Mohammed Adam, profile picture
Uploaded byMohammed Adam
PPTX, PDF253 views

Android Penetration testing - Day 2

The document provides a detailed agenda for a day 2 Android hacking session focusing on automated static analysis with the MobSF framework. It includes installation instructions, components, and methodology for analyzing Android applications, alongside a manual static analysis and secure code review with an example application called Pivaa. Various vulnerabilities are discussed with recommendations for each to ensure secure application development and maintenance.

Embed presentation

Download to read offline
Day 2 – Android hacking
Agenda for today’s session Automating Static analysis with MOBSF Framework Reverse Engineering the Android APK file Manual static analysis & Secure code review in Android
Intro to MOBSf framework • Mobile Security Framework (MobSF) is an automated, open source, all-in-one mobile application (Android/iOS/Windows) pen- testing framework capable of performing static, dynamic and malware analysis. • It is suggested by OWASP MSTG for static analysis of security in mobile applications. • It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and support both binaries (APK, IPA & APPX ) and zipped source code. • MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner. • MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless. • It has a graphic UI in the form of web service. Web service consist of a dashboard that presents the results of the analysis, its own documentation site, an integrated emulator & an API that allows users to trigger the analysis automatically. • It is hosted on a local environment, so sensitive data never interacts with the cloud.
How MOBSF works ? In static analysis application is tested from the inside out. It analyses the source code or binary without executing the application. It does not rely on runtime environment. It can be used to test code during development, caching vulnerabilities early on. Static analysis security testing tools must be run on the application on a regular basis, such as during daily/monthly builds, every time code is checked in, or a code release.
How MOBSF works ? (Contd.)
Requirements for MOBSF • Python 3.6+ — Python 3.6 Download • Oracle JDK 1.7 or above — Java JDK Download • Mac OS Users must install Command-line tools — How to Install Command line Tools in Mac • iOS IPA Analysis works only on Mac and Linux. • Windows App Static analysis requires a Windows Host or Windows VM for Mac and Linux. For Windows App Static Analysis, Read Windows App Static Analysis NOTE: • On Linux and Mac, install Oracle Java 1.7 or above and make it the default one. • On Linux, make sure you have 32 bit execution support enabled.
MOBSF Installation – Part 1 1. Configuring static analyzer Run following commands : • git clone https://github.com/MobSF/Mobile-Security-Framework- MobSF.git • cd Mobile-Security-Framework-MobSF
MOBSF Installation – Part 2 We need to install dependencies before we are able to run: • apt-get install python3-venv • pip3 install -r requirements.txt
MOBSF Installation – Part 3 • Once done, we can run the setup file to install MobSF and all the components automatically
MOBSF Interface • Visit http://0.0.0.0:8000 in browser to access the mobsf interface
Decoding the MOBSF Components 1) Information • Display data such as app icon, app name, size, package name etc.MD5 & SHA1 are also shown. They can be useful to detect known malicious applications.
2) Scan options • Rescan the application • Start the dynamic analysis • Check the source, smali files, java code & the manifest file
3) Signer Certificate Analysis • In the certificate column, we can see the signer certificate where one can find important information about the developer, country, state, type of algo, bit size etc.
4) Application Permissions • There are various permissions that are categorized as dangerous or normal. • It is important from a security analyst’s point of view to understand which permissions can lead to further damage. • For example, if an application has access to external media and stores critical information on the external media it could prove to be dangerous since the files stored on external media are globally readable and writable
5) Browsable Activities • We can see all the activities that have implemented a deep link schema. • To understand all about deep links, its implementation as well as exploitation. • https://www.hackingarticles.in/and roid-pentest-deep-link- exploitation/
6) Network Security Analysis • In the network security section, one can find some details about network security issues related to the application. These issues can lead to critical attacks like MiTM sometimes. • For Example: One can find that the application isn’t using the SSL pinning mechanism implemented.
7) Manifest Analysis • One can find many folds of information from the android manifest file like which activities are exported, if the app debuggable or not, data schemas etc.
8) Code Analysis • We can see that MobSF has analysed and compared some behaviour of the application based on industry security standard practices like OWASP MSTG and mapped the vulnerabilities with OWASP Top 10. • It is interesting to see CWE mentioned and CVSS score being assigned here which might help various analyst scenarios and help the creation of reports way easier.
9) Malware Analysis • MobSF also hosts a section where an APKiD analysis is given. • APKiD is an open-source tool that is very helpful to identify various packers, compilers, obfuscators etc in android files. It is analogous to PEiD in APK.
9) Malware Analysis (Contd.) • Something related to malware analysis is the domain malware check feature. Here, MobSF is extracting all the URLs/IP addresses that are hard-coded or being used in the application and shows its malware status as well as uses ip2location to give out its geolocation as well.
10) Strings • Strings are ASCII and Unicode- printable sequences of characters embedded within a file. Extracting strings can give clues about the program functionality and indicators associated with a suspect binary. • Many times, a third party IP address with which APK is communicating gets visible here, sometime hardcoded credentials too.
11) Emails • One can also find hardcoded emails in MobSF. This is all done using the decompiled source code. Often a pentester can find critical email IDs that were being used as a credential on a third party site, say, to access the database.
12) URLs • Just like emails, URLs are often found hardcoded as well. One can find juicy URLs that are being used sometimes. Oftentimes analysts find malicious URLs being accessed as well or even a C&C server.
