
Don’t get stung by OWASP - Episode II


In this second session, we will take a further dive into more of OWASP's top 10 threats for mobile security, the common Android security pitfalls we all succumb to, and look at how we may code with a more security-focused mindset going forward.

Ed Holloway-George

July 26, 2022


Transcript

  1. Don’t get stung by OWASP
    Episode II


    @Sp4ghettiCode / spght.dev - Android Worldwide July 2022
    - Ed Holloway-George


  2. @Sp4ghettiCode / spght.dev
    • Senior Android Dev @ ASOS


    • Dad to a Pomeranian


    • Security ‘enthusiast’


    (Please please note: NOT expert)


    Find me on social:


    • @Sp4ghettiCode


    • spght.dev/talks


    • Follow me for more! (And dog pictures)
    Who am I? I’m this
    one.
    This is not
    me.


  3. @Sp4ghettiCode / spght.dev
    Talk Agenda
    AKA - What I hope I have enough time to cover
    • Introduction to more of the OWASP Top 10


    • Address the most common mistakes in our apps


    • Q&A


    • Bedtime (for me at least!)


  4. @Sp4ghettiCode / spght.dev
    ⚠ MANDATORY LEGAL WARNING ⚠
    You know, just in case someone goofs up later.
    • Anything you learn here is to be used for
    educational purposes ONLY


    • Do NOT test on apps you are not authorised to use


    • Please consider seeking your company’s security
    advice from someone that knows a lot more than me!


    • This talk is NOT associated with and/or endorsed
    by the OWASP Foundation or my employer!


  5. @Sp4ghettiCode / spght.dev
    ⚡ Re-intro to OWASP


  6. @Sp4ghettiCode / spght.dev
    ‘Who’ or ‘What’ is OWASP?
    • Open Web Application Security Project


    • Non-profit OWASP Foundation created in 2001


    • Provides free security resources for developers &
    organisations alike


    • Also maintains ‘Top 10’ list(s) of the greatest security
    threats to application security


  7. @Sp4ghettiCode / spght.dev
    Top 10 Mobile Threats
    Source: owasp.org/www-project-mobile-top-10 (Last updated 2016)
    1. Improper Platform Usage


    2. Insecure Data Storage


    3. Insecure Communication


    4. Insecure Authentication


    5. Insufficient Cryptography
    PART 1 OF THIS TALK NOW AVAILABLE ON ANDROID WW’S YOUTUBE:
    youtu.be/HRJw8RIgbSg
    spght.dev/talks


  8. @Sp4ghettiCode / spght.dev
    Next 10 Mobile Threats
    Source: owasp.org/www-project-mobile-top-10 (Last updated 2016)
    1. Improper Platform Usage


    2. Insecure Data Storage


    3. Insecure Communication


    4. Insecure Authentication


    5. Insufficient Cryptography
    6. Insecure Authorisation


    7. Client Code Quality


    8. Code Tampering


    9. Reverse Engineering


    10. Extraneous Functionality


  9. @Sp4ghettiCode / spght.dev
    Insecure Authorisation
    #6 OWASP Threat
    YOUR
    PERMISSIONS


  10. @Sp4ghettiCode / spght.dev
    Insecure Authorisation
    AKA - I don’t think you’re allowed to do that…
    • Authorisation != Authentication


    • Authentication = Proving your identity


    • Authorisation = Performing an action with permission


    • E.g. Logging in to Twitter


    • Authentication via email + password


    • Authorisation permits you to view your DMs (and not mine)


  11. @Sp4ghettiCode / spght.dev
    Introducing ‘Smart Sheriff’
    South Korea’s answer to ‘How insecure can we make an app’
    • Smart Sheriff was a 2015 government
    mandated parental monitoring mobile
    app in South Korea


    • By LAW must be installed on anyone
    under the age of 19’s phone


    • Gave parents the ability to monitor
    web searches, block sites and snoop
    on messages


    • Amazing talk: Smart Sheriff, Dumb
    Idea by Abraham Aranguren & Fabian Fäßler


  12. @Sp4ghettiCode / spght.dev
    Introducing ‘Smart Sheriff’
    South Korea’s answer to ‘How insecure can we make an app’
    • The app had an API to retrieve
    lost passwords for child accounts
    that could be called by any user


    • Passing in a mobile number would
    return either the app’s password
    or the mobile number of the
    child’s parent 🤦


    • Trivial to traverse phone numbers
    to gain privileged info


    • Pen-test link @ spght.dev/talks
    Image: 7asecurity.com


  13. @Sp4ghettiCode / spght.dev
    Insecure Authorisation
    How to avoid it!
    • When using authorised APIs


    • Use the minimum required permissions for call


    • Verify any user roles server-side


    • Avoid using role/permission information that comes from
    the mobile device itself
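    The Smart Sheriff flaw from the previous slides, rewritten as an added Kotlin example (this is not code from the talk or from the app): a hypothetical server-side handler for a "recover the child's app password" request, shown first in its vulnerable form and then in a version that applies the three rules on this slide. The account data, the names and the `Outcome` type are constructed for illustration.

```kotlin
// Added example, not from the talk: a server-side "recover password" handler
// modelled on the Smart Sheriff API. Names and data are constructed.

data class ChildAccount(val phone: String, val parentUserId: String, val appPassword: String)

// Constructed sample records standing in for the server's database.
val accounts: Map<String, ChildAccount> = listOf(
    ChildAccount("07700900001", parentUserId = "parent-a", appPassword = "pin-1234"),
    ChildAccount("07700900002", parentUserId = "parent-b", appPassword = "pin-5678"),
).associateBy { it.phone }

sealed class Outcome {
    data class Granted(val password: String) : Outcome()
    object Denied : Outcome() { override fun toString() = "Denied" }
}

// Vulnerable shape: whoever can reach the endpoint gets the password for any
// number they care to pass in, and unknown numbers answer differently, so the
// number space can be walked to find real accounts.
fun recoverPasswordInsecure(phone: String): Outcome =
    accounts[phone]?.let { Outcome.Granted(it.appPassword) } ?: Outcome.Denied

// Hardened shape: the caller must be authenticated, and the server decides
// from ITS OWN records whether that caller is the parent linked to the child.
// Nothing the device sends about its role ("isParent", "admin") is consulted.
fun recoverPassword(authenticatedUserId: String?, phone: String): Outcome {
    if (authenticatedUserId == null) return Outcome.Denied              // not logged in
    val account = accounts[phone] ?: return Outcome.Denied              // unknown number: same answer
    if (account.parentUserId != authenticatedUserId) return Outcome.Denied // not this caller's child
    return Outcome.Granted(account.appPassword)                         // minimum privilege satisfied
}

fun main() {
    println(recoverPasswordInsecure("07700900002"))      // anyone obtains another child's password
    println(recoverPassword("parent-a", "07700900002"))  // denied: linked to a different parent
    println(recoverPassword("parent-b", "07700900002"))  // granted: the linked parent
    println(recoverPassword(null, "07700900002"))        // denied: unauthenticated caller
    println(recoverPassword("parent-b", "07700900999"))  // denied: indistinguishable from the case above
}
```

    The hardened handler answers `Denied` identically for an unknown number and for somebody else's child, so the response alone cannot be used to discover which numbers have accounts; per-caller rate limiting on the endpoint is the other control that the "trivial to traverse phone numbers" point calls for.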


  14. @Sp4ghettiCode / spght.dev
    Client Code Quality
    #7 OWASP Threat
    YOUR CODE
    (duh)


  15. @Sp4ghettiCode / spght.dev
    Client Code Quality
    What is it?
    • Difficult to define exactly…


    • Poorly written code! 🍝


    • Not following coding ‘best practices’


    • Misuse of a programming language


    • Javascript -> XSS Attack


    • SQL -> SQL Injection


    • C++/etc -> Buffer Overflow


  16. @Sp4ghettiCode / spght.dev
    Client Code Quality
    How to avoid it!
    • Have a solid code review process


    • Use static analysis tools e.g. SonarCloud / Snyk


    • Know the flaws and dangers with using particular
    languages


    • Consider using ‘Strict Mode’ to catch errors early


  17. @Sp4ghettiCode / spght.dev
    Client Code Quality
    Strict Mode
    • Tool within Android Framework to detect code violations at
    runtime


    • e.g. Performing I/O operations on the Main Thread


    • Leaks - e.g. not closing a ‘Closeable’


    • Split into Thread + Virtual Machine violations


  18. @Sp4ghettiCode / spght.dev
    Client Code Quality
    Strict Mode
    • Allows for different ‘penalties’
    on spotting a violation


    • Write to logcat


    • Show an ‘annoying dialog’


    • Flash the device’s screen


    • Crash the app 🔥😅


  19. @Sp4ghettiCode / spght.dev
    Client Code Quality
    Strict Mode Examples
    StrictMode.setThreadPolicy(
        StrictMode.ThreadPolicy.Builder()
            .detectDiskReads()
            .detectDiskWrites()
            .detectNetwork()
            .penaltyLog()   // Penalty: Write to Logcat
            .build()
    )

    // StrictMode.setVmPolicy(...) is shown on the next slide


  20. @Sp4ghettiCode / spght.dev
    Client Code Quality
    Strict Mode Examples
    // Detect leaks and non-HTTPS traffic. These three detectors belong to
    // VmPolicy.Builder, so this must be set as the VM policy (the slide's
    // setThreadPolicy label is a slip: ThreadPolicy.Builder has no such methods).
    StrictMode.setVmPolicy(
        StrictMode.VmPolicy.Builder()
            .detectCleartextNetwork()
            .detectLeakedSqlLiteObjects()
            .detectLeakedClosableObjects()
            .penaltyLog()    // Penalty: Write to Logcat
            .penaltyDeath()  // Penalty: Crash 🔥
            .build()
    )


  21. @Sp4ghettiCode / spght.dev
    Client Code Quality
    Strict Mode Usage
    • BEST PRACTICES:


    • Add within Application class before super.onCreate call


    • Use within debuggable builds only


    • Use penaltyDeath() for most serious cases


    • E.g. penaltyDeathOnCleartextNetwork()


    • Always read the docs!
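    Putting the points on this slide together, here is an added example (not the talk's own code) of an `Application` subclass that installs both policies. `OwaspApp` is an assumed class name, `BuildConfig.DEBUG` is the flag the Android Gradle plugin generates for the app module (import it from your own application package), and the cleartext-network detector and penalty need API 23 or later.

```kotlin
// Added example, not from the talk: StrictMode wired into the Application
// class, debug builds only, installed before super.onCreate().
import android.app.Application
import android.os.StrictMode
// import <your.app.package>.BuildConfig   <- generated by the Android Gradle plugin

class OwaspApp : Application() {   // assumed class name; register it in the manifest

    override fun onCreate() {
        // Install the policies BEFORE super.onCreate() so that ContentProvider
        // and library initialisation triggered by the framework is covered too.
        if (BuildConfig.DEBUG) {
            installStrictMode()
        }
        super.onCreate()
    }

    private fun installStrictMode() {
        // Thread policy applies to the thread that sets it: here the main thread,
        // which is exactly where disk and network I/O must not happen.
        StrictMode.setThreadPolicy(
            StrictMode.ThreadPolicy.Builder()
                .detectDiskReads()
                .detectDiskWrites()
                .detectNetwork()
                .penaltyLog()          // report thread violations, don't crash on them
                .build()
        )

        // VM policy is process-wide: leaks and insecure transport.
        StrictMode.setVmPolicy(
            StrictMode.VmPolicy.Builder()
                .detectLeakedSqlLiteObjects()
                .detectLeakedClosableObjects()
                .detectCleartextNetwork()           // API 23+
                .penaltyLog()
                // Reserve the fatal penalty for the most serious case:
                // plain-HTTP traffic leaving the app.
                .penaltyDeathOnCleartextNetwork()   // API 23+
                .build()
        )
    }
}
```

    Because the whole block is behind `BuildConfig.DEBUG`, release builds carry no StrictMode code path at all, which is what the "debuggable builds only" point asks for; a cleartext request in a debug build then crashes immediately, so it is caught during development rather than shipping.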


  22. @Sp4ghettiCode / spght.dev
    Code Tampering
    #8 OWASP Threat
    YOUR CODE
    AGAIN


  23. @Sp4ghettiCode / spght.dev
    Code Tampering
    What is it?
    • The unwanted modification of your app’s code


    • Modification of your app’s resources


    • The unintended use of your app through the use of a ‘rooted/
    jailbroken’ device


    • More common in popular apps such as ‘freemium’ games


    • Used by malicious actors to distribute modded APKs with spyware +
    more nasty surprises 😈


  24. @Sp4ghettiCode / spght.dev
    Code Tampering
    How could we do it?
    • Using APKTOOL:
    ibotpeaches.github.io/Apktool


    • Decompiles APK to resources and
    SMALI files


    • SMALI = Converted .dex byte-code


    • Run using:


    apktool d app.apk


  25. @Sp4ghettiCode / spght.dev
    Code Tampering
    Kotlin
    private fun showPinEntered(pinCount: Int) {
        binding.mainPin.text = "*".repeat(pinCount)
    }



  26. @Sp4ghettiCode / spght.dev
    Code Tampering
    Converted Smali Example
    .method private final showPinEntered(I)V
        .locals 2
        .param p1, "pinCount"

        .line 56
        iget-object v0, p0, Ldev/spght/owasp/login/LoginActivity;->binding:Ldev/spght/owasp/databinding/LoginBinding;
        if-nez v0, :cond_0 # Removed binding error handling code here for brevity
        iget-object v0, v0, Ldev/spght/owasp/databinding/LoginBinding;->mainPin:Landroid/widget/TextView;
        const-string v1, "*"
        check-cast v1, Ljava/lang/CharSequence;
        invoke-static {v1, p1}, Lkotlin/text/StringsKt;->repeat(Ljava/lang/CharSequence;I)Ljava/lang/String;
        move-result-object v1
        check-cast v1, Ljava/lang/CharSequence;
        invoke-virtual {v0, v1}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V

        .line 57
        return-void
    .end method


  27. @Sp4ghettiCode / spght.dev
    Code Tampering
    Converted Smali Example
    .method private final showPinEntered(I)V
        .locals 2
        .param p1, "pinCount"



  28. @Sp4ghettiCode / spght.dev
    Code Tampering
    Converted Smali Example
    .method private final showPinEntered(I)V
        check-cast v1, Ljava/lang/CharSequence;
        invoke-static {v1, p1}, Lkotlin/text/StringsKt;->repeat(Ljava/lang/CharSequence;I)Ljava/lang/String;
        move-result-object v1



  29. @Sp4ghettiCode / spght.dev
    Code Tampering
    Converted Smali Example
    .method private final showPinEntered(I)V
        invoke-virtual {v0, v1}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V

        .line 57
        return-void



  30. @Sp4ghettiCode / spght.dev
    Code Tampering
    ⚠ How to do it…
    # Re-compile the app
    # base in this example is the base folder of the decompiled app
    apktool b base

    # Generate a new key to sign the build
    keytool -genkeypair -v -keystore key.keystore -alias publishingdoc -keyalg RSA -keysize 2048 -validity 10000

    # Sign the new app APK
    jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore ./key.keystore base.apk publishingdoc

    • Modify Smali files to do XYZ (i.e. whatever)


    • Samples: https://ur.link/43i ⚠


    • Re-compile app using apktool then re-sign using jarsigner


  31. @Sp4ghettiCode / spght.dev
    Code Tampering
    How to detect it!
    • Root Detection SDKs


    • RootBeer: github.com/scottyab/rootbeer


    • Jetpack Security App Authenticator SDK


    • Verifies SHA-256 of signing certificates
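    As an added example (not the App Authenticator library's own code), this is the underlying check such an SDK performs, written by hand against the Android `PackageManager` API on API 28 and later: hash every signing certificate of the running APK with SHA-256 and compare each with the pinned hash of your release certificate. `EXPECTED_CERT_SHA256` is a placeholder to be replaced with your own certificate's hash.

```kotlin
// Added example, not from the talk or the library: verify that the running
// APK is signed with the expected certificate (API 28+).
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.security.MessageDigest

// PLACEHOLDER: hex SHA-256 of your release signing certificate
// (e.g. as printed by `apksigner verify --print-certs`).
const val EXPECTED_CERT_SHA256 = "<sha256-of-your-release-certificate-hex>"

private fun ByteArray.sha256Hex(): String =
    MessageDigest.getInstance("SHA-256").digest(this)
        .joinToString("") { "%02x".format(it) }

/**
 * Returns true only if EVERY current signer of this APK matches the pinned
 * certificate. A re-signed (tampered) APK carries the re-signer's certificate
 * instead, so its hash will not match.
 */
fun isApkSignedWithExpectedCert(context: Context): Boolean {
    // Older platforms only offer the deprecated GET_SIGNATURES path; treat as unverified here.
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.P) return false

    val info = context.packageManager.getPackageInfo(
        context.packageName, PackageManager.GET_SIGNING_CERTIFICATES
    )
    val signingInfo = info.signingInfo ?: return false

    // apkContentsSigners is the set of certificates that signed the APK
    // contents (not the rotation lineage); an empty set is a failure.
    val signers = signingInfo.apkContentsSigners
    if (signers.isEmpty()) return false

    val expected = EXPECTED_CERT_SHA256.lowercase().toByteArray()
    return signers.all { signature ->
        val actual = signature.toByteArray().sha256Hex().toByteArray()
        MessageDigest.isEqual(actual, expected)   // constant-time comparison
    }
}
```

    A check like this lives inside the APK, so a tampered build can simply patch it out; treat it as one layer that raises the bar and, for decisions that matter, pair it with a server-side signal such as the signer hash reported by a remote attestation service. When the function returns false, fail closed (refuse the sensitive operation) rather than only logging.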


  32. @Sp4ghettiCode / spght.dev
    Intermission
    Super shameless plug…
    • I have two articles with relevant code tampering material:


    • “Learning to 'Hack Android' with picoCTF”


    • “Hands on with Jetpack's Security App Authenticator
    library”


    ✨ BOTH AVAILABLE TO READ AT SPGHT.DEV ✨


  33. @Sp4ghettiCode / spght.dev
    Reverse Engineering
    #9 OWASP Threat
    YOUR CODE
    AGAIN, AGAIN


  34. @Sp4ghettiCode / spght.dev
    Reverse Engineering
    AKA gnireenignE esreveR
    • Decompiling your app and understanding how it works to
    find vulnerabilities + other goodies


    • Similar attack approach to Code Tampering


    • Uses a similar set of tools to look at source code


  35. @Sp4ghettiCode / spght.dev
    Reverse Engineering
    How to do it…
    • Your APK is just a ZIP file with extra spice


    • Rename app.apk to app.zip


    • Unzip


    • ???


    • Profit


    • A wild folder with lots of files appeared!


  36. @Sp4ghettiCode / spght.dev
    Reverse Engineering
    The innards of your APK
    • .dex files are Dalvik Executable
    files


    • Similar to Java .class files but
    run on Android’s JVM


    • Contains Dalvik byte code


    • Possible to convert back to its
    original source code (lossy
    process)


  37. @Sp4ghettiCode / spght.dev
    Reverse Engineering
    How to do it…
    • Convert .dex to .jar


    • github.com/pxb1988/dex2jar


    • ⚠ Run dex2jar *.dex


    • ⚠ Open .jar in JADX / Luyten / JD-GUI


    • ⚠ Explore code


  38. @Sp4ghettiCode / spght.dev


  39. @Sp4ghettiCode / spght.dev
    Extraneous Functionality
    #10 OWASP Threat
    IT’S YOUR CODE
    ONCE AGAIN


    YOU GET THE PICTURE…


  40. @Sp4ghettiCode / spght.dev
    Extraneous Functionality
    I.e. A treasure hunt for hackers
    • Hackers look for ‘back-doors’ in your app’s code


    • Hidden feature flags


    • Hard-coded debug accounts


    • Any other goodies you left behind…


  41. @Sp4ghettiCode / spght.dev
    Extraneous Functionality
    How to protect against it
    • Where possible, do not ship with anything included in
    your app that could be ‘enabled’ when you don’t want it
    to be


    • Ensure you strip out any hard-coded credentials or
    anything you use for QA-ing the app


    • GOOD CODE REVIEWS!
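    As an added example (not from the talk), a small scanner that a CI job or pre-commit hook could run over the source tree to catch the leftovers this slide lists: hard-coded credentials, debug/QA accounts and "bypass" flags. The rules and the sample source lines are constructed for illustration; the patterns are deliberately simple and need tuning to a real code base.

```kotlin
// Added example, not from the talk: flag hard-coded credentials and
// debug/backdoor leftovers in source before they reach a release build.
import java.io.File
import kotlin.system.exitProcess

data class Finding(val line: Int, val rule: String, val text: String)

// Illustrative rules (assumptions, not an exhaustive list).
private val rules: List<Pair<String, Regex>> = listOf(
    "hard-coded credential" to Regex("""(?i)\b(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["'][^"']{4,}["']"""),
    "debug/QA account"      to Regex("""(?i)\b(debug|test|qa)[_-]?(user|account|login)\b"""),
    "backdoor flag"         to Regex("""(?i)\b(bypass|skip)[_-]?(auth|login|pin|verification)\w*\s*=\s*true"""),
    "embedded base64 blob"  to Regex("""["'][A-Za-z0-9+/]{40,}={0,2}["']"""),
)

/** Reports the first matching rule for each offending line (1-based numbers). */
fun scanSource(lines: List<String>): List<Finding> =
    lines.mapIndexedNotNull { i, line ->
        rules.firstOrNull { (_, rx) -> rx.containsMatchIn(line) }
            ?.let { (rule, _) -> Finding(i + 1, rule, line.trim()) }
    }

fun scanFile(file: File): List<Finding> = scanSource(file.readLines())

fun main() {
    // Constructed sample "source" standing in for a real Kotlin file.
    val sample = """
        class LoginRepository(private val api: Api) {
            private val qaAccount = "qa_user"               // leftover QA login
            private val apiKey = "sk_live_0123456789abcdef" // hard-coded secret
            var bypassPinCheck = true                       // backdoor flag
            fun login(user: String, pin: String) = api.login(user, pin)
        }
    """.trimIndent().lines()

    val findings = scanSource(sample)
    findings.forEach { println("line ${it.line}: ${it.rule}: ${it.text}") }
    // Non-zero exit makes the CI job fail while anything is still present.
    if (findings.isNotEmpty()) exitProcess(1)
}
```

    In CI, point `scanFile` at every `.kt`/`.java` file under the module and fail the build on any finding; the class header and the legitimate `login` function in the sample produce no findings, which is the false-positive rate such a check has to keep low to stay enforced.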


  42. @Sp4ghettiCode / spght.dev
    Thanks for watching!
    • Find me on Twitter @Sp4ghettiCode


    • Thanks to Android Worldwide for rescheduling this talk!


    • More resources and links at spght.dev/talks


    • Please do reach out if you are interested in learning more
    or have knowledge to share with the community!


    • Questions and Answers to follow…


  43. @Sp4ghettiCode / spght.dev
    EOF
