$30 off During Our Annual Pro Sale. View Details »

The secret life of Android apps

Artur Hil
November 24, 2021
Programming
0
230

The secret life of Android apps

Artur Hil

November 24, 2021
Tweet

More Decks by Artur Hil

See All by Artur Hil
Security Headers, why should we care
s1lenthil
1
52
Content Security Policy bypass techniques
s1lenthil
0
55

Other Decks in Programming

See All in Programming
From Spring Boot 2 to Spring Boot 3 with Java 21 and Jakarta EE
ivargrimstad
0
200
Amazon Lookout for Vision デモ / 20231208-aws_seminar-02-lookout-vision-demo
kasacchiful
0
160
コンピュータグラフィクスの空
fadis
6
1.4k
個人開発がおすすめな理由
texmeijin
3
640
Modern Java for the Masses! Is Java Still Relevant?
deepu105
1
470
BigQuery のデータ品質やデータ活用を高める Dataplex 等の活用
mot_techtalk
5
1k
Accelerating App Dev with Cloudflare Workers
chimame
1
210
Firebase Hostingを使ってPasskeyをandroidアプリで試してみよう
ryunen344
1
340
エンジニアもUIを作るならユーザーについて知ろう!
ohakutsu
1
130
緊急SOS!KubernetesのCompletedな10万Jobぜんぶ消す
tk3fftk
3
440
Open Source - A Journey of Contribution and Collaboration
ivargrimstad
0
1k
Unity Searchを拡張して高度な検索型UIを実現する
trapezoid
0
580

Featured

See All Featured
How STYLIGHT went responsive
nonsquared
89
4.5k
GitHub's CSS Performance
jonrohan
1021
440k
Intergalactic Javascript Robots from Outer Space
tanoku
264
26k
Automating Front-end Workflow
addyosmani
1354
200k
Creatively Recalculating Your Daily Design Routine
revolveconf
208
11k
Bootstrapping a Software Product
garrettdimon
PRO
299
110k
Code Review Best Practice
trishagee
53
14k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
219
21k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
1
900
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
140k
How GitHub Uses GitHub to Build GitHub
holman
467
280k
Documentation Writing (for coders)
carmenintech
55
3.5k

Transcript

  1. The secret life of Android
    apps
    Artur Hil

    View Slide

  2. @s1LentHil
    Security Engineer
    CISSP,
    Breaking the apps to make them more secure,
    Security engineering and architecture
    We make software
    to get data security right

    View Slide

  3. @
    s1LentHil

    View Slide

  4. What we will talk about
    ● How to setup the testing environment
    ● What tools do you need
    ● How to tune those tools
    ● Examples of proper security controls in apps
    @
    s1LentHil

    View Slide

  5. We will not cover
    ● How to root the Android Phone
    ● How to bypass the Root detection
    ● How to bypass the TLS pinning
    ● How to reverse engineer the Android apps
    ● How to make money on apps vulnerabilities
    ● How to break the TikTok app to make you account popular
    @
    s1LentHil

    View Slide

  6. You will need
    1. macOS or Windows or Linux, but we will cover only macOS
    2. Burp Suite community or Pro
    3. Android studio or Real device, but we will cover only emulator
    4. Some app you want to test
    @
    s1LentHil

    View Slide

  7. Environment variables
    nano ~/.zshrc
    @
    s1LentHil

    View Slide

  8. Create the AVD with AVD manager
    Android Studio > Tools > AVD manager
    @
    s1LentHil

    View Slide

  9. Create the AVD with AVD manager
    @
    s1LentHil

    View Slide

  10. It is your choice to trust
    @
    s1LentHil

    View Slide

  11. Create the AVD with AVD manager
    @
    s1LentHil

    View Slide

  12. Create the AVD with AVD manager
    @
    s1LentHil

    View Slide

  13. Create the AVD with AVD manager
    @
    s1LentHil

    View Slide

  14. Create the AVD with console
    sdkmanager --install "system-images;android-26;google_apis;x86_64"
    sdkmanager --list
    @
    s1LentHil