13) Hardcoded secrets • Oftentimes developers have this habit of storing critical keys like AWS ID and credentials in strings.xml and use an object as a reference in java activity. But doing this doesn’t help in any which way since strings.xml can be decoded easily.
14) Activity Components Present • A list of all the activities present can also be scrolled using MobSF
15) Other components in Mobile App
Downloading Mobsf reports • Once you have done the analysis, it is possible to download the report by sliding the menu bar slider on the left-hand side and click generate the report.
Dependency for report download • You might notice some errors while generating reports. To resolve this, you can follow the below command and install wkhtmltopdf module: • apt-get install wkhtmltopdf
Pre-Requirements • Application we goanna use for Reverse engineering & Manual static analysis is PIVAA (Purposefully Insecure and Vulnerable Android Application) Tools Used: • ADB (Android Debug bridge) • Drozer • Genymotion • Kali linux VM or other VMs • Logcat • APKTool & Jadx • Hashcat • Keytool & jarsigner • dex2jar
Reverse engineering the Android APK File
ADB (Android Debug Bridge) • Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with a device. • The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device. • adb is included in the Android SDK Platform-Tools package. sudo apt-get install android-tools-adb Adb can be connected: • Via Usb cable; Enable usb debugging • Via Wi-Fi : enabled wireless debugging
Handy ADB Commands
Usage of ADB with various Components
Using Jadx to decompile an APK
APKTool for Decompilation & APK rebuilding • A tool for reverse engineering Android Apk files
Convert Dex files to java files. If you wish to decompile any java files, you can do the following: # Convert the Dex files into standard class files • dex2jar application/classes.dex # Now use the JD (Java Decompiler) to inspect the source • jd-gui classes-dex2jar.jar • You can do the changes in java classes or manifest files
Rebuilding the Apk file # To recompile(build) the apk • apktool b -f -d application Or • Apktool b application • After recompiling (building) the apk the new apk will be generated in Dist folder. • Application — Dist- application.apk
Creating keys & Signing the APK file • The APK must be signed before you run on your device. • Before signing an apk, create a key if you don’t have an existing one. If prompted for a password, create your own password. # To generate a key. • keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000 Now sign the APK with the key: # Sign the apk • jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release- key.keystore my_application.apk alias_name # Verify apk • jarsigner -verify -verbose -certs my_application.apk
Manual static Analysis & Secure code review in Android
Following code level Vulnerabilities will be covered in the upcoming slides • Cleartext SQLite database • User-supplied input in SQL queries • Exported Content Providers with Insufficient Protection • Enabled Application Backup • Information Disclosure through Logging • Storing Sensitive Data in External Storage • Weak Hashing Algorithms • Predictable Random Number Generators (PRNG) • Weak Encryption Implementation (AES-ECB) • Weak Initialization Vectors (IV) (AES-CBC) • Hard-coded Data • Enabled Debug Mode • Exported Broadcast Receivers • Exported Services
1) Cleartext SQLite database • The PIVAA application stores data in an unencrypted SQLite database. • Vulnerability: A malicious user or application with root privileges can access this file and view potentially sensitive contents. • Performing static analysis on the PIVAA Java source code recovered by MobSF, we found a file called “DatabaseHelper.java” and We can see that the application uses an SQLite database called “pivaaDB”.
Recommendations • Use the SQLCipher library to password-encrypt the SQLite database. • Ensure the password used to encrypt the database is not hard coded or stored insecurely on the filesystem (e.g. shared preferences, etc.). • An example of how the password can be retrieved to decrypt the SQLite database file is by requiring the user to enter a password or pin when the application is opened.
2) User-supplied input in SQL queries • The PIVAA application allows user-supplied input in SQL queries. • Vulnerability: User-supplied input into SQL queries can potentially lead to a local SQL injection vulnerability in the mobile application. • You can interact with the “pivaaDB” database mentioned earlier by using the application and inputting SQL queries.
User-supplied input in SQL queries (Contd.) • The query is being executed by the rawSQL method available in SQLitedatabase class & no sanitization is being performed
Recommendations: • Use SQL Prepared statements, which implement a pre-compiled SQL query and parameters that act as placeholders for user input which are required before the SQL query can be executed. This treats user input as data and not as commands, e.g.: # SQL Prepared Statement Example • db.rawQuery("select * from " + DATABASE_TABLE + " where " + "username=? and password=?", new String [] {loginUsername, loginpass}) • Try to sanitize input from users where possible and appropriate, • e.g. if you are expecting an integer as input, then you can validate for integers only.
3) Exported Content Providers with Insufficient Protection • The PIVAA application has implemented an exported content provider with insufficient protections. • Content providers are used to share app data with other applications, which is normally stored inside a database or file. Vulnerability: Insufficient protections for exported content providers can lead to security issues such as information disclosure. • Looking at the AndroidManifest.xml file for the PIVAA application, we can see the content provider that has been exported.
Recommendations: • Implement basic access control with the “android:permission” attribute in the AndroidManifest.xml file. N.B. this defines both read and write permissions to the content provider. • Implement principle of least privilege with separate “android:readPermission” and “android:writePermission” attributes in the AndroidManifest.xml file to specify what apps can read and write to the content provider. • Following the principle of least privilege, the “<path-permission>” element can be implemented in the AndroidManifest.xml file to control access to subsets of data.
