Manish Chasta - Securing Android Applications
  • The figures have reached 17.7 billion, a 117% increase compared to applications downloaded in 2010
  • Transcript

    • 1. Manish Chasta | CISSP, CHFI, ITIL
    • 2. Principal Consultant @ Indusface, India. Over 6 years of experience in information and application security. CISSP, CHFI, ITIL
    • 3. What comes to any Indian's mind when they think of Russia?
    • 4. Introduction to Android and mobile applications; working with the Android SDK and emulator; setting up the GoatDroid application; memory analysis; intercepting Layer 7 traffic; reverse engineering Android applications; SQLite database analysis; demo: ExploitMe application
    • 5. Gartner says: 8.2 billion mobile applications were downloaded in 2010; 17.7 billion by 2011; 185 billion applications will have been downloaded by 2014
    • 6. Most widely used mobile OS. Developed by Google. OS + middleware + applications. The Android Open Source Project (AOSP) is responsible for maintenance and further development
    • 7. Linux kernel with system services: security, memory and process management, network stack. Provides drivers to access hardware: camera, display and audio, Wi-Fi, ...
    • 8. Core libraries: written in Java; provide the functionality of the Java programming language; interpreted by the Dalvik VM. Dalvik VM: a Java-based VM, a lightweight substitute for the JVM; unlike the JVM, the DVM is a register-based virtual machine; the DVM is optimized to run with limited main memory and low CPU usage; Java code (.class files) is converted into .dex format to be able to run on the Android platform
    • 9. Thick and thin client; security measures; user awareness
    • 10. Handset / Android device; Android SDK and Eclipse; emulator; wireless connectivity; and of course... the application file
    • 11. What we need: Android SDK; Eclipse; GoatDroid (Android app from OWASP); MySQL; .NET Framework; proxy tool (Burp); Agnitio; Android device (optional); SQLite Browser
    • 12. Development environment for Android application development. Components: SDK Manager, AVD Manager, emulator
    • 13. Can be downloaded from developer.android.com/sdk/. Requires the JDK to be installed. Install Eclipse. Install the ADT plugin for Eclipse
    • 14. Simple next-next process
    • 15. Go to Help -> Install New Software. Click Add. Give the name as ADT Plugin. Provide the following address in Location: http://dl-ssl.google.com/android/eclipse/. Press OK. Check the box next to 'Developer Tools' and press Next. Click Next and accept the terms and conditions. Click Finish
    • 16. Now go to Window -> Preferences. Click on Android in the left panel. Browse to the Android SDK directory. Press OK
    • 17.  Click on Start
    • 18. Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with an emulator instance or a connected Android-powered device. You can find the adb tool in <sdk>/platform-tools/
    • 19. Install an application to the emulator or device:
    • 20. Push data to the emulator / device: adb push <local> <remote>. Pull data from the emulator / device: adb pull <remote> <local>. Remote -> emulator, local -> machine
    • 21. Getting a shell on the emulator or device: adb shell. Reading logs: adb logcat
    • 22. Reading a SQLite3 database: adb shell; go to the path; sqlite3 database_name.db; .dump to see the content of the db file and .schema to print the schema of the database on the screen
    • 23.  What is Android Rooting?
    • 24. Step 1: Download the CF rooted kernel files and the Odin3 software
    • 25. Step 2: Put the handset in debugging mode
    • 26. Step 3: Run Odin3
    • 27. Step 4: Reboot the phone into download mode. Step 5: Connect it to the PC
    • 28. Step 6: Select the required files, i.e. the PDA, Phone and CSC files. Step 7: Tick Auto Reboot and F. Reset Time and hit the Start button
    • 29. If your phone is rooted... you will see PASS!! in Odin3
    • 30. Terminal Emulator; proxy tool (transproxy)
    • 31. Both the Android phone and the laptop (the machine to be used in auditing) need to be on the same wireless LAN. Provide the laptop's IP address and the port where the proxy is listening in the proxy tool (transproxy) on the device.
    • 32. Burp is an HTTP proxy tool. It is able to intercept Layer 7 traffic and allows users to manipulate HTTP requests and responses
    • 33. dd command: dd if=filename.xyz of=/sdcard/SDA.dd. Application path on the Android device: /data/data/com.application_name
    • 34. Install MySQL. Install the fourgoats database. Create a user named "goatboy" with password "goatdroid" and limit connectivity to hosts matching "localhost". "goatboy" also needs INSERT, DELETE, UPDATE and SELECT on the fourgoats database.
    • 35. Run the goatdroid-beta-v0.1.2.jar file. Set the path for the Android SDK root directory and for virtual devices: click Configure -> Edit and click on the Android tab; set the path for the Android SDK, typically C:\Program Files\Android\android-sdk; set the path for virtual devices, typically C:\Documents and Settings\Manish\.android\avd
    • 36. Start the web services. Start the emulator through the GoatDroid jar file. Push / install the application to the device. Run the FourGoats application from the emulator. Click on Menu and then click on Destination Info. Provide the following information in the required fields: Server: 10.0.2.2 and Port: 8888
    • 37. Demo / Hands On
    • 38. Assuming FourGoats is already installed. Run the goatdroid-beta-v0.1.2.jar file and start the web services. Start any HTTP proxy tool (Burp) on port 7000. Configure Burp to forward the incoming traffic to port 8888. Start the emulator from the command line with the following command: emulator -avd test2 -http-proxy 127.0.0.1:7000
    • 39. Open the FourGoats application in the emulator. Click on Menu to set Destination Info. Set Destination Info as below: Server: 10.0.2.2 and port 7000. Now see if you are able to intercept the traffic in Burp
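What slides 32 and 38-39 set up is a proxy sitting between the emulator (talking to 10.0.2.2:7000) and the GoatDroid web service (on 8888), so that any request can be read and changed before it is forwarded. The following is an added example, not code from the slides or from the GoatDroid project: it performs the same step in plain Python on a constructed request (the /fourgoats/api/v1/checkin path and the form fields are assumptions), rewriting one form field, fixing Content-Length and repointing the Host header at the upstream service, which is exactly what Burp does when you edit a request in the Intercept tab and press Forward.

```python
"""Tamper with a request captured between the emulator and the GoatDroid
web service, the way an intercepting Layer 7 proxy such as Burp does.

Added example (not from the slides): parses a raw HTTP request, rewrites a
form field, fixes Content-Length and repoints Host at the upstream service.
The request bytes and the /fourgoats/... path are constructed for the demo.
"""
from urllib.parse import parse_qsl, urlencode

# Constructed sample: the emulator was told Server=10.0.2.2, Port=7000 (slide 39),
# so the request arrives at the proxy with that Host header.
CAPTURED_REQUEST = (
    b"POST /fourgoats/api/v1/checkin HTTP/1.1\r\n"
    b"Host: 10.0.2.2:7000\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 37\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"username=goatboy&venueId=3&latitude=0"
)

# Where the proxy forwards traffic: the GoatDroid web service on 8888 (slide 38).
UPSTREAM = ("10.0.2.2", 8888)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def set_header(headers: list, name: str, value: str) -> list:
    """Replace a header (case-insensitive) while keeping the original order."""
    out, replaced = [], False
    for n, v in headers:
        if n.lower() == name.lower() and not replaced:
            out.append((n, value))
            replaced = True
        else:
            out.append((n, v))
    if not replaced:
        out.append((name, value))
    return out


def tamper_form_field(req: dict, field: str, new_value: str) -> dict:
    """Rewrite one urlencoded form field; Content-Length must follow the new body."""
    params = dict(parse_qsl(req["body"].decode("utf-8"), keep_blank_values=True))
    params[field] = new_value
    body = urlencode(params).encode("utf-8")
    headers = set_header(req["headers"], "Content-Length", str(len(body)))
    return {**req, "body": body, "headers": headers}


def repoint_upstream(req: dict, host: str, port: int) -> dict:
    """Make the Host header match the server the proxy actually forwards to."""
    return {**req, "headers": set_header(req["headers"], "Host", f"{host}:{port}")}


def serialize(req: dict) -> bytes:
    """Re-emit the request as bytes for the upstream socket."""
    start = f'{req["method"]} {req["target"]} {req["version"]}\r\n'
    hdrs = "".join(f"{n}: {v}\r\n" for n, v in req["headers"])
    return (start + hdrs + "\r\n").encode("iso-8859-1") + req["body"]


def intercept(raw: bytes, field: str, new_value: str) -> bytes:
    """The full proxy step: parse, tamper, repoint, re-serialize."""
    req = parse_request(raw)
    req = tamper_form_field(req, field, new_value)
    req = repoint_upstream(req, *UPSTREAM)
    return serialize(req)


if __name__ == "__main__":
    print(intercept(CAPTURED_REQUEST, "username", "admin").decode("iso-8859-1"))
```

The point for the app under test is that nothing sent from the handset can be trusted: the username field the app filled in is just another byte string by the time it reaches the server, so authorization has to be enforced server-side on the authenticated session, not on what the request claims.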
    • 40. Demo / Hands On
    • 41. Demo / Hands On
    • 42. Demo / Hands On
    • 43. Demo / Hands On
    • 44. Install the app on the Android device. Set the destination info as below: Server: IP address (WLAN) of your laptop and port 8888 (in case no proxy is listening). Memory analysis through Terminal Emulator and the dd command
    • 45. Next Topic
    • 46. Vulnerabilities can be found through reverse engineering: vulnerabilities in source code; re-compile the application; commented code; hard-coded information
    • 47. Dex to jar (dex2jar): C:\dex2jar-version\dex2jar.bat someApk.apk. Open the code files in any Java decompiler
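Slides 33 and 44 produce a raw dd image, and slides 46-47 produce decompiled Java; in both cases the next step is the same hunt for what the developer left behind in the clear. The following is an added example, not code from the slides: a small scanner that carves printable strings out of an image (what `strings` does on /sdcard/SDA.dd) and then runs one set of indicator patterns over either the carved strings or decompiled source, plus a separate pass for commented-out statements. The image bytes, the Config class and the pattern list are constructed for the demo; the patterns are a starting set a reviewer would extend, not a complete one.

```python
"""Look for leaked secrets in two artefacts the slides produce: a raw image
taken with dd (slides 33 and 44) and Java sources recovered with dex2jar plus
a decompiler (slides 46 and 47).

Added example, not part of the slides. The image bytes and the Java class are
constructed for the demo; the patterns are a starting set, not a complete one.
"""
import re

MIN_STRING_LEN = 6

# Indicators worth flagging in a memory image or in decompiled source.
SECRET_PATTERNS = {
    # e.g. password=goatdroid, DB_PASSWORD = "goatdroid", apiKey: "..."
    "credential": re.compile(
        r'(?i)(\w*(?:password|passwd|pwd|secret|api_?key|token))\s*[=:]\s*"?([^\s"&;,]+)'),
    "url": re.compile(r"https?://[^\s\"']+"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def carve_strings(image: bytes, min_len: int = MIN_STRING_LEN) -> list:
    """Equivalent of `strings` on a dd image: runs of printable ASCII."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in run.finditer(image)]


def find_secrets(lines) -> list:
    """Return (line_number, kind, matched_text) for every indicator hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for kind, rx in SECRET_PATTERNS.items():
            for m in rx.finditer(line):
                hits.append((lineno, kind, m.group(0)))
    return hits


def find_commented_code(java_source: str) -> list:
    """Commented-out statements often preserve old logic or credentials."""
    return re.findall(r"^\s*//\s*(.*;)\s*$", java_source, re.M)


def analyze_image(image: bytes) -> list:
    """Carve strings from a dd image and scan them."""
    return find_secrets(carve_strings(image))


def analyze_source(java_source: str) -> dict:
    """Scan decompiled source for secrets and commented-out code."""
    return {"secrets": find_secrets(java_source.splitlines()),
            "commented_code": find_commented_code(java_source)}


# Constructed stand-in for a few bytes of /sdcard/SDA.dd: binary noise with
# a login form body, an API URL and a session token sitting in the clear.
MEMORY_IMAGE = (
    b"\x00" * 16 + b"\x7fELF\x01\x01" + b"\x00" * 9
    + b"username=goatboy&password=goatdroid" + b"\x00" * 7
    + b"\xde\xad\xbe\xef" * 3
    + b"http://10.0.2.2:8888/fourgoats/api/v1/login" + b"\x00" * 5
    + b"session_token=d41d8cd98f00b204e9800998ecf8427e" + b"\xff" * 4
)

# Constructed stand-in for a class recovered by dex2jar + a Java decompiler.
DECOMPILED_SOURCE = '''\
package org.owasp.goatdroid.fourgoats;

public class Config {
    // TODO remove before release
    private static final String DB_PASSWORD = "goatdroid";
    static final String API_KEY = "demo-api-key-0000";
    static final String BASE_URL = "http://10.0.2.2:8888/fourgoats/api/v1/";
    // String adminToken = "letmein";
    public static boolean isAdmin(String user) {
        // return user.equals("goatboy") || true;
        return user.equals("admin");
    }
}
'''

if __name__ == "__main__":
    for hit in analyze_image(MEMORY_IMAGE):
        print("image :", hit)
    report = analyze_source(DECOMPILED_SOURCE)
    for hit in report["secrets"]:
        print("source:", hit)
    for stmt in report["commented_code"]:
        print("commented-out:", stmt)
```

Run against a real dump, the output is a triage list rather than a verdict: a hit on a session token in process memory is expected while the session is live, a hit on a clear-text password in a Config class is a finding, and the commented-out `|| true` is the kind of leftover that tells you how the check used to be bypassed during development.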
    • 48. Demo / Hands On
    • 49. Mobile application code review tool. Install: next-next process. Can analyze a codebase as well as an .apk file
    • 50. Demo / Hands On
    • 51. SQLite database: SQLite is a widely used, lightweight database. Used by most mobile OSes, i.e. iPhone, Android, Symbian, webOS. SQLite is free to use and open source. Zero configuration: no setup or administration needed. A complete database is stored in a single cross-platform disk file.
    • 52. Pull the .db files out of the emulator / device as explained earlier. Tools: SQLite Browser, Epilog
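Slide 22 reads a pulled database with the sqlite3 shell's .schema and .dump, and slides 51-52 do the same through SQLite Browser; what the reviewer is actually looking for is sensitive data stored in the clear in a file any root user (or backup) can read. The following is an added example, not code from the slides: it reproduces .schema and .dump from Python's sqlite3 module, then flags columns whose names suggest secrets and pulls a few values so you can see whether they are hashed. The database is built in memory as a stand-in for a FourGoats-style app DB; its table and column names are assumptions, and open_pulled_db() is the entry point for a file fetched with adb pull.

```python
"""Inspect a pulled application database the way `.schema` and `.dump` do,
then flag columns that look like they hold sensitive data in clear text.

Added example, not part of the slides. The database is built in memory to
mimic a FourGoats-style app DB; its table and column names are assumptions.
Point open_pulled_db() at a file fetched with `adb pull` to run it for real.
"""
import re
import sqlite3

# Column-name heuristic: whole name or an underscore-delimited part of it.
SENSITIVE = re.compile(r"(?i)(^|_)(pass(word)?|pwd|secret|token|pin|ssn|card)($|_)")


def q(identifier: str) -> str:
    """Quote an identifier read from sqlite_master before using it in SQL."""
    return '"' + identifier.replace('"', '""') + '"'


def open_pulled_db(path: str) -> sqlite3.Connection:
    """Open a pulled .db read-only so the evidence is not modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for /data/data/<app>/databases/<name>.db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY, username TEXT, password TEXT, session_token TEXT);
        CREATE TABLE checkins (
            id INTEGER PRIMARY KEY, user_id INTEGER, venue TEXT, ts TEXT);
        INSERT INTO users VALUES (1, 'goatboy', 'goatdroid', 'b1946ac92492d2347c6235b4d2611184');
        INSERT INTO checkins VALUES (1, 1, 'Red Square', '2012-10-14T10:00:00Z');
    """)
    return conn


def schema(conn) -> list:
    """Same information as sqlite3's .schema command."""
    rows = conn.execute(
        "SELECT sql FROM sqlite_master WHERE sql IS NOT NULL ORDER BY name")
    return [r[0] for r in rows]


def dump(conn) -> list:
    """Same SQL text as sqlite3's .dump command."""
    return list(conn.iterdump())


def sensitive_columns(conn) -> list:
    """(table, column) pairs whose names suggest secrets."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for _cid, name, _type, _notnull, _dflt, _pk in conn.execute(
                f"PRAGMA table_info({q(table)})"):
            if SENSITIVE.search(name):
                hits.append((table, name))
    return hits


def cleartext_samples(conn, hits, limit: int = 3) -> dict:
    """Pull a few values so the reviewer can judge whether they are hashed."""
    samples = {}
    for table, col in hits:
        rows = conn.execute(
            f"SELECT {q(col)} FROM {q(table)} WHERE {q(col)} IS NOT NULL LIMIT ?",
            (limit,))
        samples[(table, col)] = [r[0] for r in rows]
    return samples


if __name__ == "__main__":
    db = build_demo_db()
    print("\n".join(schema(db)))
    for loc, values in cleartext_samples(db, sensitive_columns(db)).items():
        print(loc, "->", values)
```

Two caveats when using this on a real pull: open the file read-only (the uri form above) so the hash of the evidence stays stable, and treat the column-name check as a way to prioritise, not as proof; a column called `data` holding a serialized object can carry the same password and will only show up in the dump.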
    • 53. Demo / Hands On
    • 54. Demo / Hands On
    • 55. Thank you (Спасибо). Manish Chasta. Email: manish.chasta@owasp.org. Twitter: twitter.com/manish_chasta. LinkedIn: http://www.linkedin.com/pub/dir/Manish/Chasta
