Manish Chasta - Securing Android Applications
  1. Manish Chasta | CISSP, CHFI, ITIL
  2. Principal Consultant @ Indusface, India
     - Over 6 years experience in Information and Application Security
     - CISSP, CHFI, ITIL
  3. What comes to any Indian's mind when they think of Russia?
  4. Introduction to Android and Mobile Applications
     - Working with Android SDK and Emulator
     - Setting up GoatDroid Application
     - Memory Analysis
     - Intercepting Layer 7 traffic
     - Reverse Engineering Android Applications
     - SQLite Database Analysis
     - Demo: ExploitMe application
  5. Gartner says:
     - 8.2 billion mobile applications were downloaded in 2010
     - 17.7 billion by 2011
     - 185 billion applications will have been downloaded by 2014
  6. Most widely used mobile OS
     - Developed by Google
     - OS + Middleware + Applications
     - Android Open Source Project (AOSP) is responsible for maintenance and further development
  7. Linux kernel with system services:
     - Security
     - Memory and process management
     - Network stack
     Provides drivers to access hardware:
     - Camera
     - Display and audio
     - Wifi
     - ...
  8. Core Libraries:
     - Written in Java
     - Provide the functionality of the Java programming language
     - Interpreted by the Dalvik VM
     Dalvik VM:
     - Java-based VM, a lightweight substitute for the JVM
     - Unlike the JVM, the DVM is a register-based virtual machine
     - The DVM is optimized to run with limited main memory and low CPU usage
     - Java code (.class files) is converted into .dex format to be able to run on the Android platform
  9. Thick and Thin Client
     - Security Measures
     - User Awareness
  10. Handset / Android Device
     - Android SDK and Eclipse
     - Emulator
     - Wireless Connectivity
     - And of course... the application file
  11. What we need:
     - Android SDK
     - Eclipse
     - GoatDroid (Android App from OWASP)
     - MySQL
     - .Net Framework
     - Proxy tool (Burp)
     - Agnitio
     - Android Device (optional)
     - SQLitebrowser
  12. Development Environment for Android Application Development
     Components:
     - SDK Manager
     - AVD Manager
     - Emulator
  13. Can be downloaded from: developer.android.com/sdk/
     - Requires JDK to be installed
     - Install Eclipse
     - Install ADT Plugin for Eclipse
  14. Simple next-next process
  15. Go to Help -> Install New Software
     - Click Add
     - Give Name as ADT Plugin
     - Provide the below address in Location: http://dl-ssl.google.com/android/eclipse/
     - Press OK
     - Check next to 'Developer Tool' and press Next
     - Click Next and accept the 'Terms and Conditions'
     - Click Finish
  16. Now go to Window -> Preferences
     - Click on Android in the left panel
     - Browse to the Android SDK directory
     - Press OK
  17. Click on Start
  18. Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or connected Android-powered device. You can find the adb tool in <sdk>/platform-tools/
  19. Install an application to emulator or device:
     - adb install <path-to-apk>
  20. Push data to emulator / device
     - adb push <local> <remote>
     Pull data from emulator / device
     - adb pull <remote> <local>
     Remote -> Emulator and Local -> Machine
  21. Getting a shell on the emulator or device
     - adb shell
     Reading logs
     - adb logcat
  22. Reading an SQLite3 database
     - adb shell
     - Go to the path
     - sqlite3 database_name.db
     - .dump to see the content of the db file and .schema to print the schema of the database on the screen
     Reading logs
     - adb logcat
  23. What is Android Rooting?
  24. Step 1: Download CF Rooted Kernel files and Odin3 Software
  25. Step 2: Keep handset in debugging mode
  26. Step 3: Run Odin3
  27. Step 4: Reboot the phone in download mode
     Step 5: Connect to the PC
  28. Step 6: Select required files, i.e. PDA, Phone, CSC files
     Step 7: Click on Auto Reboot and F. Reset Time and hit the Start button
  29. If your phone is rooted... you will see PASS!! in Odin3
  30. Terminal Emulator
     - Proxy tool (transproxy)
  31. Both the Android phone and the laptop (machine to be used in auditing) need to be in the same wireless LAN. Provide the laptop's IP address and the port where the proxy is listening in the proxy tool (transproxy) installed on the phone.
  32. Burp is an HTTP proxy tool
     - Able to intercept layer 7 traffic and allows users to manipulate the HTTP requests and responses
  33. DD command:
     - dd if=filename.xyz of=/sdcard/SDA.dd
     Application path on Android device:
     - /data/data/com.application_name
  34. Install MySQL
     - Install the fourgoats database.
     - Create a user with name "goatboy", password "goatdroid" and Limit Connectivity to Hosts Matching "localhost". Also "goatboy" needs to have insert, delete, update, select on the fourgoats database.
  35. Run the goatdroid-beta-v0.1.2.jar file
     Set the path for the Android SDK root directory and Virtual Devices:
     - Click Configure -> Edit and click on the Android tab
     - Set the path for the Android SDK; typically it should be C:\Program Files\Android\android-sdk
     - Set the path for Virtual Devices; typically it should be C:\Documents and Settings\Manish\android\avd
  36. Start web services
     - Start the emulator through the GoatDroid jar file
     - Push / install the application to the device
     - Run the FourGoats application from the emulator
     - Click on Menu and then click on Destination Info
     - Provide the following information in the required fields: Server: 10.0.2.2 and Port 8888
  37. Demo / Hands On
  38. Assuming FourGoats is already installed
     - Run the goatdroid-beta-v0.1.2.jar file and start web services
     - Start any HTTP proxy tool (Burp) on port 7000
     - Configure Burp to forward the incoming traffic to port 8888
     - Start the emulator from the command line by giving the following command: emulator -avd test2 -http-proxy 127.0.0.1:7000
  39. Open the FourGoats application in the emulator
     - Click on Menu to set Destination Info
     - Set Destination Info as below: Server: 10.0.2.2 and port as 7000
     - Now see if you are able to intercept the traffic in Burp
  40. Demo / Hands On
  41. Demo / Hands On
  42. Demo / Hands On
  43. Demo / Hands On
  44. Install the app on the Android device
     - Set the destination info as below: Server: IP address (WLAN) of your laptop and port as 8888 (in case no proxy is listening)
     - Memory analysis through Terminal Emulator and the DD command
  45. Next Topic
  46. Vulnerabilities can be found through reverse engineering:
     - Vulnerabilities in source code
     - Re-compile the application
     - Commented code
     - Hard-coded information
  47. Dex to jar (dex2jar)
     - C:\dex2jar-version\dex2jar.bat someApk.apk
     - Open the code files in any Java decompiler
  48. Demo / Hands On
  49. Mobile Application Code Review tool
     - Install: next-next process
     - Can analyze a codebase as well as an .apk file
  50. Demo / Hands On
  51. SQLite Database:
     - SQLite is a widely used, lightweight database
     - Used by most mobile OSes, i.e. iPhone, Android, Symbian, webOS
     - SQLite is a free-to-use and open source database
     - Zero-configuration: no setup or administration needed
     - A complete database is stored in a single cross-platform disk file
  52. Pull the .db files out of the emulator / device as explained earlier
     Tools
     - SQLite browser
     - Epilog
  53. Demo / Hands On
  54. Demo / Hands On
  55. Thank you
     Manish Chasta
     Email: manish.chasta@owasp.org
     Twitter: twitter.com/manish_chasta
     LinkedIn: http://www.linkedin.com/pub/dir/Manish/Chasta
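Slides 46 and 47 reverse-engineer an APK with dex2jar and a Java decompiler, then look for commented-out code and hard-coded information in the result. The scanner below is an added example (not from the deck or from GoatDroid) that automates that review step over decompiled source; the Java snippet is constructed, and the endpoint 10.0.2.2:8888 is the GoatDroid address used elsewhere in the slides.

```python
"""Triage decompiled Java for the slide-46 findings: hard-coded secrets,
cleartext endpoints, commented-out code and credentials compared to literals.
Added example; SAMPLE_JAVA is constructed, not real app code."""
import re

SAMPLE_JAVA = """\
package com.example.app;
public class Api {
    private static final String API_KEY = "CONSTRUCTED-EXAMPLE-KEY-123";
    private static final String BASE = "http://10.0.2.2:8888/fourgoats";
    // String debugPass = "letmein"; // TODO remove before release
    public boolean login(String u, String p) {
        if (u.equals("admin") && p.equals("admin123")) return true;
        return false;
    }
}
"""

# A secret-looking identifier assigned a string literal.
SECRET_NAME = re.compile(r'(key|secret|pass(word)?|token|pwd)\s*=\s*"([^"]+)"', re.I)
# Plain http:// endpoints: traffic will be interceptable on the wire.
CLEARTEXT_URL = re.compile(r'"(http://[^"]+)"')
# A comment line that still carries a statement or block delimiter.
COMMENTED_CODE = re.compile(r'^\s*//.*[;{}]\s*(//.*)?$')
# String.equals against a literal: a client-side credential check.
LITERAL_COMPARE = re.compile(r'\.equals\("([^"]+)"\)')


def scan(src):
    """Return (line_no, finding_kind, detail) tuples for one source file."""
    findings = []
    for n, line in enumerate(src.splitlines(), 1):
        for m in SECRET_NAME.finditer(line):
            findings.append((n, "hard-coded secret", m.group(1)))
        for m in CLEARTEXT_URL.finditer(line):
            findings.append((n, "cleartext http endpoint", m.group(1)))
        if COMMENTED_CODE.match(line):
            findings.append((n, "commented-out code", line.strip()))
        for m in LITERAL_COMPARE.finditer(line):
            findings.append((n, "credential compared to literal", m.group(1)))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in scan(SAMPLE_JAVA):
        print(f"line {line_no}: {kind}: {detail}")
```

Point `scan()` at each `.java` file under the decompiler's output directory to review a whole APK; every hit is a line to read by hand, not a confirmed vulnerability.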
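Slides 22, 51 and 52 inspect an app's SQLite file with `.schema` and `.dump` after pulling it with `adb pull`. The script below is an added example (not part of the deck or of GoatDroid) that does the same offline in Python's built-in sqlite3 module and additionally flags columns whose names suggest secrets kept in clear text; the database it builds is constructed, reusing the goatboy/goatdroid credentials from slide 34 as sample data.

```python
"""Offline triage of an Android app's SQLite database.
Added example: the sample database is constructed to mimic a file pulled
from /data/data/<package>/databases/; open_db() opens a real pulled file."""
import re
import sqlite3

# Column names that usually mean a secret is stored on the device.
SENSITIVE = re.compile(r"pass|secret|token|\bpin\b|credential", re.I)


def make_sample_db():
    """Constructed sample: an app that caches its login locally."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE checkins(id INTEGER PRIMARY KEY, venue TEXT, lat REAL, lon REAL);
        INSERT INTO users(username, password) VALUES ('goatboy', 'goatdroid');
        INSERT INTO checkins(venue, lat, lon) VALUES ('office', 18.52, 73.85);
    """)
    return con


def open_db(path):
    """Open a .db file pulled with adb read-only so analysis cannot alter it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def schema(con):
    """Equivalent of `.schema`: the CREATE statement of every table."""
    rows = con.execute("SELECT sql FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def dump(con, table):
    """Equivalent of `.dump` for one table: column names plus all rows."""
    cur = con.execute(f'SELECT * FROM "{table}"')
    return [d[0] for d in cur.description], cur.fetchall()


def sensitive_columns(con):
    """(table, column) pairs whose name looks like a secret; each one is a
    candidate for data that should be encrypted or not stored at all."""
    hits = []
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        for col in con.execute(f'PRAGMA table_info("{table}")'):
            if SENSITIVE.search(col[1]):   # col[1] is the column name
                hits.append((table, col[1]))
    return hits


if __name__ == "__main__":
    db = make_sample_db()
    print("\n".join(schema(db)))
    for table, column in sensitive_columns(db):
        print(f"[!] {table}.{column} may hold a secret in clear text:", dump(db, table)[1])
```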