Manish Chasta - Securing Android Applications
Speaker note on the Gartner figures: the figure reached 17.7 billion in 2011, which is a 117% increase over the applications downloaded in 2010.
Manish Chasta | CISSP, CHFI, ITIL

• Principal Consultant @ Indusface, India
• Over 6 years of experience in Information and Application Security
• CISSP, CHFI, ITIL

What comes to any Indian's mind when they think of Russia?

• Introduction to Android and Mobile Applications
• Working with the Android SDK and Emulator
• Setting up the GoatDroid Application
• Memory Analysis
• Intercepting Layer 7 traffic
• Reverse Engineering Android Applications
• SQLite Database Analysis
• Demo: ExploitMe application

• Gartner says:
  ▪ 8.2 billion mobile applications were downloaded in 2010
  ▪ 17.7 billion by 2011
  ▪ 185 billion applications will have been downloaded by 2014

• Most widely used mobile OS
• Developed by Google
• OS + Middleware + Applications
• The Android Open Source Project (AOSP) is responsible for maintenance and further development

• Linux kernel with system services:
  ▪ Security
  ▪ Memory and process management
  ▪ Network stack
• Provides the drivers to access hardware:
  ▪ Camera
  ▪ Display and audio
  ▪ Wi-Fi
  ▪ ...

• Core Libraries:
  ▪ Written in Java
  ▪ Provide the functionality of the Java programming language
  ▪ Interpreted by the Dalvik VM
• Dalvik VM:
  ▪ Java-based VM, a lightweight substitute for the JVM
  ▪ Unlike the JVM, the DVM is a register-based virtual machine
  ▪ The DVM is optimized for limited main memory and low CPU usage
  ▪ Java code (.class files) is converted into .dex format to run on the Android platform

• Thick and Thin Client
• Security Measures
• User Awareness

• Handset / Android Device
• Android SDK and Eclipse
• Emulator
• Wireless Connectivity
• And of course... the application file

• What we need:
  ▪ Android SDK
  ▪ Eclipse
  ▪ GoatDroid (Android app from OWASP)
  ▪ MySQL
  ▪ .NET Framework
  ▪ Proxy tool (Burp)
  ▪ Agnitio
  ▪ Android Device (optional)
  ▪ SQLite Browser

• The Android SDK is the development environment for Android application development
• Components:
  ▪ SDK Manager
  ▪ AVD Manager
  ▪ Emulator

• Can be downloaded from developer.android.com/sdk/
• Requires the JDK to be installed
• Install Eclipse
• Install the ADT Plugin for Eclipse

• Simple next-next process

• Go to Help -> Install New Software
• Click Add
• Give the name as ADT Plugin
• Provide the address below in Location: http://dl-ssl.google.com/android/eclipse/
• Press OK
• Check the box next to 'Developer Tools' and press Next
• Click Next and accept the 'Terms and Conditions'
• Click Finish

• Now go to Window -> Preferences
• Click on Android in the left panel
• Browse to the Android SDK directory
• Press OK

• Click on Start

• Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with an emulator instance or a connected Android-powered device. You can find the adb tool in <sdk>/platform-tools/

• Install an application to the emulator or device:
  ▪ adb install <path-to-apk>

• Push data to the emulator / device:
  ▪ adb push <local> <remote>
• Pull data from the emulator / device:
  ▪ adb pull <remote> <local>
• Remote -> emulator or device; Local -> your machine

• Getting a shell on the emulator or device:
  ▪ adb shell
• Reading logs:
  ▪ adb logcat

• Reading an SQLite3 database:
  ▪ adb shell
  ▪ Go to the path
  ▪ sqlite3 database_name.db
  ▪ .dump to see the content of the db file and .schema to print the schema of the database on the screen

What is Android Rooting?

Step 1: Download the CF-Root kernel files and the Odin3 software

Step 2: Put the handset in debugging mode

Step 3: Run Odin3

Step 4: Reboot the phone into download mode
Step 5: Connect it to the PC

Step 6: Select the required files, i.e. the PDA, Phone and CSC files
Step 7: Tick Auto Reboot and F. Reset Time and hit the Start button

If your phone is rooted... you will see PASS!! in Odin3
(Odin3 is Samsung's flashing tool, so this procedure is specific to Samsung handsets; flash only files built for the exact model, since a wrong kernel can leave the device unbootable.)

• Terminal Emulator
• Proxy tool (transproxy)

• Both the Android phone and the laptop (the machine used for auditing) need to be on the same wireless LAN.
• Enter the laptop's IP address and the port the proxy is listening on into the proxy tool (transproxy) installed on the handset.

• Burp is an HTTP proxy tool
• It intercepts layer 7 traffic and lets the user manipulate HTTP requests and responses

• dd command:
  ▪ dd if=filename.xyz of=/sdcard/SDA.dd
• Application path on an Android device:
  ▪ /data/data/com.application_name

• Install MySQL
• Install the fourgoats database.
• Create a user named "goatboy" with password "goatdroid" and limit connectivity to hosts matching "localhost". "goatboy" also needs INSERT, DELETE, UPDATE and SELECT on the fourgoats database.

• Run the goatdroid-beta-v0.1.2.jar file
• Set the path for the Android SDK root directory and Virtual Devices:
  ▪ Click Configure -> Edit and click on the Android tab
  ▪ Set the path for the Android SDK, typically C:\Program Files\Android\android-sdk
  ▪ Set the path for Virtual Devices, typically C:\Documents and Settings\Manish\.android\avd

• Start the web services
• Start the emulator through the GoatDroid jar file
• Push / install the application to the device
• Run the FourGoats application in the emulator
• Click on Menu and then on Destination Info
• Provide the following in the required fields:
  ▪ Server: 10.0.2.2 and Port: 8888 (10.0.2.2 is the address the emulator uses for the host machine's loopback interface, so this reaches the web service running on the laptop)

Demo / Hands On

• Assuming FourGoats is already installed
• Run goatdroid-beta-v0.1.2.jar and start the web services
• Start an HTTP proxy (Burp) on port 7000
• Configure Burp to forward the incoming traffic to port 8888
• Start the emulator from the command line with the following command:
  ▪ emulator -avd test2 -http-proxy 127.0.0.1:7000

• Open the FourGoats application in the emulator
• Click on Menu to set Destination Info
• Set Destination Info as below:
  ▪ Server: 10.0.2.2 and port 7000
• Now see if you are able to intercept the traffic in Burp
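The interception set-up above (Burp on port 7000 forwarding to the web service on 8888, with the app's Destination Info pointed at the proxy) can be played end to end without an emulator. The block below is an added example, not code from the slides or from the GoatDroid project: a minimal intercepting proxy in Python standing in for Burp, a fake web service standing in for the GoatDroid service (its /login route, its JSON fields and the is_admin flag are assumptions made for this demonstration), and a client playing the part of the app. It shows the two things the deck says a layer 7 proxy gives you: the credentials are visible in the clear as they pass through, and a request can be rewritten in flight before the service ever sees it.

```python
"""Added example, not code from the slides or from GoatDroid: an intercepting
HTTP proxy in the role Burp plays on port 7000, a fake web service in the
role of the GoatDroid service on 8888, and a client in the role of the app.
The service's /login route, its JSON fields and the is_admin flag are
assumptions made for this demonstration."""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class FakeWebService(BaseHTTPRequestHandler):
    """Hypothetical stand-in for the backend; it trusts a client-supplied
    flag, which is the kind of server-side mistake a proxy lets you probe."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = json.loads(self.rfile.read(length) or b"{}")
        role = "admin" if body.get("is_admin") else "user"
        reply = json.dumps({"user": body.get("username"), "role": role}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *_):  # keep the demo output quiet
        pass


class InterceptingProxy(BaseHTTPRequestHandler):
    """Records every request, lets `tamper` rewrite its path or body, then
    forwards it to `upstream` and relays the response back unchanged."""

    upstream = ("127.0.0.1", 8888)  # replaced with an ephemeral port in run_demo()
    captured = []                    # (method, path, body) exactly as the client sent it
    tamper = staticmethod(lambda method, path, body: (path, body))

    def _relay(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length) if length else b""
        InterceptingProxy.captured.append((self.command, self.path, body))
        path, body = self.tamper(self.command, self.path, body)
        fwd = {k: v for k, v in self.headers.items()
               if k.lower() not in ("host", "content-length")}
        fwd["Content-Length"] = str(len(body))
        conn = http.client.HTTPConnection(*InterceptingProxy.upstream)
        conn.request(self.command, path, body=body, headers=fwd)
        resp = conn.getresponse()
        data = resp.read()
        conn.close()
        self.send_response(resp.status)
        for name, value in resp.getheaders():
            if name.lower() not in ("content-length", "transfer-encoding", "connection"):
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = _relay

    def log_message(self, *_):
        pass


def serve(handler):
    """Start `handler` on an ephemeral loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def run_demo():
    """Play app -> proxy -> service once; return what the proxy captured and
    what the service answered."""
    backend, backend_port = serve(FakeWebService)
    InterceptingProxy.upstream = ("127.0.0.1", backend_port)
    InterceptingProxy.captured = []

    def escalate(method, path, body):
        # The in-flight manipulation: flip the client-side flag to true.
        data = json.loads(body or b"{}")
        data["is_admin"] = True
        return path, json.dumps(data).encode()

    InterceptingProxy.tamper = staticmethod(escalate)
    proxy, proxy_port = serve(InterceptingProxy)

    # The "app": like the emulator started with -http-proxy, it only ever
    # talks to the proxy, which is why the credentials are visible there.
    login = json.dumps({"username": "goatboy", "password": "goatdroid",
                        "is_admin": False}).encode()
    client = http.client.HTTPConnection("127.0.0.1", proxy_port)
    client.request("POST", "/login", body=login,
                   headers={"Content-Type": "application/json"})
    reply = json.loads(client.getresponse().read())
    client.close()
    for srv in (proxy, backend):
        srv.shutdown()
        srv.server_close()
    return {"captured": list(InterceptingProxy.captured), "response": reply}


if __name__ == "__main__":
    out = run_demo()
    print("proxy saw:", out["captured"])
    print("service replied:", out["response"])
```

The captured tuple holds the request as the app sent it (username and password readable by anyone sitting where the proxy sits), while the service's answer shows the effect of the rewrite: it granted "admin" because it trusted a flag the client controls. Replacing the escalate() hook with any other rewrite is the same move you make by hand in Burp's intercept tab.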
Demo / Hands On

• Install the app on an Android device
• Set the destination info as below:
  ▪ Server: IP address (WLAN) of your laptop and port 8888 (in case no proxy is listening)
• Memory analysis through Terminal Emulator and the dd command
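The dd command earlier in the deck copies raw data out of the device onto the SD card; what a tester does with the resulting image is carve readable strings out of it and look for credentials. The block below is an added example, not from the slides: a small string carver in Python. The one point it adds to a plain `strings` run is that Dalvik keeps java.lang.String contents as UTF-16, so a heap or memory dump has to be scanned for UTF-16LE runs as well as ASCII or most of the interesting values are missed. The image it scans is constructed inline and is not real device data.

```python
"""Added example, not from the slides: carve printable strings out of a raw
dd image. Dalvik stores java.lang.String contents as UTF-16, so a heap or
memory dump has to be scanned for UTF-16LE runs as well as ASCII, or most
of the interesting values are missed. The image below is constructed."""
import re

ASCII_RUN = rb"[\x20-\x7e]{%d,}"
UTF16_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"   # each printable char followed by NUL
SENSITIVE = re.compile(r"(?i)passw(or)?d|token|secret|api[_-]?key")


def carve_strings(image: bytes, min_len: int = 6):
    """Return (offset, encoding, text) for every printable run of at least
    `min_len` characters, in either encoding, sorted by offset."""
    found = []
    for m in re.finditer(ASCII_RUN % min_len, image):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(UTF16_RUN % min_len, image):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_sensitive(image: bytes, min_len: int = 6):
    """The `strings | grep -i pass` step: keep only credential-looking hits."""
    return [hit for hit in carve_strings(image, min_len) if SENSITIVE.search(hit[2])]


def build_sample_image() -> bytes:
    """Constructed stand-in for SDA.dd: non-printable filler with two values
    planted in it, an ASCII SharedPreferences fragment at offset 300 and a
    UTF-16 Java string at offset 742."""
    filler = bytes(b for b in range(256) if b < 0x20 or b > 0x7e) * 8
    prefs = b'<string name="password">goatdroid</string>'        # 42 bytes
    java_str = "sessionToken=9f1c2d3e4b5a".encode("utf-16-le")
    return filler[:300] + prefs + filler[300:700] + java_str + filler[700:]


if __name__ == "__main__":
    for offset, enc, text in find_sensitive(build_sample_image()):
        print(f"{offset:#08x} {enc:9} {text}")
```

On a real image, lower min_len to catch short PINs and raise it to cut noise; the offsets are what you feed back to a hex editor to see what surrounds each hit.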
Next Topic

• Vulnerabilities can be found through reverse engineering:
  ▪ Vulnerabilities in the source code
  ▪ Re-compile the application
  ▪ Commented code
  ▪ Hard-coded information

• Dex to jar (dex2jar):
  ▪ C:\dex2jar-version\dex2jar.bat someApk.apk
• Open the resulting jar in any Java decompiler (an .apk is a zip archive whose classes.dex holds the Dalvik bytecode; dex2jar converts it into a jar of ordinary .class files)
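Once the decompiler has written the .java files, the two findings the slide names, commented-out code and hard-coded information, are quick to triage by script before reading the code by hand. The block below is an added example, not from the slides and not Agnitio's logic: a small Python scanner with three checks (string literals assigned to secret-looking names, credentials embedded in URLs, and comments that still contain statements). The Java source it runs on is constructed for the demonstration and is not GoatDroid's code.

```python
"""Added example, not from the slides or from Agnitio: a scanner for the two
findings the deck names in decompiled code, hard-coded information and
commented-out code. Run it over the .java files a decompiler saves from the
dex2jar output. The sample source is constructed, not GoatDroid's."""
import re

# A string literal assigned to a name that suggests a secret.
HARDCODED = re.compile(
    r'(?i)\b(\w*(passw(or)?d|secret|api_?key|token|salt)\w*)\s*=\s*"([^"]{4,})"')
# Credentials embedded in a URL: scheme://user:pass@host
URL_CREDS = re.compile(r'[a-z][a-z0-9+.-]*://[^/\s"@]+:[^/\s"@]+@[^\s"]+', re.I)
# A line comment that still holds a statement is probably disabled code.
COMMENTED_CODE = re.compile(r'^\s*//.*[;{}]\s*$')


def scan_java(src: str):
    """Return (line, finding, detail) for every hit in one Java source file."""
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        for m in HARDCODED.finditer(line):
            findings.append((no, "hard-coded secret", m.group(1)))
        for m in URL_CREDS.finditer(line):
            findings.append((no, "credentials in URL", m.group()))
        if COMMENTED_CODE.match(line):
            findings.append((no, "commented-out code", line.strip()))
    # Block comments can span lines; flag any that still contain a statement.
    for m in re.finditer(r"/\*.*?\*/", src, re.S):
        if ";" in m.group():
            no = src.count("\n", 0, m.start()) + 1
            findings.append((no, "commented-out code",
                             m.group().splitlines()[0].strip()))
    return sorted(findings)


SAMPLE = '''package org.example.app;   // constructed sample, not GoatDroid source

public class Api {
    private static final String API_KEY = "AIza-not-a-real-key-1234";
    private static final String DB_URL = "mysql://goatboy:goatdroid@10.0.2.2/fourgoats";
    // String debugUser = "admin";
    public boolean verify(String pin) {
        /* old check, kept for reference:
           if (pin.equals("0000")) return true; */
        return pin.length() == 4;
    }
}
'''

if __name__ == "__main__":
    for no, kind, detail in scan_java(SAMPLE):
        print(f"line {no:>3}  {kind:<20} {detail}")
```

Decompiled code loses local variable names but keeps field names, string constants and comments are gone from bytecode, so the comment checks matter most on the original source; run them over the decompiled tree anyway, because obfuscators rarely touch string constants and the hard-coded values survive.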
Demo / Hands On

• Agnitio: mobile application code review tool
• Install: next-next process
• Can analyze a codebase as well as an .apk file

Demo / Hands On

• SQLite database:
  ▪ SQLite is a widely used, lightweight database
  ▪ Used by most mobile OSes, i.e. iPhone, Android, Symbian, webOS
  ▪ SQLite is free to use and open source
  ▪ Zero-configuration: no setup or administration needed
  ▪ A complete database is stored in a single cross-platform disk file

• Pull the .db files out of the emulator / device as explained earlier (adb pull from /data/data/<package>/databases works on the emulator, but on a production handset the directory is readable only by the owning app's UID, so the device needs to be rooted first, as in the rooting steps above)
• Tools:
  ▪ SQLite Browser
  ▪ Epilog
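The earlier adb slide reads a pulled database with the sqlite3 shell's .schema and .dump; the same inspection can be scripted, which is how you get from "what is in this file" to the finding that matters, credentials or tokens stored in the clear in the app's private database. The block below is an added example, not from the slides: Python's standard sqlite3 module doing the two shell steps and then a column-by-column plaintext check. The database it inspects is built inline as a constructed stand-in for a file pulled with adb pull, and the file name fourgoats.db is an assumption.

```python
"""Added example, not from the slides: the .schema / .dump steps done from
Python with the standard sqlite3 module, followed by the check a tester
actually cares about, sensitive columns stored in the clear. The database
is built inline as a constructed stand-in for a file pulled from
/data/data/<package>/databases/ with adb pull."""
import os
import re
import sqlite3
import tempfile
from contextlib import closing

SENSITIVE_COLUMN = re.compile(r"(?i)pass|pwd|secret|token|pin|ssn|card")


def build_sample_db(path: str) -> None:
    """Constructed data shaped like a typical app database."""
    with closing(sqlite3.connect(path)) as db:
        db.executescript("""
            CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
                                password TEXT, session_token TEXT);
            CREATE TABLE checkins (id INTEGER PRIMARY KEY, user_id INTEGER,
                                   venue TEXT);
            INSERT INTO users VALUES (1, 'goatboy', 'goatdroid', 'f00dbabe');
            INSERT INTO checkins VALUES (1, 1, 'Moscow');
        """)
        db.commit()


def schema(path: str):
    """Equivalent of `.schema`: every CREATE statement in sqlite_master."""
    with closing(sqlite3.connect(path)) as db:
        return [row[0] for row in db.execute(
            "SELECT sql FROM sqlite_master WHERE sql IS NOT NULL ORDER BY name")]


def dump(path: str):
    """Equivalent of `.dump`: the SQL text that recreates the database."""
    with closing(sqlite3.connect(path)) as db:
        return list(db.iterdump())


def looks_hashed(value: str) -> bool:
    """Hex digests (MD5/SHA-*) and bcrypt/PBKDF2-style strings are not plaintext."""
    return bool(re.fullmatch(r"[0-9a-f]{32,}", value)) or value.startswith(("$2", "pbkdf2"))


def find_plaintext_secrets(path: str):
    """Return (table, column, value) for every sensitive-looking column whose
    stored value is neither hashed nor obviously encrypted."""
    hits = []
    with closing(sqlite3.connect(path)) as db:
        tables = [r[0] for r in db.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            columns = [r[1] for r in db.execute(f'PRAGMA table_info("{table}")')]
            for col in columns:
                if not SENSITIVE_COLUMN.search(col):
                    continue
                for (value,) in db.execute(f'SELECT "{col}" FROM "{table}"'):
                    if isinstance(value, str) and not looks_hashed(value):
                        hits.append((table, col, value))
    return hits


def analyse_db(path: str = None):
    """Build the sample if `path` does not exist yet, then run all three steps."""
    path = path or os.path.join(tempfile.mkdtemp(), "fourgoats.db")
    if not os.path.exists(path):
        build_sample_db(path)
    return {"schema": schema(path), "dump": dump(path),
            "secrets": find_plaintext_secrets(path)}


if __name__ == "__main__":
    result = analyse_db()
    print("\n".join(result["schema"]))
    for table, col, value in result["secrets"]:
        print(f"plaintext in {table}.{col}: {value!r}")
```

When you pull a database from a device, pull the -journal or -wal file that sits beside it as well; rows the app has deleted or not yet checkpointed may still be recoverable from those, which is what the Epilog tool on the slide is for.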
Demo / Hands On

Thank you

Manish Chasta
Email: manish.chasta@owasp.org
Twitter: twitter.com/manish_chasta
LinkedIn: http://www.linkedin.com/pub/dir/Manish/Chasta
