Android Application Analyzer
- Sanjay Gondaliya
Agenda
- Android Application Penetration Testing
- Static Analysis
- Dynamic Analysis
- Common tools used
- Demo - Android Application Analyzer
#Whoami
- 8+ Years of experience in Information Technology
- Sr. Security Consultant @NotSoSecure
- Website: sanjaygondaliya.com
Android Application Penetration Testing
- Static Analysis
- Android Manifest Analysis
- Exported Components
- Debuggable, Backup Flags
- Shared Preferences
- SQLite Database
- Sensitive information in logcat
- Application Source Analysis
- Source code obfuscation
- Root Detection Check
- SSL Pinning Implementation
- Application Memory Dump
- Dynamic Analysis
- API Testing (OWASP Web Top 10)
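A worked example of the manifest part of the checklist above (debuggable and backup flags, exported components, deep-link URL schemes). This script is added for this page and is not code from the Android Application Analyzer; it reads the AndroidManifest.xml that apktool decodes, and the manifest embedded below is constructed for the example (the package and component names are hypothetical).

```python
"""Manifest checks from the slides: debuggable / allowBackup flags, exported
components and deep-link schemes, run over the AndroidManifest.xml that
`apktool d app.apk` writes (the binary manifest inside the APK must be decoded
first).  Added for this page; the sample manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name):
    """Return the android:<name> attribute of elem, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def analyse_manifest(xml_text):
    root = ET.fromstring(xml_text)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    min_sdk = int(_attr(sdk, "minSdkVersion") or 1) if sdk is not None else 1
    target_sdk = int(_attr(sdk, "targetSdkVersion") or min_sdk) if sdk is not None else min_sdk
    findings = {
        "package": root.get("package"),
        "debuggable": _attr(app, "debuggable") == "true",
        # allowBackup defaults to true, so only an explicit "false" is safe
        "allow_backup": _attr(app, "allowBackup") != "false",
        "exported": [],    # (tag, name, permission) of every reachable component
        "deep_links": [],  # (component, scheme, host) from <data> in intent-filters
    }
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = _attr(comp, "name")
        filters = comp.findall("intent-filter")
        explicit = _attr(comp, "exported")
        if explicit is not None:
            exported = explicit == "true"
        elif comp.tag == "provider":
            # providers default to exported when minSdk or targetSdk is <= 16
            exported = min(min_sdk, target_sdk) <= 16
        else:
            # without the attribute, an intent-filter makes the component exported
            # (Android 12+ refuses to install such components without an explicit value)
            exported = bool(filters)
        if exported:
            findings["exported"].append((comp.tag, name, _attr(comp, "permission")))
        for flt in filters:
            for data in flt.findall("data"):
                scheme = _attr(data, "scheme")
                if scheme:
                    findings["deep_links"].append((name, scheme, _attr(data, "host")))
    return findings


# Constructed sample manifest; not from a real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vulnapp">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="vulnapp" android:host="reset"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.vulnapp.notes"
              android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    result = analyse_manifest(SAMPLE_MANIFEST)
    print(f"{result['package']}: debuggable={result['debuggable']} "
          f"allowBackup={result['allow_backup']}")
    for tag, name, perm in result["exported"]:
        print(f"  exported {tag:9} {name}  permission={perm}")
    for name, scheme, host in result["deep_links"]:
        print(f"  deep link {scheme}://{host} -> {name}")
```

The launcher activity is reported as exported because it is; the interesting rows are the exported service and receiver with no android:permission, and the deep link, which is the input an attacker reaches from a browser or another app. Every exported component found here is a candidate for the exploitation-framework step later in the flow.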
Common Tools Used
- Application manifest and code analysis (MobSF)
- Apktool (to decode and rebuild the APK file)
- Sandbox content analysis (shared preference files, SQLite DB)
- sqlite3, cat, grep commands in “adb shell”
- Sensitive information in logcat (adb logcat)
- Source code review / obfuscation check (dex2jar -> JD-GUI)
- Frida universal SSL unpinning script (to bypass SSL pinning)
- Fridump (to dump and search process memory)
Static Analysis (test flow)
The slides build up one flow diagram step by step; the complete diagram reads:
- Static analysis of the APK. To check for:
  - Source-code obfuscation (is the decompiled code readable?)
  - Debuggable flag
  - Backup flag
  - Exported Activity, Service, Broadcast Receiver, Content Provider
  - Source code analysis: hardcoded sensitive information
  - Deep link URL schemes
- Install the APK on the test device
- To check for sensitive information (Insecure Local Storage):
  - /data/data/AppFolder (internal sandbox: shared preference analysis, SQLite database analysis)
  - /sdcard/Android/data/AppFolder (external storage)
- To check for sensitive information in logcat
- Exploitation framework: exploit exported components
  - Activity
  - Services
  - Broadcast
  - Provider
- To bypass checks and carry on penetration testing: hook the code to bypass SSL pinning and other client-side validation (Frida)
- If the source code is obfuscated, or to bypass a client-side check or trace a certain function, patch the APK:
  - Decompile the APK (apktool)
  - Modify the source (smali) using a text editor
  - Compile the APK from the modified source
  - Sign the APK (sign.jar)
  - Uninstall the old APK
  - Install the new APK
- To dump app memory (Fridump)
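The local-storage and logcat steps of the flow (and the sqlite3/cat/grep-in-adb-shell and adb logcat items on the tools slide) as one script added for this page; it is not the Android Application Analyzer's code. On an engagement the inputs come from `adb pull` of `/data/data/<package>/shared_prefs` and `/databases` (root, or `run-as <package>` on a debuggable app) and from `adb logcat -d`; here the preferences file, database and log lines are constructed inline so the script runs offline, and the key-name and token patterns are heuristics to tune per target.

```python
"""Scan what an app leaves on the device for secrets: shared_prefs XML,
SQLite tables and logcat output.  Added for this page; all inputs below are
constructed, not captured from a real application."""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Heuristics: key names that usually hold a credential, and value shapes that
# are credentials whatever the key is called.
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|auth|session|pin)", re.I)
VALUE_PATTERNS = {
    "jwt": re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer": re.compile(r"Bearer\s+[\w.\-]{16,}", re.I),
}


def _classify(key, value):
    """Return why a key/value pair looks sensitive, or None."""
    value = "" if value is None else str(value)
    for label, pat in VALUE_PATTERNS.items():
        if pat.search(value):
            return label
    if key is not None and SENSITIVE_KEY.search(str(key)) and value:
        return "sensitive-key"
    return None


def scan_shared_prefs(xml_text):
    """shared_prefs/*.xml is a <map> of <string name=..>v</string> and
    <boolean|int|long|float name=.. value=..> entries."""
    hits = []
    for node in ET.fromstring(xml_text):
        key = node.get("name")
        value = node.text if node.tag == "string" else node.get("value")
        why = _classify(key, value)
        if why:
            hits.append(("shared_prefs", key, why))
    return hits


def scan_sqlite(conn):
    """Walk every user table and column of an open sqlite3 connection
    (open a pulled .db file with sqlite3.connect(path))."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for col, val in zip(cols, row):
                why = _classify(col, val)
                if why:
                    hits.append((f"sqlite:{table}", col, why))
    return hits


def scan_logcat(lines):
    """`adb logcat` lines: bare tokens anywhere, or key=value / key: value pairs."""
    hits = []
    kv = re.compile(r"([A-Za-z_]+)\s*[=:]\s*(\S+)")
    for line in lines:
        why = _classify(None, line)
        if not why:
            for key, value in kv.findall(line):
                why = _classify(key, value)
                if why:
                    break
        if why:
            hits.append(("logcat", line.strip(), why))
    return hits


# --- constructed sample inputs -------------------------------------------
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">Winter2024!</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig</string>
    <boolean name="remember_me" value="true" />
</map>"""

SAMPLE_LOGCAT = [
    "D/LoginActivity(  4210): login ok for alice",
    "D/LoginActivity(  4210): password=Winter2024! remember=true",
    "I/ApiClient   (  4210): Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig",
    "V/Lifecycle   (  4210): onResume",
]


def sample_db():
    """In-memory stand-in for a pulled /data/data/<pkg>/databases/app.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER, name TEXT, pin TEXT, api_key TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', '1234', 'AKIAIOSFODNN7EXAMPLE')")
    conn.execute("CREATE TABLE notes(id INTEGER, body TEXT)")
    conn.execute("INSERT INTO notes VALUES (1, 'buy milk')")
    return conn


def scan_all():
    return (scan_shared_prefs(SAMPLE_PREFS) + scan_sqlite(sample_db())
            + scan_logcat(SAMPLE_LOGCAT))


if __name__ == "__main__":
    for source, key, why in scan_all():
        print(f"{source:14} {why:15} {key}")
```

Logcat is shared by every process on the device, so anything the app logs at debug level is readable by any app holding READ_LOGS on older releases and by anyone with a USB connection on all of them; the finding is the log line itself, which is why the scanner returns it verbatim.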
Android Application Analyzer
- GUI for Android Application static analysis
- To Save Time
- To cover all the test cases during penetration testing
Prerequisites
- Python3
- Frida client installed on the host machine (and frida-server running on the device)
- MobSF available on http://localhost:8000
- For universal Frida SSL unpinning, replace the Burp CA certificate in the “tools”
directory with the one exported from your own Burp instance
- For Fridump, the application needs to be running on the device
Android Application Analyzer - Setup
- Clone the repo from Git
- git clone https://github.com/NotSoSecure/android_application_analyzer.git
- Install the prerequisites
- Linux/Unix
- ./setup.sh
- Windows
- ./setup.bat
Demo
- Sandbox content analysis (shared pref files, SQLite DB)
- Source code obfuscation check (dex2jar -> JD-GUI)
- Apktool (to decode the APK file)
- Fridump (memory dump analysis)
- Frida universal SSL unpinning (to bypass SSL pinning)
- Sensitive information in logcat (adb logcat)
- Application manifest and code analysis (MobSF)
- Smali debug / APK code injection (requires: uninstall the app -> rebuild it with
apktool -> install it again)
- Application sandbox snapshot for future reference
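The "modify the source" step of the smali / APK code injection item above, as a worked example added for this page (not the tool's code): the one edit a tester makes most often is forcing a boolean gate such as a root-detection or pinning check to a fixed value. The smali class, method names and su path below are constructed, not taken from a real app; the rebuild, sign and reinstall commands in the trailing comment are the slides' steps and are not executed by the script.

```python
"""Patch a boolean check in apktool-decoded smali so a client-side gate
(root detection, pinning, debugger check) is skipped while testing.
Added for this page; the smali and names below are constructed."""
import re

SAMPLE_SMALI = """\
.class public Lcom/example/vulnapp/RootCheck;
.super Ljava/lang/Object;

.method public static isRooted()Z
    .locals 1

    invoke-static {}, Lcom/example/vulnapp/RootCheck;->suBinaryPresent()Z

    move-result v0

    if-eqz v0, :cond_0

    const/4 v0, 0x1

    return v0

    :cond_0
    const/4 v0, 0x0

    return v0
.end method

.method private static suBinaryPresent()Z
    .locals 2

    new-instance v0, Ljava/io/File;

    const-string v1, "/system/xbin/su"

    invoke-direct {v0, v1}, Ljava/io/File;-><init>(Ljava/lang/String;)V

    invoke-virtual {v0}, Ljava/io/File;->exists()Z

    move-result v0

    return v0
.end method
"""

# One smali method whose descriptor returns a boolean (ends in ")Z").
METHOD_RE = re.compile(
    r"(?P<head>^\.method[^\n]*?\s(?P<name>[\w$<>]+)\((?P<params>[^)]*)\)Z[ \t]*\n)"
    r"(?P<body>.*?)"
    r"(?P<tail>^\.end method)",
    re.M | re.S,
)


def force_boolean(smali, method, value):
    """Replace the body of every boolean method called `method` with a stub
    returning `value`.  Returns (patched_smali, number_of_methods_patched)."""
    patched = 0

    def repl(m):
        nonlocal patched
        if m.group("name") != method:
            return m.group(0)          # a different method: leave it untouched
        patched += 1
        # .locals 1 gives us v0; parameters stay in their p-registers, so the
        # stub is valid for static and instance methods alike.
        stub = ("    .locals 1\n\n"
                f"    const/4 v0, {'0x1' if value else '0x0'}\n\n"
                "    return v0\n")
        return m.group("head") + stub + m.group("tail")

    return METHOD_RE.sub(repl, smali), patched


def method_body(smali, method):
    """Body of the first boolean method named `method`, for checking a patch."""
    for m in METHOD_RE.finditer(smali):
        if m.group("name") == method:
            return m.group("body")
    return None


if __name__ == "__main__":
    out, n = force_boolean(SAMPLE_SMALI, "isRooted", False)
    print(f"patched {n} method(s); new body of isRooted:\n{method_body(out, 'isRooted')}")
    # Remaining steps from the slides, run on the host (not executed here):
    #   apktool b decoded_dir -o patched.apk
    #   sign patched.apk (sign.jar, or zipalign + apksigner from the SDK build-tools)
    #   adb uninstall com.example.vulnapp && adb install patched.apk
```

Uninstalling first is not optional: the rebuilt APK is signed with the tester's key, so it cannot be installed over the vendor-signed original, and any signature check the app does on itself will now fail and may need the same treatment. Keep the edited smali minimal; changing register counts or control flow beyond the stub is what usually makes the rebuild fail verification at install time.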
Demo
- Walkthrough of the test flow above in the tool: install the APK, check local storage (/data/data and external storage), check logcat, exploit exported components, hook the code with Frida to bypass SSL pinning and other client-side checks, patch and re-sign the APK, dump app memory
Thank you :)