Dynamic Security Analysis & Static Security Analysis for Android Apps.
1. Security Analysis of Mobile Apps (Android & iOS)
Note: The sole purpose of this workshop is learning and testing your own applications. It is not intended for piracy or any other illegal use.
webuy.com
3. Reverse Engineering of Android app
● Decompiling :
○ Extracting the source code of the app.
● Recompiling:
○ To compile the program/source code again after changes have been made to it, in order to test and run it.
4. Reverse Engineering of Android app
● Why Android:
○ Easy access to APKs
○ Very few apps are secured with obfuscation
○ Root access to devices
○ Easy to decompile
5. Reverse Engineering of Android app
Tools to analyse:
● APKTool - A tool to decompile and recompile the apk.
● Dex2jar - To extract the source code into a JAR file
● JD-GUI - To view the source code
● ILSpy - .NET assembly browser and decompiler
7. APKTool
Installation:
● Prerequisite: Java 7 or higher version needs to be installed
● Download APKTool and follow the instructions at the link below:
https://ibotpeaches.github.io/Apktool/install/
Steps to Decompile & Recompile:
● Go to the folder where the apk lies and run the below command from
command prompt. This will decompile the apk to the current folder where apk
lies.
○ apktool d appname.apk
8. Recompiling an apk
● After decompiling, check the AndroidManifest.xml file and the other source files. If any modifications are needed, make them and recompile the app using the command below.
○ apktool b appname
● To sign the APK, a key must be generated first. To generate the key, run the command below:
○ keytool -genkey -keystore filename.keystore -validity 1000 -alias aliasname
10. Recompiling an apk
● To sign the APK, run the command below and enter the password that was given while generating the key.
○ jarsigner -keystore filename.keystore -verbose appname.apk aliasname
● Woohaaa!!!! You are done with APK creation :) Install the APK on the device.
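Added example (not part of the original slides): a static check of the AndroidManifest.xml that apktool d decodes, covering the items slide 8 says to review and that Inspeckage lists under information gathering (permissions, debuggable flag, exported components). The sample manifest, package name and function names are constructed for illustration; the export default applied is the one for apps targeting API levels below 31.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Constructed sample standing in for appname/AndroidManifest.xml from `apktool d`.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.workshop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <activity android:name=".PayActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false">
      <intent-filter><action android:name="com.example.workshop.SYNC"/></intent-filter>
    </service>
  </application>
</manifest>"""

def is_exported(component):
    """Explicit android:exported wins; otherwise an intent-filter implies exported."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None

def audit_manifest(xml_data):
    """Return the manifest facts worth reviewing before shipping a build."""
    root = ET.fromstring(xml_data)
    app = root.find("application")
    report = {
        "package": root.get("package"),
        "permissions": [p.get(A + "name") for p in root.iter("uses-permission")],
        "debuggable": False, "allow_backup": True,  # platform defaults when absent
        "exported": [], "not_exported": [],
    }
    if app is None:
        return report
    report["debuggable"] = app.get(A + "debuggable", "false").lower() == "true"
    report["allow_backup"] = app.get(A + "allowBackup", "true").lower() == "true"
    for tag in ("activity", "service", "receiver"):
        for comp in app.findall(tag):
            key = "exported" if is_exported(comp) else "not_exported"
            report[key].append(comp.get(A + "name"))
    return report

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

To audit your own build, pass the bytes of the decoded appname/AndroidManifest.xml to audit_manifest; a release build should report debuggable as False and export only the components that other apps are meant to call.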
15. MobSF Configuration
Requirements:
● Static Analysis
○ Python 2.7 - Python 2 Download (latest Python 2.7 release is recommended)
○ Oracle JDK 1.7 or above - Java JDK Download
○ Mac OS X users must install Command-line Tools for Mac OS X - How to Install Commandline Tools in Mac
○ iOS IPA analysis works only on OS X and requires a Mac
○ Windows App Static analysis requires a Windows Host or Windows VM for
16. Execution of MobSF through Terminal
● Navigate to the Mobile-Security-Framework-MobSF-0.9.2 folder in a terminal and then run:
○ python manage.py runserver
22. Dynamic Analysis with Inspeckage
Inspeckage is a tool developed to offer dynamic analysis of Android applications.
● Simple Application
● Internal HTTP Server
● Developed as an Xposed framework module
23. Features of Inspeckage
● Information Gathering
○ Requested permissions
○ App permissions
○ Shared libraries
○ Exported and non-exported activities
○ Whether the app is debuggable or not
○ Version, UID, GUID, etc.
● Hooks (we can see what the application is doing at runtime)
24. Installation of Inspeckage
● Required software:
○ Any emulator (Genymotion emulator 5.1.0 would be preferred)
○ ARM Translation 1.1 (for the latest ARM Translation follow the 3rd point)
○ Google Apps (for gapps and the latest ARM translation follow this link: https://gist.github.com/wbroek/9321145 or https://www.genymotion.com/help/desktop/faq/#google-play-services )
○ SuperSU v2.46 (install the latest version from the Play Store)
○ Xposed Framework v80 sdk-22 x86 (follow this link for different Android versions: https://devs-lab.com/download-install-xposed-installer-framework-android.html )
25. How to Run?!!
● Install the APK on the device for dynamic analysis
● Open the Inspeckage app on the emulator
● Run the command below from the command prompt
○ adb forward tcp:8008 tcp:8008 (to check whether the service has started, open a browser and browse to http://127.0.0.1:8008 )
● Go to the emulator/device, choose the target app from Inspeckage and click on ‘Launch App’
28. Sources and More info
● https://github.com/dan7800/VulnerableAndroidAppOracle
● https://ibotpeaches.github.io/Apktool/documentation/
● Inspeckage: http://www.kitploit.com/2017/04/inspeckage-android-package-inspector.html
● MobSF: https://tools.androidtamer.com/Security%20Assessment/Automated%20Analysis/MobSF/
● https://manifestsecurity.com/android-application-security/
● https://tools.pentestbox.org/
Editor's Notes
In the US, a famous mobile app is widely used for mobile payments. Consumers simply enter their password once when activating the payment portion of the app and then use it, again and again, to make unlimited purchases without having to re-enter their username or password.
This might seem great when you talk about convenience. The sad truth is that on 16 January 2014, that mobile app, the most used application in the US with 10 million customers, was found to be storing user credentials in plain text format. When CNBC reported that user data had been compromised, 3 million people deleted the app from their mobile devices. In 24 hours, the app fell from 4th highest grossing app to number 26. That company scrambled to release an update later that week, too late.
The clear text also displayed users’ geolocation tracking points. With this information in hand, unauthorized individuals would have the credentials to log into the company’s website as well. People often use the same username and password across accounts, which means there is a potential to compromise additional user accounts.
Extracting the contents of the app allows you to modify individual aspects of it. For instance, you can change the color palette of the app just by changing a few hex codes. Depending on your expertise, you can even modify the functionality of the app if needed. Once your work is completed, you need to recompile the files to form an APK.
Installation:
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
Install MobSF Python dependencies using pip
Windows
C:\Python27\python.exe -m pip install -r requirements.txt
NOTE: If you face any issues, download and install the latest Python 2.7.x
Mac
pip install -r requirements.txt --user
By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime.
We can run it without Xposed, but 80% of its features depend on the Xposed Framework, so it's recommended that the framework is present on the device / emulator. To know more about Xposed: http://blog.attify.com/2015/01/04/xposed-framework-android-hooking/