Pentesting Android Applications

This talk gives an overview of the Android operating system and its app ecosystem from the security point of view of a penetration tester.
So let's dive into topics like pentest environment setup, tools of the trade, app analysis and some security hints for Android developers.

Published in: Technology
  • Activities – GUI made available to the user;

    Services – Component that runs operations in the background without a user interface

    Broadcast Receivers – Component that allows receiving notifications from the system or from other applications.

    Content Provider – Component that manages access to structured data, typically SQLite
  • DexGuard
  • Pentesting Android Applications

    1. @clviper ca@integrity.pt Cláudio André
    2. whoami: Pentester at Integrity S.A. Web applications, mobile applications and infrastructure. BSc in Management Information Technology and OSCP. Photography addict.
    3. Up next: Environment Setup, Tools Of The Trade, App Analysis, Developers Heads Up.
    4. Environment Setup: Physical Equipment, Android SDK Emulator, Android x86.
    5. Environment Setup: Android x86. Hints: Mouse inside VM: disable Mouse Integration (Host+i). Portrait resolution: edit /mnt/grub/menu.lst and insert UVESA_MODE=320X480 DPI=160. Black screen (locked screen): ACPI Shutdown (Host+h). Android shell: Ctrl+F1 / Ctrl+F7.
    6. Environment Setup: Root your device (physical approach only). Allow Unknown Sources (Settings -> Security). Install a proxy app (ProxyDroid, AutoProxy, etc.). Connect to your favorite proxy server (Burp Proxy, Fiddler, etc.).
    7. Tools Of The Trade: Android SDK. Software Development Kit containing API libraries and developer tools to build, test and debug Android apps. For our context, the most important ones are adb, aapt, ddms and the emulator. http://developer.android.com/sdk/
    8. Tools Of The Trade: Android Debug Bridge (ADB). Command-line tool to communicate with an emulator instance or a connected physical/virtual device. Useful commands: adb devices, adb connect, adb shell, adb install, adb push | pull, ... http://developer.android.com/sdk/
    9. Tools Of The Trade: Dalvik Debug Monitor Server (DDMS). Debugging tool that provides port forwarding, screen capture, heap dump, logcat, a file manager and many other features. http://developer.android.com/sdk/
    10. Tools Of The Trade: QtADB. Android manager: file manager and application manager, access to logs and shell, take screenshots, etc. (requires aapt, which comes with the Android SDK). http://qtadb.wordpress.com/
    11. Tools Of The Trade: QtADB DEMO http://youtu.be/H4ysZblviZg
    12. Tools Of The Trade: dex2jar. Tool for converting the .dex Android format to .class Java format. https://code.google.com/p/dex2jar/
    13. Tools Of The Trade: JD-GUI. Java decompiler with a GUI to display the Java source code of class files. http://jd.benow.ca/
    14. Tools Of The Trade: APKParser. Extracts the plain-text AndroidManifest.xml from an APK. https://code.google.com/p/xml-apk-parser/
    15. Tools Of The Trade: Introspy-Android + Introspy-Analyser. Introspy-Android analyses app behaviour at runtime and helps to identify potential security issues; Introspy-Analyser generates HTML reports from the database Introspy-Android produces. https://github.com/iSECPartners/Introspy-Android
    16. Tools Of The Trade: Android-SSL-TrustKiller. Tool to bypass SSL certificate pinning for most applications (custom pinning implementations may need custom hooking). https://github.com/iSECPartners/Android-SSL-TrustKiller
    17. Tools Of The Trade: Android-SSL-TrustKiller (Bypassing Pinning). Install Cydia Substrate + AndroidSSLTrustKiller. Hint: turn SSLTrustKiller off when you do not need it (steps #1 and #2 shown as screenshots).
    18. Tools Of The Trade: Proxy Server CA Certificate. Hint (Validate Pinning): #1 browse to the proxy server address and download the certificate; #2 open the file via File Manager; #3 save the certificate.
    19. Tools Of The Trade: Android-SSL-TrustKiller DEMO http://youtu.be/8NwbmSI9OWo
    20. Tools Of The Trade: Drozer (ex-Mercury). Security testing framework, great to determine the app attack surface and interact with it. https://www.mwrinfosecurity.com/products/drozer/
    21. Tools Of The Trade: Drozer (ex-Mercury) DEMO http://youtu.be/KAWPfHLHO0Y
    22. Tools Of The Trade: Burp Suite. Integrated platform for security testing of web applications. For our context the main interest is in the Proxy functionality to intercept and inspect requests between the app and the backend. http://portswigger.net/burp/
    23. App Analysis: Android Environment Sandboxing. Each app runs in its own Dalvik VM process under its own Linux UID with a private data directory: APP1 runs as UID 10000 and owns /data/data/app1; APP2 runs as UID 10001 and owns /data/data/app2.
    24. App Analysis: Android Application Components. Activities, Services, Broadcast Receivers, Content Providers.
    25. App Analysis: Android Application Package File (.apk). Zip archive containing Dalvik class files, assets, resources and AndroidManifest.xml. Stored at /data/app.
    26. App Analysis: AndroidManifest.xml. Presents information about the app to the system, describes app components and defines permissions.
    27. App Analysis: Shared Preferences. XML file with key-value pairs holding app settings.
    28. App Analysis: SQLite Databases. Single-file relational database used to store application data and settings.
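The two storage formats on slides 27 and 28 are where the "Insecure Data Storage" findings usually come from, so the check a pentester runs on a pulled /data/data/<pkg> tree is worth showing end to end. The following is an added example written for this page, not code from the deck or from any of the tools it lists. It builds a constructed app data directory (the settings.xml contents, the accounts table and its values are made up), then audits it for two things: files whose permission bits make them readable by other UIDs (what MODE_WORLD_READABLE produces, defeating the per-UID sandbox of slide 23) and keys or columns whose names suggest secrets stored in plain text. The SENSITIVE name pattern is a heuristic of my own and should be tuned per app.

```python
import os
import re
import sqlite3
import stat
import tempfile
import xml.etree.ElementTree as ET

# Heuristic (my own, tune per app): key/column names that usually hold secrets.
SENSITIVE = re.compile(
    r"pass(word|wd|phrase)?|(?<![a-z])pin(?![a-z])|secret|token|api[_-]?key|session|cred",
    re.IGNORECASE,
)


def world_accessible(path):
    """True if 'other' may read or write the file (the bits MODE_WORLD_READABLE /
    MODE_WORLD_WRITEABLE set); any other app UID on the device can then open it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH))


def audit_shared_prefs(path):
    """Scan one shared_prefs XML file: <map><string name="k">v</string> ... </map>."""
    findings = []
    base = os.path.basename(path)
    if world_accessible(path):
        findings.append(f"{base}: world-accessible mode")
    for el in ET.parse(path).getroot():
        name = el.get("name", "")
        if SENSITIVE.search(name):
            # <string> keeps the value as text; <boolean>/<int>/... use a value attribute
            value = el.text if el.text is not None else el.get("value", "")
            findings.append(f"{base}: key {name!r} = {value!r} in plain text")
    return findings


def audit_sqlite(path):
    """Scan one SQLite database for columns whose names suggest secrets."""
    findings = []
    base = os.path.basename(path)
    if world_accessible(path):
        findings.append(f"{base}: world-accessible mode")
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            for row in con.execute(f'PRAGMA table_info("{table}")'):
                col = row[1]
                if SENSITIVE.search(col):
                    n = con.execute(
                        f'SELECT COUNT(*) FROM "{table}" WHERE "{col}" IS NOT NULL').fetchone()[0]
                    findings.append(f"{base}: {table}.{col} holds {n} plain-text row(s)")
    finally:
        con.close()
    return findings


def audit_app_dir(app_dir):
    """Walk a pulled /data/data/<pkg> tree (shared_prefs/ and databases/) and collect findings."""
    findings = []
    prefs_dir = os.path.join(app_dir, "shared_prefs")
    db_dir = os.path.join(app_dir, "databases")
    if os.path.isdir(prefs_dir):
        for name in sorted(os.listdir(prefs_dir)):
            if name.endswith(".xml"):
                findings += audit_shared_prefs(os.path.join(prefs_dir, name))
    if os.path.isdir(db_dir):
        for name in sorted(os.listdir(db_dir)):
            if name.endswith(".db"):
                findings += audit_sqlite(os.path.join(db_dir, name))
    return findings


def build_sample_app_dir():
    """Constructed stand-in for a pulled app data directory; not taken from any real app."""
    app_dir = tempfile.mkdtemp(prefix="appdata_")
    os.makedirs(os.path.join(app_dir, "shared_prefs"))
    os.makedirs(os.path.join(app_dir, "databases"))
    prefs = os.path.join(app_dir, "shared_prefs", "settings.xml")
    with open(prefs, "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                '    <string name="username">alice</string>\n'
                '    <string name="password">hunter2</string>\n'
                '    <boolean name="remember_me" value="true" />\n'
                '</map>\n')
    os.chmod(prefs, 0o664)  # the permission bits MODE_WORLD_READABLE gives the file
    db = os.path.join(app_dir, "databases", "app.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, user TEXT, api_token TEXT)")
    con.execute("INSERT INTO accounts (user, api_token) VALUES ('alice', 'tok_constructed_123')")
    con.commit()
    con.close()
    os.chmod(db, 0o600)  # MODE_PRIVATE: only the app's own UID
    return app_dir


if __name__ == "__main__":
    for line in audit_app_dir(build_sample_app_dir()):
        print(line)
```

On a real engagement the input directory comes from `adb pull /data/data/<pkg>` on a rooted device (slide 6) or from QtADB's file manager (slide 10); the mode bits are then only meaningful if the pull preserved them, so check them with `ls -l` in `adb shell` as well.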
    29. App Analysis: OWASP Top 10 Mobile Risks. M1: Weak Server Side Controls; M2: Insecure Data Storage; M3: Insufficient Transport Layer Protection; ... https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
    30. App Analysis: GoatDroid. FourGoats is a location-based social network built for sharing everything about your life with everyone. Using FourGoats, you can check in at various places, earn loyalty rewards, and see what your friends are doing as well as where they are doing it. FourGoats also provides an API to other applications to allow their users to share even more of their activities than ever before! https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project
    31. App Analysis: GoatDroid DEMO http://youtu.be/3DpLKK90oAY
    32. App Analysis: GoatDroid DEMO http://youtu.be/tAyLOn5ttFo
    33. App Analysis: The Lost Art of Keeping a Secret
    34. App Analysis: The Lost Art of Keeping a Secret DEMO http://youtu.be/QJF-pvpRSFE
    35. Developers Heads Up. Insecure Data Storage: create Shared Preferences with MODE_PRIVATE, never MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE. Sensitive information should not be stored at all; if it must be, encrypt it with a key derived from the user's password/PIN, not with hardcoded encryption keys. Such data is still vulnerable to offline brute force, so enforce a strong password policy. Insufficient Transport Layer Protection: apply SSL/TLS to every channel over which the app transmits sensitive information to the backend, and implement certificate pinning if very sensitive information is transmitted.
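The slide's storage advice carries a caveat that is easy to read past: a key derived from a PIN protects the data only as well as the PIN resists an offline guess, because whoever pulls the blob from the device can test candidates with no lockout. The example below is added here to show both halves; it is not code from the deck. It derives separate encryption and MAC keys from a PIN with PBKDF2-HMAC-SHA256, seals a secret (encrypt-then-MAC), and then plays the attacker who recovers a 4-digit PIN from the stored blob alone. Two things are stand-ins of my own: the iteration count is deliberately tiny so the attack finishes in seconds (production code would use a far larger count, or scrypt/Argon2), and the stream cipher is HMAC-SHA256 in counter mode because the standard library has no AES; a real app would use AES-GCM with the same key split.

```python
import hashlib
import hmac
import os

# Constructed demo setting: kept tiny so the brute force below finishes quickly.
# Production code should use a far higher PBKDF2 iteration count or scrypt/Argon2.
ITERATIONS = 200


def derive_keys(pin, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 from the user's PIN; split into encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, iterations, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key, length):
    """HMAC-SHA256 in counter mode, a stand-in for a real cipher (stdlib has no AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(pin, plaintext, iterations=ITERATIONS):
    """Encrypt-then-MAC a secret under PIN-derived keys; returns what the app would store."""
    salt = os.urandom(16)
    enc_key, mac_key = derive_keys(pin, salt, iterations)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "ct": ct, "tag": tag}


def unseal(pin, blob):
    """Return the plaintext, or None when the PIN is wrong (MAC tag mismatch)."""
    enc_key, mac_key = derive_keys(pin, blob["salt"], blob["iterations"])
    expected = hmac.new(mac_key, blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(c ^ k for c, k in zip(blob["ct"], _keystream(enc_key, len(blob["ct"]))))


def brute_force_pin(blob, digits=4):
    """Offline attack: whoever holds the blob (adb pull from /data/data/<pkg> on a rooted
    device, a backup, ...) can test every PIN against the stored tag with no rate limit.
    Returns (pin, plaintext, attempts) or None."""
    for candidate in range(10 ** digits):
        pin = f"{candidate:0{digits}d}"
        plaintext = unseal(pin, blob)
        if plaintext is not None:
            return pin, plaintext, candidate + 1
    return None


if __name__ == "__main__":
    secret = b"session_token=constructed-sample-value"  # constructed sample secret
    blob = seal("2580", secret)
    assert unseal("2580", blob) == secret and unseal("0000", blob) is None
    pin, recovered, attempts = brute_force_pin(blob)
    print(f"PIN {pin} recovered after {attempts} attempts: {recovered!r}")
```

The attack cost is (iterations x guesses), which is exactly why the slide pairs "derive from the user's PIN" with "enforce a strong password policy": raising the iteration count buys a constant factor, while moving from a 4-digit PIN to a real passphrase multiplies the search space by orders of magnitude.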
    36. Developers Heads Up. Client Side Injection: only export components (Activities, Services, Broadcast Receivers, Content Providers) that genuinely need to be reachable from other apps, and make sure exported components cannot bypass access controls or leak internal information. Lack of Binary Protection: obfuscate your code, at minimum with ProGuard. Don't make your attacker's life easier.
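The manifest (slide 26) is where the exported-component rule from the Client Side Injection item above is decided, and the plain-text AndroidManifest.xml that APKParser (slide 14) extracts is all that is needed to enumerate the attack surface drozer (slide 20) would then exercise. The following is an added example written for this page, not code from the deck, from APKParser or from drozer. It applies Android's documented defaults: an explicit android:exported wins; otherwise activities, services and receivers are exported iff they declare an intent-filter; content providers default to exported only when the app targets API 16 or lower. The sample manifest, its package name com.example.demoapp and its component names are constructed for the demo.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def attr(name):
    """ElementTree spelling of an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


def exported_components(manifest_xml):
    """Return the components other apps can reach, with the rule that made each exported.

    targetSdkVersion falls back to minSdkVersion, then to 1, as the platform does.
    """
    data = manifest_xml.encode("utf-8") if isinstance(manifest_xml, str) else manifest_xml
    root = ET.fromstring(data)
    package = root.get("package", "")
    target_sdk = 1
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None:
        target_sdk = int(uses_sdk.get(attr("targetSdkVersion"))
                         or uses_sdk.get(attr("minSdkVersion")) or 1)
    application = root.find("application")
    found = []
    if application is None:
        return found
    for comp in application:
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = comp.get(attr("name"), "")
        if name.startswith("."):
            name = package + name
        explicit = comp.get(attr("exported"))
        has_filter = comp.find("intent-filter") is not None
        if explicit is not None:
            exported, reason = explicit == "true", 'android:exported="%s"' % explicit
        elif comp.tag == "provider":
            exported = target_sdk < 17
            reason = "provider default for targetSdkVersion=%d" % target_sdk
        else:
            exported = has_filter
            reason = "has <intent-filter>, exported by default" if has_filter else "no intent-filter"
        if exported:
            found.append({
                "type": comp.tag, "name": name, "reason": reason,
                "permission": comp.get(attr("permission")),  # None: any app may call it
                "authorities": comp.get(attr("authorities")),
            })
    return found


def unprotected_exported(manifest_xml):
    """Exported components no permission guards: the first things to poke at with drozer."""
    return [c for c in exported_components(manifest_xml) if c["permission"] is None]


# Constructed sample manifest (not from any real app), in the plain-text form APKParser gives.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demoapp">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="14" />
  <application android:label="Demo">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true" />
    <activity android:name=".SettingsActivity" />
    <service android:name=".SyncService" android:exported="false" />
    <receiver android:name=".BootReceiver" android:permission="com.example.demoapp.permission.INTERNAL">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED" /></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.demoapp.data" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for c in exported_components(SAMPLE_MANIFEST):
        guard = c["permission"] or "NO PERMISSION"
        print("%-9s %-38s %-40s %s" % (c["type"], c["name"], guard, c["reason"]))
```

In the sample, AdminActivity is reachable by any app because of an explicit exported="true" with no permission, and DataProvider is reachable only because the app targets API 14; bumping targetSdkVersion to 17 or adding android:exported="false" closes it. Cross-check the list against drozer's `run app.package.attacksurface <package>` on the device, which reports what the installed package actually exposes.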