4) Enabled Application Backup • The PIVAA application has the “android:allowBackup” attribute set to true in the AndroidManifest.xml file. • Vulnerability: Creating backups of an application may lead to sensitive information disclosure. • I can use the ADB “backup” command to create a backup of the “com.htbridge.pivaa” package. Depending on the Android OS version you have, you may be prompted for a password that will be needed later to unpack the backup file.
Recommendations: • Set the “android:allowBackup” attribute to false to disable backups. • If the “allowBackup” attribute in the manifest file is not set, then by default a backup of the apps data can be made.
5) Information Disclosure through Logging • The PIVAA application produces log messages when performing a lot of tasks. • Vulnerability: Logging sensitive data may expose the data to attackers or malicious applications, and it violates user confidentiality. Recommendations: • Use tools like ProGuard (included in Android Studio). • ProGuard is a free Java class file shrinker, optimizer, obfuscator, and preverifier. • It detects and removes unused classes, fields, methods, and attributes and can also be used to delete logging-related code.
6) Storing Sensitive Data in External Storage • The PIVAA application stores sensitive data on a external SD card. • Vulnerability: Files saved to external storage are world-readable and can be modified. Recommendations: • Do not store sensitive data in external storage. • Store sensitive data and files in internal storage. Files saved to internal storage are by default private to your application; neither the user nor other applications can access them. When users uninstall your application, these files are removed.
7) Weak Hashing Algorithms • The PIVAA application provides a feature that allows users to hash any string they enter using the MD5 hashing algorithm. • Vulnerability: MD5 hashing algorithm should not be used when reliable hashing of data is required. Recommendations: • Use stronger hash algorithm's such as SHA-256, SHA-3, bcrypt , scrypt ,etc. when reliable hashing is required. • Make sure to salt password hashes, which is an additional input of data that helps to safeguard passwords in storage.
8) Predictable Random Number Generator (PRNG) • The PIVAA application uses the Random Java class to generate pseudorandom numbers: • java.util.Random • Vulnerability: The numbers generated by this class are not random and can be predictable.
Recommendations: • Use a cryptographically strong random number generator (RNG) like “java.security.SecureRandom” in place of this PRNG when a cryptographically strong random number needs to be used. • Use the generated random values only once. • You should not expose the generated random value. • If you have to store it, make sure that the database or file is secure.
9) Weak Encryption Implementation • The PIVAA application implements AES encryption with Electronic Code Book mode. • Vulnerability: “AES/ECB/PKCS5Padding” has been proven to be insecure. Recommendations: • Do not use ECB mode for cryptographic operations. Use the code below instead for cryptographic operations: • Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding"); • Be aware that the code below will default to ECB mode, even if it is not specified: • Cipher cipher = Cipher.getInstance("AES");
10) Usage of Weak Initialization Vector • The PIVAA application implements AES encryption with Cipher Block Chaining (CBC) mode but uses a predictable initialization vector (IV). • Vulnerability: Predictable IVs can be exploited by chosen plain text attack.
Recommendations: • Initialization Vector should be unpredictable. • Initialization Vector should be Random. • Initialization Vector should not be hard coded. • Initialization Vector should be created using java.security.SecureRandom rather than java.util.Random .
11) Hard-coded Data • The PIVAA application contains sensitive hard-coded data. • Vulnerability: Sensitive data hard-coded into an applications code can be easily retrieved by malicious users and used to perform other attacks.
Recommendations: • Store sensitive data in a external file located in a secure directory from where it can be retrieved. • Use the Android KeyStore to securely store cryptographic keys.
12) Enabled Debug Mode • The PIVAA application has debug mode enabled. • Vulnerability: Debug mode should be disabled in production build applications because it can expose technical information and facilitate reverse engineering.
Recommendations: • For Android applications, make sure the “android:debuggable” attribute is set to false in the AndroidManifest.xml file to disable debug mode.
13) Exported Broadcast Receivers • The PIVAA application has exported a broadcast receiver without any permissions set. Broadcast receivers are designed to listen to system wide events called broadcasts (e.g. network activity, application updates, etc.) and then trigger something if the broadcast message matches the current parameters inside the Broadcast Receiver. • Vulnerability: Any application, including malicious ones, can send an intent to this broadcast receiver causing it to be triggered without any restrictions.
Recommendations: • Control what applications can receive a broadcast sent from your application by passing a permission alongside the intent when attempting to trigger a broadcast receiver. Only applications that have requested and been granted that permission can receive the broadcast intent from the sending application. • Control what broadcasts can be received by your application by setting a permission in the AndroidManifest.xml file which restricts access to a broadcast receiver to only those apps that have requested and been granted that permission.
14) Exported Service • The PIVAA application has exported a service that performs audio recording and stops after the file reaches 1MB in size. Services are an Android component that runs in the background and does not normally provide a user interface to interact with. These services are used to perform tasks in the background such as downloading large files or playing music, without blocking the user interface. • Vulnerability: This service is exported without any permissions in the AndroidManifest.xml file, which means any application can abuse this feature to record audio.
Recommendations: • Determine if a service needs to be exported. • A service is generally not exported but if it is, then strong permissions should be set in the AndroidManifest.xml file. • Keep in mind that specifying intent filters with a component in the AndroidManifest.xml file will result in the component being exported by default unless the export attribute is set to false.
Q & A Session
Thank you !

