APKs aapt (build-tools) Manifest.xml analysis Decompiling apps Protections STATIC Analysis

Slide 50

Slide 50 text

Static PROTECTIONS

Minimize the PERMISSIONS required
Minimize app components EXPOSURE
Validate the Signing CERTIFICATE of callers
…
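
"Validate Signing CERTIFICATE" spelled out as an added example (not code from the deck): a component that has to stay exported checks that the calling UID's package is signed with a known certificate before doing anything. It must run on a Binder thread (an AIDL method body, ContentProvider.query/insert, and so on), because there Binder.getCallingUid() identifies the remote caller; called from an Activity lifecycle method it would return the app's own UID. The digest is a placeholder.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Binder;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Set;

/** Added example: allow only callers signed with a known certificate. */
public final class CallerCheck {

    // SHA-256 of the trusted caller's DER-encoded signing certificate. Placeholder value; obtain the real one with
    // "keytool -printcert -jarfile caller.apk".
    private static final Set<String> TRUSTED_SIGNER_SHA256 = Collections.singleton(
            "0000000000000000000000000000000000000000000000000000000000000000");

    private CallerCheck() {}

    @SuppressWarnings("deprecation")  // GET_SIGNATURES is the API available on the Android versions this deck covers
    public static boolean callerIsTrusted(Context ctx) {
        int uid = Binder.getCallingUid();
        PackageManager pm = ctx.getPackageManager();
        String[] pkgs = pm.getPackagesForUid(uid);
        if (pkgs == null || pkgs.length == 0) {
            return false;  // unknown UID: fail closed
        }
        // Packages sharing a UID share a signing certificate, so every one of them must pass.
        for (String pkg : pkgs) {
            try {
                PackageInfo pi = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
                // Require exactly one signer so an extra, unexpected certificate cannot ride along.
                if (pi.signatures == null || pi.signatures.length != 1) {
                    return false;
                }
                if (!TRUSTED_SIGNER_SHA256.contains(sha256Hex(pi.signatures[0].toByteArray()))) {
                    return false;
                }
            } catch (Exception e) {
                return false;  // NameNotFoundException or digest failure: fail closed
            }
        }
        return true;
    }

    static String sha256Hex(byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

This is also why the apktool re-sign procedure later in the deck breaks such apps: the rebuilt APK carries the tester's certificate, not the original one.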

Slide 51

Slide 51 text

DYNAMIC Analysis Manipulating components

Slide 52

Slide 52 text

Manipulating COMPONENTS

Evaluate the AndroidManifest
Inspect source code
Custom code to invoke components
drozer

Slide 53

Slide 53 text

drozer

$ adb install agent.apk                    (drozer Agent)
Run the Embedded Server from the drozer Agent
$ adb forward tcp:31415 tcp:31415
$ drozer console connect
dz> list                                                        (List available modules)
dz> run app.package.list                                        (List all apps installed)
dz> run app.package.info -a com.organization.name               (App info)
dz> run app.package.attacksurface com.organization.name         (App attack surface)
dz> run app.package.debuggable                                  (List debuggable apps)
dz> run app.activity.start --component com.organization.name com.organization.name.Activity

Slide 55

Slide 55 text

DYNAMIC Analysis Manipulating components Debugging apps

Slide 56

Slide 56 text

DEBUGGING Apps

CONTROL execution
Debuggable apps (android:debuggable="true"): Play Store ≈5%
dz> run app.package.debuggable -f com.organization.name
Tools: Android Studio (AS) or Device Monitor

Slide 57

Slide 57 text

DYNAMIC Analysis Manipulating components Debugging apps Manipulating apps

Slide 58

Slide 58 text

Disassembling APPS

Disassembly + Re-assembly = Valid app
  Disable emulator or root detection
  Force HTTP instead of HTTPS
  Change app functionality

Slide 59

Slide 59 text

Disassembling APPS: apktool

$ apktool d <app>.apk                (decode to smali + resources in a directory named after the APK)
$ apktool b <dir>                    (rebuild; output lands in <dir>/dist/)

Sign, verify and align the APK:
$ keytool -genkey -v -keystore keys/keyName.keystore -alias keyNameAlias -keyalg RSA -keysize 2048 -validity 7300
$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore keys/keyName.keystore target.apk keyNameAlias
$ jarsigner -verify -verbose -certs target.apk
$ zipalign -v 4 target.apk target-aligned.apk

The rebuilt APK is signed with your key, not the developer's, so it will not install over the original (uninstall first) and any in-app signature check will notice.

Slide 61

Slide 61 text

DYNAMIC Analysis Manipulating components Debugging apps Manipulating apps MitM

Slide 62

Slide 62 text

Man in the Middle

Manipulate HTTP(S) traffic: Requests / Responses
Burp
ProxyDroid

Slide 63

Slide 63 text

DYNAMIC Analysis Manipulating components Debugging apps Manipulating apps MitM Protections

Slide 64

Slide 64 text

Dynamic PROTECTIONS

WebView: Be careful with setJavaScriptEnabled(), especially combined with addJavascriptInterface(), which exposes Java objects to page scripts

Slide 65

Slide 65 text

Dynamic PROTECTIONS WebView: Be careful with setJavaScriptEnabled() Check Emulation

Slide 66

Slide 66 text

Check EMULATION

import android.content.Context;
import android.telephony.TelephonyManager;

// Heuristic: stock emulator images report "Android" as the SIM and network operator.
// Trivial to defeat by patching the smali (see "Disassembling apps"), so treat it as a speed bump, not a control.
public boolean checkEmulation() {
    TelephonyManager mng = (TelephonyManager) getApplicationContext()
            .getSystemService(Context.TELEPHONY_SERVICE);
    // Literal first: the operator name can be null on a device without a SIM.
    return "Android".equals(mng.getSimOperatorName())
            || "Android".equals(mng.getNetworkOperatorName());
}

Slide 67

Slide 67 text

Dynamic PROTECTIONS WebView: Be careful with setJavaScriptEnabled() Check Emulation Check Debugging

Slide 68

Slide 68 text

Check DEBUGGING

import android.os.Debug;

// True only while a JDWP debugger is attached at the moment of the call; re-check on sensitive paths.
public boolean checkDebugging() {
    return Debug.isDebuggerConnected();
}

Slide 71

Slide 71 text

CONCLUSIONS

We should BE HACKERS from time to time
It's EASY
SECURITY means QUALITY
QUALITY means SUCCESS

Slide 72

Slide 72 text

Thank you! @Guardiola31337 pguardiola.com

Slide 73

Slide 73 text

REFERENCES

http://developer.android.com/
https://portswigger.net/burp/
https://koz.io/android-m-and-the-war-on-cleartext-traffic/
https://code.google.com/archive/p/android4me/downloads
https://github.com/pxb1988/dex2jar
https://github.com/google/enjarify
https://github.com/java-decompiler/jd-gui
https://github.com/skylot/jadx
https://labs.mwrinfosecurity.com/tools/drozer/
http://ibotpeaches.github.io/Apktool/