Android attacks

  1. © Blueinfy Solutions – Android Attacks
  2. Insecure Data Storage
     • Storing sensitive information on the device – a major threat
     • The phone can be hacked or stolen
     • Imagine site access, usernames, passwords, tokens etc. getting harvested
     • Malware used to attack the local system and fetch information out
     • What are the options?
  3. Insecure calls
     • Storage can be accessed by a third party
     • If the device is rooted, then access to sensitive information
     • Poor permissions can allow cross access – one app accessing the information of another
     • Information not encrypted
  4. Bird's-eye view
  5. Storage calls
     • Shared Preferences – store private primitive data in key-value pairs
     • Internal Storage – store private data on the device memory
     • External Storage – store public data on the shared external storage
     • SQLite Databases – store structured data in a private database
     • Network Connection – store data on the web with your own network server
  6. Accessing with adb (shell session on the device; the shell echoes each command)
         # cd bank.One
         # ls
         cache databases files lib
         # cd files
         # ls
         PublicKey remember settings temp_file
         # cat remember
         jack jack123
     Got user/pass in clear text
  7. Weak Server Side Controls
     • Backend application security
     • Protocols
     • OWASP Top 10 for AppSec
  8. Analyzing HTTP traffic
     • Security assessment needs sound knowledge of HTTP analysis
     • Tools and mind needed to analyze the traffic
     • What to look for? – methods, cookies, query string etc.
     • All part of HTTP – response analysis is equally important
  9. JSON
     • JSON (JavaScript Object Notation) – a lightweight data-interchange format
     • Based on the JavaScript programming language (Standard ECMA-262)
     • Completely language independent
     • Uses conventions familiar to the C family of languages, including C, C++, C#, Java, JavaScript, Perl, Python and many others
     • Interchangeability is the key
  10. JSON – grammar
         object   → {} | { members }
         members  → pair | pair , members
         pair     → string : value
         array    → [] | [ elements ]
         elements → value | value , elements
         value    → string | number | object | array | true | false | null
  11. JSON – Example
         {
           "firstName": "John",
           "lastName": "Smith",
           "address": {
             "streetAddress": "21 2nd Street",
             "city": "New York",
             "state": "NY",
             "postalCode": 10021
           },
           "phoneNumbers": [ "212 732-1234", "646 123-4567" ]
         }
  12. JSON call – calling JSON services
  13. JSON fetch – fetching an attribute
  14. Insufficient Transport Layer Protection
     • Poor or no encryption during transit
     • Poor certificate validation
     • Man-in-the-middle opening
     • Traffic over HTTP
     • Token passing
     • Device ID over a poor channel
  15. Session with token only
  16. Client Side Injection
     • Native or web apps – using poor libs – abusing APIs
     • Popular injections – XSS, SQLi, XPath etc.
     • Payment and SMS
     • Mixed usage – using WebView
  17. SQLite
  18. What is SQLite?
     • SQLite is an in-process library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine
     • It is a zero-configuration database: unlike other databases, you do not need to configure it on your system
     • At the end, it is a comma separated file (CSV file)
  19. SQLite Commands
     • The standard SQLite commands for interacting with relational databases are similar to SQL
     • They are CREATE, SELECT, INSERT, UPDATE, DELETE and DROP
     • Data Manipulation Language:
         Command   Description
         INSERT    Creates a record
         UPDATE    Modifies records
         DELETE    Deletes records
  20. Cont.
     • Data Query Language:
         Command   Description
         SELECT    Retrieves certain records from one or more tables
     • Data Definition Language:
         Command   Description
         CREATE    Creates a new table, a view of a table, or other object in the database
         ALTER     Modifies an existing database object, such as a table
         DROP      Deletes an entire table, a view of a table or other object in the database
  21. SQLite – Create Database
     • The following command creates a new database, or opens the database if it has already been created:
         sqlite3 [database name].db
  22. Retrieving Master Table
     • This command retrieves the master table. For example:
         variable=* FROM SQLITE_MASTER; --
  23. SQLite Version
     • This command retrieves the version number of the db.
  24. SQLite – Create Table
     • For example:
         create table [newtablename](id int, name text);
     • Running .tables in the command shell shows the newly created table (designation).
  25. SQLite – Drop Table
         drop table users;--
  26. SQLite – Insert Query
         INSERT INTO TABLE_NAME (column1, column2, column3, ...columnN) VALUES (value1, value2, value3, ...valueN);
  27. Extending/Appending queries
     • By altering the select query, the injected DELETE query removes all records from the company table.
  28. SQLite – OR 1=1
         '* from [tablename] where id=1 OR 1=1;'
  29. Adding User
         insert into users values(15,'user15')
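The injection slides above (OR 1=1, drop table users;--) shown against a local SQLite database, as an added example that is not part of the Blueinfy deck: the users table and the concatenating lookup are constructed for this illustration, and the hardened lookup shows the parameter binding that stops the tautology.

```python
import sqlite3

# Constructed sample database for this example (not from the slides): a users
# table of the kind the slides' "OR 1=1" and "drop table users;--" queries target.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(1, "alice"), (2, "bob"), (3, "carol")])
    con.commit()
    return con

def lookup_vulnerable(con, user_id):
    # Query assembled by string concatenation: whatever the caller supplies
    # becomes part of the SQL text, so "1 OR 1=1" widens the WHERE clause.
    sql = "SELECT id, name FROM users WHERE id=" + user_id
    return con.execute(sql).fetchall()

def lookup_parameterized(con, user_id):
    # Hardened form: validate the type, then bind the value as a parameter so
    # SQLite always treats it as data and never as SQL.
    try:
        id_value = int(user_id)
    except ValueError:
        return []
    return con.execute("SELECT id, name FROM users WHERE id=?",
                       (id_value,)).fetchall()

def stacked_query_is_rejected(con):
    # The slides' "drop table users;--" needs a second statement appended to
    # the first. sqlite3's execute() refuses more than one statement per call
    # (older versions raise sqlite3.Warning, newer ones ProgrammingError), so
    # this path fails closed; executescript() does not, so never feed it input.
    try:
        con.execute("SELECT id FROM users WHERE id=1; DROP TABLE users;--")
        return False
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True

def demo():
    con = make_db()
    payload = "1 OR 1=1"   # the tautology from the "SQLite - OR 1=1" slide
    normal = lookup_vulnerable(con, "1")        # one row, as intended
    leaked = lookup_vulnerable(con, payload)    # every row in the table
    safe = lookup_parameterized(con, payload)   # rejected before it reaches SQL
    return len(normal), len(leaked), len(safe)
```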
  30. Side Channel Data Leakage
     • Platform issues – sandboxing or disabled controls
       – Cache
       – Logs, keystrokes, screenshots etc.
       – Temp files
     • 3rd party libs (ad networks and analytics)
  31. Unauthorized Dialing/SMS
  32. Unauthorized Dialing/SMS
     • Social engineering using mobile devices
     • Attacker plays with the user's mind
     • User installs the application
     • Application sends a premium-rate SMS or makes a premium-rate phone call to an unknown number
     • Used by malware/Trojans
  33. GGTracker
     • June 2010
     • Another application which sends international SMS
     • One SMS costs – 40 USD (NOK 200)
     • Application sends premium SMS to US numbers
  34. UI Impersonation
  35. UI Impersonation
     • The attack has been around for a long time
     • On a mobile stack it is known as UI impersonation
     • Other names are phishing attack, clickjacking
     • Attacker plays with the user's mind and tries to impersonate another user or another application
  36. UI Impersonation
     • Victim loses credit card information, authentication credentials or secrets
     • One application can create a local push notification as if it came from the Apple store
     • Classic example – the Netflix application in the AppStore
     • Flaw in the AppStore review process – anyone can give their application any name
  37. NetFlix
     • Oct 2011
     • Steals users' "netflix" account information
     • When the user enters username and password, the application shows the error message "Compatibility issues with the user's hardware" and uninstalls itself
     • More than 10000 users lost their details in a week
  38. Activity Monitoring
  39. Activity Monitoring
     • Sending a blind carbon copy of each email to the attacker
     • Listening to all phone calls
     • Email contact list, pictures to the attacker
     • Read all emails stored on the device
     • Usual intention of spyware/Trojans
  40. Activity Monitoring
     • Attacker can monitor:
       – Audio files
       – Video
       – Pictures
       – Location
       – Contact list
       – Call/browser/SMS history
       – Data files
  41. Android.Pjapps
     • Early 2010
     • Steal/change the user's information
     • PjApps application can:
       – Send and monitor incoming SMS messages
       – Read/write the user's browsing history and bookmarks
       – Install packages and open sockets
       – Write to external storage
       – Read the phone's state
  42. System Modification
  43. System Modification
     • The application will attempt to modify the system configuration to hide itself (historically this is known as a rootkit)
     • Configuration changes make certain attacks possible, e.g.:
       – Modifying the device proxy to monitor the user's activity
       – Configuring BCC email sending to the attacker
  44. Information in Common Services
  45. Information in Common Services
     • Keyboard and clipboard are shared amongst all the applications
     • Information stored in the clipboard can be accessed by all applications
     • Sensitive information should not be allowed to be copied/pasted in the application
  46. Logical Issues
  47. Logical Issues
     • Authentication flags and privilege escalations at the application layer
     • Critical parameter manipulation and access to unauthorized information/content
     • Business constraint exploitation
     • Identity or profile extraction
     • Denial of Service (DoS) with business logic
  48. In Memory Analysis
  49. In memory analysis
     • Using the built-in ADB command "dumpsys"
     • Command to get the memory dump:
         # dumpsys meminfo
     • Can be run only as "su" (rooting the device is mandatory)
  50. Uncovering vulnerability from Manifest File
  51. Quick Recap of Manifest tags
     • Manifest
     • Application
     • Activity
     • Activity-alias
     • Receiver
     • Service
     • Uses-permission
  52. Decompiling Android Applications
  53. Decompiling android application
     • Using Apktool – http://code.google.com/p/android-apktool/
     • Using Dex2Jar – http://code.google.com/p/dex2jar/
     • Using aapt (bundled with the Android SDK)
  54. APK Tool
     • Use Apktool to convert the Android manifest file (binary XML) to a readable format
  55. Dex2Jar and JAD
     • Use dex2jar to convert the classes.dex file in the extracted folder to .class files
     • Use JAD to convert the class files into Java files
  56. Debuggable flag in Android
     • One of the key attributes in the Android manifest file
     • Under the "application" section
     • Describes whether debugging is enabled
     • If the "debuggable" attribute is set to true, the application will try to connect to a local unix socket "@jdwp-control"
     • Using JDWP, it is possible to gain full access to the Java process and execute arbitrary code in the context of the debuggable application
  57. CheckDebuggable Script
     • Checks in the APK whether debuggable is enabled
     • Script can be found at – http://www.espheresecurity.com/resourcestools.html
     • Paper can be found at – http://www.espheresecurity.com/CheckDebuggable.pdf
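A manifest review in the spirit of the CheckDebuggable idea above, as an added example that is neither the espheresecurity script nor Blueinfy's code: it assumes the manifest has already been decoded with Apktool (slide 54), runs over a constructed sample manifest, and besides the debuggable flag also lists the exported components and requested permissions from the tags recapped on slide 51.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample of a decoded AndroidManifest.xml (the form apktool yields);
# the package name, components and permissions are made up for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bankone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="BankOne" android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <receiver android:name=".SmsReceiver" android:exported="true"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""

def android_attr(elem, name):
    # Attributes in the android: namespace are keyed as "{namespace}name".
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_debuggable(root):
    # android:debuggable defaults to false; only an explicit "true" turns on
    # the JDWP socket the slide describes.
    app = root.find("application")
    return app is not None and android_attr(app, "debuggable") == "true"

def exported_components(root):
    # Components explicitly exported are reachable by other apps on the device.
    found = []
    for tag in ("activity", "activity-alias", "receiver", "service"):
        for comp in root.iter(tag):
            if android_attr(comp, "exported") == "true":
                found.append((tag, android_attr(comp, "name")))
    return found

def requested_permissions(root):
    return [android_attr(p, "name") for p in root.iter("uses-permission")]

def audit_manifest(manifest_xml):
    # Summarise the findings a reviewer would pull out of a decoded manifest.
    root = ET.fromstring(manifest_xml)
    return {
        "debuggable": is_debuggable(root),
        "exported": exported_components(root),
        "permissions": requested_permissions(root),
    }
```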
  58. Conclusion