More Related Content

PPTX
Android Penetration Testing - Day 1
byMohammed Adam
 
PDF
Android pentesting
byMykhailo Antonishyn
 
PPTX
Introduction to Android ppt
byTaha Malampatti
 
PPTX
Authentication and Authorization in Asp.Net
byShivanand Arur
 
PPTX
Vulnerabilities in modern web applications
byNiyas Nazar
 
PDF
Getting started with Android pentesting
byMinali Arora
 
PPTX
Pentesting Android Applications
byCláudio André
 
PPTX
Android pentesting
byMykhailo Antonishyn
 
Android Penetration Testing - Day 1
byMohammed Adam
 
Android pentesting
byMykhailo Antonishyn
 
Introduction to Android ppt
byTaha Malampatti
 
Authentication and Authorization in Asp.Net
byShivanand Arur
 
Vulnerabilities in modern web applications
byNiyas Nazar
 
Getting started with Android pentesting
byMinali Arora
 
Pentesting Android Applications
byCláudio André
 
Android pentesting
byMykhailo Antonishyn
 

What's hot

PPTX
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
byAjin Abraham
 
PPTX
Android Penetration Testing - Day 3
byMohammed Adam
 
PDF
Android application security testing
byMykhailo Antonishyn
 
PPTX
Android Application Penetration Testing - Mohammed Adam
byMohammed Adam
 
PPTX
Ide description
byNidhi Baranwal
 
PDF
Understanding the Dalvik bytecode with the Dedexer tool
byGabor Paller
 
PDF
Android Security & Penetration Testing
bySubho Halder
 
PDF
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
byEdureka!
 
PPTX
Express js
byManav Prasad
 
PPT
Node.js Basics
byTheCreativedev Blog
 
PPT
Android ppt
byAnsh Singh
 
PDF
Android application penetration testing
byRoshan Kumar Gami
 
PDF
Angular - Chapter 3 - Components
byWebStackAcademy
 
PDF
Docker by Example - Basics
byCodeOps Technologies LLP
 
PPTX
An introduction to Xamarin
byCynoteck Technology Solutions Private Limited
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
PDF
Express node js
byYashprit Singh
 
PPTX
Deep understanding on Cross-Site Scripting and SQL Injection
byVishal Kumar
 
ODP
Mobile App Security Testing -2
byKrisshhna Daasaarii
 
PPT
Java Persistence API (JPA) Step By Step
byGuo Albert
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
byAjin Abraham
 
Android Penetration Testing - Day 3
byMohammed Adam
 
Android application security testing
byMykhailo Antonishyn
 
Android Application Penetration Testing - Mohammed Adam
byMohammed Adam
 
Ide description
byNidhi Baranwal
 
Understanding the Dalvik bytecode with the Dedexer tool
byGabor Paller
 
Android Security & Penetration Testing
bySubho Halder
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
byEdureka!
 
Express js
byManav Prasad
 
Node.js Basics
byTheCreativedev Blog
 
Android ppt
byAnsh Singh
 
Android application penetration testing
byRoshan Kumar Gami
 
Angular - Chapter 3 - Components
byWebStackAcademy
 
Docker by Example - Basics
byCodeOps Technologies LLP
 
An introduction to Xamarin
byCynoteck Technology Solutions Private Limited
 
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
Express node js
byYashprit Singh
 
Deep understanding on Cross-Site Scripting and SQL Injection
byVishal Kumar
 
Mobile App Security Testing -2
byKrisshhna Daasaarii
 
Java Persistence API (JPA) Step By Step
byGuo Albert
 

Similar to Android Penetration testing - Day 2

PDF
AppSec PNW: Android and iOS Application Security with MobSF
byAjin Abraham
 
PDF
PTS2022-Talk-19-MobSF-for-penetration-testers_0.pdf
byShadowman Kung
 
PPTX
Droidcon mobile security
byJudy Ngure
 
PPTX
Dynamic Security Analysis & Static Security Analysis for Android Apps.
byVodqaBLR
 
PPTX
Rapid Android Application Security Testing
byNutan Kumar Panda
 
PPTX
Android application analyzer
bySanjay Gondaliya
 
PPTX
MOBISEC 2018 - 08 - Reverse Engineering.pptx
byEnigma58
 
PDF
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
byAbhinav Mishra
 
PPTX
Mobile Application Security Testing (Static Code Analysis) of Android App
byAbhilash Venkata
 
PPTX
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
byAjin Abraham
 
PDF
mobsf.pdf
byTaseen Ali
 
PDF
Top 15 Mobile Hacking Tools for Android and iOS Testing.pdf
bymanisha06650
 
PPTX
Pentesting Android Apps
byAbdelhamid Limami
 
PPTX
Mobile SF
byyarden hanan
 
PDF
Security testing in mobile applications
byJose Manuel Ortega Candel
 
PDF
Attacking and Defending Mobile Applications
byJerod Brennen
 
PPTX
Droidstat-X, Android Applications Security Analyser Xmind Generator
byCláudio André
 
PDF
IRJET- A Review on Several Vulnerabilities Detection Techniques in Androi...
byIRJET Journal
 
