SlideShare a Scribd company logo

Android Security & Penetration Testing

Subho Halder
Subho Halder

These slides were presented at GDG MeetUp in Bangalore which was held on 21st September 2013. Uploading the slides to help the people who wanted the slide Deck

Technology
1 of 40
Download to read offline
ANDROID SECURITY & PENETRATION TESTING Subho Halder @sunnyrockzzs #AFE Monday, 23 September 13
./AboutMe.sh Information Security Researcher Trainer at BlackHat, OWASP AppSec, ToorCon, SysCan. Lead Developer of AFE (Android Framework for Exploitation) Python Lovers Co-founder of XYSEC (http://xysec.com) Have found bug in some famous websites including Google, Apple, Microsoft, Skype, Adobe and many more Monday, 23 September 13
Some Companies I have found Vulnerabilities in ..... And many more... Monday, 23 September 13
./Agenda Quick Introduction to Android Internals Android Security Model Android Coding Best Practices Android Malware, Technique, Effectiveness using AFE (Android Framework for Exploitation) Small Social Experiment ! Monday, 23 September 13
Android Internals.exe Based on Linux kernel version 3.x (version 2.6 prior to Android 4.0 ICS) Application runs through Dalvik VM (Dalvik Virtual Machine) Dalvik VM runs executable files like dex (Dalvik executable) or apk files apk files are zipped content of Resources, Signatures, classes.dex and AndroidManifest.xml file Monday, 23 September 13
Android Security Model.txt Application are sandboxed (Runs with different UID and GID) Zygote spawns a new process for each Application Each Application runs with a separate instance of Dalvik VM Special Permissions are provided to access Hardware API’s Permissions are mentioned in AndroidManifest.xml file. Monday, 23 September 13
Android Application.apk Just an Archive ! Written mainly in Java and XML Multiple Entry-points, such as Activity, Services, Intents, Content Providers, etc. Monday, 23 September 13
AndroidManifest.xml Monday, 23 September 13
CAN THESE PERMISSION BE BYPASSED? Monday, 23 September 13
Uploading a sensitive file from SD-Card to Remote Server without any Permission! Read Files from SD-Card Uploads File to Remote Server Upload a file through Browser Permission not Required for READING files from SD Card Opening Browser through INTENT doesn’t requires Permission Intent(Intent.ACTION_VIEW, Uri.parse("http://google.com/")); Save theValue in the GET parameter to a file in Server Monday, 23 September 13
QUICK-DEMO ( SHOULD I ) ? Monday, 23 September 13
Android Coding Best Practices Follow -> http://developer.android.com/guide/practices/index.html Top 10 Mobile Risks (Outdated) -> https://www.owasp.org/index.php/ Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Attend more GDG Talks and other Security Conferences Shoot me a tweet @sunnyrockzzs Monday, 23 September 13
AndroidManifest.xml OMG ! Activities, Services, Receivers should not be exported or else you can bypass those activities ! Monday, 23 September 13
AndroidManifest.xml OMG ! (Contd.) android:exported= “True” in <provider> will turn into a nightmare ! BTW by default it is “True” if either android:minSdkVersion or android:targetSdkVersion to “16” or lower. For applications that set either of these attributes to “17” or higher, the default is “false”. Monday, 23 September 13
AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.)Monday, 23 September 13
ANDROID MALWARE Monday, 23 September 13
Android Malware (Common Features) Send SMS to premium Number Subscribe to premium Services Dial Premium number Steal messages, contact list, logs Steal SD-Card files Auto-respond to attackers’s text messages ! Monday, 23 September 13
Creating a Malware.vbs Use CONTENT PROVIDERS Make use of CURSORS & SQLITE databases Write JAVA codes like crazy Set up Server component Get frustrated, start from bullet-point one. Monday, 23 September 13
If you don’t have past relationship with JAVA Monday, 23 September 13
Android Framework for Exploitation Monday, 23 September 13
Let’s Create a Malware ! Monday, 23 September 13
What about GOOGLE? Presenting GOOGLE Bouncer ! Monday, 23 September 13
“I am not Afraid” - Eminem Monday, 23 September 13
Faking Legitimate Application? Malware services generally injected in legitimate applications How to do it? legitimate apk Smali/Java Add malicious services/classes RecompileFinal malware Monday, 23 September 13
USE AFE TO AUTOMATE !! Monday, 23 September 13
Android Framework for Exploitation.py To make your life easier ! Find security vulnerabilities in your device+apps Protect your device against malwares Create automated malwares/botnets + send the data to a python listener Inject malicious services in another applications Use Android Exploits Crypt existing malwares to make them FUD Monday, 23 September 13
AFE Perspective.c Offensive Defensive Malware Creation BotNet Automation Crypting Injecting Content Query App Assesment Fuzzing Kernel Assesment Monday, 23 September 13
AFE Internals.py Python Based Plugin Based Architecure Modules Libraries Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Rebuild + Zipalign Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Modifies the classnames and all its references within files Example: Converts com.example.org to com.omg.lol Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Split variables into two, and append at runtime Example: String a = “hello” Will now become String aa = “hel” String ab = “lo” String a = aa + ab Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Add dummy loops to change CFG Example: goto end; start: //everything in this label will execute, only when it is called ........ end: //everything in this label will execute, only when it is called goto start; Monday, 23 September 13
Statistics? ? ? ? ? ? ?.xls Earlier Detection: 30/46 Monday, 23 September 13
Statistics? ? ? ? ? ? ?.xls Detection after Crypting: 4/46 Monday, 23 September 13
OOPS CRYPTING MODULE IS NOT PUBLIC :) Monday, 23 September 13
./Conclusion -h Be safe Don’t download apps from 3rd party markets Turn USB debugging OFF Anti-virus vendors -> Switch to dynamic analysis Focus on BYOD security We also conduct trainings on Advanced Mobile Hands-on Security/Exploitation for both Android and iOS Monday, 23 September 13
HEY WAIT!! WHERE IS THE SOCIAL EXPERIMENT ? Monday, 23 September 13
./QUESTIONS subho.halder@gmail.com security@xysec.com http://xysec.com @sunnyrockzzs Monday, 23 September 13
STILL CURIOUS ?? MEET ME NOW !!! Monday, 23 September 13

