
Android Hacking


Slides from a presentation at the Rochester Security Summit.


  1. Android Hacking: Tools and Techniques Related To (title slide)
  2. About the speaker: RIT alum; Intrepidus Group; Interlock Rochester; Rochester 2600; TOOOL; BSidesROC; @antitree, antitree.com
  3. Agenda: Android introduction; tools for hackers; analysis techniques; examples; how to be "secure"
  4. Chart: smartphone platform share (Android 56%, iOS 28%, Blackberry 9%, Other 6%) and Android version share (Froyo 56%, Gingerbread 25%, Eclair 15%, with Cupcake, Donut and Honeycomb at 1-2% each)
  5. Android platform: Linux 2.6 kernel; Dalvik virtual machine, a new instance for each app; DEX, the Dalvik bytecode; APK, a zip archive; AndroidManifest.xml. Diagram: Java source is compiled to Dalvik bytecode and packaged into the APK.
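Slide 5 says an APK is a zip and that the code inside it is DEX bytecode. The following Python is an added example, not part of the slides: it builds a constructed, header-only DEX file and an APK-shaped zip around it, then opens the zip and parses the DEX header (magic, version, file size, class count, adler32 checksum, SHA-1 signature). The DEX header offsets follow the public DEX format; the sample manifest entry is a placeholder because a real APK carries a binary-XML manifest.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70          # fixed header size for DEX version 035
DEX_MAGIC = b"dex\n035\0"
ENDIAN_CONSTANT = 0x12345678


def build_sample_dex(class_defs: int = 0) -> bytes:
    """Construct a header-only DEX file as sample input (not a real app's code).

    Offsets: magic[8], checksum u32 at 8, signature[20] at 12, file_size at 32,
    header_size at 36, endian_tag at 40, ..., class_defs_size at 96.
    """
    h = bytearray(DEX_HEADER_SIZE)
    h[0:8] = DEX_MAGIC
    struct.pack_into("<I", h, 32, DEX_HEADER_SIZE)   # file_size: header only
    struct.pack_into("<I", h, 36, DEX_HEADER_SIZE)   # header_size
    struct.pack_into("<I", h, 40, ENDIAN_CONSTANT)   # endian_tag
    struct.pack_into("<I", h, 96, class_defs)        # class_defs_size
    # signature = SHA-1 over everything after the signature field
    h[12:32] = hashlib.sha1(bytes(h[32:])).digest()
    # checksum = adler32 over everything after the checksum field
    struct.pack_into("<I", h, 8, zlib.adler32(bytes(h[12:])) & 0xFFFFFFFF)
    return bytes(h)


def build_sample_apk() -> bytes:
    """Construct a minimal APK-shaped zip in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<placeholder: real APKs carry a binary-XML manifest>")
        z.writestr("classes.dex", build_sample_dex(class_defs=3))
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def parse_dex_header(dex: bytes) -> dict:
    """Read the DEX header and verify its checksum and signature."""
    if len(dex) < DEX_HEADER_SIZE or dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    (checksum,) = struct.unpack_from("<I", dex, 8)
    signature = dex[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 32)
    (class_defs_size,) = struct.unpack_from("<I", dex, 96)
    return {
        "version": dex[4:7].decode("ascii"),
        "file_size": file_size,
        "size_matches": file_size == len(dex),
        "header_size": header_size,
        "little_endian": endian_tag == ENDIAN_CONSTANT,
        "class_defs": class_defs_size,
        "checksum_ok": (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == checksum,
        "signature_ok": hashlib.sha1(dex[32:]).digest() == signature,
    }


def inspect_apk(apk: bytes) -> dict:
    """Open the APK as the zip it is and report on its manifest and classes.dex."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
        report = {"entries": names, "has_manifest": "AndroidManifest.xml" in names}
        if "classes.dex" in names:
            report["dex"] = parse_dex_header(z.read("classes.dex"))
    return report


if __name__ == "__main__":
    print(inspect_apk(build_sample_apk()))
```

A failed checksum or signature on a `classes.dex` pulled from a device is a quick sign that the file was patched after packaging, which is the first thing to check before spending time in a decompiler.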
  6. Diagram: each app runs in its own Dalvik VM instance on top of Linux, e.g. Angry Birds running as the Linux user app_42
  7. Application components: Intents, inter-process communication; Activities, a screen; Content Providers, a sqlite3 database; Services, background processes; Broadcasts, send and receive information to other apps
  8. Analysis techniques: dynamic network analysis; static code review; file system auditing
  9. Tools: Android SDK (ADB, DDMS, emulator); Apktool; Smali/Baksmali; Dex2jar; a Java decompiler (e.g. JAD or JD-GUI); Mallory; Burpsuite; Wireshark
  10. Background knowledge: Java source code vs. Smali files vs. DEX vs. jar vs. pseudocode; Android development; Java; Linux
  12. Dynamic network analysis: watch traffic flow through a MITM. Things to look for: information passed in the clear; SSL usage and whether it is done correctly; the results of modifying requests and responses; the authentication process
  13. Ways to get in the middle: a wireless router (DD-WRT/Tomato; usually needs a clunky device); the emulator (Android SDK; sometimes doesn't act the way you want it); a PPTP server (pptpd; a dedicated server)
  14. Firewall script for the PPTP server: it flushes the existing rules and redirects the test device's web traffic arriving on ppp0 to the local proxy port (the original had the last `--to-ports 8080` run together as one word).

```bash
#!/bin/bash
# firewall script to intercept all traffic from ppp0 and redirect to local port
# all credit to the great algorythm

# let the box forward packets between the PPTP link (ppp0) and the uplink (eth0)
echo 1 > /proc/sys/net/ipv4/ip_forward

# start from a clean rule set in the filter, nat and mangle tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# NAT the client's traffic out through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# send HTTP and HTTPS from the ppp0 client to the proxy listening on local port 8080
iptables -t nat -A PREROUTING -j REDIRECT -i ppp0 -p tcp --dport 80 -m tcp --to-ports 8080
iptables -t nat -A PREROUTING -j REDIRECT -i ppp0 -p tcp --dport 443 -m tcp --to-ports 8080
```
  15. Traffic tools: Wireshark for initial traffic fingerprinting; Burpsuite, great for HTTP/S traffic; Mallory, great for nonspecific protocols
  17. File system auditing: audit how data is stored. Things to look for: incorrect permissions; storage location (data, sdcard, asec). Tools: adb shell; standard Linux commands; [root exploit and busybox]
  20. Static code review: see how the app works through pseudocode. Things to look for: an overall understanding of the app; cryptographic functions; debug/testing functions; client-side authentication
  21. Tools: apktool d com.antitree.app; smali path/to/smali/files/; dex2jar out.dex; jd-gui out_dex2jar.jar. Diagram: APK to DEX to jar to pseudocode, with Smali alongside
  22. Reverse engineering is neat
  25. But what does it mean?
  26. Examples. Skype (4/11): a permissions error allowed a malicious app to access contacts and personal information. Google (6/11): session information passed in the clear made it susceptible to hijacking. Dropbox (8/11): an attempt to share data granted any app the ability to make files public
  27. HTC (10/11): a spyware-like logging app was found to be accessible to any app with the network connection permission, exposing GPS coordinates, MEID, MDN, phone logs and much more; *#*#HTCLOG#*#*
  28. 100,000 installations
  29. File system permissions set to 777: access saved sessions; modify included binaries. Why: lazy permissions. How discovered: file system permission review
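Slide 17 describes auditing how an app stores data with `adb shell` and standard Linux commands, and slide 29 shows what that audit turns up when an app ships its files as 777. The Python below is an added example, not the speaker's tool: it parses a constructed listing in the shape of `adb shell ls -l` output from an app's private directory and flags entries that are world-readable, world-writable, world-writable executables or directories, or setuid. The file names, owner `app_42` and sizes are all made up for the sample.

```python
import re
from dataclasses import dataclass

# Constructed sample listing, formatted like `adb shell ls -l` output from an
# app's private directory under /data/data/ (toolbox ls prints no size for dirs).
SAMPLE_LISTING = """\
drwxrwxrwx app_42   app_42            2011-10-01 12:00 files
-rwxrwxrwx app_42   app_42     153024 2011-10-01 12:00 files/sshtunnel_bin
-rw-rw-rw- app_42   app_42       4096 2011-10-01 12:00 files/sessions.db
-rw------- app_42   app_42        512 2011-10-01 12:00 shared_prefs/config.xml
-rw-rw-r-- app_42   app_42        128 2011-10-01 12:00 cache/log.txt
-rwsr-xr-x root     root        65536 2011-10-01 12:00 files/helper
"""

# mode, owner, group, optional size, date and time, name (name may contain spaces)
LS_LINE = re.compile(
    r"^([-dlcbps][rwxsStT-]{9})\s+(\S+)\s+(\S+)\s+(?:(\d+)\s+)?(\S+\s+\S+)\s+(.+)$"
)


@dataclass
class Finding:
    path: str
    mode: str
    owner: str
    issues: tuple


def classify(mode: str) -> tuple:
    """Return the permission problems implied by a 10-character mode string."""
    issues = []
    is_dir = mode[0] == "d"
    world_read = mode[7] == "r"
    world_write = mode[8] == "w"
    executable = not is_dir and any(c in "xs" for c in (mode[3], mode[6], mode[9]))
    if world_read and not is_dir:
        issues.append("world-readable")            # any other app's uid can read it
    if world_write:
        issues.append("world-writable")
        if executable:
            issues.append("world-writable executable")   # another app could replace the binary
        if is_dir:
            issues.append("world-writable directory")    # another app could add or swap files
    if mode[3] in "sS":
        issues.append("setuid")
    return tuple(issues)


def audit_listing(listing: str) -> list:
    """Parse ls -l style lines and return a Finding for every entry with issues."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        mode, owner, _group, _size, _timestamp, name = m.groups()
        issues = classify(mode)
        if issues:
            findings.append(Finding(name, mode, owner, issues))
    return findings


if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING):
        print(f"{f.mode} {f.owner:8} {f.path}: {', '.join(f.issues)}")
```

On a device, each app runs as its own uid, so owner and group permissions are the app's own; it is the "other" bits that let a second installed app read saved sessions or overwrite a bundled binary, which is exactly the 777 case on slide 29. Files on the sdcard are world-readable by design, so the storage-location check from slide 17 is a separate question this parser does not answer.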
  30. SSHTunnel (app screenshot)
  31. The manifest shares information and controls permissions. Tool: Android Manifest Auditor (code name: The Jaku)
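Slide 31 names a manifest auditor; the slides do not show its code. As an added example, the Python below is a small auditor of my own over a constructed AndroidManifest.xml in the plain-XML form that `apktool d` produces (the manifest inside a built APK is binary XML and has to be decoded first). It lists requested permissions against a constructed watchlist, flags `android:debuggable`, and reports the components from slide 7 (activities, services, receivers, providers) that are exported without an `android:permission`. The package name, component names and the watchlist are all assumptions for the sample; the default-export rules (an intent-filter makes a component exported, and providers default to exported when the app targets API 16 or lower) are Android's documented behaviour.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """ElementTree's Clark notation for an android:* attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample in the decoded form apktool writes out; not a real app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="10"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".DebugReceiver">
      <intent-filter><action android:name="com.example.constructed.DUMP"/></intent-filter>
    </receiver>
    <provider android:name=".LogProvider" android:authorities="com.example.constructed.logs"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <service android:name=".AdminService" android:exported="true"
             android:permission="com.example.constructed.ADMIN"/>
  </application>
</manifest>
"""

# Constructed watchlist: permissions that deserve a closer look in review.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_LOGS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def is_launcher(component) -> bool:
    """The MAIN/LAUNCHER activity is expected to be exported; don't flag it."""
    for cat in component.iter("category"):
        if cat.get(android_attr("name")) == "android.intent.category.LAUNCHER":
            return True
    return False


def is_exported(component, target_sdk: int) -> bool:
    """Apply Android's default-export rules when android:exported is absent."""
    explicit = component.get(android_attr("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return target_sdk < 17          # providers default to exported up to API 16
    return component.find("intent-filter") is not None   # a filter implies exported


def audit_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    target_sdk = 1
    if sdk is not None:
        target_sdk = int(sdk.get(android_attr("targetSdkVersion"),
                                 sdk.get(android_attr("minSdkVersion"), "1")))
    permissions = [p.get(android_attr("name")) for p in root.findall("uses-permission")]
    app = root.find("application")
    report = {
        "package": root.get("package"),
        "target_sdk": target_sdk,
        "permissions": permissions,
        "sensitive_permissions": sorted(set(permissions) & SENSITIVE_PERMISSIONS),
        "debuggable": app is not None and app.get(android_attr("debuggable")) == "true",
        "exported_unprotected": [],
    }
    if app is None:
        return report
    for comp in app.iter():
        if comp.tag not in COMPONENT_TAGS or is_launcher(comp):
            continue
        if is_exported(comp, target_sdk) and comp.get(android_attr("permission")) is None:
            report["exported_unprotected"].append((comp.tag, comp.get(android_attr("name"))))
    return report


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

The exported-without-permission list is the manifest-level version of the Skype and HTC cases on slides 26 and 27: a component that any other installed app can reach, guarding data that the requesting app never had permission for itself.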
  33. Mobile risk list: 1. Insecure Data Storage; 2. Weak Server Side Controls; 3. Insufficient Transport Layer Protection; 4. Client Side Injection; 5. Poor Authorization and Authentication; 6. Improper Session Handling; 7. Security Decisions Via Untrusted Inputs; 8. Side Channel Data Leakage; 9. Broken Cryptography; 10. Sensitive Information Disclosure
  34. How to be "secure": deploy a mobile device management solution (Zenprise, MobileIron, Google?); train your users, don't give in; audit your devices (are users following best practices? what apps are installed?); require a mobile security solution (Lookout, WaveSecure, NetQin)
  35. Audit your apps! Check permissions; check source code; analyze your traffic. Think before you root. Security software: remote wipe; malware detection
  36. Coincidence?
  37. Slides and app available at www.antitree.com
  38. References: http://www.intrepidusgroup.com/insight/ ; http://code.google.com/p/android-apktool/ ; http://code.google.com/p/smali/ ; http://code.google.com/p/dex2jar/ ; http://java.decompiler.free.fr/?q=jdgui ; http://developer.android.com/sdk