PDF
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
byAjin Abraham
 
PDF
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...
byAliAlwesabi
 
AppSec PNW: Android and iOS Application Security with MobSF
byAjin Abraham
 
PTS2022-Talk-19-MobSF-for-penetration-testers_0.pdf
byShadowman Kung
 
Droidcon mobile security
byJudy Ngure
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
byVodqaBLR
 
Rapid Android Application Security Testing
byNutan Kumar Panda
 
Android application analyzer
bySanjay Gondaliya
 
MOBISEC 2018 - 08 - Reverse Engineering.pptx
byEnigma58
 
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
byAbhinav Mishra
 
Mobile Application Security Testing (Static Code Analysis) of Android App
byAbhilash Venkata
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
byAjin Abraham
 
mobsf.pdf
byTaseen Ali
 
Top 15 Mobile Hacking Tools for Android and iOS Testing.pdf
bymanisha06650
 
Pentesting Android Apps
byAbdelhamid Limami
 
Mobile SF
byyarden hanan
 
Security testing in mobile applications
byJose Manuel Ortega Candel
 
Attacking and Defending Mobile Applications
byJerod Brennen
 
Droidstat-X, Android Applications Security Analyser Xmind Generator
byCláudio André
 
IRJET- A Review on Several Vulnerabilities Detection Techniques in Androi...
byIRJET Journal
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
byAjin Abraham
 
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...
byAliAlwesabi
 

More from Mohammed Adam

PPTX
Wireless Penetration Testing
byMohammed Adam
 
PPTX
Network Penetration Testing
byMohammed Adam
 
PPTX
Basic Foundation For Cybersecurity
byMohammed Adam
 
PPTX
Golden Ticket Attack - AD - Domain Persistence
byMohammed Adam
 
PPTX
Evading Antivirus software for fun and profit
byMohammed Adam
 
PDF
Introduction to Network Fundamentals
byMohammed Adam
 
PPTX
Breaking out of crypto authentication
byMohammed Adam
 
PPTX
Cybersecurity Awareness Session by Adam
byMohammed Adam
 
PPTX
Career Guidance on Cybersecurity by Mohammed Adam
byMohammed Adam
 
PPTX
Introduction to null villupuram community
byMohammed Adam
 
PPTX
Internet security
byMohammed Adam
 
PDF
BugBounty Roadmap with Mohammed Adam
byMohammed Adam
 
PPTX
Webinar On Ethical Hacking & Cybersecurity - Day2
byMohammed Adam
 
PPTX
OSINT - Open Soure Intelligence - Webinar on CyberSecurity
byMohammed Adam
 
PPTX
Vulnerability assessment &amp; Penetration testing Basics
byMohammed Adam
 
PPT
What is SSL ? The Secure Sockets Layer (SSL) Protocol
byMohammed Adam
 
PPT
Network Security
byMohammed Adam
 
PPTX
Networking in Windows Operating System
byMohammed Adam
 
PPT
Introduction to Networking
byMohammed Adam
 
PPT
Firewall basics
byMohammed Adam
 
Wireless Penetration Testing
byMohammed Adam
 
Network Penetration Testing
byMohammed Adam
 
Basic Foundation For Cybersecurity
byMohammed Adam
 
Golden Ticket Attack - AD - Domain Persistence
byMohammed Adam
 
Evading Antivirus software for fun and profit
byMohammed Adam
 
Introduction to Network Fundamentals
byMohammed Adam
 
Breaking out of crypto authentication
byMohammed Adam
 
Cybersecurity Awareness Session by Adam
byMohammed Adam
 
Career Guidance on Cybersecurity by Mohammed Adam
byMohammed Adam
 
Introduction to null villupuram community
byMohammed Adam
 
Internet security
byMohammed Adam
 
BugBounty Roadmap with Mohammed Adam
byMohammed Adam
 
Webinar On Ethical Hacking & Cybersecurity - Day2
byMohammed Adam
 
OSINT - Open Soure Intelligence - Webinar on CyberSecurity
byMohammed Adam
 
Vulnerability assessment &amp; Penetration testing Basics
byMohammed Adam
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
byMohammed Adam
 
Network Security
byMohammed Adam
 
Networking in Windows Operating System
byMohammed Adam
 
Introduction to Networking
byMohammed Adam
 
Firewall basics
byMohammed Adam
 

Recently uploaded

PDF
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
Chapter 6 Authentication and Access Control.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Chapter 6 Authentication and Access Control.pdf
byGetnet Tigabie Askale -(GM)
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 

