Securing Android Applications


1. Securing Android Applications. Presented by Manish Chasta | CISSP, CHFI, ITIL, Principal Consultant, Indusface. www.indusface.com | Copyright 2012
2. Agenda
    - Introduction to Android and Mobile Applications
    - Working with Android SDK and Emulator
    - Setting up GoatDroid Application
    - Memory Analysis
    - Intercepting Layer 7 traffic
    - Reverse Engineering Android Applications
    - SQLite Database Analysis
    - Demo: ExploitMe application
3. What NUMBERS say!!! Gartner says:
    - 8.2 billion mobile applications have been downloaded in 2010
    - 17.7 billion by 2011
    - 185 billion applications will have been downloaded by 2014
4. Market Share
5. Introduction to Android
    - Most widely used mobile OS
    - Developed by Google
    - OS + Middleware + Applications
    - Android Open Source Project (AOSP) is responsible for maintenance and further development
6. Android Architecture
7. Android Architecture: Linux Kernel
    - Linux kernel with system services: security, memory and process management, network stack
    - Provides drivers to access hardware: camera, display and audio, Wifi, …
8. Android Architecture: Android Runtime
    - Core Libraries: written in Java; provide the functionality of the Java programming language; interpreted by the Dalvik VM
    - Dalvik VM: Java-based VM, a lightweight substitute for the JVM
    - Unlike the JVM, the DVM is a register-based virtual machine
    - The DVM is optimized to run with limited main memory and low CPU usage
    - Java code (.class files) is converted into .dex format to be able to run on the Android platform
9. Android Applications
10. Mobile Apps vs Web Applications
    - Thick and thin client
    - Security measures
    - User awareness
11. Setting up Environment
    - Handset / Android device
    - Android SDK and Eclipse
    - Emulator
    - Wireless connectivity
    - And of course… the application file
12. Setting up Lab. What we need:
    - Android SDK
    - Eclipse
    - GoatDroid (Android app from OWASP)
    - MySQL
    - .Net Framework
    - Proxy tool (Burp)
    - Agnitio
    - Android device (optional)
    - SQLitebrowser
13. Working with Android SDK
14. Android SDK
    - Development environment for Android application development
    - Components: SDK Manager, AVD Manager, Emulator
15. Android SDK
    - Can be downloaded from: developer.android.com/sdk/
    - Requires JDK to be installed
    - Install Eclipse
    - Install the ADT Plugin for Eclipse
16. Android SDK: Installing SDK. Simple next-next process.
17. Android SDK: Configuring Eclipse
    - Go to Help -> Install New Software
    - Click Add
    - Give Name as ADT Plugin
    - Provide the below address in Location: http://dl-ssl.google.com/android/eclipse/
    - Press OK
    - Check next to 'Developer Tool' and press Next
    - Click Next and accept the 'Terms and Conditions'
    - Click Finish
18. Android SDK: Configuring Eclipse
    - Now go to Window -> Preferences
    - Click on Android in the left panel
    - Browse to the Android SDK directory
    - Press OK
19. SDK Manager
20. AVD Manager
21. Emulator: Running. Click on Start.
22. Emulator: Running from Command Line
23. Emulator: Running with proxy
24. ADB: Android Debug Bridge
    - Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or a connected Android-powered device.
    - You can find the adb tool in <sdk>/platform-tools/
25. ADB: Important Commands. Install an application to the emulator or device.
26. ADB: Important Commands
    - Push data to the emulator / device: adb push <local> <remote>
    - Pull data from the emulator / device: adb pull <remote> <local>
    - Remote -> emulator, Local -> machine
27. ADB: Important Commands
    - Getting a shell on the emulator or device: adb shell
    - Reading logs: adb logcat
28. ADB: Important Commands
    - Reading a SQLite3 database: adb shell, go to the path, then sqlite3 database_name.db
    - .dump to see the content of the db file and .schema to print the schema of the database on the screen
    - Reading logs: adb logcat
29. Auditing Application from Android Phone
30. Need of Rooting. What is Android rooting?
31. Rooting Android Phone. Step 1: Download the CF rooted kernel files and the Odin3 software
32. Rooting Android Phone. Step 2: Keep the handset in debugging mode
33. Rooting Android Phone. Step 3: Run Odin3
34. Rooting Android Phone. Step 4: Reboot the phone in download mode. Step 5: Connect to the PC
35. Rooting Android Phone. Step 6: Select the required files, i.e. PDA, Phone, CSC files. Step 7: Click on Auto Reboot and F. Reset Time and hit the Start button
36. Rooting Android Phone. If your phone is rooted, you will see PASS!! in Odin3
37. Important Tools
    - Terminal Emulator
    - Proxy tool (transproxy)
38. Setting Proxy
    - Both the Android phone and the laptop (machine to be used in auditing) need to be on the same wireless LAN.
    - Provide the laptop's IP address and the port where the proxy is listening in the proxy tool (transproxy) installed on the machine.
39. Intercepting Traffic (Burp)
    - Burp is an HTTP proxy tool
    - Able to intercept layer 7 traffic and allows users to manipulate HTTP requests and responses
40. Memory Analysis with Terminal Emulator
    - dd command: dd if=filename.xyz of=/sdcard/SDA.dd
    - Application path on the Android device: /data/data/com.application_name
41. Memory Analysis with Terminal Emulator
42. Memory Analysis with Terminal Emulator
43. Lab: GoatDroid. A vulnerable Android application from OWASP
44. GoatDroid: Setting up
    - Install MySQL
    - Install the fourgoats database.
    - Create a user with name "goatboy", password "goatdroid" and Limit Connectivity to Hosts Matching "localhost". Also "goatboy" needs insert, delete, update and select on the fourgoats database.
45. GoatDroid: Setting up
    - Run the goatdroid-beta-v0.1.2.jar file
    - Set the path for the Android SDK root directory and Virtual Devices: click Configure -> Edit and click on the Android tab
    - Set the path for the Android SDK; typically it should be C:\Program Files\Android\android-sdk
    - Set the path for Virtual Devices; typically it should be C:\Documents and Settings\Manish\android\avd
46. GoatDroid: Setting up
    - Start web services
    - Start the emulator through the GoatDroid jar file
    - Push / install the application to the device
    - Run the FourGoats application from the emulator
    - Click on Menu and then click on Destination Info
    - Provide the following information in the required fields: Server: 10.0.2.2 and Port 8888
47. GoatDroid: Setting up. Demo / Hands On
48. GoatDroid: Setting up proxy
    - Assuming FourGoats is already installed
    - Run the goatdroid-beta-v0.1.2.jar file and start web services
    - Start any HTTP proxy tool (Burp) on port 7000
    - Configure Burp to forward the incoming traffic to port 8888
    - Start the emulator from the command line with the following command: emulator -avd test2 -http-proxy 127.0.0.1:7000
49. GoatDroid: Setting up proxy
    - Open the FourGoats application in the emulator
    - Click on Menu to set Destination Info
    - Set Destination Info as below: Server: 10.0.2.2 and port 7000
    - Now see if you are able to intercept the traffic in Burp
50. GoatDroid: Setting up Proxy. Demo / Hands On
51. GoatDroid: Intercepting Traffic. Demo / Hands On
52. GoatDroid: Parameter Manipulation Attack. Demo / Hands On
53. GoatDroid: Handset Memory Analysis. Demo / Hands On
54. GoatDroid: Auditing from Android Device
    - Install the app on the Android device
    - Set the destination info as below: Server: IP address (WLAN) of your laptop and port 8888 (in case no proxy is listening)
    - Memory analysis through Terminal Emulator and the dd command
55. GoatDroid: Reverse Engineering. Next Topic
56. Reverse Engineering Android Applications
57. Reverse Engineering Android Application
    - Vulnerabilities can be found through reverse engineering:
    - Vulnerabilities in source code
    - Re-compile the application
    - Commented code
    - Hard-coded information
58. Reverse Engineering Android Application
    - Dex to jar (dex2jar): C:\dex2jar-version\dex2jar.bat someApk.apk
    - Open the code files in any Java decompiler
59. Reverse Engineering Android Application. Demo / Hands On
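The two findings slide 57 singles out, commented-out code and hard-coded information, can be checked mechanically once dex2jar and a decompiler have produced Java source, and the same checks belong in code review before release. The Python below is an added example, not code from the deck, from GoatDroid or from Agnitio; it runs three simple heuristics over a constructed Java snippet (SAMPLE_JAVA, made up for this example) and reports the line numbers an auditor would cite.

```python
import re

# Constructed decompiled-Java sample (not from GoatDroid or any real app).
SAMPLE_JAVA = """\
package com.example.app;

public class Api {
    // TODO remove before release
    private static final String API_KEY = "AKIA-EXAMPLE-KEY-0001";
    private String password = "hunter2";
    private static final String BASE = "http://api.example.test/v1/";
    private static final String NAME = "FourGoats";

    public void login(String user) {
        // old: sendPlain(user, password);
        send(BASE + "login", user);
    }
}
"""

# An identifier that usually names a credential, assigned a string literal.
HARDCODED_CREDENTIAL = re.compile(
    r'\b(?:pass(?:word|wd)?|pwd|secret|api_?key|token|private_?key)\b'
    r'\s*=\s*"[^"]+"', re.IGNORECASE)
# A cleartext endpoint: traffic to it is readable by any on-path proxy.
CLEARTEXT_URL = re.compile(r'"http://[^"]+"')
# A line comment that ends like a statement or block: probably disabled code.
COMMENTED_CODE = re.compile(r'^\s*//.*[;{}]\s*$')

CHECKS = [
    ("hard-coded-credential", HARDCODED_CREDENTIAL),
    ("cleartext-endpoint", CLEARTEXT_URL),
    ("commented-code", COMMENTED_CODE),
]

def scan_java(source):
    """Return (line_no, category, line_text) for each line a check matches."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for category, pattern in CHECKS:
            if pattern.search(line):
                findings.append((line_no, category, line.strip()))
    return findings

if __name__ == "__main__":
    for line_no, category, text in scan_java(SAMPLE_JAVA):
        print(f"{line_no:4d} {category:22s} {text}")
```

The heuristics are deliberately narrow; a real review also looks for secrets in resources and assets, which the deck's .apk-level tooling covers separately.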
60. Agnitio
    - Mobile application code review tool
    - Install: next-next process
    - Can analyze a codebase as well as an .apk file
61. Agnitio. Demo / Hands On
62. Analyzing SQLite Database
63. Analyzing SQLite Database. SQLite Database:
    - SQLite is a widely used, lightweight database
    - Used by most mobile OSes, i.e. iPhone, Android, Symbian, webOS
    - SQLite is free to use and open source
    - Zero-configuration: no setup or administration needed
    - A complete database is stored in a single cross-platform disk file
64. Analyzing SQLite Database
    - Pull the .db files out of the emulator / device as explained earlier
    - Tools: SQLite browser, Epilog
65. Analyzing SQLite Database. Demo / Hands On
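Once a .db file has been pulled with adb pull, the .schema and .dump inspection from slide 28 can be automated so that every table is checked the same way. The Python below is an added example, not part of the deck; it builds a constructed in-memory SQLite database that stands in for a pulled app database (the tables and rows are made up), reproduces .schema from sqlite_master, and flags columns and key/value rows that hold credentials in plaintext rather than as a hash, the kind of local-storage finding an auditor records.

```python
import re
import sqlite3

# Column / preference names that usually hold secrets (heuristic, not exhaustive).
SENSITIVE = re.compile(r'(?:^|_)(pass|pwd|secret|token|pin|card|ssn)', re.I)
# A bare hex digest (MD5/SHA-style): still worth noting, but not plaintext.
HEX_DIGEST = re.compile(r'^[0-9a-f]{32,}$', re.I)

def build_sample_db(path=":memory:"):
    """Constructed stand-in for a database pulled from /data/data/<pkg>/databases.
    Schema and rows are made up for this example."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT,
                           password TEXT, session_token TEXT);
        CREATE TABLE prefs(key TEXT, value TEXT);
        INSERT INTO users VALUES(1, 'alice', 's3cret', 'tok-9f3a1c');
        INSERT INTO users VALUES(2, 'bob', '5f4dcc3b5aa765d61d8327deb882cf99', NULL);
        INSERT INTO prefs VALUES('server', '10.0.2.2:8888');
        INSERT INTO prefs VALUES('remember_pin', '1234');
    """)
    return con

def schema(con):
    """What sqlite3's .schema prints: the CREATE statements kept in sqlite_master."""
    return [row[0] for row in con.execute(
        "SELECT sql FROM sqlite_master WHERE sql IS NOT NULL")]

def classify(value):
    return "hashed" if HEX_DIGEST.match(str(value)) else "plaintext"

def scan_db(con):
    """Return (table, column_or_key, kind, value) for every secret-looking cell."""
    findings = []
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            if SENSITIVE.search(col):
                rows = con.execute(
                    f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL')
                for (value,) in rows:
                    findings.append((table, col, classify(value), str(value)))
        if {"key", "value"} <= set(cols):  # SharedPreferences-style key/value table
            for key, value in con.execute(f'SELECT "key", "value" FROM "{table}"'):
                if SENSITIVE.search(str(key)):
                    findings.append((table, str(key), classify(value), str(value)))
    return findings

if __name__ == "__main__":
    db = build_sample_db()
    print("\n".join(schema(db)))
    for finding in scan_db(db):
        print(finding)
```

Point build_sample_db at a real pulled file instead of ":memory:" (skipping executescript) to run the same scan on an application's own database.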
66. ExploitMe. One more vulnerable application, from Security Compass
67. ExploitMe. Demo / Hands On
68. Manish Chasta. Email: manish.chasta@indusface.com
69. Thank You. Sales: sales@indusface.com; Marketing: marketing@indusface.com; Technical: support@indusface.com
    - Vadodara, India: A/2-3, 3rd Floor, Status Plaza, Opp Relish Resort, Atladara Old Padra Road, Vadodara – 390020, Gujarat, India. T: +91 265 3933000, F: +91 265 2355820
    - Bangalore, India: 408, 2nd Floor, Regency Enclave, 4, Magrath Road, Bangalore – 560025, Karnataka, India. T: +91 80 65608570, +91 80 65608571, F: +91 80 41129296
    - Mumbai, India: 1357 / 1359, Regus Serviced Offices, Level 13, Platinum Techno Park, 17 & 18, Sector 30, Vashi, Navi Mumbai – 400705, Maharashtra, India. T: +91 22 61214961
    - Ottawa, Canada: 137 Goodman Drive, Kanata, Ottawa K2W 1C7, Ontario, Canada. T: +1 613 721 9363
    - Houston, USA: 1001 Fannin Street, Ste 1250, Houston, Texas 77002, USA. T: +1 832 295 1462
