Android attacks

© Blueinfy Solutions
Android Attacks

Insecure Data Storage
• Storing sensitive information on device – a
major threat
• Phone can be hacked or stolen
• Imagine site access, username, passwords,
tokens etc. get harvested
• Malware used to attack local system and fetch
information out.
• What are the options?

Insecure calls
• Storage can be accessed by third party
• If device is rooted then access to sensitive
information
• Poor permission can allow cross access
• One app accessing information of other
• Information not encrypted

Bird eye view

Storage calls
• Shared Preferences
– Store private primitive data in key-value pairs.
• Internal Storage
– Store private data on the device memory.
• External Storage
– Store public data on the shared external storage.
• SQLite Databases
– Store structured data in a private database.
• Network Connection
– Store data on the web with your own network server.

Accessing with adb
# cd bank.One
cd bank.One
# ls
ls
cache
databases
files
lib
# cd files
cd files
# ls
ls
PublicKey
remember
settings
temp_file
# cat remember
cat remember
jack
jack123#
Got user/pass in clear text

Weak Server Side Controls
• Backend Application Security
• Protocols
• OWASP Top 10 for AppSec

Analyzing HTTP traffic
• Security assessment needs sound knowledge
of HTTP analysis
• Tools and mind needed to analyze the traffic
• What to look for? – methods, cookie,
querysting etc.
• All part of HTTP – Response analysis is equally
important.

JSON
• JSON (JavaScript Object Notation) - a
lightweight data-interchange format
• Based on JavaScript Programming Language
(Standard ECMA-262)
• Completely language independent
• C-family of languages, including C, C++, C#,
Java, JavaScript, Perl, Python, and many
others.
• Interchangeable is the Key.

JSON
– object
• {}
{ members }
– members
• pair
pair , members
– pair
• string : value
– array
• []
[ elements ]
• elements
• value
value ,
elements
• value
• string
number
object
array
true
false
null

JSON
• Example
{ "firstName": "John", "lastName": "Smith",
"address": { "streetAddress": "21 2nd Street",
"city": "New York", "state": "NY", "postalCode":
10021 }, "phoneNumbers": [ "212 732-1234", "646
123-4567" ] }

JSON call
• Calling JSON services

JSON fetch
• Fetch attribute

Insufficient Transport Layer Protection
• Poor or no Encryption during transit
• Poor certification validations
• Man in the middle opening
• Traffic over HTTP
• Token passing
• Device ID over poor channel

Session with token only

Client Side Injection
• Native or Web apps
– Using poor libs
– Abusing APIs
• Popular injections – XSS, SQLi, XPATH etc.
• Payment and SMS
• Mixed usage
– Using webview

What is SQLite?
• SQLite is an in-process library that implements a self-
contained, serverless, zero-configuration, transactional SQL
database engine.
• It is the database which is zero configured , that means like
other database you do not need to configure it in your
system.
• At the end, it is a comma separated file (CSV file)

SQLite Commands
• The standard SQLite commands to interact with relational
databases are similar as SQL.
• They are CREATE, SELECT, INSERT, UPDATE, DELETE, and
DROP.
• Data Manipulation Language
Command Description
INSERT Creates a record
UPDATE Modifies records
DELETE Deletes records

Cont.
• Data Query Language:
• Data Definition Language:
Command Description
SELECT Retrieves certain records from one or
more tables
Command Description
CREATE Creates a new table, a view of a table,
or other object in database
ALTER Modifies an existing database object,
such as a table.
DROP Deletes an entire table, a view of a
table or other object in the database.

SQLite – Create Database
• The following command will create a new database or will
open the database if it has been created.
• sqlite3 [database name].db

Retrieving Master Table
• This command will retrieve the master table.
• For example:-
variable=* FROM SQLITE_MASTER; --

SQLite Version
• This command retrieves the version number
of the db.

SQLite – Create Table
• For example:- create table [newtablename](id int, name text);
• By using .tables on the command shell the newly created
designation table is shown.

SQLite – Drop Table
• drop table users;--

SQLite – Insert Query
• INSERT INTO TABLE_NAME (column1, column2,
column3,...Ncolumn) VALUES (value1, value2,
value3,...Nvalue);

Extending/Appending queries
• By altering the select query the injected DELETE query
removes all records from the company table.

