hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy

1,792 views

Published on

This talk shows the possibilities of reversing Android applications. After an introduction about Android issues in the past, Tobias Ospelt explains how he managed to download several thousand Android applications from the Google Market, and which security issues are present in various apps. Apps can be decompiled, altered and recompiled, which means that for most apps it is very easy to steal code or to include malware. Some of the apps use obfuscation to disguise the code, but for example encryption keys can easily be extracted. Small game developers, as well as big companies are not aware of the risk that their code can be decompiled to java and disassembled to smali code. This is how a lot of protection mechanisms can be circumvented, such as licensing (cracking a Game) or corporate solutions (enforcing policies on the mobile). The talk shows how easy everybody can reverse android apps and how encryption keys can be extracted, even when the code is obfuscated. The material is a nice follow-up to the Android talk of Jesse Burns from last year at #days, although this talk is more focused on the apps and shows some more hacks/code/encryption/obfuscation/reversing.
Bio: Tobias Ospelt is working as a security expert and tester for Dreamlab Technologies AG in Bern. He is mainly involved in web application and mobile security penetration tests. Tobias Ospelt joined Dreamlab after having achieved his Master Degree focusing IT-Security, and after having worked as a Research Assistant at the Zurich University of Applied Sciences.

Published in: Technology, News & Politics
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,792
On SlideShare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
65
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking Android apps is easy

  1. 1. Reversing  Android  Apps  Hacking  and  cracking  Android  apps  is  easy   Tobias  Ospelt  
  2. 2. Agenda  •  Issues  (in  the  past)  •  Android  security  /  code  concept  •  Techniques  for  pentesters  /  reverse  engineers  •  My  experiences  and  the  general  quality  of   apps  
  3. 3. My  approach  •  Bought  HTC  Desire/Bravo  with  Android  2.0   (now  2.2.0)  in  2010  •  Finding  security  related  issues  
  4. 4. Issues  (in  the  past?)  
  5. 5. Losing  phones  
  6. 6. CircumvenNng  lock  screen  
  7. 7. CircumvenNng  lock  screen  •  Poor  lock  screen  implementaNon   –  Home  buPon  mashing,  not  all  brands<=  2.2   –  Back  buPon  during  call,  not  all  brands  <=  2.0   –  Plug  into  car  dock,  unknown   –  Gmail  address  &  password  „null“,  unknown  •  Lock  screen  not  acNvated  •  USB  debug  on  (adb  shell)  •  Associated  Google  account  •  OpenRecovery,  Milestone  <=  2.1  •  Acquire  physical  memory  (forensic  tools)  
  8. 8. Android  or  Google?  •  Android  is  Open  Source   –  Google  is  the  strong  force  behind  it  •  Google  Market  is  not  (it‘s  Google‘s)  •  You  can  create  your  own  market  
  9. 9. Google  Market  –  a  feel  free   environment  
  10. 10. Malware  •  Malware  in  the  Google  Market   –  DroidDream  aka  Rootcager  •  Other  malware  (o]en  in  Chinese  markets)   –  Bgserv,  Pjabbs,  Geinimi,  FakePlayer,   GingerMaster,  Zeus,  SpyEye  
  11. 11. Bring  malware  to  the  mobile  •  Convince  users  (aka  put  on  market)  •  XSS  on  Google  Market  website  •  App  without  permissions  installs  apps  with   permissions   –  Angry  Birds  extra  level  malware,  fixed   –  Browser  vulnerability  (cookie  stealing),  <  2.3.5   –  New  technique  going  to  be  released  in  November   •  Oberheide/Lanie,  Source  Barcelona  
  12. 12. Android  Browser  •  Puts  nice  liPle  bookmark  pics  on  your  SD  card  
  13. 13. Other  issues  •  Facebook-­‐App  V.  1.6  is  able  to  read/write/edit   SMS/MMS  •  Plain  authenNcaNon  tokens,  fixed  •  SMS  receiver  incorrect,  fixed  •  Htclogger,  HTC  only  •  App  reversing  •  Many  more  
  14. 14. Nuclear  chain  of  command...   xkcd.com  
  15. 15. ...  is  similar  to  the  Android  chain  of   security  
  16. 16. My  situaNon  •  Bought  HTC  Desire  in  2010  •  SNll  on  Android  2.2.0,  means:   –  Screen  lock  circumvenNon  (buPon  mashing)   –  Vulnerable  to  DroidDream  malware   –  Browser  vulnerability     •  Cookie  stealing  /  XSS   •  Can  be  used  to  install  apps  
  17. 17. Android  security  /  code  concept  
  18. 18. Android  code  •  Write  app  in  Java  and  HTML/Javascript  (Android  SDK)   –  The  obvious  approach   –  Most  apps  from  the  Google  Market   –  Easy  to  decompile/disassemble/reassemble  •  Write  app  in  ARM  naNve  code  (Android  NDK)   –  Together  with  Java  code   –  ARM  Assembler  Reverse  Engineering  and  JNI  •  Use  a  framework/generator   –  appmakr.com   –  PhoneGap   –  Others?  
