• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Android Security & Penetration Testing
 

Android Security & Penetration Testing

on

  • 2,722 views

These slides were presented at GDG MeetUp in Bangalore which was held on 21st September 2013. Uploading the slides to help the people who wanted the slide Deck

These slides were presented at GDG MeetUp in Bangalore which was held on 21st September 2013. Uploading the slides to help the people who wanted the slide Deck

Statistics

Views

Total Views
2,722
Views on SlideShare
2,048
Embed Views
674

Actions

Likes
1
Downloads
81
Comments
0

10 Embeds 674

http://www.subho.me 653
https://twitter.com 6
http://plus.url.google.com 6
http://cloud.feedly.com 2
http://webcache.googleusercontent.com 2
https://translate.googleusercontent.com 1
http://bundlr.com 1
https://www.google.com 1
https://www.google.co.uk 1
http://www.google.it 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Android Security & Penetration Testing Android Security & Penetration Testing Presentation Transcript

    • ANDROID SECURITY & PENETRATION TESTING Subho Halder @sunnyrockzzs #AFE Monday, 23 September 13
    • ./AboutMe.sh Information Security Researcher Trainer at BlackHat, OWASP AppSec, ToorCon, SysCan. Lead Developer of AFE (Android Framework for Exploitation) Python Lovers Co-founder of XYSEC (http://xysec.com) Have found bug in some famous websites including Google, Apple, Microsoft, Skype, Adobe and many more Monday, 23 September 13
    • Some Companies I have found Vulnerabilities in ..... And many more... Monday, 23 September 13
    • ./Agenda Quick Introduction to Android Internals Android Security Model Android Coding Best Practices Android Malware, Technique, Effectiveness using AFE (Android Framework for Exploitation) Small Social Experiment ! Monday, 23 September 13
    • Android Internals.exe Based on Linux kernel version 3.x (version 2.6 prior to Android 4.0 ICS) Application runs through Dalvik VM (Dalvik Virtual Machine) Dalvik VM runs executable files like dex (Dalvik executable) or apk files apk files are zipped content of Resources, Signatures, classes.dex and AndroidManifest.xml file Monday, 23 September 13
    • Android Security Model.txt Application are sandboxed (Runs with different UID and GID) Zygote spawns a new process for each Application Each Application runs with a separate instance of Dalvik VM Special Permissions are provided to access Hardware API’s Permissions are mentioned in AndroidManifest.xml file. Monday, 23 September 13
    • Android Application.apk Just an Archive ! Written mainly in Java and XML Multiple Entry-points, such as Activity, Services, Intents, Content Providers, etc. Monday, 23 September 13
    • AndroidManifest.xml Monday, 23 September 13
    • CAN THESE PERMISSION BE BYPASSED? Monday, 23 September 13
    • Uploading a sensitive file from SD-Card to Remote Server without any Permission! Read Files from SD-Card Uploads File to Remote Server Upload a file through Browser Permission not Required for READING files from SD Card Opening Browser through INTENT doesn’t requires Permission Intent(Intent.ACTION_VIEW, Uri.parse("http://google.com/")); Save theValue in the GET parameter to a file in Server Monday, 23 September 13
    • QUICK-DEMO ( SHOULD I ) ? Monday, 23 September 13
    • Android Coding Best Practices Follow -> http://developer.android.com/guide/practices/index.html Top 10 Mobile Risks (Outdated) -> https://www.owasp.org/index.php/ Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Attend more GDG Talks and other Security Conferences Shoot me a tweet @sunnyrockzzs Monday, 23 September 13
    • AndroidManifest.xml OMG ! Activities, Services, Receivers should not be exported or else you can bypass those activities ! Monday, 23 September 13
    • AndroidManifest.xml OMG ! (Contd.) android:exported= “True” in <provider> will turn into a nightmare ! BTW by default it is “True” if either android:minSdkVersion or android:targetSdkVersion to “16” or lower. For applications that set either of these attributes to “17” or higher, the default is “false”. Monday, 23 September 13
    • AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.)Monday, 23 September 13
    • ANDROID MALWARE Monday, 23 September 13
    • Android Malware (Common Features) Send SMS to premium Number Subscribe to premium Services Dial Premium number Steal messages, contact list, logs Steal SD-Card files Auto-respond to attackers’s text messages ! Monday, 23 September 13
    • Creating a Malware.vbs Use CONTENT PROVIDERS Make use of CURSORS & SQLITE databases Write JAVA codes like crazy Set up Server component Get frustrated, start from bullet-point one. Monday, 23 September 13
    • If you don’t have past relationship with JAVA Monday, 23 September 13
    • Android Framework for Exploitation Monday, 23 September 13
    • Let’s Create a Malware ! Monday, 23 September 13
    • What about GOOGLE? Presenting GOOGLE Bouncer ! Monday, 23 September 13
    • “I am not Afraid” - Eminem Monday, 23 September 13
    • Faking Legitimate Application? Malware services generally injected in legitimate applications How to do it? legitimate apk Smali/Java Add malicious services/classes RecompileFinal malware Monday, 23 September 13
    • USE AFE TO AUTOMATE !! Monday, 23 September 13
    • Android Framework for Exploitation.py To make your life easier ! Find security vulnerabilities in your device+apps Protect your device against malwares Create automated malwares/botnets + send the data to a python listener Inject malicious services in another applications Use Android Exploits Crypt existing malwares to make them FUD Monday, 23 September 13
    • AFE Perspective.c Offensive Defensive Malware Creation BotNet Automation Crypting Injecting Content Query App Assesment Fuzzing Kernel Assesment Monday, 23 September 13
    • AFE Internals.py Python Based Plugin Based Architecure Modules Libraries Monday, 23 September 13
    • Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Monday, 23 September 13
    • Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Rebuild + Zipalign Monday, 23 September 13
    • Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Modifies the classnames and all its references within files Example: Converts com.example.org to com.omg.lol Monday, 23 September 13
    • Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Split variables into two, and append at runtime Example: String a = “hello” Will now become String aa = “hel” String ab = “lo” String a = aa + ab Monday, 23 September 13
    • Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Add dummy loops to change CFG Example: goto end; start: //everything in this label will execute, only when it is called ........ end: //everything in this label will execute, only when it is called goto start; Monday, 23 September 13
    • Statistics? ? ? ? ? ? ?.xls Earlier Detection: 30/46 Monday, 23 September 13
    • Statistics? ? ? ? ? ? ?.xls Detection after Crypting: 4/46 Monday, 23 September 13
    • OOPS CRYPTING MODULE IS NOT PUBLIC :) Monday, 23 September 13
    • ./Conclusion -h Be safe Don’t download apps from 3rd party markets Turn USB debugging OFF Anti-virus vendors -> Switch to dynamic analysis Focus on BYOD security We also conduct trainings on Advanced Mobile Hands-on Security/Exploitation for both Android and iOS Monday, 23 September 13
    • HEY WAIT!! WHERE IS THE SOCIAL EXPERIMENT ? Monday, 23 September 13
    • ./QUESTIONS subho.halder@gmail.com security@xysec.com http://xysec.com @sunnyrockzzs Monday, 23 September 13
    • STILL CURIOUS ?? MEET ME NOW !!! Monday, 23 September 13