Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The secret life of Android apps

70e6121fd35429c905a1cf35f2b3d0a1?s=47 Artur Hil
November 24, 2021

The secret life of Android apps


Artur Hil

November 24, 2021

More Decks by Artur Hil

Other Decks in Programming


  1. The secret life of Android apps Artur Hil

  2. @s1LentHil Security Engineer CISSP, Breaking the apps to make them

    more secure, Security engineering and architecture We make software to get data security right
  3. @ s1LentHil

  4. What we will talk about • How to setup the

    testing environment • What tools do you need • How to tune those tools • Examples of proper security controls in apps @ s1LentHil
  5. We will not cover • How to root the Android

    Phone • How to bypass the Root detection • How to bypass the TLS pinning • How to reverse engineer the Android apps • How to make money on apps vulnerabilities • How to break the TikTok app to make you account popular @ s1LentHil
  6. You will need 1. macOS or Windows or Linux, but

    we will cover only macOS 2. Burp Suite community or Pro 3. Android studio or Real device, but we will cover only emulator 4. Some app you want to test @ s1LentHil
  7. Environment variables nano ~/.zshrc @ s1LentHil

  8. Create the AVD with AVD manager Android Studio > Tools

    > AVD manager @ s1LentHil
  9. Create the AVD with AVD manager @ s1LentHil

  10. It is your choice to trust @ s1LentHil

  11. Create the AVD with AVD manager @ s1LentHil

  12. Create the AVD with AVD manager @ s1LentHil

  13. Create the AVD with AVD manager @ s1LentHil

  14. Create the AVD with console sdkmanager --install "system-images;android-26;google_apis;x86_64" sdkmanager --list

    @ s1LentHil
  15. Create the AVD with console avdmanager create avd -n Pixel_27

    -d 19 -k 'system-images;android-26;google_apis;x86_64' AVD name Device id (Pixel) Package path of the system image @ s1LentHil
  16. @ s1LentHil

  17. Running through the Burp Suite @ s1LentHil

  18. Running through the Burp Suite @ s1LentHil

  19. GET the ROOT CA @ s1LentHil

  20. ROOT CA to AVD Easy way: Android < v 7.0

    https://portswigger.net/support/installing-burp-suites-ca-certificate-in-an-android-device cacert.der >> cacert.cer @ s1LentHil
  21. ROOT CA to AVD emulator -list-avds Pixel_27 emulator @Pixel_27 -writable-system

    @ s1LentHil
  22. ROOT CA to AVD openssl x509 -inform DER -in cacert.der

    -out cacert.pem openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1 9a5ba575 mv cacert.pem 9a5ba575.0 @ s1LentHil
  23. ROOT CA to AVD adb root restarting adbd as root

    adb remount remount succeeded adb push 9a5ba575.0 /sdcard/ 9a5ba575.0: 1 file pushed, 0 skipped. 1.4 MB/s (1326 bytes in 0.01s) @ s1LentHil
  24. ROOT CA to AVD adb shell generic_x86_64:/ # generic_x86_64:/ #

    mv /sdcard/9a5ba575.0 /system/etc/security/cacerts/ generic_x86_64:/ # chmod 644 /system/etc/security/cacerts/9a5ba575.0 generic_x86_64:/ # reboot @ s1LentHil
  25. @ s1LentHil

  26. @ s1LentHil

  27. @ s1LentHil adb shell pm list packages package:com.example.someapp adb shell

    pm path com.example.someapp package:/data/app/someapp/base.apk adb pull /data/app/someapp/base.apk path/to/desired/destination
  28. @ s1LentHil adb install base.apk Performing Streamed Install Success

  29. Establishes baseline security requirements for mobile apps https://github.com/OWASP/owasp-masvs @ s1LentHil

    Mobile Application Security Verification Standard (MASVS)
  30. Comprehensive manual for mobile app security testing and reverse engineering

    for iOS and Android mobile security testers https://github.com/OWASP/owasp-mstg @ s1LentHil Mobile Security Testing Guide (MSTG)
  31. https://owasp.org/www-project-mobile-top-10/ @ s1LentHil

  32. TLS pining @ s1LentHil MASVS 5.4 The app either uses

    its own certificate store, or pins the endpoint certificate or public key, and subsequently does not establish connections with endpoints that offer a different certificate or key, even if signed by a trusted CA.
  33. Root detection @ s1LentHil MASVS 8.1 The app detects, and

    responds to, the presence of a rooted or jailbroken device either by alerting the user or terminating the app.
  34. @ s1LentHil Developers are building great apps but often they

    don’t pay attention to security. Security people are breaking those apps but often they just break them. Security of the app is endless process.
  35. @ s1LentHil https://book.hacktricks.xyz/mobile-apps-pentesting/android-app-pentesting https://gist.github.com/mrk-han/66ac1a724456cadf1c93f4218c6060ae https://speakerdeck.com/julep/common-ios-vulnerabilities-and-how-to-fix-them https://www.cossacklabs.com/blog/react-native-app-security/ Read more about mobile

    app security
  36. @s1LentHil https://speakerdeck.com/ s1lenthil We help companies to protect their sensitive

    and valuable data.