Android Penetration testing - Day 2

  • 1.
    Day 2 –Android hacking
  • 2.
    Agenda for today’s session Automating Staticanalysis with MOBSF Framework Reverse Engineering the Android APK file Manual static analysis & Secure code review in Android
  • 3.
    Intro to MOBSf framework • MobileSecurity Framework (MobSF) is an automated, open source, all-in-one mobile application (Android/iOS/Windows) pen- testing framework capable of performing static, dynamic and malware analysis. • It is suggested by OWASP MSTG for static analysis of security in mobile applications. • It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and support both binaries (APK, IPA & APPX ) and zipped source code. • MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner. • MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless. • It has a graphic UI in the form of web service. Web service consist of a dashboard that presents the results of the analysis, its own documentation site, an integrated emulator & an API that allows users to trigger the analysis automatically. • It is hosted on a local environment, so sensitive data never interacts with the cloud.
  • 4.
    How MOBSF works? In static analysis application is tested from the inside out. It analyses the source code or binary without executing the application. It does not rely on runtime environment. It can be used to test code during development, caching vulnerabilities early on. Static analysis security testing tools must be run on the application on a regular basis, such as during daily/monthly builds, every time code is checked in, or a code release.
  • 5.
    How MOBSF works? (Contd.)
  • 6.
    Requirements for MOBSF • Python3.6+ — Python 3.6 Download • Oracle JDK 1.7 or above — Java JDK Download • Mac OS Users must install Command-line tools — How to Install Command line Tools in Mac • iOS IPA Analysis works only on Mac and Linux. • Windows App Static analysis requires a Windows Host or Windows VM for Mac and Linux. For Windows App Static Analysis, Read Windows App Static Analysis NOTE: • On Linux and Mac, install Oracle Java 1.7 or above and make it the default one. • On Linux, make sure you have 32 bit execution support enabled.
  • 7.
    MOBSF Installation –Part 1 1. Configuring static analyzer Run following commands : • git clone https://github.com/MobSF/Mobile-Security-Framework- MobSF.git • cd Mobile-Security-Framework-MobSF
  • 8.
    MOBSF Installation –Part 2 We need to install dependencies before we are able to run: • apt-get install python3-venv • pip3 install -r requirements.txt
  • 9.
    MOBSF Installation –Part 3 • Once done, we can run the setup file to install MobSF and all the components automatically
  • 10.
    MOBSF Interface • Visithttp://0.0.0.0:8000 in browser to access the mobsf interface
  • 11.
    Decoding the MOBSF Components 1) Information •Display data such as app icon, app name, size, package name etc.MD5 & SHA1 are also shown. They can be useful to detect known malicious applications.
  • 12.
    2) Scan options •Rescan the application • Start the dynamic analysis • Check the source, smali files, java code & the manifest file
  • 13.
    3) Signer CertificateAnalysis • In the certificate column, we can see the signer certificate where one can find important information about the developer, country, state, type of algo, bit size etc.
  • 14.
    4) Application Permissions •There are various permissions that are categorized as dangerous or normal. • It is important from a security analyst’s point of view to understand which permissions can lead to further damage. • For example, if an application has access to external media and stores critical information on the external media it could prove to be dangerous since the files stored on external media are globally readable and writable
  • 15.
    5) Browsable Activities •We can see all the activities that have implemented a deep link schema. • To understand all about deep links, its implementation as well as exploitation. • https://www.hackingarticles.in/and roid-pentest-deep-link- exploitation/
  • 16.
    6) Network Security Analysis •In the network security section, one can find some details about network security issues related to the application. These issues can lead to critical attacks like MiTM sometimes. • For Example: One can find that the application isn’t using the SSL pinning mechanism implemented.
  • 17.
    7) Manifest Analysis •One can find many folds of information from the android manifest file like which activities are exported, if the app debuggable or not, data schemas etc.
  • 18.
    8) Code Analysis •We can see that MobSF has analysed and compared some behaviour of the application based on industry security standard practices like OWASP MSTG and mapped the vulnerabilities with OWASP Top 10. • It is interesting to see CWE mentioned and CVSS score being assigned here which might help various analyst scenarios and help the creation of reports way easier.
  • 19.
    9) Malware Analysis •MobSF also hosts a section where an APKiD analysis is given. • APKiD is an open-source tool that is very helpful to identify various packers, compilers, obfuscators etc in android files. It is analogous to PEiD in APK.
  • 20.
    9) Malware Analysis (Contd.) •Something related to malware analysis is the domain malware check feature. Here, MobSF is extracting all the URLs/IP addresses that are hard-coded or being used in the application and shows its malware status as well as uses ip2location to give out its geolocation as well.
  • 21.
    10) Strings • Stringsare ASCII and Unicode- printable sequences of characters embedded within a file. Extracting strings can give clues about the program functionality and indicators associated with a suspect binary. • Many times, a third party IP address with which APK is communicating gets visible here, sometime hardcoded credentials too.
  • 22.
    11) Emails • Onecan also find hardcoded emails in MobSF. This is all done using the decompiled source code. Often a pentester can find critical email IDs that were being used as a credential on a third party site, say, to access the database.
  • 23.
    12) URLs • Justlike emails, URLs are often found hardcoded as well. One can find juicy URLs that are being used sometimes. Oftentimes analysts find malicious URLs being accessed as well or even a C&C server.
  • 24.
    13) Hardcoded secrets • Oftentimesdevelopers have this habit of storing critical keys like AWS ID and credentials in strings.xml and use an object as a reference in java activity. But doing this doesn’t help in any which way since strings.xml can be decoded easily.
