Android "Fight Club"
In pursuit of “Appiness”
“The things you own end up owning you.”
Ice breaking session
● Your Name
● Experience with android | android hacking
● Something cool about yourself.
● Have you seen “Fight Club (1999)”?
● C:\Users\abhinav>whoami
○ Abhinav Mishra | 0ctac0der | Freelancer | Bug Hunter | Penetration Tester
● Why is the session named “Fight Club”?
● What are you expecting & what I am going to tell here…..
Disclaimer: Some images and quotes have been used which are movie material taken from google.
Rules of the fight club
1. You do talk about the “Fight Club”
2. If it’s your first day @fightclub, you have to ask questions…. A lot of questions
3. If someone asks something, you either listen to the answer or answer it
4. Only one question at a time
5. The discussion will go on as long as needed
6. You can ask a question at any time
7. No iOS, no apple
8. If you haven’t seen fight club, you will watch it today
Where should we start?
● Let’s talk a bit about android
○ Architecture: Who remembers what?
○ Privilege and permissions
○ Applications and issues you know about
● What tools to use?
○ ADB & SDK
○ Dex2jar
○ JDGUI
○ AVD
○ Drozer
○ QARK
○ Any more ????
Building a “coliseum”
What we need?
1. Android studio with updated SDK and AVD
2. Dex2Jar, Java decompiler, apktool, burp suite, java debugger
3. Drozer
4. Automated analyzers
5. QARK, runtime analyzer
6. Maybe a lot more…
So, I decided to help you all. This is what I did:
Ubuntu → install apps → update sdk → create AVD → setup everything → Droider
What are we going to do next
● Create your lab:
○ Minimum: Android SDK, emulator, ADB, drozer, dex2jar, jdgui, apktool | Or AppUse
● Choose your target app
○ Suggestions: Herd Financials or FourGoats. Link
○ Need more adventure? Choose bug bounty apps: Coinbase, Ola Cabs, Dropbox, LastPass
● Let’s hack it
○ Static analysis
○ Dynamic analysis
○ Looking for some common vulnerabilities
● Earning money the Gangsta style
Take your time and collect your breath (Break Time)
If you are failing, remember:
Are you ready? “It's only after we've lost everything that we're free to do anything.”
Need help?
Ask your Self
If the problem got solved
Problem persists
Ask the guy next to you (and if it's a girl, your life rocks, dude)
Still Stuck?
Because “Why” is also more important than “How”
● Android holds the biggest market share among mobile operating systems.
● Google Play has more than 48 billion app installs.
● Your android device has:
○ Personal Info, Credit card details, all social accounts, chats, financial details, PIN, OTP …
● One malicious application in your phone … and you are gone.
● An Android application vulnerability may leak critical information
● Security of Android apps is vital for the business
● Android apps are less secure than web apps, hence apps are the prime target
● Free apps can lead to huge monetary loss.
● Bug Bounty earnings, secure app development
Now we will talk about “How”
● Static analysis of android application
○ Looking into the apk file for info leakage, hidden accounts, confidential data
○ Local storage of user/application data
○ Reverse engineering the application
○ Binary Protections, backup info leakage, application signature, crypto issues, data leakage
● Dynamic analysis of the android application
○ Run time analysis
○ Application components: Activities, Broadcast receivers, services, content providers
○ Application data capture and analysis
○ Web based vulnerabilities
Static Analysis - Part 1
● APK → apktool → read AndroidManifest.xml → permissions, components
○ Command used: $ apktool d application_file_name
● APK → Un-archive → classes.dex to classes.dex.jar → read java code
○ Command used: $ dex2jar classes.dex
● SMALI files → read the code for confidential data
● Tool? Mobilizer.py
● Application signatures and decompilation
● Binary protection
● Debuggable and Backup enabled applications
Static Analysis - Part 2
● Installing app in the emulator
○ $ adb install apk_full_name
● Inspecting the application local storage.
○ $ adb shell
○ $ ls -la
○ $ cd /data/data/package_name/
● Insecure storage of confidential data
● Logcat and Android Monitor
● Memory dumps
● Unintended Data leakage
● Crypto issues
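A check for the local-storage issues on this slide, as an added example rather than a tool from the talk: it scans a directory laid out like a pulled /data/data/package_name/ tree for files readable or writable by other apps and for secrets stored in plaintext in SharedPreferences XML. The sample tree, the package name com.example.herdbank and the SENSITIVE key pattern are constructed assumptions.

```python
"""Scan a copy of an app's /data/data/<package>/ directory for the insecure
storage signs on the slide: world-readable or world-writable files and
credentials sitting in SharedPreferences XML.
Added example, not part of the talk; the directory contents are constructed."""
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Assumed heuristic: preference keys whose names suggest a secret.
SENSITIVE = re.compile(r"pass(word|wd)?|pin|token|secret|otp|card", re.I)

def build_sample_app_dir():
    """Constructed sample tree (stands in for `adb pull /data/data/pkg`)."""
    root = tempfile.mkdtemp(prefix="com.example.herdbank_")
    os.makedirs(os.path.join(root, "shared_prefs"))
    os.makedirs(os.path.join(root, "databases"))
    prefs = os.path.join(root, "shared_prefs", "user.xml")
    with open(prefs, "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n'
                '<map>\n  <string name="username">alice</string>\n'
                '  <string name="password">hunter2</string>\n'
                '  <int name="login_count" value="3" />\n</map>\n')
    os.chmod(prefs, 0o600)  # private, as MODE_PRIVATE creates it
    db = os.path.join(root, "databases", "accounts.db")
    with open(db, "wb") as f:
        f.write(b"SQLite format 3\x00")
    os.chmod(db, 0o666)  # world-writable: any app on the device can read/modify it
    return root

def sensitive_pref_keys(path):
    """Keys in a SharedPreferences <map> whose name looks secret and whose
    value is non-empty plaintext (no encryption or keystore involved)."""
    keys = []
    for entry in ET.parse(path).getroot():
        name = entry.get("name", "")
        value = entry.text if entry.tag == "string" else entry.get("value")
        if SENSITIVE.search(name) and value:
            keys.append(name)
    return keys

def scan_app_dir(root):
    """Return sorted (finding, relative path[:key]) tuples for the tree."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & stat.S_IWOTH:
                findings.append(("world-writable", rel))
            elif mode & stat.S_IROTH:
                findings.append(("world-readable", rel))
            if dirpath.endswith("shared_prefs") and name.endswith(".xml"):
                findings.extend(("plaintext-secret", "%s:%s" % (rel, key))
                                for key in sensitive_pref_keys(path))
    return sorted(findings)

if __name__ == "__main__":
    for finding in scan_app_dir(build_sample_app_dir()):
        print("%-17s %s" % finding)
```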
Tea Break Time
In the meantime,
for iOS lovers
Dynamic Analysis - Part 1
Drozer Analysis:
● Drozer console connect: $ drozer console connect
● Drozer attack surface: dz> run app.package.attacksurface package_name
● Exploiting application components
○ Exported activities
○ Exported Broadcast receivers
○ Exported services
○ Exported content providers
Dynamic Analysis - Part 2
● SSL pinning in applications and bypass
● Setting up proxy on an emulator/device
● Capturing the application traffic
● Web related attacks and testing
○ Authorization and authentication
○ Improper session management
○ Client side injection
Dynamic Analysis - Part 3
● Fuzzing android applications
● Run time code executions
● Insufficient Transport layer protection
● Logical vulnerabilities
● Insufficient server side controls
Common vulnerabilities and finding them
● Insecure storage
○ Who will answer this?
● Insufficient transport layer protection
○ How to find this in any applications. Coolest answer will get a prize.
● Insecure application components
○ Give me three examples.
● Binary protection
○ Anyone got this? What did you do?
Some common solutions
● Installing Google play on emulator: Link
● Setting up burp proxy on emulator/device: Link
● Installing Burp certificate on android device: Link
● Bypassing SSL pinning on android: Link
Scanner and tool tutorials to watch
● QARK: Android App Exploit and SCA Tool - AppSecUSA 2015 : Link
● MobSF: Security Framework for Mobile Application Testing: Link
● Androbugs : An Android Application Security Vulnerability Scanner: Link
Questions | Grudges | Suggestions | Compliments
Thanks Guys.