  19. 19. Techniques  for  pentesters  /   reverse  engineers  
  20. 20. 1.  Gemng  hundrets  of  Android   Apps  (apk  files)  
  21. 21. Obvious  download  approach  •  Open  market  app  on  mobile  •  Click  app  and  install  •  SCP  apk  file  from  phone  à  Too  slow,  not  enough  space  on  mobile,  etc    
  22. 22. How  to  download  all  Android  apps  •  Connect  mobile  to  laptop  Wi-­‐Fi  with  airbase-­‐ ng  /  dnsmasq  •  Use  iptables  to  redirect  to  local  Burp   –  thx  Android  for  not  having  a  proxy  opNon  •  BurpExtender  to  save  responses  with  apk  files  •  Send  mobile  a  HTTP  404  not  found  
  23. 23. Install  all  apps?  •  One  HTTPS  request  to  market.android.com  •  Change  the  app  name   –  com.google.android.youtube  •  Modified  w3af  spider  /  regex  plugin   –  Search  for  terms  A  ...  ZZ  on  market.android.com   –  No  restricNons  (e.g.  captcha)  as  in  Google  search  •  Wrote  script  that  sends  HTTPS  requests  with   app  name  
  24. 24. Download  environment  
  25. 25. Metadata  •  About  300’000  apps  in  market  •  Crawled  about  10’000  app  names  •  Successfully  downloaded  and  decompiled   about  3’500  apps  (about  15  GB)   –  Took  about  3  days  to  download  all  these  apps  
  26. 26. 2.  Decompile/disassemble  
  27. 27. The  apktool  disassembled  structure  •  Apk  unzipped   à          apktool  disassembled   +assets +assets +res +res +drawable +drawable -icon.png -icon.png +layout +layout -main.xml -main.xml +values +values -strings.xml -strings.xml +META-INF -AndroidManifest.xml -AndroidManifest.xml -classes.dex +smali +com +... -apktool.yml
  28. 28. Two  approaches  •  Disassembling  to  smali   –  Similar  to  Jasmin  syntax  (Java  assembler  code)   –  Apktool   •  Correct  smali  code   •  Didn’t  use  dexdump/dedexer  •  Decompiling  to  Java   –  Dex2Jar  +  Java-­‐Decompiler   •  SomeNmes  incorrect  Java  code  
  29. 29. Disassembling  how-­‐to  •  Apktool  me$ java -jar apktool.jar d app.apk output-folder
  30. 30. Disassembled  example  
  31. 31. Reassembling  how-­‐to  •  Apktool  me$ echo "change something"change somethingme$ java -jar apktool.jar b output-folder/ fake.apk[…]me$ keytool -genkey -alias someone -validity 100000 -keystore someone.keystore[…]me$ jarsigner -keystore someone.keystore fake.apk someoneme$ adb install fake-app.apk
  32. 32. 3.  Other  techniques  for   pentesters  
  33. 33. Heap  dump  me$ sume# ps | grep kee 949 10082 183m S com.android.keepass 960 0 1964 S grep keeme# kill -10 949me# grep password /data/misc/heap-dump-tm1312268434-pid949.hprofthisisasecretpassword•  In  Android  >  2.3   –  BuPon  in  DDMS  tool  or  call   android.os.Debug.dumpHprofData(fileName)  