  • 25.
    14) Activity Components Present •A list of all the activities present can also be scrolled using MobSF
  • 26.
  • 27.
    Downloading Mobsf reports •Once you have done the analysis, it is possible to download the report by sliding the menu bar slider on the left-hand side and click generate the report.
  • 28.
    Dependency for reportdownload • You might notice some errors while generating reports. To resolve this, you can follow the below command and install wkhtmltopdf module: • apt-get install wkhtmltopdf
  • 29.
    Pre-Requirements • Application wegoanna use for Reverse engineering & Manual static analysis is PIVAA (Purposefully Insecure and Vulnerable Android Application) Tools Used: • ADB (Android Debug bridge) • Drozer • Genymotion • Kali linux VM or other VMs • Logcat • APKTool & Jadx • Hashcat • Keytool & jarsigner • dex2jar
  • 30.
  • 31.
    ADB (Android DebugBridge) • Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with a device. • The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device. • adb is included in the Android SDK Platform-Tools package. sudo apt-get install android-tools-adb Adb can be connected: • Via Usb cable; Enable usb debugging • Via Wi-Fi : enabled wireless debugging
  • 32.
  • 33.
    Usage of ADBwith various Components
  • 34.
    Using Jadx todecompile an APK
  • 35.
    APKTool for Decompilation& APK rebuilding • A tool for reverse engineering Android Apk files
  • 36.
    Convert Dex filesto java files. If you wish to decompile any java files, you can do the following: # Convert the Dex files into standard class files • dex2jar application/classes.dex # Now use the JD (Java Decompiler) to inspect the source • jd-gui classes-dex2jar.jar • You can do the changes in java classes or manifest files
  • 37.
    Rebuilding the Apkfile # To recompile(build) the apk • apktool b -f -d application Or • Apktool b application • After recompiling (building) the apk the new apk will be generated in Dist folder. • Application — Dist- application.apk
  • 38.
    Creating keys &Signing the APK file • The APK must be signed before you run on your device. • Before signing an apk, create a key if you don’t have an existing one. If prompted for a password, create your own password. # To generate a key. • keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000 Now sign the APK with the key: # Sign the apk • jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release- key.keystore my_application.apk alias_name # Verify apk • jarsigner -verify -verbose -certs my_application.apk
  • 39.
    Manual static Analysis& Secure code review in Android
  • 40.
    Following code levelVulnerabilities will be covered in the upcoming slides • Cleartext SQLite database • User-supplied input in SQL queries • Exported Content Providers with Insufficient Protection • Enabled Application Backup • Information Disclosure through Logging • Storing Sensitive Data in External Storage • Weak Hashing Algorithms • Predictable Random Number Generators (PRNG) • Weak Encryption Implementation (AES-ECB) • Weak Initialization Vectors (IV) (AES-CBC) • Hard-coded Data • Enabled Debug Mode • Exported Broadcast Receivers • Exported Services
  • 41.
    1) Cleartext SQLitedatabase • The PIVAA application stores data in an unencrypted SQLite database. • Vulnerability: A malicious user or application with root privileges can access this file and view potentially sensitive contents. • Performing static analysis on the PIVAA Java source code recovered by MobSF, we found a file called “DatabaseHelper.java” and We can see that the application uses an SQLite database called “pivaaDB”.
  • 42.
    Recommendations • Use theSQLCipher library to password-encrypt the SQLite database. • Ensure the password used to encrypt the database is not hard coded or stored insecurely on the filesystem (e.g. shared preferences, etc.). • An example of how the password can be retrieved to decrypt the SQLite database file is by requiring the user to enter a password or pin when the application is opened.
  • 43.
    2) User-supplied inputin SQL queries • The PIVAA application allows user-supplied input in SQL queries. • Vulnerability: User-supplied input into SQL queries can potentially lead to a local SQL injection vulnerability in the mobile application. • You can interact with the “pivaaDB” database mentioned earlier by using the application and inputting SQL queries.
  • 44.
    User-supplied input inSQL queries (Contd.) • The query is being executed by the rawSQL method available in SQLitedatabase class & no sanitization is being performed
  • 45.
    Recommendations: • Use SQLPrepared statements, which implement a pre-compiled SQL query and parameters that act as placeholders for user input which are required before the SQL query can be executed. This treats user input as data and not as commands, e.g.: # SQL Prepared Statement Example • db.rawQuery("select * from " + DATABASE_TABLE + " where " + "username=? and password=?", new String [] {loginUsername, loginpass}) • Try to sanitize input from users where possible and appropriate, • e.g. if you are expecting an integer as input, then you can validate for integers only.
  • 46.
    3) Exported ContentProviders with Insufficient Protection • The PIVAA application has implemented an exported content provider with insufficient protections. • Content providers are used to share app data with other applications, which is normally stored inside a database or file. Vulnerability: Insufficient protections for exported content providers can lead to security issues such as information disclosure. • Looking at the AndroidManifest.xml file for the PIVAA application, we can see the content provider that has been exported.
  • 47.
    Recommendations: • Implement basicaccess control with the “android:permission” attribute in the AndroidManifest.xml file. N.B. this defines both read and write permissions to the content provider. • Implement principle of least privilege with separate “android:readPermission” and “android:writePermission” attributes in the AndroidManifest.xml file to specify what apps can read and write to the content provider. • Following the principle of least privilege, the “<path-permission>” element can be implemented in the AndroidManifest.xml file to control access to subsets of data.
  • 48.
    4) Enabled ApplicationBackup • The PIVAA application has the “android:allowBackup” attribute set to true in the AndroidManifest.xml file. • Vulnerability: Creating backups of an application may lead to sensitive information disclosure. • I can use the ADB “backup” command to create a backup of the “com.htbridge.pivaa” package. Depending on the Android OS version you have, you may be prompted for a password that will be needed later to unpack the backup file.
