Android Application Hacking
Rama Zeta
Surabaya Blackhat
What you need to know
• Android is secure
• But users are not
• Android's security model is built to protect the system
• Not your data or your application
• Its protections can easily be bypassed by the user
• Installing from unknown sources (sideloading)
• Rooting
• etc.
What is Android?
• Android is an operating system based on the Linux kernel, designed
primarily for touch-screen mobile devices such as smartphones,
tablets, smart TVs, etc.
Android Architecture
Android Security Model
• Security at the OS level through the Linux kernel (each app runs under its own Linux UID)
• Application sandboxing
• Secure inter-process communication (Binder)
• Application signing
• Application-defined and user-granted permissions
• Google Bouncer (server-side scanning of Play Store uploads, since succeeded by Google Play Protect)
Android App Components
• Activity
• Service
• Broadcast Receiver
• Content Provider (data handling)
• Intent (the message object used to reach the components above, not a component itself)
Android Apps Types
• Native Apps
• Hybrid Apps
• WebView apps
Pentesting Android Apps
Reverse Engineering
Engineering (development) vs. reverse engineering
Tools (some of them)
Man In The Middle Attack
• Mobile web-based apps
• Apps using a REST API
• Request parameters sent without encoding or encryption (readable and editable in transit)
Burp Suite for Tampering Requests
• Set the proxy on the device (point the Wi-Fi proxy at the Burp listener)
• Burp Suite then monitors every request the device sends
• Analyze the requests to the backend and modify them before forwarding
• For HTTPS, install Burp's CA certificate on the device; apps targeting Android 7+ do not trust user-added CAs by default, and pinned apps need the pin removed or bypassed first
• Happy hacking!
SQL Injection in Android, w00t?
• Usually found in the backend API service rather than on the device (though on-device SQLite reached through a content provider can be injectable too)
• Backend reachable over an insecure URL (plain HTTP), so parameters can be read and altered in transit
• Unescaped parameters (e.g. POST fields) concatenated into SQL text; URL-encoding does not help, since the server decodes it before use, and only parameterized queries prevent injection
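To make the last bullet concrete, here is an added example (not from the deck) that plays the role of the backend API: a Python login handler backed by an in-memory SQLite table, written once by string concatenation and once with a parameterized query, and fed the two payloads an attacker would type into the intercepted POST body in Burp. The table, user names and payloads are constructed for the demonstration; the backend language and framework are an assumption, the defect is the same in PHP, Java or anything else that splices request fields into SQL.

```python
import sqlite3


# Constructed sample data standing in for the API's backend database (not from the deck).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The deck's 'unencoded parameter' bug: POST fields spliced straight into the SQL text."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: values travel separately from the SQL text, so quotes
    inside them are data, never syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Two payloads an attacker would put into the intercepted POST body in Burp.
TAUTOLOGY = "' OR '1'='1"   # turns the WHERE clause into something that is always true
COMMENT_OUT = "alice'--"    # closes the username literal and comments out the password check


def demo():
    """Run both payloads against both handlers; returns the rows each one leaks."""
    conn = make_db()
    return {
        "vulnerable_tautology": login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY),
        "vulnerable_comment": login_vulnerable(conn, COMMENT_OUT, "wrong"),
        "safe_tautology": login_safe(conn, TAUTOLOGY, TAUTOLOGY),
        "safe_comment": login_safe(conn, COMMENT_OUT, "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} -> {rows}")
```

The vulnerable handler returns every user for the tautology payload (`AND` binds tighter than `OR`, so the trailing `OR '1'='1'` matches all rows) and logs in as alice with no password for the comment payload; the parameterized handler returns nothing for either, because the driver never lets the quote characters reach the SQL parser.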
Insecure Data Storage
• Shared Preferences
• SQLite Database
• Phone Storage
Insecure Data Storage: Shared Preferences
• Using DIVA (Damn Insecure and Vulnerable App)
• Shared preferences are stored at /data/data/[package name]/shared_prefs/ on the device
• Saved in XML format, in plaintext unless the app encrypts the values itself
Insecure Data Storage: SQLite
• Still using DIVA
• SQLite databases live in the same app directory, /data/data/[package name]/databases/
• Saved as a SQLite database file (the extension varies: .db, .sqlite, or none at all)
Insecure Data Storage: Phone Storage
• Saved as a file, with or without an extension
• Can be saved to internal or external storage
• Internal storage: /data/data/[package_name]/ (private to the app's UID; readable with root, or via adb's run-as on a debuggable app)
• External storage: /mnt/sdcard/ on older devices (/sdcard or /storage/emulated/0 on current ones); readable by any app holding the storage permission
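The three storage slides above describe the same procedure: pull the app's private directory (and the sdcard) with adb, then look through the XML, the SQLite files and the loose files for credentials. The added example below, which is not part of the deck and is not DIVA's code, is a small Python triage script for that step. It prints the `adb pull` commands for a package, then scans a shared_prefs file and a SQLite database for sensitive-looking keys and columns. The preferences file and the database schema are constructed inline in the layout Android writes; the package name, key names and the `SENSITIVE` pattern are assumptions to tune per target.

```python
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Key/column names that usually hold something worth protecting (heuristic; tune per app).
SENSITIVE = re.compile(r"pass(word|wd)?|pwd|secret|token|api[_-]?key|session|cred|pin\b", re.I)


def pull_commands(package, sdcard="/sdcard"):
    """adb commands that copy the storage locations from the deck to the workstation.
    /data/data/<pkg> is private to the app's UID: it needs a rooted device, or
    'adb shell run-as <pkg>' when the app is debuggable."""
    app_dir = f"/data/data/{package}"
    return [
        f"adb pull {app_dir}/shared_prefs ./{package}/shared_prefs",
        f"adb pull {app_dir}/databases ./{package}/databases",
        f"adb pull {app_dir}/files ./{package}/files",
        # app-specific external dir; files dropped elsewhere on the sdcard need a manual look
        f"adb pull {sdcard}/Android/data/{package} ./{package}/sdcard",
    ]


# Constructed shared_prefs file in the XML layout Android writes (not taken from DIVA).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">diva</string>
    <string name="password">p@ssw0rd</string>
    <boolean name="remember_me" value="true" />
    <int name="login_count" value="3" />
</map>
"""


def scan_shared_prefs(xml_text):
    """Return (key, value) pairs whose key looks sensitive. Values sit in plaintext
    unless the app encrypted them before calling SharedPreferences.Editor.put*."""
    root = ET.fromstring(xml_text)
    findings = []
    for entry in root:
        key = entry.get("name", "")
        # <string> keeps its value as element text; the other types use a value= attribute
        value = entry.text if entry.tag == "string" else entry.get("value")
        if SENSITIVE.search(key):
            findings.append((key, value))
    return findings


def build_sample_db(path):
    """Constructed database imitating an app that persists credentials (not DIVA's schema)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE myuser (user TEXT, password TEXT)")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO myuser VALUES ('diva', 'p@ssw0rd')")
    conn.execute("INSERT INTO notes VALUES (1, 'shopping list')")
    conn.commit()
    conn.close()


def scan_sqlite(db_path):
    """Flag sensitive-looking columns in every user table and show one stored value each."""
    conn = sqlite3.connect(db_path)
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            column = row[1]   # table_info rows: cid, name, type, notnull, dflt_value, pk
            if SENSITIVE.search(column):
                sample = conn.execute(f'SELECT "{column}" FROM "{table}" LIMIT 1').fetchone()
                findings.append((table, column, sample[0] if sample else None))
    conn.close()
    return findings


def demo(package="com.example.vulnapp"):
    """Build the sample database in a temp dir and run both scanners."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "creds.db")
        build_sample_db(db_path)
        return {
            "pull": pull_commands(package),
            "shared_prefs": scan_shared_prefs(SAMPLE_PREFS),
            "sqlite": scan_sqlite(db_path),
        }


if __name__ == "__main__":
    for section, result in demo().items():
        print(section, result)
```

On a real engagement the scanners run over the directories the `adb pull` lines produce; the name heuristic is only a first pass, so follow it with `sqlite3 <file> .dump` and a read of the remaining XML by hand before concluding that nothing sensitive is stored.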
Attacking Application Components
• Activities
• Services
• Content Providers
• Broadcast Receivers
• Intents
Accessing Activities Outside the App
• The key is to read the AndroidManifest.xml file (decode the APK first, e.g. with apktool, since the manifest inside an APK is binary XML)
• It lists every activity in the app; those declared with exported="true", or carrying an intent-filter without exported="false", can be started by any other app
• Understand how the ADB tools work: adb shell am start launches an exported activity directly, skipping whatever screens the app meant to show first
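The manifest review and the adb launch from the slide above, as an added Python example that is not part of the deck. It parses a decoded AndroidManifest.xml, applies the export rules (explicit `android:exported="true"`, or an intent-filter with the attribute unset), notes when an exported component is still guarded by a permission, and prints the `adb shell am start` command for each reachable activity. The manifest, package name and component names are constructed for the example and are not DIVA's; the apktool step is assumed to have been run already.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Qualify an attribute name with the android: namespace the way ElementTree expects."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed manifest for a hypothetical app; package and component names are made up,
# not taken from DIVA. In a real APK the manifest is binary XML: decode it first
# (apktool d app.apk) and read AndroidManifest.xml from the output directory.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vulnapp">
  <application android:label="VulnApp">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".APICredsActivity" android:exported="true"/>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.example.vulnapp.ADMIN"/>
    <activity android:name=".HiddenActivity" android:exported="false">
      <intent-filter><action android:name="com.example.vulnapp.HIDDEN"/></intent-filter>
    </activity>
    <activity android:name=".InternalActivity"/>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver")


def exported_components(manifest_xml):
    """Return (package, [components reachable from other apps]).

    A component is exported when android:exported="true", or, when the attribute is
    absent, when it declares an intent-filter (the default for apps targeting API < 31;
    Android 12 refuses to install an app that leaves exported unset on such components).
    Content providers are skipped here: their default depends on targetSdkVersion.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    found = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = comp.get(a("name"))
        if name.startswith("."):
            name = package + name            # shorthand for a class inside the app's package
        exported = comp.get(a("exported"))
        has_filter = comp.find("intent-filter") is not None
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and has_filter:
            reason = "intent-filter present, exported not set (implicitly exported)"
        else:
            continue
        found.append({
            "type": comp.tag,
            "name": name,
            "reason": reason,
            # A permission on the component means the caller must hold it: not a free ride.
            "permission": comp.get(a("permission")),
        })
    return package, found


def am_start_command(package, activity):
    """The adb invocation that launches an exported activity directly, bypassing the app's flow."""
    return f"adb shell am start -n {package}/{activity}"


if __name__ == "__main__":
    pkg, comps = exported_components(SAMPLE_MANIFEST)
    for c in comps:
        guard = f" (needs permission {c['permission']})" if c["permission"] else ""
        print(f"{c['type']:8s} {c['name']}: {c['reason']}{guard}")
        if c["type"] == "activity":
            print("    ", am_start_command(pkg, c["name"]))
```

Running it on the sample lists MainActivity (implicitly exported by its launcher intent-filter), APICredsActivity and AdminActivity (explicit), and BootReceiver, while HiddenActivity and InternalActivity are correctly left out; AdminActivity is flagged as exported but gated by a permission, which is the check to make before declaring it reachable.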
Another Case
• This example shows how to reach credentials without registering
• Using adb commands and some secret strings found in the app
Conclusion
• Obfuscate release builds, e.g. with ProGuard (R8) or DexGuard; this slows reverse engineering but is not encryption and does not protect secrets embedded in the app
• Use HTTPS for every API endpoint
• Authenticate requests to the API service, e.g. with OAuth or JWT
• Encrypt sensitive outgoing data from the app to the API service (sending it as JSON is a format choice, not a security control)
• But remember the rule: nothing is 100% secure
Thanks
Rama Zeta
ramazeta1997@gmail.com
082136333348
Published on SlideShare as "Android Security and Penetration Testing".