Android Hacking

Tools and Techniques Related To 1

 RIT Alum Intrepidus Group Interlock Rochester Rochester 2600 TOOOL BSidesROC@antitreeantitree.com 2

 Android Introduction Tools For Hackers Analysis Techniques Examples How to be “secure” 3

Other, Honeycomb Cupcake 1% Donut 6% 1% 2% Blackberry, 9% Eclair 15% Gingerbread 25%iOS, 28% Android, 56% Froyo 56% 4

 Linux 2.6 Dalvik Virtual Machine – new instance for each app DEX – Dalvik byte code APK - zip AndroidManifest.xml Dalvik Java APK Byte Code 6

Linux Angry Birds app_42Dalvik VM Instances

 Intents – inter process communication Activities - screen Content Providers – sqlite3 database Services – background processes Broadcasts – send and receive info to other apps 8

• Dynamic Network Analysis• Static Code Review• File System Auditing 9

 Android SDK  ADB  DDMS  Emulator Apktool Smali/Baksmali Dex2jar Java Decompiler (e.g. JAD or JD-GUI) Mallory Burpsuite Wireshark 10

 Java source code vs Smali files vs DEX vs jar vs pseudocode Android development Java Linux 11

 Watch Traffic flow through a MITM Things to look for:  Information being passed in the clear  SSL usage and whether it’s done correctly  Results of modifying requests and responses  Authentication process 13

Wireless Router Emulator PPTP serverDDWRT/TOMATOE Android SDK PPTPDUsually need a clunky device Sometimes doesn’t act the Dedicated server way you want it 14

#!/bin/bash# firewall script to intercept all traffic from ppp0 and redirect to local port# all credit to the great algorythmecho 1 > /proc/sys/net/ipv4/ip_forwardiptables -Fiptables -Xiptables -t nat -Fiptables -t nat -Xiptables -t mangle -Fiptables -t mangle -Xiptables -P INPUT ACCEPTiptables -P FORWARD ACCEPTiptables -P OUTPUT ACCEPTiptables -t nat -A POSTROUTING -o eth0 -j MASQUERADEiptables -t nat -A PREROUTING -j REDIRECT -i ppp0 -p tcp --dport 80 -m tcp --to-ports8080iptables -t nat -A PREROUTING -j REDIRECT -i ppp0 -p tcp --dport 443 -m tcp --to-ports 8080 15

 Wireshark  Initial traffic fingerprinting Burpsuite  Great for HTTP/S traffic Mallory  Great for nonspecific protocols 16

 Audit how data is stored Things to look for:  Incorrect permissions  Storage location (data, sdcard, asec) Tools  Adb shell  Standard linux commands  [Root exploit and busybox] 18

 See how the app works through pseudocode Things to look for:  Overall understanding of the app  Cryptographic functions  Debug/Testing functions  Client side authentication 21

 Tools:  Apktool d com.antitree.app  Smali path/to/smali/files/  Dex2jar out.dex  Jd-gui out_dex2jar.jar APK DEX Jar Pseudocode Smali 22

Reverse engineering is neat

But what does it mean? 26

 Skype: 4/11  Permissions error allowed a malicious app to access contacts and personal information Google: 6/11  Session information passed in the clear made it susceptible to hijacking Dropbox: 8/11  An attempt to share data granted any app to the ability to make file public 27

 HTC: 10/11  Spyware Logging app found to be accessible to any app with the network connection permission ▪ GPS coordinates ▪ MEID, MDN ▪ phone logs ▪ MUCH more  *#*#HTCLOG#*#* 28

100,000 installations 29

 File System Permissions Set to 777  Access saved sessions  Modify included binaries Why: Lazy permissions How discovered: file system permission review 30

SSHUNTUNNEL

 Shares information Controls permissions Tool: Android Manifest Auditor Code Name: The Jaku 32

1. Insecure Data Storage2. Weak Server Side Controls3. Insufficient Transport Layer Protection4. Client Side Injection5. Poor Authorization and Authentication6. Improper Session Handling7. Security Decisions Via Untrusted Inputs8. Side Channel Data Leakage9. Broken Cryptography10. Sensitive Information Disclosure 34

 Deploy mobile device management solution  Zenprise, MobileIron, (Google?) Train your users – don’t give in Audit your devices  Are users following best practices?  What apps are installed? Require mobile security solution  Lookout, WaveSecure, NetQin 35

 Audit your apps!  Check permissions  Check source code  Analyze your traffic Think before you Root Security Software  Remote wipe  Malware detection 36

Coincidence? 37

Slides and app available at www.antitree.com 38

 http://www.intrepidusgroup.com/insight/ http://code.google.com/p/android-apktool/ http://code.google.com/p/smali/ http://code.google.com/p/dex2jar/ http://java.decompiler.free.fr/?q=jdgui http://developer.android.com/sdk 39

http://www.antitree.com	128
http://173.255.202.215	23
http://10.2.2.13	10
http://antitree.com	9
https://www.antitree.com	1

Android Hacking

by antitree

Accessibility

Categories

Upload Details

Usage Rights

5 Embeds 171

Statistics

Android Hacking Presentation Transcript