The figure has reached 17.7 billion, a 117% increase over the number of applications downloaded in 2010.
Manish Chasta - Securing Android Applications
Manish Chasta | CISSP, CHFI, ITIL
Principal Consultant @ Indusface, India. Over 6 years of experience in Information and Application Security. CISSP, CHFI, ITIL.
What comes to any Indian's mind when they think of Russia?
Agenda:
Introduction to Android and Mobile Applications
Working with Android SDK and Emulator
Setting up GoatDroid Application
Memory Analysis
Intercepting Layer 7 traffic
Reverse Engineering Android Applications
SQLite Database Analysis
Demo: ExploitMe application
Gartner says: 8.2 billion mobile applications were downloaded in 2010, 17.7 billion by 2011, and 185 billion applications will have been downloaded by 2014.
Android: the most widely used mobile OS, developed by Google. OS + Middleware + Applications. The Android Open Source Project (AOSP) is responsible for maintenance and further development.
Linux kernel with system services: security, memory and process management, network stack. Provides drivers to access hardware: camera, display and audio, Wi-Fi, …
Core Libraries: written in Java, provide the functionality of the Java programming language, interpreted by the Dalvik VM.
Dalvik VM: a Java-based VM, a lightweight substitute for the JVM. Unlike the JVM, the DVM is a register-based virtual machine, optimized to run with limited main memory and lower CPU usage. Java code (.class files) is converted into .dex format to be able to run on the Android platform.
Thick and Thin Client | Security Measures | User Awareness
Handset / Android Device, Android SDK and Eclipse, Emulator, Wireless Connectivity, and of course… the application file.
What we need: Android SDK, Eclipse, GoatDroid (Android app from OWASP), MySQL, .NET Framework, proxy tool (Burp), Agnitio, Android device (optional), SQLite browser.
Android SDK: development environment for Android application development. Components: SDK Manager, AVD Manager, Emulator.
Can be downloaded from developer.android.com/sdk/. Requires the JDK to be installed. Install Eclipse, then install the ADT Plugin for Eclipse.
Installing the ADT Plugin:
Go to Help -> Install New Software
Click Add
Give the name as ADT Plugin
Provide the address below in Location: http://dl-ssl.google.com/android/eclipse/
Press OK
Check next to 'Developer Tools' and press Next
Click Next and accept the 'Terms and Conditions'
Click Finish
Now go to Window -> Preferences
Click on Android in the left panel
Browse to the Android SDK directory
Press OK
Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or connected Android-powered device. You can find the adb tool in <sdk>/platform-tools/
Install an application to the emulator or device: adb install <path-to-apk>
Push data to the emulator / device: adb push <local> <remote>
Pull data from the emulator / device: adb pull <remote> <local>
Remote -> emulator and local -> machine.
Getting a shell on the emulator or device: adb shell
Reading logs: adb logcat
Reading an SQLite3 database: adb shell, go to the path of the database, then run sqlite3 database_name.db. Use .dump to see the content of the db file and .schema to print the schema of the database on the screen.
Both the Android phone and the laptop (the machine to be used for auditing) need to be on the same wireless LAN. Provide the laptop's IP address and the port where the proxy is listening in the proxy tool (transproxy) installed on the machine.
Burp is an HTTP proxy tool. It is able to intercept layer 7 traffic and allows users to manipulate HTTP requests and responses.
Install MySQL. Install the fourgoats database. Create a user with the name "goatboy" and password "goatdroid", and limit connectivity to hosts matching "localhost". "goatboy" also needs insert, delete, update and select privileges on the fourgoats database.
Run the goatdroid-beta-v0.1.2.jar file. Set the path for the Android SDK root directory and virtual devices: click Configure -> Edit and click on the Android tab.
Set the path for the Android SDK; typically it should be C:\Program Files\Android\android-sdk
Set the path for virtual devices; typically it should be C:\Documents and Settings\Manish\.android\avd
Start web services
Start the emulator through the GoatDroid jar file
Push / install the application to the device
Run the FourGoats application from the emulator
Click on Menu and then click on Destination Info
Provide the following information in the required fields: Server: 10.0.2.2 and Port: 8888
Assuming FourGoats is already installed:
Run the goatdroid-beta-v0.1.2.jar file and start web services
Start any HTTP proxy tool (Burp) on port 7000
Configure Burp to forward the incoming traffic to port 8888
Start the emulator from the command line with the following command: emulator -avd test2 -http-proxy 127.0.0.1:7000
Open the FourGoats application in the emulator
Click on Menu to set Destination Info
Set Destination Info as below: Server: 10.0.2.2 and port 7000
Now see if you are able to intercept the traffic in Burp
• Install the app on the Android device
• Set the destination info as below: Server: IP address (WLAN) of your laptop and port 8888 (in case no proxy is listening)
• Memory analysis through Terminal Emulator and the dd command
SQLite Database: SQLite is a widely used, lightweight database, used by most mobile OSes, i.e. iPhone, Android, Symbian, webOS. SQLite is a free-to-use, open source database. Zero configuration: no setup or administration needed. A complete database is stored in a single cross-platform disk file.
Pull the .db files out of the emulator / device as explained earlier. Tools: SQLite browser, Epilog.
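The pull-and-inspect workflow above (adb pull of the app's database, then .schema to read its layout) as an added example that is not part of the slides or of GoatDroid itself; the FourGoats package name and database file name are assumptions, and the sample database is constructed inline so the audit function can be run offline:

```python
import os
import sqlite3
import tempfile

# Added example (not from the slides). PKG and DB are assumptions for FourGoats.
PKG = "org.owasp.goatdroid.fourgoats"
DB = "fourgoats.db"

# Column names that usually mean credentials or session material are stored locally.
SENSITIVE = ("password", "passwd", "token", "secret", "session")

def adb_pull_commands(pkg=PKG, db=DB, serial=None):
    """Build the adb commands that copy an app's SQLite database off the
    emulator/device (adb pull <remote> <local>, as on the slides). Reading
    /data/data/<pkg> needs a rooted device or the stock emulator."""
    base = ["adb"] + (["-s", serial] if serial else [])
    remote = f"/data/data/{pkg}/databases/{db}"
    return [base + ["shell", "ls", "-l", f"/data/data/{pkg}/databases"],
            base + ["pull", remote, db]]

def audit_sqlite(path):
    """Open a pulled .db read-only and report tables whose columns look like
    they hold plaintext credentials (what .schema shows, checked automatically)."""
    findings = []
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        names = "SELECT name FROM sqlite_master WHERE type='table'"
        for (table,) in conn.execute(names).fetchall():
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            hits = [c for c in cols if any(s in c.lower() for s in SENSITIVE)]
            if hits:
                rows = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
                findings.append({"table": table, "columns": hits, "rows": rows})
    finally:
        conn.close()
    return findings

def make_sample_db():
    """Constructed sample database imitating an app that stores a password in clear."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE checkins (id INTEGER, venue TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'goatboy', 'goatdroid')")
    conn.commit()
    conn.close()
    return path
```

Run the two adb commands from adb_pull_commands() against the emulator, then pass the pulled file to audit_sqlite(); a non-empty result is the plaintext-storage finding the SQLite browser step would otherwise reveal by hand.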