Android attacks

Android based attacks and testing.

  1. Android Attacks (© Blueinfy Solutions)
  2. Insecure Data Storage
     • Storing sensitive information on the device is a major threat
     • The phone can be hacked or stolen
     • Imagine site access details, usernames, passwords, tokens etc. getting harvested
     • Malware is used to attack the local system and fetch information out
     • What are the options?
  3. Insecure calls
     • Storage can be accessed by a third party
     • If the device is rooted, sensitive information is accessible
     • Poor permissions can allow cross access
     • One app accessing the information of another
     • Information not encrypted
  4. Bird's eye view
  5. Storage calls
     • Shared Preferences – store private primitive data in key-value pairs
     • Internal Storage – store private data on the device memory
     • External Storage – store public data on the shared external storage
     • SQLite Databases – store structured data in a private database
     • Network Connection – store data on the web with your own network server
  6. Accessing with adb
        # cd bank.One
        cd bank.One
        # ls
        ls
        cache databases files lib
        # cd files
        cd files
        # ls
        ls
        PublicKey remember settings temp_file
        # cat remember
        cat remember
        jack
        jack123
        #
     • Got user/pass in clear text
  7. Weak Server Side Controls
     • Backend application security
     • Protocols
     • OWASP Top 10 for AppSec
  8. Analyzing HTTP traffic
     • A security assessment needs sound knowledge of HTTP analysis
     • Tools and a trained mind are needed to analyze the traffic
     • What to look for? – methods, cookies, query string etc.
     • All are part of HTTP – response analysis is equally important
  9. JSON
     • JSON (JavaScript Object Notation) – a lightweight data-interchange format
     • Based on the JavaScript programming language (Standard ECMA-262)
     • Completely language independent
     • Conventions familiar from the C family of languages, including C, C++, C#, Java, JavaScript, Perl, Python and many others
     • Interchangeability is the key
  10. JSON – object
     • object
       – {}
       – { members }
     • members
       – pair
       – pair , members
     • pair
       – string : value
     • array
       – []
       – [ elements ]
     • elements
       – value
       – value , elements
     • value
       – string | number | object | array | true | false | null
  11. JSON
     • Example
          {
            "firstName": "John",
            "lastName": "Smith",
            "address": {
              "streetAddress": "21 2nd Street",
              "city": "New York",
              "state": "NY",
              "postalCode": 10021
            },
            "phoneNumbers": [
              "212 732-1234",
              "646 123-4567"
            ]
          }
  12. JSON call
     • Calling JSON services
  13. JSON fetch
     • Fetch attribute
  14. Insufficient Transport Layer Protection
     • Poor or no encryption during transit
     • Poor certificate validation
     • Man-in-the-middle opening
     • Traffic over HTTP
     • Token passing
     • Device ID over a poor channel
  15. Session with token only
  16. Client Side Injection
     • Native or web apps
       – Using poor libs
       – Abusing APIs
     • Popular injections – XSS, SQLi, XPath etc.
     • Payment and SMS
     • Mixed usage – using WebView
  17. SQLite
  18. What is SQLite?
     • SQLite is an in-process library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine.
     • It is a zero-configuration database: unlike other databases, you do not need to configure it on your system.
     • At the end, it is a comma separated file (CSV file)
  19. SQLite Commands
     • The standard SQLite commands to interact with relational databases are similar to SQL.
     • They are CREATE, SELECT, INSERT, UPDATE, DELETE and DROP.
     • Data Manipulation Language:
       – INSERT – creates a record
       – UPDATE – modifies records
       – DELETE – deletes records
  20. Cont.
     • Data Query Language:
       – SELECT – retrieves certain records from one or more tables
     • Data Definition Language:
       – CREATE – creates a new table, a view of a table, or another object in the database
       – ALTER – modifies an existing database object, such as a table
       – DROP – deletes an entire table, a view of a table or another object in the database
  21. SQLite – Create Database
     • The following command will create a new database, or will open the database if it has already been created.
     • sqlite3 [database name].db
  22. Retrieving Master Table
     • This command will retrieve the master table.
     • For example: variable=* FROM SQLITE_MASTER; --
  23. SQLite Version
     • This command retrieves the version number of the db.
  24. SQLite – Create Table
     • For example: create table [newtablename](id int, name text);
     • By using .tables on the command shell the newly created designation table is shown.
  25. SQLite – Drop Table
     • drop table users;--
  26. SQLite – Insert Query
     • INSERT INTO TABLE_NAME (column1, column2, column3, ...columnN) VALUES (value1, value2, value3, ...valueN);
  27. Extending/Appending queries
     • By altering the select query, the injected DELETE query removes all records from the company table.
  28. SQLite – OR 1=1
     • '* from [tablename] where id=1 OR 1=1;'
  29. Adding User
     • insert into users values(15,'user15')
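As an added illustration (not from the slides), the OR 1=1 and SQLITE_MASTER payloads above run against a constructed SQLite database through Python's sqlite3 module: a lookup that concatenates caller input into the statement, beside one that allowlists the column name and binds the id as a parameter. The users table and its rows are made up for the example.

```python
import sqlite3


def make_db():
    """Constructed stand-in for an app's private SQLite database (hypothetical table)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "jack"), (2, "jill"), (3, "admin")])
    return db


def lookup_vulnerable(db, column, user_id):
    """Builds the statement by concatenation, so caller input becomes SQL:
    this is what the OR 1=1 and SQLITE_MASTER payloads on the slides rely on."""
    sql = "SELECT " + column + " FROM users WHERE id=" + user_id
    return db.execute(sql).fetchall()


ALLOWED_COLUMNS = {"id", "name"}


def lookup_safe(db, column, user_id):
    """Identifiers cannot be bound, so the column is checked against an allowlist;
    the id travels as a bound parameter and is compared as data, never parsed as SQL."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not permitted: %r" % column)
    return db.execute("SELECT %s FROM users WHERE id=?" % column, (user_id,)).fetchall()


def demo():
    """Runs both lookups with a normal id and with the payloads from the slides."""
    db = make_db()
    results = {
        "normal": lookup_vulnerable(db, "name", "1"),
        # "1 OR 1=1" makes the WHERE clause always true: every row comes back.
        "or_1_1": lookup_vulnerable(db, "name", "1 OR 1=1"),
        # "* FROM SQLITE_MASTER; --" replaces the FROM clause and comments out the
        # rest of the statement, leaking the schema of every table in the database.
        "schema_leak": lookup_vulnerable(db, "* FROM SQLITE_MASTER; --", "1"),
        "safe_normal": lookup_safe(db, "name", "1"),
        # Bound as data, "1 OR 1=1" is just a string that matches no id.
        "safe_or_1_1": lookup_safe(db, "name", "1 OR 1=1"),
    }
    try:
        lookup_safe(db, "* FROM SQLITE_MASTER; --", "1")
        results["safe_rejects_schema_leak"] = False
    except ValueError:
        results["safe_rejects_schema_leak"] = True
    return results
```

Calling `demo()` returns all three names for the OR 1=1 payload and the `CREATE TABLE` text of every table for the SQLITE_MASTER payload, while the safe lookup returns only the matching row or nothing.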
  30. Side Channel Data Leakage
     • Platform issues – sandboxing or disabled controls
       – Cache
       – Logs, keystrokes, screenshots etc.
       – Temp files
     • 3rd party libs (ad networks and analytics)
  31. Unauthorized Dialing/SMS
  32. Unauthorized Dialing/SMS
     • Social engineering using mobile devices
     • Attacker plays with the user's mind
     • User installs the application
     • Application sends a premium rate SMS or places a premium rate phone call to an unknown number
     • Used by malware/Trojans
  33. GGTracker
     • June 2010
     • Another application which sends international SMS
     • One SMS costs 40 USD (NOK 200)
     • Application sends premium SMS to US numbers
  34. UI Impersonation
  35. UI Impersonation
     • The attack has been around for a long time
     • On a mobile stack, known as UI impersonation
     • Other names are phishing attack, clickjacking
     • Attacker plays with the user's mind and tries to impersonate another user or another application
  36. UI Impersonation
     • Victim loses credit card information, authentication credentials or a secret
     • One application can create a local PUSH notification as if it came from the Apple store
     • Classic example – the Netflix application in the AppStore
     • Flaw in the review process of the AppStore – anyone can give their application any name
  37. NetFlix
     • Oct 2011
     • Steals users' "netflix" account information
     • The application shows the user an error message, "Compatibility issues with the user's hardware", when the user enters username and password, and then uninstalls itself
     • More than 10000 users lost their details in a week
  38. Activity Monitoring
  39. Activity Monitoring
     • Sending a blind carbon copy of each email to the attacker
     • Listening to all phone calls
     • Emailing the contact list and pictures to the attacker
     • Reading all emails stored on the device
     • The usual intention of spyware/Trojans
  40. Activity Monitoring
     • Attacker can monitor –
       – Audio files
       – Video
       – Pictures
       – Location
       – Contact list
       – Call/browser/SMS history
       – Data files
  41. Android.Pjapps
     • Early 2010
     • Steals/changes user information
     • The PjApps application can –
       – Send and monitor incoming SMS messages
       – Read/write the user's browsing history and bookmarks
       – Install packages and open sockets
       – Write to external storage
       – Read the phone's state
  42. System Modification
  43. System Modification
     • The application will attempt to modify the system configuration to hide itself (historically this is known as a ROOTKIT)
     • Configuration changes make certain attacks possible, i.e. –
       – Modifying the device proxy to monitor the user's activity
       – Configuring BCC email sending to the attacker
  44. Information in Common Services
  45. Information in Common Services
     • The keyboard and clipboard are shared amongst all applications.
     • Information stored in the clipboard can be accessed by all applications.
     • Sensitive information should not be allowed to be copied/pasted in the application.
  46. Logical Issues
  47. Logical Issues
     • Authentication flags and privilege escalation at the application layer
     • Critical parameter manipulation and access to unauthorized information/content
     • Business constraint exploitation
     • Identity or profile extraction
     • Denial of Service (DoS) with business logic
  48. In Memory Analysis
  49. In memory analysis
     • Using the built-in command in ADB named "dumpsys"
     • Command to get a memory dump – # dumpsys meminfo
     • Can be run only as "su" (rooting the device is mandatory)
  50. Uncovering vulnerabilities from the Manifest File
  51. Quick Recap of Manifest tags
     • manifest
     • application
     • activity
     • activity-alias
     • receiver
     • service
     • uses-permission
  52. Decompiling Android Applications
  53. Decompiling Android applications
     • Using Apktool – http://code.google.com/p/android-apktool/
     • Using Dex2Jar – http://code.google.com/p/dex2jar/
     • Using aapt (bundled with the Android SDK)
  54. APK Tool
     • Use Apktool to convert the XML of the Android manifest file to a readable format
  55. Dex2Jar and JAD
     • Use dex2jar to convert the classes.dex file in the extracted folder to .class files
     • Use JAD to convert the class files into Java files
  56. Debuggable flag in Android
     • One of the key attributes in the Android manifest file
     • Under the "application" section
     • Declares whether debugging is enabled
     • If the "debuggable" attribute is set to true, the application will try to connect to a local unix socket "@jdwp-control"
     • Using JDWP, it is possible to gain full access to the Java process and execute arbitrary code in the context of the debuggable application
  57. CheckDebuggable Script
     • Checks in an APK whether debuggable is enabled
     • Script can be found at – http://www.espheresecurity.com/resourcestools.html
     • Paper can be found at – http://www.espheresecurity.com/CheckDebuggable.pdf
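The check the CheckDebuggable script performs, written here as an added Python example (not the script linked above) over a constructed decoded manifest of the kind Apktool produces; the package, permission and component names are made up for the example, and the second function also gathers the manifest tags recapped on slide 51.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample of a decoded AndroidManifest.xml, shaped like Apktool output;
# the package and component names are made up for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Sample" android:debuggable="true">
        <activity android:name=".MainActivity"/>
        <service android:name=".SyncService"/>
        <receiver android:name=".BootReceiver"/>
    </application>
</manifest>
"""


def check_debuggable(manifest_xml):
    """True when <application> carries android:debuggable="true".
    The attribute is absent by default, which means not debuggable."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    value = app.get("{%s}debuggable" % ANDROID_NS, "false")
    return value.strip().lower() == "true"


def summarize_manifest(manifest_xml):
    """Collects the tags recapped on the slides (package, permissions and the
    declared components) alongside the debuggable verdict."""
    root = ET.fromstring(manifest_xml)
    name = "{%s}name" % ANDROID_NS
    summary = {
        "package": root.get("package"),
        "debuggable": check_debuggable(manifest_xml),  # raises if <application> is missing
        "permissions": [e.get(name) for e in root.findall("uses-permission")],
    }
    app = root.find("application")
    for tag in ("activity", "activity-alias", "receiver", "service"):
        summary[tag] = [e.get(name) for e in app.findall(tag)]
    return summary
```

Point `summarize_manifest` at the text of a manifest decoded with Apktool to get the same report for a real APK.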
  58. Conclusion