  34. 34. Invoking  AcNviNes  •  AcNviNes  are  basically  user  interfaces   –  „one  screen“   me$ dumpsys package > packages.txt me$ am start -n com.android.keepass/ com.keepassdroid.PasswordActivity•  Fortunately  this  example  doesn‘t  work  
  35. 35. Tons  of  other  tools  •  Androguard  •  Apkinspector   –  GUI  combining  apktool,  dex2jar,  a  Java  decompiler,  byte   code,  etc.  •  DED  •  androidAuditTools  •  Smartphonesdumbapps  •  Taintdroid  (Privacy  issues)  •  Android  Forensic  Toolkit  •  viaExtract  •  More  
  36. 36. Experiences  when  decompiling/ disassembling  3‘500  apps   Finding  security  related  issues  
  37. 37. Metadata  •  About  3’500  apps   –  2’300  unique  email  addresses   –  1’000  «fuck»   –  Several  twiPer  /  facebook  /  flickr  /  geocaching  API   keys  
  38. 38. Low  hanging  fruits  
  39. 39. Hashing  and  encrypNon  –  a  short  best   pracNces  refresh  •  Secure  algorithms/implementaNons  •  Random,  long  salts/keys  •  Hashing   –  Separate  salt  for  every  hash   –  Several  hashing  rounds   •  E.g.  hash(hash(  ...  hash(pwd+salt)+salt  ...  ))  •  EncrypNon   –  Keep  the  key  secret  
  40. 40. Key:  MSB  always  0   r  sending  passwords  in  HTTPS  Used  f o
  41. 41. rver  that  in-­‐Used  t o  signalise  the  se ame  goods  wer e  purchased  g
  42. 42. Obfuscated  code   o  calls  this  „ah“  constructor?   Wh
  43. 43. Obfuscated  code  •  4  greps  later...  •  c.f  includes  the  key   –  c.f  calls  a.bs(key)   •  a.bs  calls  a.ah(key)   –  a.ah  uses  the  key  and  locale  variables  for  encrypNon  •  We  know  all  the  input  data  for  the  encrypNon   rouNne  •  It‘s  symmetric  crypto  •  We  can  decrypt  „it“  (whatever  it  might  be)  
  44. 44. TestXXXXX.java  •  Yeah,  let’s  copy/paste  a  test  email!  
  45. 45. TestXXXXX2.java  •  And  credenNals  for  the  test  server...  
  46. 46. Some  apps  I  looked  at  more   closely   (it’s  gemng  worse)  
  47. 47. App  1  -­‐  banking  app  •  Who  really  wants  banking  on  the  mobile?  •  A  lot  of  banking  apps!  Yay!  •  App  1   –  No  obfuscaNon  +  can  easily  be  recompiled   –  App  simply  shows  the  website   –  Hides  the  URL  and  SSL  cert/lock  from  the  user   –  Can  only  be  used  with  mTAN  
  48. 48. App  2  •  Server  had  self-­‐signed  SSL  cerNficate  •  SSL  MITM  Dump:    /usernam e=B1436A 13E85D20 F2428D6E 232C2B93FE....pa ssword=2 C30F3866 016E6C59 52655C06400BCC6. imei=405 23204606 E450... ... Wow,  it’s  e ncrypted... need  a  key  Don’t  we    for  that?  
