This document discusses Android security and provides steps for analyzing Android applications and exploiting vulnerabilities. It includes the following: 1) An introduction to Android architecture including sandboxes, application frameworks, and permissions. 2) Reasons for focusing on Android security such as the number of downloads, weak app review processes, and platform update issues. 3) Common Android application vulnerabilities like logging of sensitive data, insecure communication, and vulnerabilities in the WebView like addJavaScriptInterface. 4) Steps for cross-compiling code to run on Android, pushing binaries to an Android device, and exploiting vulnerabilities to pop a remote shell.

1. Alice Android Diyarında
CANBERK BOLAT
CYPSEC ‘14
24 APR 2014

2. whoami
• Canberk Bolat
- Security Researcher (@adeosecurity)
- Reverse Engineering, Fuzzing, Pentest
- Blogger/Writer
- http://cbolat.blogspot.com
- Contact
- @cnbrkbolat && canberk.bolat@gmail.com

3. agenda
• Introduction to Android
• Why Android Security?
• Common Android Application Vulnerabilities
• Exploiting addJavaScriptInterface Vulnerability
• Cross-compiling for Android
• Popping Shell on Android
• exit(0)

4. introduction to android

5. introduction to android
• 49 Adımda Android’in uzmanı olun!
* NOT: İngiliz Köyü’nden "49 Steps" kapısı
teşekkürler Kasım Erkan!

6. introduction to android
• Sandbox
• Application Framework
• Memory Management
• File System Security
• User-granted / App-specific Permissions

7. why android security?
• BYOD
• Çok popüler
• 1 yılda ortalama
• 29,000,000,000 uygulama download ediliyor
• Cihaz başına 60~ uygulama
• Zayıf uygulama denetimi (Google Play)
• Platform güncelleme sorunsalı
• KitKat’ı olmayanlar parmak kaldırsın!

8. common android application
vulnerabilities
• Logging
• Unencrypted/Plain-text/Weak credentials
• Unsecure Communication
• HTTP Traffic :(
• XSS (?)
• WebView
• setJavaScriptEnabled
• addJavaScriptInterface

9. common android application
vulnerabilities
• Logging
• Unencrypted/Plain-text/Weak credentials
• Unsecure Communication
• HTTP Traffic :(
• XSS (?)
• WebView
• setJavaScriptEnabled
• addJavaScriptInterface

10. exploiting addJavaScriptInterface
vulnerability
• setJavaScriptEnabled
• addJavaScriptInterface

11. exploiting addJavaScriptInterface
vulnerability
•

12. exploiting addJavaScriptInterface
vulnerability
•

13. exploiting addJavaScriptInterface
vulnerability
•

14. cross-compiling for android
• Android NDK
• ndk-build
• Kodu derlemek için aşağıdaki gibi bir klasör yapısı gerekiyor

15. cross-compiling for android
• Android.mk dosyasının içeriği
• Works for me!

16. cross-compiling for android
C:UsersCanberkhelloworldjni>ndk-build
[armeabi] Compile thumb : hello_world <= helloworld.c
[armeabi] Executable : hello_world
[armeabi] Install : hello_world => libs/armeabi/hello_world
C:UsersCanberkhelloworldjni>adb push ..libsarmeabihello_world data
C:UsersCanberkhelloworldjni>adb shell chmod 777 /data/hello_world
C:UsersCanberkhelloworldjni>adb shell ./data/hello_world
hello arm!

17. popping shell on android
• cross-compile your reverse_connect_backdoor.c for ARM
• convert binary to x02X format
• write converted binary to file system
• mitm and manipulate HTTP traffic
• exploit addJavaScriptInterface vulnerability
• chmod 777 backdoor
• run backdoor
• pop the shell on android

18. popping shell on android

19. demo

20. exit(0)
• teşekkürler!