SQLite – OR 1=1
• ‘* from [tablename] where id=1 OR 1=1;’

Adding User
• insert into users values(15,’user15’)

Side Channel Data Leakage
• Platform issues – sandboxing or disable
controls
– Cache
– Logs, Keystrokes, screenshots etc.
– Temp files
• 3rd
Party libs (AD networks and analytics)

Unauthorized Dialing/SMS

Unauthorized Dialing/SMS
• Social Engineering using Mobile Devices
• Attacker plays with user’s mind
• User installs application
• Application sends premium rate SMS or a
premium rate phone call to unknown number
• Used by Malware/Trojans

GGTracker
• June 2010
• Another Application which sends
International SMS
• One SMS Costs – 40 USD (NOK 200)
• Application Sends Premium SMS to US
numbers

UI Impersonation

UI Impersonation
• Attack has been there since long
• On a mobile stack, known as UI
impersonation
• Other names are Phishing Attack, ClickJacking
• Attacker plays with user’s mind and try to
impersonate as other user or other
application

UI Impersonation
• Victim looses credit card information or
authentication credentials or secret
• One application can create local PUSH
notification as it is created from apple store
• Classic example is - Netflix Application in
AppStore
• Flow in review process of AppStore – Anyone
can name anything to their application

NetFlix
• Oct -2011
• Steals users “netflix” account information
• Application shows error message to user
“Compatibility issues with the user’s
hardware” when user enters username and
password and uninstalls itself
• More than 10000 users lost their details in a
week

Activity Monitoring

Activity Monitoring
• Sending a blind carbon copy of each email to
attacker
• Listening all phone calls
• Email contact list, pictures to attacker
• Read all emails stored on the device
• Usual intension of Spyware/Trojans

Activity Monitoring
• Attacker can monitor –
– Audio Files
– Video
– Pictures
– Location
– Contact List
– Call/Browser/SMS History
– Data files

Android.Pjapps
• Early 2010
• Steal/Change users information
• PjApps Application –
• Send and monitor incoming SMS messages
• Read/write to the user's browsing history and
bookmarks
• Install packages and Open Sockets
• Write to external storage
• Read the phone's state

System Modification

System Modification
• Application will attempt to modify system
configuration to hide itself (Historically this is
known as ROOTKIT)
• Configuration changes makes certain attack
possible i.e. –
– Modifying device proxy to get user’s activity
monitoring
– Configure BCC email sending to attacker

Information in Common Services

Information in Common Services
• KeyBoard, Clipboard are shared amongst all
the applications.
• Information stored in clipboard can be
accessed by all the application
• Sensitive information should not be allowed
to copy/paste in the application

Logical Issues

Logical Issues
• Authentication flags and privilege escalations
at application layer
• Critical parameter manipulation and access to
unauthorized information/content
• Business constraint exploitation
• Identity or profile extraction
• Denial of Services (DoS) with business logic

In Memory Analysis

In memory analysis
• Using in built command in ADB named
“dumpsys”
• Command to get memory dump –
# Dumpsys meminfo
• Can be run only by “su” (Rooting a device is
mandatory)

Uncovering vulnerability from
Manifest File

Quick Recap of Manifest tags
• Manifest
• Application
• Activity
• Activity-alias
• Receiver
• Service
• Uses-permission

Decompiling Android Applications

Decompiling android application
• Using Apktool -
http://code.google.com/p/android-apktool/
• Using Dex2Jar -
http://code.google.com/p/dex2jar/
• Using aapt (Bundled with Android SDK)

Use Apktool to convert the XML to readable format
Android manifest file:
APK Tool

Use dex2jar to convert classes.dex file in the extracted folder to .class files
Use JAD to convert the class files into JAVA files
Dex2Jar and JAD

Debuggable flag in Android
• One of the key attribute in android manifest
file
• Under “application” section
• Describes debugging in enabled
• If “Debuggable”attribute is set o true, the
application will try to connect to a local unix
socket “@jdwp-control”
• Using JDWP, It is possible to gain full access to
the Java process and execute arbitrary code
in the context of the debugable application

CheckDebuggable Script
• Checks in APK whether debuggable is enabled
• Script can be found at –
http://www.espheresecurity.com/resourcest
ools.html
• Paper can be found at -
http://www.espheresecurity.com/CheckDebu
ggable.pdf

Conclusion

Android attacks

Android attacks

Recommended

More Related Content

What's hot

What's hot(20)

Viewers also liked

Viewers also liked(8)

Similar to Android attacks

Similar to Android attacks(20)

More from Blueinfy Solutions

More from Blueinfy Solutions(13)

Recently uploaded

Recently uploaded(20)

Android attacks