Speaking at Unmask Cybercrime, held by Surabaya Hacker Link. In this session I talk about how to find app vulnerabilities and how to use MITM techniques to monitor requests between apps and a REST service.
2. What you need to know?
• Android is secure
• But users are not
• Android's security is designed to protect the system
• Not your data or application
• Security can easily be bypassed by users
• Unknown sources
• Rooting
• etc.
3. What is Android?
• Android is an operating system based on the Linux kernel, designed
primarily for touch-screen mobile devices such as smartphones, tablet
computers, smart TVs, etc.
5. Android Security Model
• Security at the OS level through the Linux kernel
• Application sandboxing
• Secure inter-process communication
• Application signing
• Application-defined and user-granted permissions
• Google Bouncer
11. Man In The Middle Attack
• Mobile web-based apps
• Apps using a REST API
• Request parameters without encoding
12. Burp Suite for Tampering Requests
• Set the device's proxy to Burp Suite
• Burp Suite then monitors the requests coming from the device
• Analyze the requests sent to the backend
• Happy Hacking!
13. SQL Injection in Android, w00t?
• Usually found in the API service
• Using an unsecured backend URL (non-HTTPS)
• Unencoded POST parameters
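The injection the slide describes lives in the API backend, not in the APK. The following added example (not code from the talk) stands in for that backend with an in-memory SQLite table and shows the same login lookup twice: once with the unencoded POST parameters concatenated into the query text, and once with placeholders so the driver sends the values separately from the SQL. The table, the credentials and the function names are constructed for this demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the API service's user table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The bug: request parameters are pasted straight into the SQL text, so any
    # quote in the input changes the structure of the query.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The fix: '?' placeholders keep the query structure fixed; the values are
    # bound by the driver and can never be interpreted as SQL.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def compare(username: str, password: str) -> dict:
    """Run the same credentials through both lookups and report the results."""
    conn = build_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    # A password value containing a quote: the concatenated query accepts it,
    # the parameterized query correctly rejects it.
    print(compare("alice", "' OR '1'='1"))
```

The point to take away as a backend maintainer is that the fix is structural: encoding the parameters in the app does not help, because the server must treat every request as untrusted regardless of which client sent it.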
15. Insecure Data Storage: Shared Preferences
• Using DIVA (Damn Insecure and Vulnerable App)
• Shared preferences are stored at /data/data/[package name]/shared_prefs on Android devices
• Saved in XML format
18. Insecure Data Storage: SQLite
• Still using DIVA
• SQLite databases are stored in the same folder, /data/data/[package name]/databases
• Saved as a .sqlite file
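Both storage locations from the last two slides can be checked the same way once the files have been pulled off a device: parse them and look for plaintext values under credential-like names. The script below is an added example, not part of the talk or of DIVA; the shared_prefs XML document and the SQLite table are constructed inline to mirror the layouts the slides describe (the key and column names, and the "sensitive name" regex, are assumptions). On a real file you would pass the contents of the pulled XML to `scan_shared_prefs` and an `sqlite3.connect(path)` handle to `scan_sqlite`.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Heuristic list of key/column names that should never hold a plaintext value.
# Assumption: adjust for the app under review; this is a name match, not a content check.
SENSITIVE = re.compile(r"(pass(word|wd)?|pwd|secret|token|pin|api[_-]?key)", re.I)

# Constructed sample of a /data/data/<pkg>/shared_prefs/*.xml file.
SHARED_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user">alice</string>
    <string name="password">correct horse</string>
    <boolean name="remember" value="true" />
    <int name="pin" value="1234" />
</map>
"""


def scan_shared_prefs(xml_text: str) -> list:
    """Return (key, value) pairs whose key looks credential-like."""
    findings = []
    root = ET.fromstring(xml_text)
    for entry in root:
        name = entry.get("name", "")
        if not SENSITIVE.search(name):
            continue
        # <string> keeps its value as text; int/boolean/float/long use a value attribute.
        value = entry.text if entry.tag == "string" else entry.get("value")
        findings.append((name, value))
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a /data/data/<pkg>/databases/*.sqlite file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myuser (user TEXT, password TEXT)")
    conn.execute("INSERT INTO myuser VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def scan_sqlite(conn: sqlite3.Connection) -> list:
    """Return (table, column, sample values) for credential-like column names."""
    findings = []
    tables = [
        row[0]
        for row in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    ]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        columns = [row[1] for row in conn.execute('PRAGMA table_info("%s")' % table)]
        for column in columns:
            if SENSITIVE.search(column):
                sample = [
                    row[0]
                    for row in conn.execute(
                        'SELECT "%s" FROM "%s" LIMIT 5' % (column, table)
                    )
                ]
                findings.append((table, column, sample))
    return findings


if __name__ == "__main__":
    for key, value in scan_shared_prefs(SHARED_PREFS_XML):
        print("shared_prefs: %s = %r" % (key, value))
    for table, column, sample in scan_sqlite(build_sample_db()):
        print("sqlite: %s.%s -> %r" % (table, column, sample))
```

A hit from either scanner is a finding by itself: anything readable here is readable by whoever holds the device or a backup of it, which is exactly why the conclusion slide asks for the data to be encrypted before it is written.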
20. Insecure Data Storage: Phone Storage
• Saved as a file, with or without an extension
• Can be saved to external or internal storage
• If saved in internal storage, the path is /data/data/[package_name]/
• If saved in external storage, the path is /mnt/sdcard/
25. Accessing Activities Outside the App
• The key is to read the AndroidManifest.xml file
• It lists all of the activities inside the app
• Understand how the ADB tool works
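Reading the manifest by hand works for one app; for a review it helps to automate the question the slide is really asking, namely which activities are reachable from outside the app without any permission guarding them. The following added example (not from the talk) parses a constructed AndroidManifest.xml and reports exactly those activities. It applies the platform's own default rule: an activity is exported when `android:exported="true"`, or when the attribute is absent and the activity declares an intent-filter (the pre-Android 12 default). The package and activity names are made up for the demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's notation for namespaced attributes

# Constructed manifest covering the cases a reviewer has to distinguish.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true" />
    <activity android:name=".ShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND" />
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false" />
    <activity android:name=".ProtectedActivity" android:exported="true"
              android:permission="com.example.demo.ADMIN" />
  </application>
</manifest>
"""


def is_exported(activity: ET.Element) -> bool:
    """Apply the platform default: explicit attribute wins, else intent-filter implies exported."""
    exported = activity.get(A + "exported")
    if exported is not None:
        return exported.lower() == "true"
    return activity.find("intent-filter") is not None


def reachable_activities(manifest_xml: str) -> list:
    """Return (name, note) for every exported activity not guarded by android:permission."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for activity in root.iter("activity"):
        if not is_exported(activity):
            continue
        if activity.get(A + "permission"):
            continue  # exported, but a caller must hold the named permission
        name = activity.get(A + "name")
        is_launcher = any(
            cat.get(A + "name") == "android.intent.category.LAUNCHER"
            for cat in activity.iter("category")
        )
        note = "launcher entry point" if is_launcher else "reachable from other apps"
        findings.append((name, note))
    return findings


if __name__ == "__main__":
    for name, note in reachable_activities(MANIFEST):
        print("%s: %s" % (name, note))
```

The launcher activity is expected to be exported; every other entry in the output is a screen that should either be set to `android:exported="false"` or carry an `android:permission`, unless it is genuinely meant to be opened by other apps.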
28. Another Case
• This example will show you how to access credentials without registering.
• Using the adb command and some secret strings.
31. Conclusion
• It is recommended to encrypt (obfuscate) our apps after the production stage, e.g. with ProGuard or DexGuard
• Use the secure protocol HTTPS for the API endpoint
• Use an authentication method for the API service, such as OAuth or JWT
• Encrypt, or at least use JSON for, outgoing data from the app to the API service
• But remember the rule: nothing is secure