Securing Android Applications


Transcript

  • 1. Securing Android Applications. Presented by Manish Chasta | CISSP, CHFI, ITIL, Principal Consultant, Indusface. www.indusface.com | Copyright 2012
  • 2. Agenda
    • Introduction to Android and Mobile Applications
    • Working with Android SDK and Emulator
    • Setting up GoatDroid Application
    • Memory Analysis
    • Intercepting Layer 7 traffic
    • Reverse Engineering Android Applications
    • SQLite Database Analysis
    • Demo: ExploitMe application
  • 3. What NUMBERS say!!! Gartner says:
    • 8.2 billion mobile applications were downloaded in 2010
    • 17.7 billion by 2011
    • 185 billion applications will have been downloaded by 2014
  • 4. Market Share
  • 5. Introduction to Android
    • Most widely used mobile OS
    • Developed by Google
    • OS + Middleware + Applications
    • Android Open Source Project (AOSP) is responsible for maintenance and further development
  • 6. Android Architecture
  • 7. Android Architecture: Linux Kernel
    • Linux kernel with system services: security, memory and process management, network stack
    • Provides drivers to access hardware: camera, display and audio, Wifi, …
  • 8. Android Architecture: Android Runtime
    • Core Libraries: written in Java; provide the functionality of the Java programming language; interpreted by the Dalvik VM
    • Dalvik VM: a Java-based VM, a lightweight substitute for the JVM; unlike the JVM, the DVM is a register-based virtual machine; the DVM is optimized to run with limited main memory and low CPU usage; Java code (.class files) is converted into .dex format to be able to run on the Android platform
  • 9. Android Applications
  • 10. Mobile Apps vs Web Applications
    • Thick and thin client
    • Security measures
    • User awareness
  • 11. Setting up Environment
    • Handset / Android device
    • Android SDK and Eclipse
    • Emulator
    • Wireless connectivity
    • And of course… the application file
  • 12. Setting up Lab. What we need:
    • Android SDK
    • Eclipse
    • GoatDroid (Android app from OWASP)
    • MySQL
    • .Net Framework
    • Proxy tool (Burp)
    • Agnitio
    • Android device (optional)
    • SQLite browser
  • 13. Working with Android SDK
  • 14. Android SDK
    • Development environment for Android application development
    • Components: SDK Manager, AVD Manager, Emulator
  • 15. Android SDK
    • Can be downloaded from developer.android.com/sdk/
    • Requires JDK to be installed
    • Install Eclipse
    • Install the ADT Plugin for Eclipse
  • 16. Android SDK: Installing SDK. Simple next-next process
  • 17. Android SDK: Configuring Eclipse
    • Go to Help -> Install New Software
    • Click Add
    • Give Name as ADT Plugin
    • Provide the following address in Location: http://dl-ssl.google.com/android/eclipse/
    • Press OK
    • Check next to 'Developer Tool' and press Next
    • Click Next and accept the 'Terms and Conditions'
    • Click Finish
  • 18. Android SDK: Configuring Eclipse
    • Now go to Window -> Preferences
    • Click on Android in the left panel
    • Browse to the Android SDK directory
    • Press OK
  • 19. SDK Manager
  • 20. AVD Manager
  • 21. Emulator: Running. Click on Start
  • 22. Emulator: Running from Command Line
  • 23. Emulator: Running with proxy
  • 24. ADB: Android Debug Bridge
    • Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or a connected Android-powered device.
    • You can find the adb tool in <sdk>/platform-tools/
  • 25. ADB: Important Commands. Install an application to emulator or device:
  • 26. ADB: Important Commands
    • Push data to emulator / device: adb push <local> <remote>
    • Pull data from emulator / device: adb pull <remote> <local>
    • Remote -> emulator, Local -> machine
  • 27. ADB: Important Commands
    • Getting a shell on the emulator or device: adb shell
    • Reading logs: adb logcat
  • 28. ADB: Important Commands
    • Reading a SQLite3 database: adb shell, go to the path, then sqlite3 database_name.db; use .dump to see the content of the db file and .schema to print the schema of the database on the screen
    • Reading logs: adb logcat
  • 29. Auditing Application from Android Phone
  • 30. Need for Rooting. What is Android rooting?
  • 31. Rooting Android Phone. Step 1: Download CF Rooted Kernel files and the Odin3 software
  • 32. Rooting Android Phone. Step 2: Keep the handset in debugging mode
  • 33. Rooting Android Phone. Step 3: Run Odin3
  • 34. Rooting Android Phone. Step 4: Reboot the phone in download mode. Step 5: Connect to the PC
  • 35. Rooting Android Phone. Step 6: Select the required files, i.e. PDA, Phone, CSC files. Step 7: Click on Auto Reboot and F. Reset Time and hit the Start button
  • 36. Rooting Android Phone. If your phone is rooted... you will see PASS!! in Odin3
  • 37. Important Tools
    • Terminal Emulator
    • Proxy tool (transproxy)
  • 38. Setting Proxy
    • Both the Android phone and the laptop (the machine to be used in auditing) need to be in the same wireless LAN.
    • Provide the laptop's IP address and the port where the proxy is listening in the proxy tool (transproxy) installed on the machine.
  • 39. Intercepting Traffic (Burp)
    • Burp is an HTTP proxy tool
    • Able to intercept layer 7 traffic and allows users to manipulate HTTP requests and responses
  • 40. Memory Analysis with Terminal Emulator
    • DD command: dd if=filename.xyz of=/sdcard/SDA.dd
    • Application path on the Android device: /data/data/com.application_name
  • 41. Memory Analysis with Terminal Emulator
  • 42. Memory Analysis with Terminal Emulator
  • 43. Lab: GoatDroid. A vulnerable Android application from OWASP
  • 44. GoatDroid: Setting up
    • Install MySQL
    • Install the fourgoats database.
    • Create a user with name "goatboy", password "goatdroid" and Limit Connectivity to Hosts Matching "localhost". Also "goatboy" needs to have insert, delete, update, select on the fourgoats database.
  • 45. GoatDroid: Setting up
    • Run the goatdroid-beta-v0.1.2.jar file
    • Set the path for the Android SDK root directory and Virtual Devices: click Configure -> Edit and click on the Android tab
    • Set the path for the Android SDK; typically it should be C:\Program Files\Android\android-sdk
    • Set the path for Virtual Devices; typically it should be C:\Documents and Settings\Manish\android\avd
  • 46. GoatDroid: Setting up
    • Start web services
    • Start the emulator through the GoatDroid jar file
    • Push / install the application to the device
    • Run the FourGoats application from the emulator
    • Click on Menu and then click on Destination Info
    • Provide the following information in the required fields: Server: 10.0.2.2 and Port 8888
  • 47. GoatDroid: Setting up. Demo / Hands On
  • 48. GoatDroid: Setting up proxy
    • Assuming FourGoats is already installed
    • Run the goatdroid-beta-v0.1.2.jar file and start web services
    • Start any HTTP proxy tool (Burp) on port 7000
    • Configure Burp to forward the incoming traffic to port 8888
    • Start the emulator from the command line with the following command: emulator -avd test2 -http-proxy 127.0.0.1:7000
  • 49. GoatDroid: Setting up proxy
    • Open the FourGoats application in the emulator
    • Click on Menu to set Destination Info
    • Set Destination Info as below: Server: 10.0.2.2 and port 7000
    • Now see if you are able to intercept the traffic in Burp
  • 50. GoatDroid: Setting up Proxy. Demo / Hands On
  • 51. GoatDroid: Intercepting Traffic. Demo / Hands On
  • 52. GoatDroid: Parameter Manipulation Attack. Demo / Hands On
  • 53. GoatDroid: Handset Memory Analysis. Demo / Hands On
  • 54. GoatDroid: Auditing from Android Device
    • Install the app on the Android device
    • Set the destination info as below: Server: IP address (WLAN) of your laptop and port 8888 (in case no proxy is listening)
    • Memory analysis through Terminal Emulator and the dd command
  • 55. GoatDroid: Reverse Engineering. Next Topic
  • 56. Reverse Engineering Android Applications
  • 57. Reverse Engineering Android Application
    • Vulnerabilities can be found through reverse engineering:
    • Vulnerabilities in source code
    • Re-compile the application
    • Commented code
    • Hard-coded information
  • 58. Reverse Engineering Android Application
    • Dex to jar (dex2jar): C:\dex2jar-version\dex2jar.bat someApk.apk
    • Open the code files in any Java decompiler
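Once dex2jar and a decompiler have produced readable Java, the items listed on slide 57 (hard-coded information, commented-out code, cleartext endpoints) can be triaged with a line scanner before a manual review. This is an added example, not code from the deck or from GoatDroid; the Java snippet it scans is constructed here and the rule patterns are illustrative assumptions.

```python
import re

# Constructed stand-in for what a Java decompiler shows after dex2jar; not GoatDroid's real source.
SAMPLE_JAVA = """package com.example.fourgoats;
public class Login {
    private static final String API_KEY = "CONSTRUCTED-EXAMPLE-KEY-0000";
    private static final String SERVER = "http://10.0.2.2:8888/";
    // TODO remove before release: admin/admin123 still works on the test server
    public boolean login(String user, String pw) {
        // String hardcoded = "goatboy:goatdroid";
        return user.equals("admin") && pw.equals("admin123");
    }
}
"""

# (finding label, regex applied to one line of decompiled source); patterns are illustrative.
RULES = [
    ("hardcoded credential",
     re.compile(r'(?i)\b(pass(word|wd)?|pwd|pin|secret|api_?key|token)\w*\s*=\s*"[^"]+"')),
    ("credential compared to literal",
     re.compile(r'(?i)\b(pw|pwd|pass\w*|pin|token)\s*\.equals\("[^"]+"\)')),
    ("cleartext endpoint", re.compile(r'"http://[^"]+"')),
    ("credential in comment",
     re.compile(r'(?i)^\s*//.*\b(admin|password|passwd|credential)\b')),
    ("commented-out code", re.compile(r'^\s*//.*;\s*$')),
]

def scan_source(src):
    """Return (line_number, label) for every rule that fires on each source line."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for label, rx in RULES:
            if rx.search(line):
                findings.append((lineno, label))
    return findings

def scan_file(path):
    """Scan one decompiled .java file (as produced after dex2jar + a decompiler)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_source(fh.read())
```

Run scan_file over every .java file the decompiler wrote; each hit is a line to inspect by hand, since the patterns trade precision for coverage.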
  • 59. Reverse Engineering Android Application. Demo / Hands On
  • 60. Agnitio
    • Mobile application code review tool
    • Install: next-next process
    • Can analyze a codebase as well as an .apk file
  • 61. Agnitio. Demo / Hands On
  • 62. Analyzing SQLite Database
  • 63. Analyzing SQLite Database
    • SQLite is a widely used, lightweight database
    • Used by most mobile OSs, i.e. iPhone, Android, Symbian, webOS
    • SQLite is a free to use and open source database
    • Zero-configuration: no setup or administration needed
    • A complete database is stored in a single cross-platform disk file
  • 64. Analyzing SQLite Database
    • Pull the .db files out of the emulator / device as explained earlier
    • Tools: SQLite browser, Epilog
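After adb pull of an app's .db files, the .schema and .dump checks from slides 28 and 64 can be automated to flag sensitive-looking columns whose values are stored in cleartext. This is an added example, not the deck's or GoatDroid's own code; the database it builds is constructed here with Python's sqlite3 module, and the column-name and hex-digest heuristics are assumptions.

```python
import os, re, sqlite3, tempfile

# Column names that commonly hold data an app should not keep in the clear.
SENSITIVE = re.compile(r"pass(word|wd)?|pwd|pin|token|secret|cvv|ssn", re.I)
# A 32+ character lowercase hex string is treated as a digest, not cleartext.
HEX_DIGEST = re.compile(r"^[0-9a-f]{32,}$")

def build_sample_db(path):
    """Constructed stand-in for a .db pulled with 'adb pull'; not GoatDroid's real schema."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE sessions(id INTEGER PRIMARY KEY, auth_token TEXT);
        INSERT INTO users VALUES (1, 'goatboy', 'goatdroid');
        INSERT INTO users VALUES (2, 'alice', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO sessions VALUES (1, 'session-token-for-goatboy-1234567890');
    """)
    con.commit()
    con.close()

def schema(path):
    """Same information as .schema in the sqlite3 shell: {table: [column names]}."""
    con = sqlite3.connect(path)
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY rowid")]
    cols = {t: [c[1] for c in con.execute(f'PRAGMA table_info("{t}")')] for t in tables}
    con.close()
    return cols

def audit_db(path):
    """Return (table, column, cleartext_rows) for sensitive-looking columns holding cleartext."""
    findings = []
    con = sqlite3.connect(path)
    for table, columns in schema(path).items():
        for col in columns:
            if not SENSITIVE.search(col):
                continue          # column name does not look sensitive; skip it
            rows = con.execute(f'SELECT "{col}" FROM "{table}"').fetchall()
            clear = [r[0] for r in rows if r[0] and not HEX_DIGEST.match(str(r[0]))]
            if clear:
                findings.append((table, col, len(clear)))
    con.close()
    return findings

def run_demo():
    """Build the constructed database in a temp dir, audit it and return the findings."""
    path = os.path.join(tempfile.mkdtemp(), "fourgoats_constructed.db")
    build_sample_db(path)
    return audit_db(path)
```

Point audit_db at a real pulled file to get the same (table, column, count) list; a hex digest only means the value is not obviously cleartext, so hits and non-hits alike still deserve a look in SQLite browser.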
  • 65. Analyzing SQLite Database. Demo / Hands On
  • 66. ExploitMe. One more vulnerable application, from Security Compass
  • 67. ExploitMe. Demo / Hands On
  • 68. Manish Chasta. Email: manish.chasta@indusface.com
  • 69. Thank You. Sales: sales@indusface.com; Marketing: marketing@indusface.com; Technical: support@indusface.com
    • VADODARA, INDIA: A/2-3, 3rd Floor, Status Plaza, Opp Relish Resort, Atladara Old Padra Road, Vadodara – 390020, Gujarat, India. T: +91 265 3933000, F: +91 265 2355820
    • BANGALORE, INDIA: 408, 2nd Floor, Regency Enclave, 4, Magrath Road, Bangalore – 560025, Karnataka, India. T: +91 80 65608570, +91 80 65608571
    • MUMBAI, INDIA: 1357 / 1359, Regus Serviced Offices, Level 13, Platinum Techno Park, 17 & 18, Sector 30, Vashi, Navi Mumbai – 400705, Maharashtra, India. T: +91 22 61214961, F: +91 80 41129296
    • OTTAWA, CANADA: 137 Goodman Drive, Kanata, Ottawa K2W 1C7, Ontario, Canada. T: +1 613 721 9363
    • HOUSTON, USA: 1001 Fannin Street, Ste 1250, Houston, Texas 77002, USA. T: +1 832 295 1462