  49. 49. App  2  •  AES  key   public byte[] cryptKey42 = {-31, -21, 4, 24, -21, 54, -63, -40, -38, 61, -47, -115, -95, -36, -142, 64, 53, 120, -85, -96, -69, 85, 81, 16, -36, 80, -102, 95, -20, 110, 36, -11};  
  50. 50. App  3  –  root  detecNon  private boolean deviceRoot(){ try{ Runtime.getRuntime().exec("su"); return true; } catch (IOException localIOException){ return false; }}
  51. 51. App  3  –  CircumvenNng  root  detecNon  •  Not  necessary  
  52. 52. App  4    –  Another  root  detecNon   public static boolean isDeviceRooted(){ File f = new File(“/system/sbin/su”) return f.exists() }  
  53. 53. App  4  -­‐  Removing  root  detecNon  me$ java -jar apktool.jar d app.apk source[…]me$ sed -i "" s/system/sbin/su/system/sbin/CEW1PFSLK/g source/smali/net/example/checks.smalime$ java -jar apktool.jar b source/ fake.apk[…]me$ keytool -genkey -alias someone -validity 100000-keystore someone.keystore[…]me$ jarsigner -keystore someone.keystore fake.apksomeoneme$ adb install fake.apk
  54. 54. App  4  –  Was  that  a  good  method  to   remove  the  root  detecNon?  •  Altering  the  app   –  No  updates  •  We  only  want  to  fail  that  simple  check  
  55. 55. App  4  -­‐  Prevent  root  detecNon   root  stays  r o ot!  me$ adb shell$ su# cd /system/bin/; mount -o remount,rw -o rootfs rootfs /;mount -o remount,rw -o yaffs2 /dev/block/mtdblock3 /system# echo $PATH/sbin:/system/sbin:/system/bin:/system/xbin# mv /system/sbin/su /system/xbin/
  56. 56. A  special  secret  key  •  445  apps  use  the  same  AES  key   –  byte[]  a  =  {  10,  55,  -­‐112,  -­‐47,  -­‐6,  7,  11,  75,  -­‐7,  -­‐121,   121,  69,  80,  -­‐61,  15,  5  }  
  57. 57. Google  Ads  •  Encrypt  last  known  locaNon   –  All  locaNon  providers  (GPS,  Wifi,  ...)  •  Send  via  the  „uule“  JSON  parameter  •  NoNfied  Google  on  the  23th  of  June   –  No  response  yet  •  To  be  honest  I  haven‘t  seen  the  „uule“   parameter  in  my  network  yet  
  58. 58. Google  Ads  •  Why  didn‘t  they  use  asymmetric  crypto?  
  59. 59. Countermeasures  •  Use  asymmetric  crypto  instead  of  symmetric   when  transferring  data  to  a  server  •  Store  hashes/session  tokens  instead  of   passwords  •  Good  obfuscaNon  is  Security  Through   Obscurity  •  Pentest  your  apps  •  Know  the  limitaNons   –  root  stays  root  
  60. 60. References  •  hPp://designora.com/graphics/android-­‐logo/  •  hPp://blog.duosecurity.com/2011/05/when-­‐angry-­‐birds-­‐aPack-­‐android-­‐ediNon/  •  hPp://jon.oberheide.org/blog/2011/03/07/how-­‐i-­‐almost-­‐won-­‐pwn2own-­‐via-­‐xss/  •  hPp://www.h-­‐online.com/open/news/item/Android-­‐apps-­‐send-­‐unencrypted-­‐authenNcaNon-­‐token-­‐1243968.html  •  hPps://www.infosecisland.com/blogview/13459-­‐Google-­‐Sued-­‐for-­‐SurrepNNous-­‐Android-­‐LocaNon-­‐Tracking.html  •  hPp://www.h-­‐online.com/open/news/item/Android-­‐malware-­‐acNvates-­‐itself-­‐through-­‐incoming-­‐calls-­‐1253807.html  •  hPp://www.slideshare.net/bsideslondon/bsideslondon-­‐spo#text-­‐version  •  hPps://www.hashdays.ch/assets/files/slides/burns_android_security_the%20fun%20details.pdf  •  hPps://theassurer.com/p/756.html  •  hPp://thomascannon.net/blog/2011/02/android-­‐lock-­‐screen-­‐bypass/  •  hPp://www.symantec.com/content/en/us/about/media/pdfs/symc_mobile_device_security_june2011.pdf? om_ext_cid=biz_socmed_twiPer_facebook_marketwire_linkedin_2011Jun_worldwide_mobilesecuritywp  •  hPp://www.xkcd.com/898  •  hPp://www.madaxeman.com/general/2009/11/lost-­‐phone.html  •  hPp://thomascannon.net/projects/android-­‐reversing/  •  hPp://www.infsec.cs.uni-­‐saarland.de/projects/android-­‐vuln/  •  hPp://www.madaxeman.com/general/2009/11/lost-­‐phone.html  •  hPp://www.heise.de/mobil/meldung/Android-­‐verschickt-­‐SMS-­‐an-­‐falsche-­‐Empfaenger-­‐2-­‐Update-­‐1162685.html  •  hPp://blog.duosecurity.com/2011/09/android-­‐vulnerabiliNes-­‐and-­‐source-­‐barcelona/  
  61. 61. Thx!  •  TwiPer:  floyd_ch  •  hPp://floyd.ch  

×