Android mobile app security offensive security workshop
WHO AM I
Next Generation problem Solver
Researcher & Reader in free time
Facilitator at Weekend Testing
Bug bounty Hunter (eX .Crowd Tester)
Reported Security Vulnerabilities for 50+ unique customers all over the world
including Apple, yahoo, Outlook, adobe & etc.
Love to develop nasty code & Hack it :)
Works as Security Researcher at
Certified Ethical Hacker AKA. Bug Wrangler
Null & OWASP Co mmunity
Accenture Digital Mobility
This Presentation is intended for educational purposes only and I cannot be held liable for
any kind of damages done whatsoever to your machine, or other damages.
Please - Don't try this attack on any others system without having context knowledge or
permission, this may harm to someone directly or indirectly.
Feel free to use this presentation for practice or education purpose.
It's no way related to my employer - its my own research and ideas.
^ I hope - You gotcha ^
11. SIGN APK WITH JAR SIGNER
12. CHECK - ROOT DETECTION
* Updated apk has patched code *
~ SUMMARY ~
Demo on Missing Root Detection - Done
Demo on Reversing the APK - Done
Demo on rebuild the APK - Done
Demo on weak Binary - Done
Fix : Use the Dex Guard not the pro guard
Update the logical validation - Done
Identify attack surface at Smali code - Done
Demo on Patch the Smali code - Done
Demo on APK signing - Done
Finally done the root detection bypass - Done
Android allows apps to create a bridge in order to render
codes of the application using WebKit open source web
70 % of applications use WebViews
THERE IS TWEAK WITH USAGE
DISABLE SUPPORT FOR PLUGINS
DISABLE FILE SYSTEM ACCESS
WELL - HTTP VS HTTPS
WEBVIEW = NEW WEBVIEW(THIS);
IDENTIFY THE APP WITH THE WEBKIT
- Reverse the binary -
- Remember it's smali code -
VERIFY NETWORK IS MALICIOUS ?
HTTP VS Vulnerable HTTPS VS HTTPS
Edit the Response from cloud server (Man In middle)
YES - I'M DONE!
Feel free to write me at bug.wrangler at outlook.com
Tweet me at Abhinav_Sejpal
We need you!
Attend Null Meets-up & give presentations.
Share your ideas & leanings.
Talk to our community champions.
Your feedback helps us to build a good community.
Looking forward for your ongoing support.
Say 'Hello' @null0x00
! THANK YOU !
@anantshri @oldmanlab @adi1391 @prateekg147
#Nullblr Leads & Champions
Big thank you to @null0x00, Satish, Apoorva & you All
LICENSE AND COPYRIGHTS
humla/ Abhinav Sejpal
( CC BY-NC-ND 3.0)
Attribution-NonCommercial-NoDerivs 3.0 Unported
Dedicated to my lovely daddy