    View Slide

  15. Create the AVD with console
    avdmanager create avd -n Pixel_27 -d 19 -k 'system-images;android-26;google_apis;x86_64'
    AVD name Device id (Pixel) Package path of the system image
    @
    s1LentHil

    View Slide

  16. @
    s1LentHil

    View Slide

  17. Running through the Burp Suite
    @
    s1LentHil

    View Slide

  18. Running through the Burp Suite
    @
    s1LentHil

    View Slide

  19. GET the ROOT CA
    @
    s1LentHil

    View Slide

  20. ROOT CA to AVD
    Easy way:
    Android < v 7.0
    https://portswigger.net/support/installing-burp-suites-ca-certificate-in-an-android-device
    cacert.der >> cacert.cer
    @
    s1LentHil

    View Slide

  21. ROOT CA to AVD
    emulator -list-avds
    Pixel_27
    emulator @Pixel_27 -writable-system
    @
    s1LentHil

    View Slide

  22. ROOT CA to AVD
    openssl x509 -inform DER -in cacert.der -out cacert.pem
    openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1
    9a5ba575
    mv cacert.pem 9a5ba575.0
    @
    s1LentHil

    View Slide

  23. ROOT CA to AVD
    adb root
    restarting adbd as root
    adb remount
    remount succeeded
    adb push 9a5ba575.0 /sdcard/
    9a5ba575.0: 1 file pushed, 0 skipped. 1.4 MB/s (1326 bytes in 0.01s)
    @
    s1LentHil

    View Slide

  24. ROOT CA to AVD
    adb shell
    generic_x86_64:/ #
    generic_x86_64:/ # mv /sdcard/9a5ba575.0 /system/etc/security/cacerts/
    generic_x86_64:/ # chmod 644 /system/etc/security/cacerts/9a5ba575.0
    generic_x86_64:/ # reboot
    @
    s1LentHil

    View Slide

  25. @
    s1LentHil

    View Slide

  26. @
    s1LentHil

    View Slide

  27. @
    s1LentHil
    adb shell pm list packages
    package:com.example.someapp
    adb shell pm path com.example.someapp
    package:/data/app/someapp/base.apk
    adb pull /data/app/someapp/base.apk path/to/desired/destination

    View Slide

  28. @
    s1LentHil
    adb install base.apk
    Performing Streamed Install
    Success

    View Slide

  29. Establishes baseline security requirements for mobile apps
    https://github.com/OWASP/owasp-masvs
    @
    s1LentHil
    Mobile Application Security Verification
    Standard (MASVS)

    View Slide

  30. Comprehensive manual for mobile app security testing and reverse
    engineering for iOS and Android mobile security testers
    https://github.com/OWASP/owasp-mstg
    @
    s1LentHil
    Mobile Security Testing Guide (MSTG)

    View Slide

  31. https://owasp.org/www-project-mobile-top-10/
    @
    s1LentHil

    View Slide

  32. TLS pining
    @
    s1LentHil
    MASVS 5.4
    The app either uses its own certificate store, or pins the endpoint
    certificate or public key, and subsequently does not establish
    connections with endpoints that offer a different certificate or key, even
    if signed by a trusted CA.

    View Slide

  33. Root detection
    @
    s1LentHil
    MASVS 8.1
    The app detects, and responds to, the presence of a
    rooted or jailbroken device either by alerting the user or
    terminating the app.

    View Slide

  34. @
    s1LentHil
    Developers are building great apps but often they don’t pay attention to security.
    Security people are breaking those apps but often they just break them.
    Security of the app is endless process.

    View Slide

  35. @
    s1LentHil
    https://book.hacktricks.xyz/mobile-apps-pentesting/android-app-pentesting
    https://gist.github.com/mrk-han/66ac1a724456cadf1c93f4218c6060ae
    https://speakerdeck.com/julep/common-ios-vulnerabilities-and-how-to-fix-them
    https://www.cossacklabs.com/blog/react-native-app-security/
    Read more about mobile app security

    View Slide

  36. @s1LentHil
    https://speakerdeck.com/
    s1lenthil
    We help companies to
    protect their sensitive
    and valuable data.

    View Slide