Recommended

Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 

Recommended

Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testingRoshan Kumar Gami
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applicationsJose Manuel Ortega Candel
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentestingn|u - The Open Security Community
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentestingn|u - The Open Security Community
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbolapidays
 
Android Security
Android SecurityAndroid Security
Android SecurityLars Jacobs
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modellingn|u - The Open Security Community
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2Krisshhna Daasaarii
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersRyanISI
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavRomansh Yadav
 
Android Security
Android SecurityAndroid Security
Android SecuritySuminda Gunawardhana
 
Mobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim DökümanıMobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim DökümanıAhmet Gürel
 
Intro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomIntro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomSiddharth Krishna Kumar
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityNowSecure
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basicsOWASPKerala
 
My Null Android Penetration Session
My Null Android Penetration Session My Null Android Penetration Session
My Null Android Penetration Session Avinash Sinha
 

More Related Content

What's hot

Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testingRoshan Kumar Gami
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbolapidays
 
Android Security
Android SecurityAndroid Security
Android SecurityLars Jacobs
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersRyanISI
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavRomansh Yadav
 
Mobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim DökümanıMobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim DökümanıAhmet Gürel
 
Intro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomIntro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomSiddharth Krishna Kumar
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityNowSecure
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 

What's hot (20)

Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testing
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
 
Android Security
Android SecurityAndroid Security
Android Security
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
 
Android Security
Android SecurityAndroid Security
Android Security
 
Mobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim DökümanıMobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim Dökümanı
 
Intro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomIntro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenom
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app security
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
 

