
Rapid Android Application Security Testing


This talk covers key concepts in Android application security testing, using a variety of tools and techniques to speed up the testing process.

This was presented at Null Bangalore Chapter (Saturday April 26 2014, 11:00 AM)


1. Rapid Android Application Security Testing
2. Agenda
   • Introduction to Android Testing
     – Static Analysis
     – Dynamic Analysis
     – Local Storage Inspection
   • Challenge.txt
3. Android Security Testing
   • You can install the app on a physical device and test it over the network.
   • You can install the app in an emulator and test it there.
4. What's inside?
   • Android is a Linux-kernel-based OS.
   • The Dalvik VM (Dalvik Virtual Machine) executes .dex files (Dalvik Executables).
   • An APK (Android Application Package) is a zip archive containing the manifest file, the signatures, the dex file and the other resources.
5. So what happens?
   • Java source code is compiled to Java byte code by the Java compiler.
   • Byte code is converted into Dalvik code by the dex compiler.
   • The Dalvik Executable (dex file) is loaded into the Dalvik VM and executes there.
6. …Continued (build pipeline diagram): Java Source Code → [Java Compiler] → Java Byte Code → [Dex Compiler] → Dalvik Code, i.e. the Dalvik Executable (Dex File) → Dalvik VM
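To make slides 4 to 6 concrete, here is an added example (not code from the deck or from any tool it mentions) that treats an APK as what it is, a zip archive, and checks for the parts the slides list: the manifest, the signature files under META-INF and a classes.dex whose header carries the Dalvik magic `dex\n` + version + NUL. The APK it inspects is constructed in memory and its dex entry is only a header-sized stub, so nothing here is a real application.

```python
"""Inspect the structure of an APK without any Android tooling (added example)."""
import io
import zipfile

DEX_MAGIC_PREFIX = b"dex\n"   # every .dex begins with "dex\n" + 3-digit version + NUL


def build_sample_apk() -> bytes:
    """Construct a minimal fake APK in memory (sample input, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.demo'/>")
        # Header-sized stub: valid magic (version 035), then zero padding.
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 104)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")   # DER prefix only, not a real cert
        zf.writestr("res/values/strings.xml", b"<resources/>")
    return buf.getvalue()


def dex_version(header: bytes):
    """Return the dex format version ("035", ...) or None if the magic is wrong."""
    if len(header) < 8 or header[:4] != DEX_MAGIC_PREFIX or header[7:8] != b"\x00":
        return None
    return header[4:7].decode("ascii")


def inspect_apk(apk_bytes: bytes) -> dict:
    """Summarise the parts of an APK that static analysis starts from."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        dex_files = [n for n in names if n.endswith(".dex")]
        return {
            "has_manifest": "AndroidManifest.xml" in names,
            "signature_files": sorted(n for n in names if n.startswith("META-INF/")),
            "dex_files": dex_files,
            "dex_versions": {n: dex_version(zf.read(n)[:8]) for n in dex_files},
            "entry_count": len(names),
        }


if __name__ == "__main__":
    for key, value in inspect_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

On a real engagement, pass the bytes of the downloaded .apk to `inspect_apk`; an archive with no META-INF entries or a dex whose magic does not parse is worth noting before decompilation starts.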
7. Pentest: how to do it?
   • Break the testing into three parts:
     – Static Testing
     – Dynamic Testing
     – Local Storage
   • Try to uncover issues in every phase.
8. Static Analysis
   • Get the .apk file.
   • Reverse engineer it: decompile or disassemble it.
   • Disassemble it using
     – Dedexer (gives assembly-like output), or
     – Baksmali (based on Dedexer; gives code that is easier to understand).
   • Decompile it using
     – Dex2jar (turns Dalvik code into Java byte code, a .jar file).
     – Use jd-gui to view the Java source code.
9. What to look for?
   • Look for API information, database connection strings, internal / external IP disclosures and ports, etc.
   • If you are lucky, you might get a password too. Believe me, developers are crazy.
   • If you go for social engineering, a lot of emails can be found.
   • Tip: a pair of /* and */ holds a lot of information.
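The triage on slide 9 is mostly pattern matching over the decompiled output. The following added example (not m0bLiz3r and not code from the deck) runs that triage over a constructed snippet of decompiled Java: it flags URLs, JDBC connection strings, IPv4 addresses with ports, email addresses, string constants assigned to password-like names, and block comments. Point `scan_source` at the files jd-gui or dex2jar produced to use it for real.

```python
"""Grep-style triage of decompiled Java source for the items slide 9 lists (added example)."""
import re

# Constructed sample of what decompiled source often looks like; every value is made up.
SAMPLE_SOURCE = """\
package com.example.demo;
/* TODO remove before release: staging creds admin / Sup3rS3cret */
public class Config {
    static final String API_URL = "https://api.example.internal:8443/v1";
    static final String DB_URL = "jdbc:mysql://10.0.5.12:3306/appdb";
    static final String DB_PASSWORD = "hunter2";
    static final String SUPPORT = "support@example.com";
}
"""

PATTERNS = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "jdbc_connection_string": re.compile(r"jdbc:[^\s\"']+"),
    "ipv4_with_optional_port": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # A quoted string literal assigned to an identifier that smells like a credential.
    "credential_assignment": re.compile(
        r"(?i)\b\w*(pass(word)?|pwd|secret|api[_-]?key|token)\w*\s*=\s*\"([^\"]+)\""),
    # Slide 9's tip: developer comments survive decompilation only if they were
    # left in resources/strings, but when they do appear they are worth reading.
    "block_comment": re.compile(r"/\*.*?\*/", re.S),
}


def scan_source(text: str) -> dict:
    """Return {category: [matched snippets]} for every category that hit."""
    findings = {}
    for name, pattern in PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if hits:
            findings[name] = hits
    return findings


def scan_files(paths) -> dict:
    """Run scan_source over a list of file paths; returns {path: findings}."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = scan_source(fh.read())
        if found:
            results[path] = found
    return results


if __name__ == "__main__":
    for category, hits in scan_source(SAMPLE_SOURCE).items():
        print(f"{category}:")
        for hit in hits:
            print(f"  {hit}")
```

The regexes are deliberately broad: on real output they produce false positives (version strings that look like IPs, example.com emails), which is acceptable for a first pass that a human then reads.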
10. m0bLiz3r Demo
11. Dynamic Analysis
   • Load the emulator.
   • Set up an interception proxy.
   • Figure out SSL issues.
   • Then follow the generic logic test cases you use for web applications.
12. Proxy Setup
13. Continued…
14. Local Storage Inspection
   • Check for sensitive data stored on the client side.
   • XML files and database files are the most common culprits.
   • Inspect memory for sensitive information > memdump
   • Inspect generated logs for sensitive information > logcat
   • Uninstall and check whether anything remains in the application folder.
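For the local storage and log checks on slide 14, here is an added example (not code from the deck) that triages two artifacts you would pull from a device: a shared_prefs XML file and a logcat capture. Both inputs below are constructed samples with made-up values; on a device they come from `adb pull /data/data/<package>/shared_prefs/` (package name is a placeholder) and `adb logcat -d`.

```python
"""Triage of a pulled shared_prefs XML and a logcat capture (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample shared_prefs file; the token and password are fake.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln</string>
    <string name="password">hunter2</string>
    <boolean name="remember_me" value="true" />
    <int name="launch_count" value="7" />
</map>
"""

# Constructed sample logcat lines in the default "tag( pid): message" layout.
SAMPLE_LOGCAT = """\
D/LoginActivity( 1234): attempting login for alice
D/LoginActivity( 1234): POST /login body={"user":"alice","password":"hunter2"}
I/NetworkMgr( 1234): session token=eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln
D/LoginActivity( 1234): login ok
"""

# Preference names that suggest the stored value should not be in clear text.
SENSITIVE_KEY = re.compile(r"(?i)(pass|pwd|secret|token|session|pin|cred|key)")
# Log lines where a credential-like word is immediately followed by a value.
SENSITIVE_LOG = re.compile(r"(?i)(password|passwd|token|secret|authorization)\s*[=:\"]")


def inspect_shared_prefs(xml_text: str) -> list:
    """Return (name, value) pairs for preferences whose name looks sensitive."""
    root = ET.fromstring(xml_text)
    hits = []
    for el in root:
        name = el.get("name", "")
        # <string> keeps its value as text; <boolean>/<int>/<long> use a value attribute.
        value = el.text if el.text is not None else el.get("value", "")
        if SENSITIVE_KEY.search(name):
            hits.append((name, value))
    return hits


def inspect_logcat(log_text: str) -> list:
    """Return 1-based line numbers of logcat lines that appear to leak credentials."""
    return [i for i, line in enumerate(log_text.splitlines(), 1)
            if SENSITIVE_LOG.search(line)]


if __name__ == "__main__":
    for name, value in inspect_shared_prefs(SAMPLE_PREFS):
        print(f"shared_prefs: {name} = {value!r}")
    for lineno in inspect_logcat(SAMPLE_LOGCAT):
        print(f"logcat line {lineno}: {SAMPLE_LOGCAT.splitlines()[lineno - 1]}")
```

Repeat the same checks after uninstalling the app (the last bullet on slide 14): anything still readable under the old data directory or on external storage is a finding in its own right.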
15. Where to look?
16. How does it look?
17. Tools of the Trade
   • Android SDK
   • ADB
   • BurpSuite
   • APKtool
   • Smali/baksmali
   • Dex2jar
   • Genymotion
   • AppUse / Android Tamer
18. Challenges
   • AppUse is quite slow:
     – Save time in loading your emulator.
     – Save time in installing the app.
   • ADB always runs behind the device. If you are idle, adb stops working, or you have to restart your emulator.
     – Keep your ADB attached to the device constantly.
   • Commands for every push, apk installation, etc.
     – Get a drag-and-drop feature.
   • The organization might ask you to get the application from the Play Store.
     – Get the Play Store.
   • Genymotion gives you all of the above sweet cake.
     – Supports webcam, mic, GPS, etc. as well (haven't tested them, however).
     – Not stable (one bad out of six is never bad).
19. Time's up: what next?
   • OWASP Mobile Top 10
   • Drozer (for Inter-Process Communication)
   • Explore new tools all the time.
   • Keep sharing.
20. Questions?