Pentesting Android Applications
whoami
Cláudio André
@clviper
ca@integrity.pt
Pentester at Integrity S.A.
Web applications, Mobile applications and Infrastructure.
BSc in Management Information Technology and OSCP.
Photography addict.
Up next...
- Environment Setup
- Tools Of The Trade
- App Analysis
- Developers Heads Up
Environment Setup
- Physical Equipment
- Android SDK Emulator
- Android x86
Environment Setup: Android x86
Hints (VirtualBox shortcuts):
- Mouse inside VM: Disable Mouse Integration (Host+I)
- Portrait resolution: edit /mnt/grub/menu.lst and insert UVESA_MODE=320x480 DPI=160
- Black screen (locked screen): ACPI Shutdown (Host+H)
- Android shell: Ctrl+F1 / Ctrl+F7
Environment Setup
- Root your device *
- Allow Unknown Sources (Settings -> Security)
- Install a proxy app (ProxyDroid, AutoProxy, etc.)
- Connect to your favorite proxy server (Burp Proxy, Fiddler, etc.)
* Physical approach only
Tools Of The Trade: Android SDK
Software Development Kit containing API libraries and developer tools to build, test and debug Android apps.
For our context, the most important ones are adb, aapt, ddms and the emulator.
http://developer.android.com/sdk/
Tools Of The Trade: Android Debug Bridge (ADB)
Command-line tool to communicate with an emulator instance or a connected physical/virtual device.
http://developer.android.com/sdk/
Useful commands:
adb devices
adb connect
adb shell
adb install
adb push | pull
.....
Tools Of The Trade: Dalvik Debug Monitor Server (DDMS)
Debugging tool that provides port forwarding, screen capture, heap dumps, logcat, a file manager and many other features.
http://developer.android.com/sdk/
Tools Of The Trade: QtADB
Android manager: file manager and application manager, access to logs and shell, screenshots, etc. *
http://qtadb.wordpress.com/
* Requires aapt, which comes with the Android SDK.
DEMO: QtADB
http://youtu.be/H4ysZblviZg
Tools Of The Trade: dex2jar
Tool for converting Android .dex (Dalvik bytecode) files to Java .class format.
https://code.google.com/p/dex2jar/
Tools Of The Trade: JD-GUI
Java decompiler with a GUI that displays the Java source code recovered from class files.
http://jd.benow.ca/
Tools Of The Trade: APKParser
Extracts the plain-text AndroidManifest.xml from an APK (inside the package the manifest is stored as binary XML).
https://code.google.com/p/xml-apk-parser/
Tools Of The Trade: Introspy-Android + Introspy-Analyzer
Introspy-Android: tool to analyse app behaviour at runtime and help identify potential security issues.
Introspy-Analyzer: tool to generate HTML reports from the database produced by Introspy-Android.
https://github.com/iSECPartners/Introspy-Android
Tools Of The Trade: Android-SSL-TrustKiller
Tool to bypass SSL certificate pinning for most applications. *
https://github.com/iSECPartners/Android-SSL-TrustKiller
* Custom pinning implementations may need custom hooking.
Tools Of The Trade: Android-SSL-TrustKiller (Bypassing Pinning)
Install Cydia Substrate + Android-SSL-TrustKiller.
Hint: turn off SSL TrustKiller (steps #1 and #2 are shown as screenshots in the original slide).
Tools Of The Trade: Validate Pinning
Proxy Server CA Certificate
Hint (Validate Pinning):
#1 Browse to the proxy server address and download the certificate
#2 Open the file via File Manager
#3 Save the certificate
DEMO: Android-SSL-TrustKiller
http://youtu.be/8NwbmSI9OWo
Tools Of The Trade: Drozer (ex-Mercury)
Security testing framework, great for determining the app attack surface and interacting with it.
https://www.mwrinfosecurity.com/products/drozer/
DEMO: Drozer (ex-Mercury)
http://youtu.be/KAWPfHLHO0Y
Tools Of The Trade: Burp Suite
Integrated platform for security testing of web applications. For our context the main interest is the Proxy functionality, used to intercept and inspect requests between the app and the backend.
http://portswigger.net/burp/
App Analysis: Android Environment Sandboxing
Each app runs in its own Dalvik process under its own Linux UID, with its own private data directory:
APP1 (Dalvik) - process UID 10000 - /data/data/app1
APP2 (Dalvik) - process UID 10001 - /data/data/app2
App Analysis: Android Application Components
- Activities
- Services
- Broadcast Receivers
- Content Providers
App Analysis: Android Application Package File (.apk)
Zip archive containing the Dalvik class files (classes.dex), assets, resources and AndroidManifest.xml.
Stored at /data/app
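As an added example (not code from the slides), the script below inventories an APK the way a tester does before reaching for dex2jar: it lists the manifest, dex files, assets and v1 signature block, and parses the classes.dex header, recomputing its Adler-32 checksum and SHA-1 signature so a patched dex stands out. The APK it builds is a constructed stand-in: the manifest is plain text and the dex is header-only, so everything runs offline; a real package carries a binary manifest and a dex with code.

```python
"""Inventory an APK and sanity-check the header of its classes.dex.

Added example, not code from the original deck. The APK built below is a
constructed stand-in: plain-text AndroidManifest.xml, header-only dex.
"""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70        # the dex header is always 112 bytes
DEX_ENDIAN_TAG = 0x12345678   # stored little-endian; anything else means a byte-swapped file


def build_header_only_dex(version=b"035"):
    """Construct a minimal dex (header only) whose checksum and signature are consistent."""
    dex = bytearray(DEX_HEADER_SIZE)
    dex[0:8] = b"dex\n" + version + b"\x00"            # magic: "dex\n035\0"
    struct.pack_into("<I", dex, 0x20, DEX_HEADER_SIZE)  # file_size
    struct.pack_into("<I", dex, 0x24, DEX_HEADER_SIZE)  # header_size
    struct.pack_into("<I", dex, 0x28, DEX_ENDIAN_TAG)   # endian_tag
    # signature: SHA-1 over everything after the signature field (0x20 to EOF)
    dex[0x0C:0x20] = hashlib.sha1(dex[0x20:]).digest()
    # checksum: Adler-32 over everything after the checksum field (0x0C to EOF)
    struct.pack_into("<I", dex, 0x08, zlib.adler32(bytes(dex[0x0C:])) & 0xFFFFFFFF)
    return bytes(dex)


def parse_dex_header(dex):
    """Decode the dex header and recompute its two integrity fields.

    checksum_ok/signature_ok say whether the stored values match the bytes
    actually present; a mismatch is a quick hint that the dex was modified.
    """
    if len(dex) < DEX_HEADER_SIZE or dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    (checksum,) = struct.unpack_from("<I", dex, 0x08)
    signature = bytes(dex[0x0C:0x20])
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 0x20)
    ids = struct.unpack_from("<12I", dex, 0x38)  # (size, off) pairs: string, type, proto, field, method, class_def
    body = bytes(dex[:file_size])
    return {
        "version": dex[4:7].decode("ascii"),
        "file_size": file_size,
        "header_size": header_size,
        "little_endian": endian_tag == DEX_ENDIAN_TAG,
        "strings": ids[0], "types": ids[2], "protos": ids[4],
        "fields": ids[6], "methods": ids[8], "classes": ids[10],
        "checksum_ok": checksum == (zlib.adler32(body[0x0C:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(body[0x20:]).digest(),
    }


# Constructed plain-text manifest; a real APK stores this as binary XML.
SAMPLE_MANIFEST = (b'<?xml version="1.0" encoding="utf-8"?>\n'
                   b'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
                   b'package="com.example.app"><application android:label="Example">'
                   b'<activity android:name=".MainActivity"/></application></manifest>')


def build_sample_apk():
    """Assemble an APK-shaped zip in memory with the entries a tester expects to see."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", SAMPLE_MANIFEST)
        z.writestr("classes.dex", build_header_only_dex())
        z.writestr("resources.arsc", b"")
        z.writestr("res/layout/main.xml", b"<LinearLayout/>")
        z.writestr("assets/config.json", b'{"api": "https://api.example.test"}')  # constructed
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")  # placeholder, not a real PKCS#7 blob
    return buf.getvalue()


def inventory_apk(apk_bytes):
    """List what the package ships plus the parsed header of every top-level dex."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex_files = sorted(n for n in names if n.endswith(".dex") and "/" not in n)
        return {
            "entries": len(names),
            "has_manifest": "AndroidManifest.xml" in names,
            "dex": dex_files,
            "assets": sorted(n for n in names if n.startswith("assets/")),
            # v1 (JAR) signing leaves META-INF/*.RSA, *.DSA or *.EC next to CERT.SF
            "signed_v1": any(n.startswith("META-INF/") and n.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC")
                             for n in names),
            "dex_headers": {n: parse_dex_header(z.read(n)) for n in dex_files},
        }


if __name__ == "__main__":
    for key, value in inventory_apk(build_sample_apk()).items():
        print(key, "=", value)
```

Point it at a real APK with `inventory_apk(open(path, "rb").read())`; the manifest will come back as binary XML, which is where APKParser or aapt takes over.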
App Analysis: AndroidManifest.xml
Presents information about the app to the system:
- Describes the app components
- Defines permissions
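The manifest is where the exported attack surface that Drozer enumerates (and that the Client Side Injection advice later in the deck is about) is declared. The script below is an added example, not code from the slides or from Drozer: it reads a plain-text manifest as APKParser or aapt would print it and applies the platform's export rules (an explicit android:exported wins; activities, services and receivers are otherwise exported only when they declare an intent-filter; providers are otherwise exported by default only when the effective target SDK is 16 or lower), then lists the exported components that no permission protects. The package com.example.app and its components are constructed for the demo.

```python
"""Compute an app's exported attack surface from its plain-text AndroidManifest.xml.

Added example, not from the original deck or from drozer. Package and
components below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
  <permission android:name="com.example.app.permission.READ_USERS" android:protectionLevel="signature"/>
  <application android:label="Example">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".InternalActivity"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".UserProvider" android:authorities="com.example.app.users"/>
    <provider android:name=".SecureProvider" android:authorities="com.example.app.secure"
              android:exported="true" android:permission="com.example.app.permission.READ_USERS"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def effective_sdk(root):
    """targetSdkVersion if set, else minSdkVersion, else 1: the order the platform uses."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None:
        for name in ("targetSdkVersion", "minSdkVersion"):
            value = _attr(uses_sdk, name)
            if value and value.isdigit():
                return int(value)
    return 1


def component_exposure(manifest_xml):
    """One record per component with its resolved export status and the rule that decided it."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    sdk = effective_sdk(root)
    app = root.find("application")
    records = []
    for elem in (app if app is not None else []):
        if elem.tag not in COMPONENT_TAGS:
            continue
        name = _attr(elem, "name") or ""
        if name.startswith("."):
            name = package + name              # ".Foo" is shorthand for "<package>.Foo"
        elif "." not in name:
            name = package + "." + name        # a bare "Foo" is relative to the package too
        filters = len(elem.findall("intent-filter"))
        explicit = _attr(elem, "exported")
        if explicit is not None:
            exported, reason = explicit.lower() == "true", "android:exported=" + explicit
        elif elem.tag == "provider":
            exported, reason = sdk <= 16, "provider default for SDK %d" % sdk
        else:
            exported, reason = filters > 0, "%d intent-filter(s)" % filters
        # readPermission/writePermission only gate one direction of a provider,
        # so a provider carrying just one of them still deserves a manual look.
        perms = [p for p in (_attr(elem, "permission"), _attr(elem, "readPermission"),
                             _attr(elem, "writePermission")) if p]
        records.append({"type": elem.tag, "name": name, "exported": exported,
                        "reason": reason, "permissions": perms, "intent_filters": filters})
    return records


def attack_surface(manifest_xml):
    """Exported components with no permission in front of them: reachable via drozer, am or content."""
    return [r for r in component_exposure(manifest_xml) if r["exported"] and not r["permissions"]]


if __name__ == "__main__":
    for r in attack_surface(SAMPLE_MANIFEST):
        print("%-10s %-36s %s" % (r["type"], r["name"], r["reason"]))
```

On the sample, the launcher activity, the explicitly exported AdminActivity, the BootReceiver (implicitly exported by its intent-filter) and UserProvider (exported by the pre-17 provider default) come back as reachable; SecureProvider is exported but sits behind a signature permission, and InternalActivity and SyncService are not exported at all.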
App Analysis: Shared Preferences
XML file with key-value pairs, used for app settings; stored under /data/data/<package>/shared_prefs.
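Shared Preferences are the first thing to pull from a rooted device, and the two checks worth automating are the ones the Developers Heads Up section comes back to: was the file created with MODE_WORLD_READABLE (or WRITEABLE), and does it hold cleartext secrets. The script below is an added example, not code from the slides. Both inputs are constructed: a toolbox-style listing as `adb shell ls -l /data/data/com.example.app/shared_prefs` would print it, and two preference files as they would come back from `adb pull`. A file written with MODE_WORLD_READABLE shows up as -rw-rw-r--, readable by every other app on the device; MODE_PRIVATE gives -rw-rw----.

```python
"""Triage a pulled shared_prefs directory: file modes first, then contents.

Added example, not from the original deck. The listing and preference files
are constructed to look like a real device's output.
"""
import re
import xml.etree.ElementTree as ET

# Matches both toolbox ("-rw-rw---- owner group size date time name") and
# toybox ("-rw-rw---- 1 owner group size date time name") ls -l output.
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+(?:\d+\s+)?(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\S+\s+\S+\s+(?P<name>.+)$")
# Coarse key-name heuristic; expect some false positives and review them by hand.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|pwd|pin|secret|token|session|api_?key|cred|card|ssn|auth", re.I)

SAMPLE_LISTING = """\
-rw-rw-r-- u0_a45   u0_a45        466 2014-03-11 10:02 com.example.app_preferences.xml
-rw-rw---- u0_a45   u0_a45        233 2014-03-11 10:02 session.xml
-rw-rw-rw- u0_a45   u0_a45        120 2014-03-11 10:03 cache_settings.xml
"""

SAMPLE_PREFS = {
    "com.example.app_preferences.xml": """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">goat</string>
    <string name="password">Sup3rS3cret!</string>
    <boolean name="remember_me" value="true" />
    <int name="launch_count" value="7" />
</map>""",
    "session.xml": """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="auth_token">tok_c0ffee1234</string>
    <long name="expires" value="1394535600" />
</map>""",
}


def app_uid(owner):
    """Map a toolbox owner label such as u0_a45 to its numeric UID: user*100000 + 10000 + app index."""
    m = re.fullmatch(r"u(\d+)_a(\d+)", owner)
    return int(m.group(1)) * 100000 + 10000 + int(m.group(2)) if m else None


def parse_listing(listing):
    """Turn an ls -l listing into records with world-readable/writable flags."""
    records = []
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue
        mode = m.group("mode")  # index 0 = type, 1-3 user, 4-6 group, 7-9 other
        records.append({
            "name": m.group("name"),
            "mode": mode,
            "owner": m.group("owner"),
            "uid": app_uid(m.group("owner")),
            "size": int(m.group("size")),
            "world_readable": mode[7] == "r",
            "world_writable": mode[8] == "w",
        })
    return records


def sensitive_entries(prefs_xml):
    """Return (key, type, value) for preference entries whose key names look like credentials."""
    found = []
    for entry in ET.fromstring(prefs_xml):
        key = entry.get("name", "")
        if SENSITIVE_KEY.search(key):
            value = entry.text if entry.tag == "string" else entry.get("value")
            found.append((key, entry.tag, (value or "").strip()))
    return found


def triage(listing, prefs_files):
    """Combine both checks into a flat list of (category, file, detail) findings."""
    findings = []
    for rec in parse_listing(listing):
        if rec["world_readable"] or rec["world_writable"]:
            findings.append(("WORLD_ACCESS", rec["name"], rec["mode"]))
        for key, kind, value in sensitive_entries(prefs_files.get(rec["name"], "<map/>")):
            findings.append(("CLEARTEXT_SECRET", rec["name"], "%s=%r" % (key, value)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LISTING, SAMPLE_PREFS):
        print("%-17s %-34s %s" % finding)
```

The same owner label ties back to the sandboxing slide: u0_a45 is app index 45 of user 0, UID 10045, and only that UID (or root) is meant to read the directory unless the mode bits say otherwise.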
App Analysis: SQLite Databases
Single-file relational database used to store application data and settings; found under /data/data/<package>/databases.
App Analysis: OWASP Top 10 Mobile Risks
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
. . . . . . . . .
App Analysis: GoatDroid
FourGoats is a location-based social network built for sharing everything about your life with everyone. Using FourGoats, you can check in at various places, earn loyalty rewards, and see what your friends are doing as well as where they are doing it.
FourGoats also provides an API to other applications to allow their users to share even more of their activities than ever before!
https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project
DEMO: GoatDroid
http://youtu.be/3DpLKK90oAY
http://youtu.be/tAyLOn5ttFo
App Analysis: The Lost Art of Keeping a Secret
DEMO: http://youtu.be/QJF-pvpRSFE
Developers Heads Up
• Insecure Data Storage
- Create Shared Preferences with MODE_PRIVATE, never MODE_WORLD_READABLE (or MODE_WORLD_WRITEABLE).
- Sensitive information should not be stored. If it must be, encrypt it with a key derived from the user's password/PIN, not with a hardcoded encryption key. The data is still vulnerable to offline brute force, so enforce a strong password policy.
• Insufficient Transport Layer Protection
- Apply SSL/TLS on every channel over which the app transmits sensitive information to the backend.
- Implement certificate pinning if very sensitive information is transmitted.
• Client Side Injection
- Only export components (Activities, Services, Broadcast Receivers, Content Providers) where it makes sense, and only those that cannot be used to bypass access controls or leak internal information.
• Lack of Binary Protection
- Obfuscate your code, at minimum with ProGuard. Don't make your attacker's life easier.
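The "derive the key from the user's PIN, but expect offline brute force" advice is easiest to appreciate with numbers. The block below is an added example, not code from the slides: it derives a key with PBKDF2-HMAC-SHA256 from the stdlib, stores only salt, iteration count and a short key-check value (the app's way of rejecting a wrong PIN without storing it), and then plays the attacker who pulled that blob from /data/data and tries every 4-digit PIN. ITERATIONS is deliberately tiny so the demo finishes in about a second; production counts are far higher (assumption), but that only scales the attacker's cost linearly, while moving from a 4-digit PIN to an 8-character alphanumeric password multiplies the keyspace by ten orders of magnitude. The ciphertext itself is left out; a real app would use AES-GCM from a vetted library with this key.

```python
"""PIN-derived key: better than a hardcoded key, still brute-forceable offline.

Added example, not from the original deck. Stdlib only; the encryption step is
omitted and the stored key-check value stands in for "is this the right PIN".
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 200     # demo value; a real app uses orders of magnitude more (assumption)
KCV_LABEL = b"kcv"   # fixed label under which the key-check value is computed


def derive_key(pin, salt, iterations=ITERATIONS):
    """Derive a 256-bit key from a user PIN/password and a per-install random salt."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, iterations, dklen=32)


def key_check_value(key):
    """8-byte verifier: lets the app reject a wrong PIN, and lets an attacker do the same offline."""
    return hmac.new(key, KCV_LABEL, hashlib.sha256).digest()[:8]


def protect(pin, iterations=ITERATIONS, salt=None):
    """What the app persists next to the ciphertext (nothing here reveals the PIN directly)."""
    salt = salt if salt is not None else os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "kcv": key_check_value(derive_key(pin, salt, iterations))}


def brute_force_pin(blob, digits=4):
    """Offline attack with only the pulled blob: try every PIN of the given length."""
    for candidate in range(10 ** digits):
        pin = str(candidate).zfill(digits)
        kcv = key_check_value(derive_key(pin, blob["salt"], blob["iterations"]))
        if hmac.compare_digest(kcv, blob["kcv"]):
            return pin
    return None


def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case sweep time at a measured derivation rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


if __name__ == "__main__":
    blob = protect("4829", salt=b"\x00" * 16)  # fixed salt only to make the run reproducible
    start = time.perf_counter()
    found = brute_force_pin(blob)
    elapsed = time.perf_counter() - start
    rate = (int(found) + 1) / elapsed  # guesses made before the hit, per second
    print("recovered PIN %s in %.2fs (~%.0f guesses/s at %d iterations)" % (found, elapsed, rate, ITERATIONS))
    for label, alpha, n in (("4-digit PIN", 10, 4), ("8-char alphanumeric", 62, 8)):
        print("%-20s keyspace %.1e  full sweep ~%.1e s" % (label, keyspace(alpha, n),
                                                          seconds_to_exhaust(alpha, n, rate)))
```

Note what the salt does and does not buy: it stops a precomputed table from covering every install at once, but the per-device search above is unaffected by it. Only a larger keyspace (password policy) or a much slower derivation moves the needle, and the latter also slows down the legitimate user.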

Editor's Notes

1. Activities – GUI presented to the user; Services – component that runs background operations without a user interface; Broadcast Receivers – component that receives notifications from the system or from other applications; Content Provider – component that manages access to structured data, typically SQLite.
2. DexGuard