Viewers also liked

Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basicsOWASPKerala
 
My Null Android Penetration Session
My Null Android Penetration Session My Null Android Penetration Session
My Null Android Penetration Session Avinash Sinha
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security WorkshopOWASP
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
Presentation on Android operating system
Presentation on Android operating systemPresentation on Android operating system
Presentation on Android operating systemSalma Begum
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Sina Manavi
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft
 
Information Security and Privacy
Information Security and PrivacyInformation Security and Privacy
Information Security and PrivacyAnika Tasnim Hafiz
 
Art of Thinking [Re-write]
Art of Thinking [Re-write]Art of Thinking [Re-write]
Art of Thinking [Re-write]Ammar WK
 
Axoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesAxoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesBulent Buyukkahraman
 
Firebase analytics for_android _ i_os
Firebase analytics for_android _ i_osFirebase analytics for_android _ i_os
Firebase analytics for_android _ i_osbaroqueworksdev
 
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва it-people
 
Data Storage In Android
Data Storage In Android Data Storage In Android
Data Storage In Android Aakash Ugale
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration TestingOWASP
 

Viewers also liked (20)

Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
 
My Null Android Penetration Session
My Null Android Penetration Session My Null Android Penetration Session
My Null Android Penetration Session
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 
Android security
Android securityAndroid security
Android security
 
Android ppt
Android ppt Android ppt
Android ppt
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
Android ppt
Android pptAndroid ppt
Android ppt
 
Presentation on Android operating system
Presentation on Android operating systemPresentation on Android operating system
Presentation on Android operating system
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
 
Information Security and Privacy
Information Security and PrivacyInformation Security and Privacy
Information Security and Privacy
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
Art of Thinking [Re-write]
Art of Thinking [Re-write]Art of Thinking [Re-write]
Art of Thinking [Re-write]
 
Axoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesAxoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing Services
 
Firebase analytics for_android _ i_os
Firebase analytics for_android _ i_osFirebase analytics for_android _ i_os
Firebase analytics for_android _ i_os
 
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
 
Data Storage In Android
Data Storage In Android Data Storage In Android
Data Storage In Android
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration Testing
 

Similar to Android Security & Penetration Testing

Engineering culture
Engineering cultureEngineering culture
Engineering culturePamela Fox
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_softwaresanghwan ahn
 
Matt training-html-halfday
Matt training-html-halfdayMatt training-html-halfday
Matt training-html-halfdayMatthew Dobson
 
(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensics(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensicsINSIGHT FORENSIC
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackAn inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackSoya Aoyama
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 AndroidTony Thomas
 
Tools/Processes for serious android app development
Tools/Processes for serious android app developmentTools/Processes for serious android app development
Tools/Processes for serious android app developmentGaurav Lochan
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensicssecurityxploded
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingRomansh Yadav
 
Continuous Delivery at Netflix
Continuous Delivery at NetflixContinuous Delivery at Netflix
Continuous Delivery at NetflixRob Spieldenner
 
[Ultracode Munich #4] Short introduction to the new Android build system incl...
[Ultracode Munich #4] Short introduction to the new Android build system incl...[Ultracode Munich #4] Short introduction to the new Android build system incl...
[Ultracode Munich #4] Short introduction to the new Android build system incl...BeMyApp
 
Windows 10 URI persistence technique
Windows 10 URI persistence techniqueWindows 10 URI persistence technique
Windows 10 URI persistence techniqueGiulio Comi
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareAchim D. Brucker
 
Docker app armor_usecase
Docker app armor_usecaseDocker app armor_usecase
Docker app armor_usecaseKazuki Omo
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Chetan Khatri
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentationSandeep Joshi
 

Similar to Android Security & Penetration Testing (20)

Engineering culture
Engineering cultureEngineering culture
Engineering culture
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_software
 
Matt training-html-halfday
Matt training-html-halfdayMatt training-html-halfday
Matt training-html-halfday
 
(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensics(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensics
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackAn inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 
Tools/Processes for serious android app development
Tools/Processes for serious android app developmentTools/Processes for serious android app development
Tools/Processes for serious android app development
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
 
Continuous Delivery at Netflix
Continuous Delivery at NetflixContinuous Delivery at Netflix
Continuous Delivery at Netflix
 
Android TCJUG
Android TCJUGAndroid TCJUG
Android TCJUG
 
[Ultracode Munich #4] Short introduction to the new Android build system incl...
[Ultracode Munich #4] Short introduction to the new Android build system incl...[Ultracode Munich #4] Short introduction to the new Android build system incl...
[Ultracode Munich #4] Short introduction to the new Android build system incl...
 
