
Hacker Halted 2014 - Reverse Engineering the Android OS


Introduction to the Android OS, the Android Developer Kit, Android emulators, rooting Android devices and decompiling Android apps with dex2jar, JD-GUI and similar tools. During the presentation I will pull an app apart and show how to bypass a login screen.

What better way to express the Zombie Apocalypse than with mobile devices. They are ubiquitous: they are carried everywhere, they go everywhere. Having a decent understanding of the operating system and its vulnerabilities can go a long way towards keeping your device protected.



  1. Reverse Engineering the Android OS
  2. About Me • Ex Military “31 Mic” Microwave Communications, 34th Signal Battalion • Lab Developer for Jones and Bartlett Publishing • CEI – CEH V8 • Martial Art Nutcase • Co-creator of Cyber Kung Fu
  3. Reverse Engineering • Understand how applications work • Analyze them • Find vulnerabilities • Uncover hard-coded information
  4. Why do I want to Hack Mobile Devices
  5. • Natural Curiosity • MacGyver Fan • CEH V8 mobile sucked • Humongous Installed Base • Self Defense
  6. Lots of important information • Contacts • Messages • Photos • Email • GPS co-ordinates • Personal notes • Stored accounts • Web traffic • Application configs and credentials
  7. Double Edged Sword • User moves between work and personal environments • Carries corporate data • Device can be compromised in less secure areas • Compromised device is then connected to work environment
  8. Theft and Loss • Weak protective mechanisms • Compounded by users turning off security features • Rooted devices
  9. More Problems • Increasing everyday use • Users not educated • Mix of personal and business use • Always connected to internet
  10. Physical Security • Phone is easily accessed • SD card • Charging/IO port access – Rubber Ducky • Shoulder surfing • Smudge attack
  11. Web Issues • Small screen hides full URL • XSS • CSRF • Phishing
  12. Rogue Applications • Malware • Virus • Trojans • Spyware
  13. History • Cabir – 2004 • Skulls – 2004 • pbstealer • Commwarrior • Cardtrap • All Symbian based but eventually spread to CE and Java (J2ME)
  14. Android and iOS • Ikee – 2009/2010 – worm • AndroidOS.FakePlayer – premium SMS • Geinimi Trojan • SMS Replicator • DroidDream • GingerMaster • DroidKungFu
  15. Older Devices • Out of date software • Vulnerable to old exploits that were fixed in later versions • Patching – no incentive for older hardware • Carrier indifference
  16. Architecture
  17. Kernel • First layer to interact with hardware
  18. C/C++ Libraries • Exposed to developer via Java API • Kind of a transaction layer between kernel and application framework • Provides common services for apps
  19. Core Libraries • SSL • SQLite • Surface Manager • WebKit • Font, media, display libraries
  20. Runtime • DVM – Dalvik Virtual Machine • Efficient and secure mobile environment
  21. Secure • Each app runs in its own instance • Unique ID and VM • Separate memory and files
  22. Application Framework • Compiled Java code running in DVM • Provides services to multiple apps • Layer that 3rd party developers interact with • Abstracts access to key resources
  23. Application Layer • Contacts • Phone • Calendar • Browser • Maps • Pictures
  24. Privilege Separation & Sandboxing • Based on Linux security model • Each user is assigned a unique ID (UID) • Each user can be assigned to groups • Each group has a unique ID (GID)
  25. Resource Permissions • Owner • Group • Rest of world (everyone)
  26. Sandboxing • Two or more applications can communicate • Provided they grant permissions • Implemented in the kernel • Extended to all software above 1st layer
  27. App Separation • Kernel assigns unique UID • Runs as that user in separate process • Different than multiuser OS
  28. File Separation • New apps get new UIDs • Extended across memory cards • All associated DB and files use the new UID
  29. File Permissions
  30. Separate File Permission Groups • Note – only the associated UID and root UID have full privileges on these resources unless the developer exposes files to other apps.
  31. SD Cards • Everyone (whole world) has access to storage • Currently a vfat filesystem • Doesn’t support granular permissions • Note – good place for privilege escalation
  32. Data Storage on the Device • Databases • SharedPreferences
  33. SharedPreferences • Allows app to store and retrieve persistent key values • Persist across device sessions • Access using the SharedPreferences object • Stored as XML • /data/data/<app>/shared_prefs • Example
  34. SQLite3 • Full support • Accessed via the UID of the related app • /data/data/<app>/databases
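To make the file-permission note on slides 30 to 34 concrete, here is an added Python helper (written for this page, not from the talk) that audits the output of `adb shell ls -l` over an app's shared_prefs and databases directories and flags files that other UIDs can read or write; the listing, the package name and the user u0_a123 are constructed samples.

```python
import re

# Constructed sample of `adb shell ls -l` over an app's shared_prefs and databases
# directories (toolbox/toybox format; the link-count column is absent on old builds).
SAMPLE_LISTING = """\
-rw-rw---- 1 u0_a123 u0_a123   412 2014-10-16 09:12 com.example.app_preferences.xml
-rw-rw-rw- 1 u0_a123 u0_a123   298 2014-10-16 09:12 session.xml
-rw-r--r-- 1 u0_a123 u0_a123 20480 2014-10-16 09:13 webview.db
-rw-rw---- 1 u0_a099 u0_a099 16384 2014-10-16 09:13 shared_cache.db
"""

# mode, optional link count, owner, group, size, date, time, name
LINE_RE = re.compile(
    r"^([-dlcbps][rwxsStT-]{9})\s+(?:\d+\s+)?(\S+)\s+(\S+)\s+(\d+)\s+\S+\s+\S+\s+(.+)$"
)


def audit_listing(listing: str, app_user: str) -> list:
    """Flag files in an app's private data directory that other UIDs could reach.

    app_user is the Linux user the app runs as (u0_aNNN in ls output). Only that
    UID and root should be able to touch these files unless the developer
    deliberately exposed them.
    """
    findings = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:                      # 'total N' lines, blanks, unparseable rows
            continue
        mode, owner, _group, _size, name = m.groups()
        other = mode[7:10]             # permission bits for "rest of world"
        if "r" in other:
            findings.append((name, "world-readable: any app on the device can read it"))
        if "w" in other:
            findings.append((name, "world-writable: any app on the device can modify it"))
        if owner != app_user:
            findings.append((name, f"owned by {owner}, not {app_user}: unexpected owner"))
    return findings


if __name__ == "__main__":
    for name, why in audit_listing(SAMPLE_LISTING, "u0_a123"):
        print(f"{name}: {why}")
```

Files on the SD card (slide 31) need no such check: vfat has no per-file owner or mode bits, so everything there is readable by every app regardless of what this script reports.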
  35. Application Signing • Ensures integrity and authenticity • APK must be signed • Inhibits tampering • Aids confidentiality by ensuring where it came from • Apps signed with same key can share UID, process, memory, data storage and sandbox
  36. Signing Quirks • Apps can be disassembled and changed • Can be resigned with same certificate if you have the key • Multiple apps can use same certificate • App can be manipulated to accept same certificate • Debugging certificate
  37. App access to resources • Developer limits access to required resources • Helps to inhibit rogue apps from taking over • Text, GPS, MMS, camera, microphone, contacts
  38. API Permissions • AndroidManifest.xml • Used by trusted applications • Tracks what the user is allowed to do • Each app must have an AndroidManifest.xml
  39. Permission Model • System displays permissions • Helps user to decide whether to trust app or not • Protection levels: Normal – Dangerous – Signature – Signature or System
  40. Components • Activity • Content Providers • Broadcast Receivers • Services
  41. Activity • Provides a screen and allows a user to interact with it • A window where the user interface is defined
  42. Content Providers • Allow efficient data sharing between processes & applications • Allow applications to access the stored data of other applications • Use relational databases similar to tables • Each row is an instance, each column is a type
  43. Examples of Content Providers • Calendar provider • Contacts provider
  44. Broadcast Receiver • Listens for asynchronous requests from intents • Apps can register for events and get notified when they happen
  45. Services • Background processes • Run even when app is not visible • Provide computations • Example is GPS
  46. SecurityException • Without proper permissions a component call will raise a SecurityException
  47. Intents • Mechanisms for asynchronous IPC (Inter-Process Communication) • Allow app to send or broadcast messages to specific components • Control tasks and transport data • Components like Activities, Broadcast Receivers & Services are activated via Intents • Contain a large amount of information • Parsed by OS & used by the receiver to take action • Contain category and instruction for activity launch: Action – Data – Type – Category (note)
  48. Google Bouncer • Automatically scans Android Market looking for malicious apps • Checks new applications • Apps already in store • Developer accounts • No restrictions on upload process • Can be bypassed
  49. Rooting • Gain root permissions • Allow access and editing of carrier and manufacturer apps • Install custom software (ROMs) • Install different Android version • Wi-Fi tethering • Overclocking • Removing fluff-ware
  50. Some Rooting Techniques • Depends on the device • OneClickRoot • SuperOneClick • z4Root • GingerBreak • UnlockRoot
  51. The SDK • Windows and Linux • SDK & Eclipse • Virtual devices (emulators) • Allows interaction with virtual and real devices – Browse files – Create, install, extract apps – Get shells – SSH & VNC
  52. SDK continued • Eclipse • ADT – Android Developer Tools – Signing – Debugging – Important for developer & tester – Uses Android SDK Tools • IDE – Integrated Development Environment
  53. Package Explorer
  54. Package Explorer Middle pane • Source code • Activity’s UI
  55. Right Pane (Outline) • Methods • Functions • Arguments • Variables • Properties
  56. Perspectives • Java – DDMS – Debug (Dalvik Debug Monitor Server)
  57. AVD Manager • Allows emulation of devices • Custom hardware • Custom software • Runs from SDK executables
  58. Android Virtual Device
  59. Device definition • Create • Clone – Edit – Delete • New custom devices
  60. What we can do with a Virtual Device • Send and receive text between devices • Make calls • Interact with the touch screen if you have one on your host • Browse files • Threads
  61. Commands Available • The VM can be run from the command line • Command – adb devices • adb connect <device name> • Note: the number references the port used
  62. USB devices are different
  63. Shell interaction is via the -s option (adb -s <serial> shell)
  64. Shell commands • Allows browsing • Read and write files & folders • Change permissions • Get network statistics
  65. Basic Linux commands • ls • ps • netstat • top
  66. More Commands • List all the packages • pm list packages -f
  67. sqlite3 • Access databases *.db • Query statements • Show a browsed database from /data/data/com.android.providers.telephony/databases
  68. Browse SMS Folder
  69. Database containing SMSs
  70. sqlite3 mmssms.db
  71. sqlite> .tables
  72. select * from sms;
  73. adb pull – adb push • adb pull <device_path> <local_path> • adb push <local_path> <device_path>
  74. Pull Example: Browser Files
  75. Push Example: Changed “enable_javascript” to true
  76. Device Settings Changed
  77. sqlite3.exe in sdk/tools
  78. SQLite stores credentials • Because the web browser had the “Remember Password” option enabled we can view it in the “webview.db” file
  79. DDMS View • Dalvik Debug Monitor Server • Browse all devices and contents by using the “File Explorer” tab
  80. More Powerful Shell
  81. SSH Client
  82. SSH Server
  83. PuTTY as Client
  84. PuTTY shell via SSH over Wi-Fi
  85. Droid VNC
  86. Analysis Types
  87. APK = ZIP
  88. Decompiling & Disassembling
  89. Elements in apk
  90. Source AndroidManifest.xml
  91. Dex files • dexdump -d path_to_file.dex
  92. apktool • apktool d name.apk output_dir
  93. Smali / baksmali • Developed by JesusFreke • Assembler/disassembler for dex files
  94. smali Folder
  95. classes.dex vs .smali
  96. Apktool AndroidManifest.xml
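Slides 35 to 36 and 87 to 95 together say an APK is a ZIP whose classes.dex can be pulled apart and changed. The following added Python helper (written for this page, not part of the talk or of any tool it names) lists an APK's manifest and META-INF signature files and verifies the dex header's own Adler-32 checksum and SHA-1 signature, which a hand-patched classes.dex whose hashes were not recomputed will fail; the in-memory APK and the minimal dex image it builds are constructed placeholders, not a real app.

```python
import hashlib
import io
import struct
import zipfile
import zlib


def parse_dex_header(data: bytes) -> dict:
    """Check the classes.dex header: magic, Adler-32 over bytes [12:], SHA-1 over bytes [32:]."""
    if len(data) < 0x70 or not data.startswith(b"dex\n"):
        return {"valid_magic": False}
    stored_checksum = struct.unpack_from("<I", data, 8)[0]
    file_size, header_size = struct.unpack_from("<II", data, 32)
    return {
        "valid_magic": True,
        "version": data[4:7].decode("ascii", "replace"),
        "checksum_ok": stored_checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        "signature_ok": data[12:32] == hashlib.sha1(data[32:]).digest(),
        "size_ok": file_size == len(data) and header_size == 0x70,
    }


def build_dex(body: bytes, version: bytes = b"035") -> bytes:
    """Assemble a minimal dex image with consistent header hashes (constructed data, not a real dex)."""
    tail = struct.pack("<III", 0x70 + len(body), 0x70, 0x12345678)  # file_size, header_size, endian_tag
    tail += b"\0" * (0x70 - 32 - len(tail)) + body                 # rest of header, then payload
    mid = hashlib.sha1(tail).digest() + tail                        # signature + everything it covers
    return b"dex\n" + version + b"\0" + struct.pack("<I", zlib.adler32(mid)) + mid


def apk_inventory(src) -> dict:
    """An APK is a ZIP: report manifest, META-INF signature files and each .dex header check."""
    with zipfile.ZipFile(src) as z:
        names = z.namelist()
        return {
            "has_manifest": "AndroidManifest.xml" in names,
            "signature_files": sorted(n for n in names if n.startswith("META-INF/")),
            "dex": {n: parse_dex_header(z.read(n)) for n in names if n.endswith(".dex")},
        }


def sample_apk() -> io.BytesIO:
    """Constructed in-memory APK with placeholder entries, so the script runs without a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary manifest placeholder>")
        z.writestr("classes.dex", build_dex(b"\0" * 16))
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"placeholder PKCS#7 blob")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(apk_inventory(sample_apk()))
```

The dex hashes only catch crude edits: a package rebuilt with apktool recomputes them, so the APK's own signature (checked with jarsigner from the JDK) is what tells you whether the package was re-signed with a different key.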
  97. Folders & Uses • src – source: packages, MainActivity.java • assets – fonts, audio, images, text files, non-Android XML files
  98. Folders & Uses • bin – same as Linux • libs – same as Linux • res – resources: drawables – images for layouts; layout – user interface; values – strings.xml, styles.xml, dimens.xml, colors
  99. layout folder, activity_main.xml: <TextView android:layout_width="wrap_content" android:layout_height="wrap_content" android:text="@string/hello_world" />
  100. values folder, strings.xml: <resources> <string name="hello_world">Hello world</string> </resources>
  101. dex2jar
  102. Decompiles dex into Java
  103. JD-GUI
  104. XDAAutoTool
  105. XDAAutoTool Options
  106. Bypassing Security Controls
  107. Code example
  108. for – if – else
  109. Password after 5 iterations
  110. Quick Way
  111. Tom Updegrove tu@internetworkservice.com
