This slide deck covers automated and manual static analysis of Android applications using open-source tools, reverse engineering of APK files, and secure code review.
3. Intro to MobSF framework
• Mobile Security Framework (MobSF) is an automated, open-source, all-in-one mobile application (Android/iOS/Windows) pentesting framework capable of performing static, dynamic and malware analysis.
• The OWASP MSTG recommends it for static security analysis of mobile applications.
• It can be used for fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA and APPX) and zipped source code.
• MobSF can perform dynamic analysis of Android apps at runtime and, in the version covered here, has Web API fuzzing powered by CapFuzz, a Web API specific security scanner (CapFuzz was removed from later MobSF releases).
• MobSF is designed to make CI/CD or DevSecOps pipeline integration seamless.
• Its UI is a web service: a dashboard that presents the analysis results, its own documentation site, an integrated emulator and a REST API that lets users trigger analyses automatically.
• It is hosted locally, so sensitive data never leaves your environment for the cloud.
4. How MobSF works?
• In static analysis the application is tested from the inside out: the source code or binary is analysed without executing the application, so no runtime environment is needed.
• It can be run on code during development, catching vulnerabilities early.
• Static analysis security testing tools should be run on the application regularly, for example on daily or monthly builds, on every check-in, or at each code release.
6. Requirements for MobSF
• Python 3.6+ (Python 3.6 download)
• Oracle JDK 1.7 or above (Java JDK download)
• macOS users must install the Xcode command-line tools (How to install command-line tools on Mac)
• iOS IPA analysis works only on Mac and Linux.
• Windows app static analysis requires a Windows host, or a Windows VM on Mac and Linux (see Windows App Static Analysis in the MobSF documentation).
NOTE:
• On Linux and Mac, install Oracle Java 1.7 or above and make it the default JVM.
• On Linux, make sure 32-bit execution support is enabled.
7. MobSF Installation – Part 1
1. Configuring the static analyzer
Run the following commands:
• git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
• cd Mobile-Security-Framework-MobSF
8. MobSF Installation – Part 2
We need to install the dependencies before we can run it:
• apt-get install python3-venv
• pip3 install -r requirements.txt
9. MobSF Installation – Part 3
• Once done, run the setup script (./setup.sh on Linux and Mac, setup.bat on Windows) to install MobSF and all of its components automatically, then start it with ./run.sh (run.bat on Windows). The REST API key is printed on startup and is also shown on the /api_docs page.
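As an added example (not code from the slides or from the MobSF project), the following Python script shows how the REST API mentioned on the intro slide can drive a locally hosted MobSF from a CI job: upload the APK, start the static scan, fetch the JSON report and fail the build when high-severity findings are present. It uses MobSF's documented /api/v1/upload, /api/v1/scan and /api/v1/report_json endpoints with the API key in the Authorization header; the MOBSF_URL and MOBSF_API_KEY environment variables, the severity threshold and the recursive walk over the report (its JSON layout differs between MobSF releases) are this example's own choices.

```python
"""Drive a locally hosted MobSF instance from a CI job through its REST API.

Added example, not code from the slide deck or from the MobSF project.  It
uploads an APK, triggers the static scan, pulls the JSON report and fails the
build when the report contains high-severity findings.  The endpoints and the
Authorization header follow MobSF's documented REST API; MOBSF_URL and
MOBSF_API_KEY are assumed to be set in the CI environment, and the report is
walked generically because its layout differs between MobSF releases.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid
from typing import Dict, Tuple


def build_multipart(field: str, filename: str, payload: bytes) -> Tuple[bytes, str]:
    """Body and Content-Type for a single-file multipart/form-data POST."""
    boundary = uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + payload + tail, f"multipart/form-data; boundary={boundary}"


def form(fields: Dict[str, str]) -> Tuple[bytes, str]:
    """Body and Content-Type for an ordinary form POST."""
    return urllib.parse.urlencode(fields).encode(), "application/x-www-form-urlencoded"


def api_post(base_url: str, api_key: str, path: str, data: bytes, content_type: str) -> dict:
    """POST to MobSF; the API key travels in the Authorization header, as MobSF expects."""
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method="POST")
    req.add_header("Authorization", api_key)
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=900) as resp:
        return json.loads(resp.read().decode())


def scan_apk(base_url: str, api_key: str, apk_path: str) -> dict:
    """upload -> scan -> report_json; returns the parsed JSON report."""
    with open(apk_path, "rb") as fh:
        body, ctype = build_multipart("file", os.path.basename(apk_path), fh.read())
    up = api_post(base_url, api_key, "/api/v1/upload", body, ctype)
    # Older releases want scan_type and file_name alongside hash; newer ones ignore the extras.
    api_post(base_url, api_key, "/api/v1/scan",
             *form({"hash": up["hash"], "scan_type": up["scan_type"], "file_name": up["file_name"]}))
    return api_post(base_url, api_key, "/api/v1/report_json", *form({"hash": up["hash"]}))


def count_by_severity(report: dict) -> Dict[str, int]:
    """Tally every finding that carries a 'severity' key, wherever it is nested.

    Manifest findings and code-analysis findings (under 'metadata') sit at
    different depths depending on the MobSF version, so walk the whole tree.
    """
    counts: Dict[str, int] = {}

    def walk(node) -> None:
        if isinstance(node, dict):
            sev = node.get("severity")
            if isinstance(sev, str):
                counts[sev] = counts.get(sev, 0) + 1
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(report)
    return counts


def gate(report: dict, max_high: int = 0) -> bool:
    """True when the build may proceed: no more than max_high 'high' findings."""
    return count_by_severity(report).get("high", 0) <= max_high


if __name__ == "__main__":
    url = os.environ.get("MOBSF_URL", "http://127.0.0.1:8000")
    key = os.environ["MOBSF_API_KEY"]  # printed by run.sh at startup, also shown at /api_docs
    report = scan_apk(url, key, sys.argv[1])
    print(json.dumps(count_by_severity(report), indent=2))
    sys.exit(0 if gate(report) else 1)
```

Run it from the pipeline as python mobsf_gate.py app.apk; a non-zero exit code is what fails the CI stage, and raising max_high in gate() lets a team phase the rule in gradually.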
11. Decoding the MobSF components
1) Information
• Displays data such as the app icon, app name, size and package name. The MD5 and SHA1 hashes are also shown; they can be used to look up known malicious applications.
12. 2) Scan options
• Rescan the application
• Start the dynamic analysis
• Browse the source: smali files, decompiled Java code and the manifest file
13. 3) Signer Certificate Analysis
• The certificate column shows the signer certificate, with important details about the developer, country and state, the signature algorithm, the key size and so on.
14. 4) Application Permissions
• Permissions are categorised as dangerous or normal.
• From a security analyst's point of view it is important to understand which permissions can lead to further damage.
• For example, an application that has access to external storage and stores critical information there could be dangerous: on older Android versions files on external storage are globally readable and writable, and even under scoped storage (Android 10+) they sit outside the app sandbox.
15. 5) Browsable Activities
• Lists all activities that implement a deep-link scheme (an intent filter carrying the BROWSABLE category).
• For an explanation of deep links, their implementation and their exploitation, see https://www.hackingarticles.in/android-pentest-deep-link-exploitation/
16. 6) Network Security Analysis
• The network security section reports issues in the application's network security configuration; these can enable critical attacks such as man-in-the-middle (MITM).
• For example, it can show that the application does not implement certificate (SSL) pinning.
17. 7) Manifest Analysis
• The Android manifest reveals many things: which activities are exported, whether the app is debuggable, which data schemes it handles, and so on.
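The checks behind the Browsable Activities and Manifest Analysis sections can also be done by hand on the AndroidManifest.xml that apktool decodes. The script below is an added example, not the deck's or MobSF's code: it flags debuggable and allowBackup, lists exported components using Android's rule (an explicit android:exported wins; otherwise a component with an intent filter is exported) and collects the URL schemes of BROWSABLE activities. The manifest embedded in it is constructed for the demonstration, and its package and component names are made up.

```python
"""Manual counterpart of MobSF's Browsable Activities and Manifest Analysis sections.

Added example, not code from the slide deck or from MobSF.  It parses a decoded
AndroidManifest.xml (as produced by `apktool d`) and reports what the slides say
to look for: the debuggable and allowBackup flags, exported components and the
deep-link schemes of BROWSABLE activities.  SAMPLE_MANIFEST is constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample: a debuggable, backup-enabled app with an exported provider,
# an implicitly exported receiver and a deep-link activity.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pivaa">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="pivaa" android:host="open"/>
        <data android:scheme="https" android:host="pivaa.example"/>
      </intent-filter>
    </activity>
    <receiver android:name=".NotifyReceiver">
      <intent-filter><action android:name="com.example.NOTIFY"/></intent-filter>
    </receiver>
    <provider android:name=".UserProvider"
              android:authorities="com.example.pivaa.users"
              android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""


def attr(elem: ET.Element, name: str, default: str = "") -> str:
    """Read an android:-namespaced attribute."""
    return elem.get(ANDROID_NS + name, default)


def is_exported(comp: ET.Element) -> bool:
    """Android's rule: explicit android:exported wins; otherwise a component with an
    intent filter is exported by default.  Android 12+ rejects the implicit case at
    install time, but apps targeting older API levels still ship it."""
    explicit = attr(comp, "exported")
    if explicit:
        return explicit.lower() == "true"
    return comp.find("intent-filter") is not None


def analyze_manifest(xml_text: str) -> Dict[str, object]:
    """Summarise the security-relevant parts of a decoded manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    exported: List[str] = []
    browsable: Dict[str, List[str]] = {}
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name = attr(comp, "name")
        if is_exported(comp):
            exported.append(f"{comp.tag}:{name}")
        for intf in comp.findall("intent-filter"):
            cats = {attr(c, "name") for c in intf.findall("category")}
            if "android.intent.category.BROWSABLE" in cats:
                schemes = [attr(d, "scheme") for d in intf.findall("data") if attr(d, "scheme")]
                browsable.setdefault(name, []).extend(schemes)
    return {
        "package": root.get("package", ""),
        "debuggable": attr(app, "debuggable").lower() == "true",
        "allowBackup": attr(app, "allowBackup", "true").lower() == "true",  # defaults to true
        "exported": exported,
        "browsable": browsable,
    }


if __name__ == "__main__":
    import json
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print(json.dumps(analyze_manifest(text), indent=2))
```

Point it at the AndroidManifest.xml inside an apktool output directory to get the same exported/browsable lists MobSF shows; every entry under "exported" is an attack surface reachable by any other app on the device and is where Drozer testing starts.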
18. 8) Code Analysis
• MobSF analyses the application's behaviour against industry security standards such as the OWASP MSTG and maps each finding to the OWASP Mobile Top 10.
• Each finding also carries a CWE reference and a CVSS score, which helps with triage and makes report writing much easier.
19. 9) Malware Analysis
• MobSF also includes a section with an APKiD analysis.
• APKiD is an open-source tool that identifies packers, compilers, obfuscators and similar tooling in Android files; it is the APK analogue of PEiD for PE files.
20. 9) Malware Analysis (Contd.)
• Related to malware analysis is the domain malware check. MobSF extracts all URLs and IP addresses hard-coded or used in the application, shows their malware status, and uses IP2Location to give their geolocation.
21. 10) Strings
• Strings are ASCII and Unicode printable character sequences embedded in a file. Extracting them gives clues about program functionality and about indicators associated with a suspect binary.
• Third-party IP addresses the APK communicates with often show up here, and sometimes hard-coded credentials too.
22. 11) Emails
• MobSF also lists hard-coded e-mail addresses found in the decompiled source. A pentester will often find e-mail IDs that are used as a credential on a third-party site, for example to access a database.
23. 12) URLs
• Like e-mails, URLs are often hard-coded too, and some of them are juicy. Analysts also regularly find malicious URLs being accessed, or even a C&C server.
24. 13) Hardcoded secrets
• Developers often store critical keys such as AWS access key IDs and secrets in strings.xml and reference them from Java activities. This offers no protection, because strings.xml is trivially decoded from the APK.
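Putting the Strings, Emails, URLs and Hardcoded secrets sections together, the following added example (not from the slides or from MobSF) extracts the same indicators from decoded resources and decompiled source: regexes for URLs, e-mail addresses, IPv4 addresses and AWS access key IDs, plus a Shannon-entropy check over strings.xml values to surface random-looking secrets that have no fixed format. The strings.xml is constructed; the AWS values are the documented AKIAIOSFODNN7EXAMPLE placeholder pair, not live credentials, and the 16-character / 4.0-bit thresholds are this example's own tuning.

```python
"""Extract the indicators MobSF lists under Strings, Emails, URLs and Hardcoded
secrets from apktool/jadx output.

Added example, not the deck's or MobSF's code.  Regexes cover URLs, e-mail
addresses, IPv4 addresses and AWS access key IDs (AKIA + 16 upper-case
alphanumerics); a Shannon-entropy check over res/values/strings.xml values
catches format-less secrets.  SAMPLE_STRINGS_XML is constructed and the AWS
pair in it is the public documentation placeholder, not a real credential.
"""
import math
import os
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

PATTERNS = {
    "url": re.compile(r"https?://[\w.\-]+(?:/[\w./?=&%\-]*)?"),
    "email": re.compile(r"[\w.+\-]+@[\w\-]+\.[\w.\-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">PIVAA</string>
    <string name="api_base">https://api.pivaa.example/v1/</string>
    <string name="support">support@pivaa.example</string>
    <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="aws_secret">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>
    <string name="legacy_host">10.0.2.2</string>
</resources>
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: English prose is around 4, random base64 above 5."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_indicators(text: str) -> Dict[str, List[str]]:
    """Deduplicated regex hits per indicator kind, only for kinds that matched."""
    return {kind: sorted(set(rx.findall(text))) for kind, rx in PATTERNS.items() if rx.search(text)}


def suspicious_strings(strings_xml: str, min_len: int = 16, min_entropy: float = 4.0) -> List[str]:
    """Names of <string> resources whose value looks like a secret: long enough,
    no spaces (prose has spaces, tokens do not) and high entropy.  Short structured
    IDs such as an AWS access key ID fall below the threshold; the regex covers those."""
    hits = []
    for node in ET.fromstring(strings_xml).iter("string"):
        value = (node.text or "").strip()
        if len(value) >= min_len and " " not in value and shannon_entropy(value) >= min_entropy:
            hits.append(node.get("name", ""))
    return hits


def scan_tree(root_dir: str) -> Dict[str, Dict[str, List[str]]]:
    """Run find_indicators over every text-like file below an apktool or jadx output directory."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            if not fn.endswith((".xml", ".java", ".smali", ".kt", ".json", ".properties", ".txt")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    found = find_indicators(fh.read())
            except OSError:
                continue
            if found:
                report[path] = found
    return report


if __name__ == "__main__":
    import json
    import sys
    if len(sys.argv) > 1:
        print(json.dumps(scan_tree(sys.argv[1]), indent=2))
    else:
        print(json.dumps(find_indicators(SAMPLE_STRINGS_XML), indent=2))
        print("entropy hits:", suspicious_strings(SAMPLE_STRINGS_XML))
```

The two checks complement each other: the access key ID has only about 3.7 bits of entropy per character, so it passes the entropy filter and is caught by its AKIA pattern instead, while the 40-character secret has no recognisable format and is caught by entropy alone. Running scan_tree over a jadx output directory lists, per file, the same URLs, e-mails and IPs that the MobSF tabs show.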
27. Downloading MobSF reports
• Once the analysis is done, the report can be downloaded by opening the menu slider on the left-hand side and clicking "generate report".
28. Dependency for report download
• If you see errors while generating reports, install wkhtmltopdf, which MobSF uses to render the PDF:
• apt-get install wkhtmltopdf
29. Pre-requirements
• The application we are going to use for reverse engineering and manual static analysis is PIVAA (Purposefully Insecure and Vulnerable Android Application).
Tools Used:
• ADB (Android Debug bridge)
• Drozer
• Genymotion
• Kali linux VM or other VMs
• Logcat
• APKTool & Jadx
• Hashcat
• Keytool & jarsigner
• dex2jar
31. ADB (Android Debug Bridge)
• Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with a device.
• The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.
• adb is included in the Android SDK Platform-Tools package; on Debian-based systems it can also be installed with:
sudo apt-get install android-tools-adb
adb can be connected:
• Via USB cable: enable USB debugging in the device's Developer options
• Via Wi-Fi: enable wireless debugging (Android 11+), or on older devices switch a USB-connected device to TCP mode with adb tcpip 5555 and then adb connect <device-ip>:5555
36. Convert Dex files to Java files
If you want to decompile the Java classes, do the following:
# Convert the Dex file into standard class files (in current dex2jar releases the script is named d2j-dex2jar)
• dex2jar application/classes.dex
# Now use JD-GUI (Java Decompiler) to inspect the source
• jd-gui classes-dex2jar.jar
• JD-GUI is read-only: use the decompiled Java to understand the code, and make any changes in the smali or AndroidManifest.xml of the apktool output, since that is what apktool rebuilds.
37. Rebuilding the APK file
# To recompile (build) the apk (-f overwrites a previous build, -d builds in debug mode)
• apktool b -f -d application
Or
• apktool b application
• After recompiling, the new APK is generated in the dist folder: application/dist/application.apk
38. Creating keys & signing the APK file
• The APK must be signed before it will install on a device.
• Before signing, create a key if you do not already have one. When prompted for a password, choose your own.
# To generate a key
• keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
Now sign the APK with the key:
# Sign the apk
• jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name
# Verify the apk
• jarsigner -verify -verbose -certs my_application.apk
• Caveat: jarsigner produces only a v1 (JAR) signature, and SHA1withRSA is a weak choice acceptable only for a throwaway test key. Apps targeting Android 11 (API level 30) and higher must carry a v2 or newer signature, so for those use apksigner from the Android build-tools instead: zipalign -p 4 my_application.apk aligned.apk, then apksigner sign --ks my-release-key.keystore aligned.apk, and check it with apksigner verify --verbose aligned.apk.
40. The following code-level vulnerabilities will be covered in the upcoming slides
• Cleartext SQLite database
• User-supplied input in SQL queries
• Exported Content Providers with Insufficient Protection
• Enabled Application Backup
• Information Disclosure through Logging
• Storing Sensitive Data in External Storage
• Weak Hashing Algorithms
• Predictable Random Number Generators (PRNG)
• Weak Encryption Implementation (AES-ECB)
• Weak Initialization Vectors (IV) (AES-CBC)
• Hard-coded Data
• Enabled Debug Mode
• Exported Broadcast Receivers
• Exported Services
41. 1) Cleartext SQLite database
• The PIVAA application stores data in an unencrypted SQLite database.
• Vulnerability: a malicious user, or an application with root privileges, can read this file and view potentially sensitive contents.
• Performing static analysis on the PIVAA Java source recovered by MobSF, we find a file called "DatabaseHelper.java", which shows that the application uses an SQLite database called "pivaaDB".
42. Recommendations
• Use the SQLCipher library to encrypt the SQLite database with a key.
• Ensure the key used to encrypt the database is not hard coded or stored insecurely on the filesystem (e.g. in shared preferences).
• One way to obtain the key only when it is needed is to derive it from a password or PIN the user enters when the application is opened; another is to keep the key in the Android Keystore so it is never written to the app's files.
43. 2) User-supplied input in SQL queries
• The PIVAA application places user-supplied input directly into SQL queries.
• Vulnerability: concatenating user input into SQL queries can lead to a local SQL injection vulnerability in the mobile application, letting a user read or modify rows they should not see (for example by bypassing a login check).
• You can interact with the "pivaaDB" database mentioned earlier by using the application and inputting SQL queries.
44. User-supplied input in SQL queries (contd.)
• The query is built by string concatenation and executed through the raw query method of the SQLiteDatabase class, and no sanitisation or parameter binding is performed.
45. Recommendations:
• Use SQL prepared statements: the query text is fixed (pre-compiled) and placeholders stand in for the user input, which is bound separately before the query runs. This treats user input as data, never as SQL syntax, e.g.:
# SQL prepared statement example
• db.rawQuery("select * from " + DATABASE_TABLE + " where username=? and password=?", new String[] {loginUsername, loginpass})
• Only values can be bound this way. DATABASE_TABLE above is acceptable because it is a constant the app controls and never user input; table and column names cannot be parameters.
• Validate input where possible and appropriate, e.g. if you are expecting an integer as input, then accept only integers.
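To see the difference between the two query styles end to end, here is an added example in Python on an in-memory SQLite table; it is not PIVAA's code, and the schema, users and passwords are constructed. The vulnerable function mirrors a rawQuery built by string concatenation and is driven with three classic payloads (comment-out, tautology, UNION dump); the parameterized version receives the same payloads and treats them as plain strings.

```python
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for pivaaDB: an in-memory users table. Passwords are
    stored in clear only to mirror the vulnerable app's login check."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "s3cret", "user"), ("admin", "hunter2", "admin")])
    return db


def login_vulnerable(db, username: str, password: str):
    """Same shape as a rawQuery built by concatenation: whatever the user
    types becomes part of the SQL grammar, not just a value."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()


def login_parameterized(db, username: str, password: str):
    """The fix: the statement text is fixed and the inputs are bound as values
    (rawQuery(sql, selectionArgs) on Android; sqlite3's ? placeholders here)."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    db = make_sample_db()
    comment_out = "admin' --"        # closes the quote, comments out the password check
    tautology = "' OR '1'='1"        # makes the WHERE clause true for every row
    union_dump = "x' UNION ALL SELECT username, password FROM users --"  # pulls other columns
    return {
        "legit": login_vulnerable(db, "alice", "s3cret"),
        "comment_bypass": login_vulnerable(db, comment_out, "anything"),
        "tautology_bypass": login_vulnerable(db, "nobody", tautology),
        "union_leak": login_vulnerable(db, union_dump, "anything"),
        "param_legit": login_parameterized(db, "alice", "s3cret"),
        "param_comment": login_parameterized(db, comment_out, "anything"),
        "param_tautology": login_parameterized(db, "nobody", tautology),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:18} -> {row}")
```

The UNION payload is the one to remember when the injectable query feeds a list on screen: the attacker chooses which columns come back, so a "search" field becomes a dump of the password column.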
46. 3) Exported content providers with insufficient protection
• The PIVAA application has implemented an exported content provider with insufficient protections.
• Content providers are used to share app data with other applications; the data is normally stored inside a database or file.
• Vulnerability: insufficient protection of an exported content provider lets any app query (and often update) the data, leading to issues such as information disclosure, and, when the query is built from the caller's selection, SQL injection through the provider.
• Looking at the AndroidManifest.xml file for the PIVAA application, we can see the content provider that has been exported.
47. Recommendations:
• Do not export the provider at all if only your own app uses it (android:exported="false").
• Otherwise implement basic access control with the "android:permission" attribute in the AndroidManifest.xml file. N.B. this is a single permission that gates both reading and writing.
• Apply the principle of least privilege with separate "android:readPermission" and "android:writePermission" attributes in the AndroidManifest.xml file to specify which apps can read and which can write to the content provider.
• Following the same principle, the "<path-permission>" element can be used in the AndroidManifest.xml file to control access to subsets of the data by URI path.
48. 4) Enabled application backup
• The PIVAA application has the "android:allowBackup" attribute set to true in the AndroidManifest.xml file.
• Vulnerability: anyone with USB debugging access to an unlocked device can pull the application's private data (databases, shared preferences) through a backup, which may disclose sensitive information.
• I can use the ADB "backup" command to create a backup of the "com.htbridge.pivaa" package. Depending on the Android OS version you have, you may be prompted for a password that will be needed later to unpack the backup file.
49. Recommendations:
• Set the "android:allowBackup" attribute to false to disable backups.
• If the "allowBackup" attribute is not set in the manifest, the default is true, so a backup of the app's data can be made.
• Note that from Android 12 (API 31), adb backup no longer includes app data for apps targeting API 31 or higher, so the exposure is on older devices and on apps with a lower target SDK; the attribute should still be set explicitly.
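An unencrypted adb backup is a four-line text header followed by a zlib-compressed tar, so unpacking it needs no special tool. The following Python is an added example (not from the slides) that parses the header, refuses encrypted backups, and lists the files inside. Because a real backup cannot be shipped with the page, it constructs its own sample .ab in the real framing, with the tar layout adb uses (apps/<package>/_manifest, db/, sp/) under a made-up package name.

```python
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"


def parse_ab_header(blob: bytes):
    """The .ab file starts with four newline-terminated text lines: magic,
    format version, compressed flag (0/1) and encryption ("none" or "AES-256").
    Returns the parsed fields and the offset where the payload begins."""
    fields, offset = [], 0
    for _ in range(4):
        nl = blob.index(b"\n", offset)
        fields.append(blob[offset:nl].decode("ascii"))
        offset = nl + 1
    magic, version, compressed, encryption = fields
    if magic.encode() != AB_MAGIC:
        raise ValueError("not an adb backup file")
    return {"version": int(version), "compressed": compressed == "1",
            "encryption": encryption}, offset


def ab_to_tar(blob: bytes) -> bytes:
    """Strip the header and inflate the payload; the result is a plain tar."""
    header, offset = parse_ab_header(blob)
    if header["encryption"] != "none":
        # Encrypted backups carry extra header lines (salts, rounds, IV, wrapped
        # master key) and need the user's password; out of scope for this example.
        raise ValueError("backup is encrypted with %s; a password is required"
                         % header["encryption"])
    payload = blob[offset:]
    return zlib.decompress(payload) if header["compressed"] else payload


def list_backup_files(blob: bytes) -> dict:
    """Map every regular file in the backup to its contents."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(blob)), mode="r") as tar:
        return {m.name: tar.extractfile(m).read()
                for m in tar.getmembers() if m.isfile()}


def make_sample_ab(files: dict, compressed: bool = True) -> bytes:
    """Constructed sample, not a real device backup: the real .ab framing around
    a tar laid out the way adb backup does it (apps/<package>/<domain>/...)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    body = buf.getvalue()
    header = b"ANDROID BACKUP\n5\n%d\nnone\n" % (1 if compressed else 0)
    return header + (zlib.compress(body) if compressed else body)


def demo() -> dict:
    sample = make_sample_ab({
        "apps/com.example.app/_manifest": b"com.example.app\n1\n",
        "apps/com.example.app/db/app.db": b"SQLite format 3\x00" + b"\x00" * 48,
        "apps/com.example.app/sp/session.xml":
            b'<map><string name="auth_token">constructed-token-value</string></map>',
    })
    return list_backup_files(sample)


if __name__ == "__main__":
    for name, data in demo().items():
        print(f"{name}: {len(data)} bytes")
```

The 24-byte header length that many one-liners skip with `dd` is exactly the unencrypted header above ("ANDROID BACKUP", version, "1", "none"); an encrypted backup has a longer header, which is why those one-liners fail on it.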
50. 5) Information disclosure through logging
• The PIVAA application writes log messages when performing many of its tasks, including ones that handle sensitive values.
• Vulnerability: logged sensitive data is readable by anyone with adb access (and, before Android 4.1, by any app holding READ_LOGS), so it may expose the data to attackers or malicious applications and violates user confidentiality.
Recommendations:
• Do not log credentials, tokens, personal data or key material at all; a logged secret is not fixed by obfuscation.
• Strip remaining debug logging from release builds with the shrinker built into Android Studio (R8, which honours ProGuard rules): an "-assumenosideeffects" rule for android.util.Log removes the Log.d/Log.v calls from the release APK.
• ProGuard/R8 is a class-file shrinker, optimizer and obfuscator: it detects and removes unused classes, fields, methods and attributes, and with the rule above also deletes the logging calls.
51. 6) Storing sensitive data in external storage
• The PIVAA application stores sensitive data on the external storage (SD card).
• Vulnerability: files saved to shared external storage are readable by other applications holding the storage permission (world-readable on older Android versions) and can be modified or replaced.
Recommendations:
• Do not store sensitive data in external storage.
• Store sensitive data and files in internal storage. Files saved to internal storage are private to your application by default; other applications cannot read them without root, and when users uninstall your application these files are removed. Encrypt anything sensitive even there, since a rooted device or a backup exposes internal storage too.
52. 7) Weak hashing algorithms
• The PIVAA application provides a feature that allows users to hash any string they enter using the MD5 hashing algorithm.
• Vulnerability: MD5 is broken for collision resistance and is fast enough that unsalted password hashes can be brute-forced or looked up at billions of guesses per second; it should not be used where reliable hashing is required.
Recommendations:
• For integrity checks and signatures use SHA-256 or SHA-3; for passwords use a deliberately slow, salted password hash such as bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count.
• Salt every password hash with a unique random value stored next to the hash, so that equal passwords do not produce equal hashes and precomputed tables are useless.
53. 8) Predictable random number generator (PRNG)
• The PIVAA application uses the Random Java class to generate pseudorandom numbers:
• java.util.Random
• Vulnerability: java.util.Random is a 48-bit linear congruential generator. Its output passes statistical tests but is not unpredictable: two consecutive outputs are enough to recover its internal state and predict every later value, so it must not be used for tokens, IVs, keys or session identifiers.
54. Recommendations:
• Use a cryptographically strong random number generator (RNG) like "java.security.SecureRandom" in place of this PRNG whenever the value must be unguessable.
• Use each generated random value only once (never reuse a nonce, IV or token).
• Do not expose the generated random value beyond the party that needs it.
• If you have to store it, make sure the database or file is protected.
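To make the predictability concrete, the following added example (Python; not PIVAA or JDK code) re-implements java.util.Random's generator bit-exactly and recovers its state from two observed nextInt() values by brute-forcing the 16 state bits that nextInt() does not expose. The scenario of an app handing out "tokens" from a clock-seeded Random is constructed; the cross-check against the JDK is the well-known first value of new Random(42).nextInt().

```python
MULT = 0x5DEECE66D
ADD = 0xB
MASK = (1 << 48) - 1


class JavaRandom:
    """Re-implementation of java.util.Random's 48-bit linear congruential
    generator, bit-exact with the JDK (written for this example, not JDK code)."""

    def __init__(self, seed: int):
        # the constructor scrambles the seed exactly as java.util.Random does
        self.state = (seed ^ MULT) & MASK

    @classmethod
    def from_state(cls, state: int) -> "JavaRandom":
        obj = cls.__new__(cls)
        obj.state = state & MASK
        return obj

    def next_bits(self, bits: int) -> int:
        self.state = (self.state * MULT + ADD) & MASK
        return self.state >> (48 - bits)

    def next_int(self) -> int:
        """nextInt(): the top 32 bits of the new state, as a signed Java int."""
        v = self.next_bits(32)
        return v - (1 << 32) if v & (1 << 31) else v


def to_u32(x: int) -> int:
    return x & 0xFFFFFFFF


def recover_state(out1: int, out2: int):
    """nextInt() exposes 32 of the 48 state bits. Enumerate the 2**16 hidden
    low bits of the state after the first call and keep the candidate that
    produces the second output; returns the state after the second call."""
    hi = to_u32(out1) << 16
    for low in range(1 << 16):
        s1 = hi | low
        s2 = (s1 * MULT + ADD) & MASK
        if s2 >> 16 == to_u32(out2):
            return s2
    return None


def predict_next(out1: int, out2: int, count: int = 1):
    """Predict the next `count` nextInt() values from two observed ones."""
    state = recover_state(out1, out2)
    if state is None:
        return None
    rng = JavaRandom.from_state(state)
    return [rng.next_int() for _ in range(count)]


def demo() -> dict:
    # Constructed scenario: the app seeds Random with the clock and hands out
    # two "tokens"; an attacker who saw them predicts the next three.
    victim = JavaRandom(1_700_000_000_000)
    seen = [victim.next_int(), victim.next_int()]
    actual = [victim.next_int() for _ in range(3)]
    return {"seen": seen, "predicted": predict_next(*seen, count=3), "actual": actual}


if __name__ == "__main__":
    print(demo())
```

The brute force is 65,536 multiplications, well under a second; that is the whole security margin of a java.util.Random token. SecureRandom has no such recoverable state.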
55. 9) Weak encryption implementation
• The PIVAA application implements AES encryption in Electronic Code Book (ECB) mode.
• Vulnerability: "AES/ECB/PKCS5Padding" is deterministic: each 16-byte plaintext block is encrypted independently, so identical plaintext blocks produce identical ciphertext blocks, the structure of the data leaks, and an attacker can cut and paste blocks between messages.
Recommendations:
• Do not use ECB mode. Prefer an authenticated mode such as "AES/GCM/NoPadding" with a fresh random 12-byte nonce per message. If only a mode change is possible, CFB (or CBC) with a random IV is the minimum, keeping in mind that neither provides integrity protection:
• Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");
• Be aware that the transformation below defaults to ECB mode in the standard providers, even though no mode is spelled out:
• Cipher cipher = Cipher.getInstance("AES");
56. 10) Usage of weak initialization vector
• The PIVAA application implements AES encryption with Cipher Block Chaining (CBC) mode but uses a predictable initialization vector (IV).
• Vulnerability: with a fixed or predictable IV, CBC becomes deterministic for the first block: equal plaintext prefixes give equal ciphertext prefixes, and an attacker who can submit chosen plaintexts can test guesses about other messages (chosen-plaintext attack).
57. Recommendations:
• The initialization vector must be unpredictable to the attacker and unique for every message encrypted under a key.
• Generate a fresh random IV for each encryption and store or send it alongside the ciphertext (it does not need to be secret).
• Never hard-code the IV.
• Create the IV with java.security.SecureRandom, never with java.util.Random.
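The two mode problems above (ECB leaking repeated blocks; CBC with a fixed IV being deterministic) are easiest to see by running them side by side with a random-IV construction. This added Python example is not PIVAA's code and, to stay within the standard library, substitutes a clearly labelled toy 16-byte block cipher for AES: the ECB/CBC chaining, PKCS#7 padding and IV handling are exactly what the real AES code paths do, only the block primitive is a stand-in. The key, IV and message are constructed.

```python
import hashlib
import os
from collections import Counter

BLOCK = 16


def toy_block_cipher(key: bytes):
    """STAND-IN for AES so the example runs on the standard library alone: a
    key-derived byte permutation plus XOR pad on 16-byte blocks. Not secure and
    not what the app uses; it only supplies the block primitive the modes need."""
    pad = hashlib.sha256(b"pad" + key).digest()[:BLOCK]
    order = sorted(range(BLOCK),
                   key=lambda i: hashlib.sha256(b"perm" + key + bytes([i])).digest())
    inverse = [0] * BLOCK
    for dst, src in enumerate(order):
        inverse[src] = dst

    def encrypt_block(b: bytes) -> bytes:
        x = bytes(p ^ q for p, q in zip(b, pad))
        return bytes(x[order[i]] for i in range(BLOCK))

    def decrypt_block(c: bytes) -> bytes:
        x = bytes(c[inverse[i]] for i in range(BLOCK))
        return bytes(p ^ q for p, q in zip(x, pad))

    return encrypt_block, decrypt_block


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def split_blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Each block encrypted on its own: equal plaintext blocks, equal ciphertext."""
    enc, _ = toy_block_cipher(key)
    return b"".join(enc(b) for b in split_blocks(pkcs7_pad(plaintext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    enc, _ = toy_block_cipher(key)
    prev, out = iv, []
    for b in split_blocks(pkcs7_pad(plaintext)):
        prev = enc(xor(b, prev))   # chained to the previous ciphertext block (or the IV)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    _, dec = toy_block_cipher(key)
    prev, out = iv, []
    for c in split_blocks(ciphertext):
        out.append(xor(dec(c), prev))
        prev = c
    return pkcs7_unpad(b"".join(out))


def encrypt_with_random_iv(key: bytes, plaintext: bytes) -> bytes:
    """The fix: a fresh IV per message (SecureRandom on Android, os.urandom
    here), prepended to the ciphertext since it must travel with it."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, plaintext)


def decrypt_with_random_iv(key: bytes, blob: bytes) -> bytes:
    return cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:])


def max_block_repeats(ciphertext: bytes) -> int:
    """How often the most common ciphertext block occurs (1 means no visible repeat)."""
    return max(Counter(split_blocks(ciphertext)).values())


def demo() -> dict:
    key = b"constructed key!"        # 16 bytes, constructed
    fixed_iv = b"\x00" * BLOCK         # what a hard-coded IV usually looks like
    msg = b"ATTACK AT DAWN!!" * 3 + b"-- sent twice"
    ecb = ecb_encrypt(key, msg)
    cbc_fixed = cbc_encrypt(key, fixed_iv, msg)
    rnd1, rnd2 = encrypt_with_random_iv(key, msg), encrypt_with_random_iv(key, msg)
    return {
        "ecb_max_repeats": max_block_repeats(ecb),
        "cbc_fixed_iv_max_repeats": max_block_repeats(cbc_fixed),
        "cbc_fixed_iv_deterministic": cbc_encrypt(key, fixed_iv, msg) == cbc_fixed,
        "cbc_fixed_iv_shared_prefix": cbc_encrypt(key, fixed_iv, b"ATTACK AT DAWN!!other")[:BLOCK] == cbc_fixed[:BLOCK],
        "cbc_random_iv_deterministic": rnd1 == rnd2,
        "cbc_random_iv_roundtrip": decrypt_with_random_iv(key, rnd1) == msg == decrypt_with_random_iv(key, rnd2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:30} {value}")
```

The "shared prefix" result is the chosen-plaintext problem in miniature: with a fixed IV, an attacker who can get the app to encrypt a guess learns whether another message starts the same way. Even with a random IV, CBC and CFB remain malleable, which is why an AEAD mode such as GCM is the recommended replacement.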
58. 11) Hard-coded data
• The PIVAA application contains sensitive hard-coded data (credentials, keys and similar values embedded in the code).
• Vulnerability: sensitive data hard-coded into an application's code can be retrieved by anyone who decompiles the APK (string constants in classes.dex and resources are stored in the clear) and used to perform other attacks.
59. Recommendations:
• Treat anything shipped inside the APK as public. Secrets that must stay secret (backend credentials, signing material) belong on a server the app authenticates to, not in the app.
• Data that has to live on the device goes into the app's private internal storage, encrypted, with the key held separately from the data.
• Use the Android Keystore to generate and store cryptographic keys so that the key material itself never leaves the keystore.
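Both the logging finding (5) and the hard-coded data finding (11) come down to the same search: sensitive-looking strings in text the attacker can read, whether that is adb logcat output or decompiled source. The following Python scanner is an added example (not from the slides, not PIVAA's code) that parses logcat's threadtime format and flags messages carrying credential assignments, JWTs, AWS access keys or private keys, and scans source lines for the same formats plus long high-entropy string literals. The log lines and source lines are constructed; the AWS access key is the documented example value from AWS, not a real key.

```python
import math
import re
from collections import Counter

# Signatures worth flagging in either log output or decompiled source
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b(pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]?([^\s'\"]{4,})"),
}
# `adb logcat -v threadtime`: date time pid tid level tag: message
LOGCAT_LINE = re.compile(
    r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(.*?):\s(.*)$")
JAVA_STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
ENTROPY_MIN_LEN, ENTROPY_THRESHOLD = 32, 4.0


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score high, words score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def match_patterns(text: str):
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            yield kind, m.group(0)


def scan_logcat(lines):
    """Flag messages that carry secrets; keeps the tag so the call site is easy to find."""
    findings = []
    for line in lines:
        m = LOGCAT_LINE.match(line)
        if not m:
            continue
        _, _pid, _tid, level, tag, message = m.groups()
        for kind, hit in match_patterns(message):
            findings.append({"tag": tag, "level": level, "kind": kind, "match": hit})
    return findings


def scan_source(lines):
    """Flag known formats anywhere on the line, plus string literals that look
    like random key material (long and high-entropy)."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, hit in match_patterns(line):
            findings.append({"line": n, "kind": kind, "match": hit})
        for lit in JAVA_STRING_LITERAL.findall(line):
            if len(lit) >= ENTROPY_MIN_LEN and shannon_entropy(lit) >= ENTROPY_THRESHOLD:
                findings.append({"line": n, "kind": "high_entropy_literal", "match": lit})
    return findings


# Constructed samples (not captured from PIVAA): three logcat lines, three source lines.
SAMPLE_LOGCAT = [
    "03-14 12:34:56.789  1234  1256 D LoginActivity: login ok user=alice password=hunter2",
    "03-14 12:34:57.001  1234  1256 I Network: GET /api/profile 200",
    "03-14 12:34:57.120  1234  1260 V AuthToken: bearer eyJhbGciOiJIUzI1NiJ9."
    "eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
]
SAMPLE_SOURCE = [
    '    private static final String API_KEY = "AKIAIOSFODNN7EXAMPLE";',
    '    String pwd = "Qw8zL2pX9vB4nM7kR1tY6uH3jC5fD0gE";',
    '    Log.d("Login", "starting login flow");',
]


def demo() -> dict:
    return {"logcat": scan_logcat(SAMPLE_LOGCAT), "source": scan_source(SAMPLE_SOURCE)}


if __name__ == "__main__":
    for section, findings in demo().items():
        for f in findings:
            print(section, f)
```

On a real target, feed `adb logcat -v threadtime` filtered to the app's PID into scan_logcat, and the .java files from JD-GUI (or the smali const-string lines, which the same literal regex catches) into scan_source; the entropy threshold is a starting point to tune against the app's own resource strings.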
60. 12) Enabled debug mode
• The PIVAA application has debug mode enabled.
• Vulnerability: a debuggable build lets anyone with adb access attach a debugger over JDWP and run commands as the app's own user with run-as, which exposes the app's private data and technical internals and facilitates reverse engineering. Debug mode must be disabled in production builds.
61. Recommendations:
• Make sure the "android:debuggable" attribute is false (or absent, which is the default) in the AndroidManifest.xml of release builds. Release builds produced by Android Studio set it to false automatically, so a true value in a shipped APK usually means a debug build was published or the attribute was set by hand.
62. 13) Exported broadcast receivers
• The PIVAA application exports a broadcast receiver without any permission set. Broadcast receivers listen for system-wide events called broadcasts (e.g. network changes, application updates) and run their code when an incoming broadcast matches the receiver's intent filter.
• Vulnerability: any application, including malicious ones, can send an intent to this broadcast receiver and trigger it without any restriction, with attacker-chosen extras.
63. Recommendations:
• If no other application needs to trigger the receiver, do not export it (android:exported="false").
• Control which applications can receive a broadcast sent from your application by passing a permission alongside the intent when sending it: only applications that have requested and been granted that permission receive the broadcast.
• Control which broadcasts your application accepts by setting a permission on the receiver in the AndroidManifest.xml file, which restricts access to those apps that have requested and been granted that permission; a signature-level permission limits it to apps signed with your key.
64. 14) Exported service
• The PIVAA application exports a service that performs audio recording and stops after the file reaches 1MB in size. Services are Android components that run in the background without a user interface; they are used for tasks such as downloading large files or playing music without blocking the user interface.
• Vulnerability: this service is exported without any permission in the AndroidManifest.xml file, which means any application can start it and abuse the feature to record audio using the permissions PIVAA itself holds (a confused-deputy problem).
65. Recommendations:
• Determine whether a service needs to be exported at all.
• A service is generally not exported; if it must be, set a strong (signature-level) permission on it in the AndroidManifest.xml file and validate the intents it receives.
• Keep in mind that declaring an intent filter on a component in the AndroidManifest.xml file makes the component exported by default unless android:exported is set to false; from targetSdk 31 the attribute must be declared explicitly on such components.
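The manifest findings in this section (exported provider, receiver and service without permissions in 3, 13 and 14; allowBackup left enabled in 4; a debuggable build in 12) can all be checked mechanically from the decoded AndroidManifest.xml. The following Python audit is an added example (not PIVAA's manifest and not the slides' code) that applies the export rules described above, including the intent-filter default, and runs on a constructed manifest under a made-up package. Because apktool moves <uses-sdk> into apktool.yml, the target SDK can be passed in explicitly; when it is absent from both, the script assumes 30, an assumption of this example only.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ASSUMED_TARGET_SDK = 30  # assumption for this example when the manifest has no <uses-sdk>


def attr(elem, name, default=None):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def is_exported(comp, target_sdk: int) -> bool:
    """Apply the manifest export rules to one component."""
    explicit = attr(comp, "exported")
    if explicit is not None:
        return explicit == "true"
    if comp.tag == "provider":
        return target_sdk < 17           # providers defaulted to exported before API 17
    return comp.find("intent-filter") is not None   # an intent filter implies exported


def has_permission_guard(comp) -> bool:
    """True if some permission attribute gates the component, or, for providers,
    at least one <path-permission> child does."""
    if any(attr(comp, p) for p in ("permission", "readPermission", "writePermission")):
        return True
    return comp.tag == "provider" and comp.find("path-permission") is not None


def audit_manifest(xml_text: str, target_sdk: int = None):
    """Return (where, finding) pairs for the misconfigurations in this section."""
    root = ET.fromstring(xml_text)
    if target_sdk is None:
        uses_sdk = root.find("uses-sdk")
        target_sdk = (int(attr(uses_sdk, "targetSdkVersion", ASSUMED_TARGET_SDK))
                      if uses_sdk is not None else ASSUMED_TARGET_SDK)
    app = root.find("application")
    findings = []
    if attr(app, "allowBackup", "true") == "true":
        findings.append(("application", "allowBackup is enabled (the default when absent)"))
    if attr(app, "debuggable") == "true":
        findings.append(("application", "debuggable=true in a shipped build"))
    for comp in app:
        if comp.tag not in ("provider", "receiver", "service"):
            continue
        where = "%s %s" % (comp.tag, attr(comp, "name"))
        if not is_exported(comp, target_sdk):
            continue
        if not has_permission_guard(comp):
            findings.append((where, "exported without any permission"))
        elif comp.tag == "provider" and attr(comp, "permission") and not (
                attr(comp, "readPermission") or attr(comp, "writePermission")):
            findings.append((where, "one permission gates both read and write; split them"))
    return findings


# Constructed manifest for a made-up package; not PIVAA's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnapp">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <application android:label="Sample" android:debuggable="true">
    <provider android:name=".DataProvider" android:authorities="com.example.vulnapp.data"
              android:exported="true"/>
    <provider android:name=".SafeProvider" android:authorities="com.example.vulnapp.safe"
              android:exported="true" android:readPermission="com.example.vulnapp.READ"
              android:writePermission="com.example.vulnapp.WRITE"/>
    <receiver android:name=".NotifyReceiver">
      <intent-filter><action android:name="com.example.vulnapp.NOTIFY"/></intent-filter>
    </receiver>
    <service android:name=".RecorderService" android:exported="true"/>
    <service android:name=".InternalService"/>
  </application>
</manifest>"""


def demo():
    return audit_manifest(SAMPLE_MANIFEST)


if __name__ == "__main__":
    for where, finding in demo():
        print(f"{where:32} {finding}")
```

Point it at the AndroidManifest.xml in the apktool output directory (and pass the targetSdkVersion from apktool.yml); activities are left out on purpose because the launcher activity is legitimately exported, but the same is_exported rule applies to them.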