Windows 10 URI persistence technique
Windows 10 URI persistence techniqueWindows 10 URI persistence technique
Windows 10 URI persistence technique
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
 
Docker app armor_usecase
Docker app armor_usecaseDocker app armor_usecase
Docker app armor_usecase
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
 
A false digital alibi on mac os x
A false digital alibi on mac os xA false digital alibi on mac os x
A false digital alibi on mac os x
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentation
 

More from Subho Halder

Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecuritySubho Halder
 
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016Subho Halder
 
Securing Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest VersionSecuring Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest VersionSubho Halder
 
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...Subho Halder
 
Android App (Vulner)ability - Teaser
Android App (Vulner)ability - TeaserAndroid App (Vulner)ability - Teaser
Android App (Vulner)ability - TeaserSubho Halder
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)abilitySubho Halder
 

More from Subho Halder (6)

Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application Security
 
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
 
Securing Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest VersionSecuring Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest Version
 
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
 
Android App (Vulner)ability - Teaser
Android App (Vulner)ability - TeaserAndroid App (Vulner)ability - Teaser
Android App (Vulner)ability - Teaser
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)ability
 

Recently uploaded

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Recently uploaded (20)

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Android Security & Penetration Testing

  • 1. ANDROID SECURITY & PENETRATION TESTING Subho Halder @sunnyrockzzs #AFE Monday, 23 September 13
  • 2. ./AboutMe.sh Information Security Researcher Trainer at BlackHat, OWASP AppSec, ToorCon, SysCan. Lead Developer of AFE (Android Framework for Exploitation) Python Lovers Co-founder of XYSEC (http://xysec.com) Have found bug in some famous websites including Google, Apple, Microsoft, Skype, Adobe and many more Monday, 23 September 13
  • 3. Some Companies I have found Vulnerabilities in ..... And many more... Monday, 23 September 13
  • 4. ./Agenda Quick Introduction to Android Internals Android Security Model Android Coding Best Practices Android Malware, Technique, Effectiveness using AFE (Android Framework for Exploitation) Small Social Experiment ! Monday, 23 September 13
  • 5. Android Internals.exe Based on Linux kernel version 3.x (version 2.6 prior to Android 4.0 ICS) Application runs through Dalvik VM (Dalvik Virtual Machine) Dalvik VM runs executable files like dex (Dalvik executable) or apk files apk files are zipped content of Resources, Signatures, classes.dex and AndroidManifest.xml file Monday, 23 September 13
  • 6. Android Security Model.txt Application are sandboxed (Runs with different UID and GID) Zygote spawns a new process for each Application Each Application runs with a separate instance of Dalvik VM Special Permissions are provided to access Hardware API’s Permissions are mentioned in AndroidManifest.xml file. Monday, 23 September 13
  • 7. Android Application.apk Just an Archive ! Written mainly in Java and XML Multiple Entry-points, such as Activity, Services, Intents, Content Providers, etc. Monday, 23 September 13
  • 9. CAN THESE PERMISSION BE BYPASSED? Monday, 23 September 13
  • 10. Uploading a sensitive file from SD-Card to Remote Server without any Permission! Read Files from SD-Card Uploads File to Remote Server Upload a file through Browser Permission not Required for READING files from SD Card Opening Browser through INTENT doesn’t requires Permission Intent(Intent.ACTION_VIEW, Uri.parse("http://google.com/")); Save theValue in the GET parameter to a file in Server Monday, 23 September 13