  • 49.
    Recommendations: • Set the“android:allowBackup” attribute to false to disable backups. • If the “allowBackup” attribute in the manifest file is not set, then by default a backup of the apps data can be made.
  • 50.
    5) Information Disclosurethrough Logging • The PIVAA application produces log messages when performing a lot of tasks. • Vulnerability: Logging sensitive data may expose the data to attackers or malicious applications, and it violates user confidentiality. Recommendations: • Use tools like ProGuard (included in Android Studio). • ProGuard is a free Java class file shrinker, optimizer, obfuscator, and preverifier. • It detects and removes unused classes, fields, methods, and attributes and can also be used to delete logging-related code.
  • 51.
    6) Storing SensitiveData in External Storage • The PIVAA application stores sensitive data on a external SD card. • Vulnerability: Files saved to external storage are world-readable and can be modified. Recommendations: • Do not store sensitive data in external storage. • Store sensitive data and files in internal storage. Files saved to internal storage are by default private to your application; neither the user nor other applications can access them. When users uninstall your application, these files are removed.
  • 52.
    7) Weak HashingAlgorithms • The PIVAA application provides a feature that allows users to hash any string they enter using the MD5 hashing algorithm. • Vulnerability: MD5 hashing algorithm should not be used when reliable hashing of data is required. Recommendations: • Use stronger hash algorithm's such as SHA-256, SHA-3, bcrypt , scrypt ,etc. when reliable hashing is required. • Make sure to salt password hashes, which is an additional input of data that helps to safeguard passwords in storage.
  • 53.
    8) Predictable RandomNumber Generator (PRNG) • The PIVAA application uses the Random Java class to generate pseudorandom numbers: • java.util.Random • Vulnerability: The numbers generated by this class are not random and can be predictable.
  • 54.
    Recommendations: • Use acryptographically strong random number generator (RNG) like “java.security.SecureRandom” in place of this PRNG when a cryptographically strong random number needs to be used. • Use the generated random values only once. • You should not expose the generated random value. • If you have to store it, make sure that the database or file is secure.
  • 55.
    9) Weak EncryptionImplementation • The PIVAA application implements AES encryption with Electronic Code Book mode. • Vulnerability: “AES/ECB/PKCS5Padding” has been proven to be insecure. Recommendations: • Do not use ECB mode for cryptographic operations. Use the code below instead for cryptographic operations: • Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding"); • Be aware that the code below will default to ECB mode, even if it is not specified: • Cipher cipher = Cipher.getInstance("AES");
  • 56.
    10) Usage ofWeak Initialization Vector • The PIVAA application implements AES encryption with Cipher Block Chaining (CBC) mode but uses a predictable initialization vector (IV). • Vulnerability: Predictable IVs can be exploited by chosen plain text attack.
  • 57.
    Recommendations: • Initialization Vectorshould be unpredictable. • Initialization Vector should be Random. • Initialization Vector should not be hard coded. • Initialization Vector should be created using java.security.SecureRandom rather than java.util.Random .
  • 58.
    11) Hard-coded Data •The PIVAA application contains sensitive hard-coded data. • Vulnerability: Sensitive data hard-coded into an applications code can be easily retrieved by malicious users and used to perform other attacks.
  • 59.
    Recommendations: • Store sensitivedata in a external file located in a secure directory from where it can be retrieved. • Use the Android KeyStore to securely store cryptographic keys.
  • 60.
    12) Enabled DebugMode • The PIVAA application has debug mode enabled. • Vulnerability: Debug mode should be disabled in production build applications because it can expose technical information and facilitate reverse engineering.
  • 61.
    Recommendations: • For Androidapplications, make sure the “android:debuggable” attribute is set to false in the AndroidManifest.xml file to disable debug mode.
  • 62.
    13) Exported BroadcastReceivers • The PIVAA application has exported a broadcast receiver without any permissions set. Broadcast receivers are designed to listen to system wide events called broadcasts (e.g. network activity, application updates, etc.) and then trigger something if the broadcast message matches the current parameters inside the Broadcast Receiver. • Vulnerability: Any application, including malicious ones, can send an intent to this broadcast receiver causing it to be triggered without any restrictions.
  • 63.
    Recommendations: • Control whatapplications can receive a broadcast sent from your application by passing a permission alongside the intent when attempting to trigger a broadcast receiver. Only applications that have requested and been granted that permission can receive the broadcast intent from the sending application. • Control what broadcasts can be received by your application by setting a permission in the AndroidManifest.xml file which restricts access to a broadcast receiver to only those apps that have requested and been granted that permission.
  • 64.
    14) Exported Service •The PIVAA application has exported a service that performs audio recording and stops after the file reaches 1MB in size. Services are an Android component that runs in the background and does not normally provide a user interface to interact with. These services are used to perform tasks in the background such as downloading large files or playing music, without blocking the user interface. • Vulnerability: This service is exported without any permissions in the AndroidManifest.xml file, which means any application can abuse this feature to record audio.
  • 65.
    Recommendations: • Determine ifa service needs to be exported. • A service is generally not exported but if it is, then strong permissions should be set in the AndroidManifest.xml file. • Keep in mind that specifying intent filters with a component in the AndroidManifest.xml file will result in the component being exported by default unless the export attribute is set to false.
  • 66.
    Q & ASession
  • 67.