  • 11. QUICK-DEMO ( SHOULD I ) ? Monday, 23 September 13
  • 12. Android Coding Best Practices Follow -> http://developer.android.com/guide/practices/index.html Top 10 Mobile Risks (Outdated) -> https://www.owasp.org/index.php/ Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Attend more GDG Talks and other Security Conferences Shoot me a tweet @sunnyrockzzs Monday, 23 September 13
  • 13. AndroidManifest.xml OMG ! Activities, Services, Receivers should not be exported or else you can bypass those activities ! Monday, 23 September 13
  • 14. AndroidManifest.xml OMG ! (Contd.) android:exported= “True” in <provider> will turn into a nightmare ! BTW by default it is “True” if either android:minSdkVersion or android:targetSdkVersion to “16” or lower. For applications that set either of these attributes to “17” or higher, the default is “false”. Monday, 23 September 13
  • 15. AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.)Monday, 23 September 13
  • 17. Android Malware (Common Features) Send SMS to premium Number Subscribe to premium Services Dial Premium number Steal messages, contact list, logs Steal SD-Card files Auto-respond to attackers’s text messages ! Monday, 23 September 13
  • 18. Creating a Malware.vbs Use CONTENT PROVIDERS Make use of CURSORS & SQLITE databases Write JAVA codes like crazy Set up Server component Get frustrated, start from bullet-point one. Monday, 23 September 13
  • 19. If you don’t have past relationship with JAVA Monday, 23 September 13
  • 20. Android Framework for Exploitation Monday, 23 September 13
  • 21. Let’s Create a Malware ! Monday, 23 September 13
  • 22. What about GOOGLE? Presenting GOOGLE Bouncer ! Monday, 23 September 13
  • 23. “I am not Afraid” - Eminem Monday, 23 September 13
  • 24. Faking Legitimate Application? Malware services generally injected in legitimate applications How to do it? legitimate apk Smali/Java Add malicious services/classes RecompileFinal malware Monday, 23 September 13
  • 25. USE AFE TO AUTOMATE !! Monday, 23 September 13
  • 26. Android Framework for Exploitation.py To make your life easier ! Find security vulnerabilities in your device+apps Protect your device against malwares Create automated malwares/botnets + send the data to a python listener Inject malicious services in another applications Use Android Exploits Crypt existing malwares to make them FUD Monday, 23 September 13
  • 27. AFE Perspective.c Offensive Defensive Malware Creation BotNet Automation Crypting Injecting Content Query App Assesment Fuzzing Kernel Assesment Monday, 23 September 13
  • 29. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Monday, 23 September 13
  • 30. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Rebuild + Zipalign Monday, 23 September 13
  • 31. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Modifies the classnames and all its references within files Example: Converts com.example.org to com.omg.lol Monday, 23 September 13
  • 32. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Split variables into two, and append at runtime Example: String a = “hello” Will now become String aa = “hel” String ab = “lo” String a = aa + ab Monday, 23 September 13
  • 33. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Add dummy loops to change CFG Example: goto end; start: //everything in this label will execute, only when it is called ........ end: //everything in this label will execute, only when it is called goto start; Monday, 23 September 13
  • 34. Statistics? ? ? ? ? ? ?.xls Earlier Detection: 30/46 Monday, 23 September 13
  • 35. Statistics? ? ? ? ? ? ?.xls Detection after Crypting: 4/46 Monday, 23 September 13
  • 36. OOPS CRYPTING MODULE IS NOT PUBLIC :) Monday, 23 September 13
  • 37. ./Conclusion -h Be safe Don’t download apps from 3rd party markets Turn USB debugging OFF Anti-virus vendors -> Switch to dynamic analysis Focus on BYOD security We also conduct trainings on Advanced Mobile Hands-on Security/Exploitation for both Android and iOS Monday, 23 September 13
  • 38. HEY WAIT!! WHERE IS THE SOCIAL EXPERIMENT ? Monday, 23 September 13
  • 40. STILL CURIOUS ?? MEET ME NOW !!! Monday, 23 September 13