This document provides an overview of Android penetration testing. It discusses requirements and tools for static and dynamic analysis, including Apptitude, Genymotion, and ADB. It covers analyzing the Android manifest and classes.dex files. It also describes vulnerabilities in WebViews, such as loading cleartext content and improper SSL handling. Best practices for coding securely on Android are also presented.
In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole.
OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications.
APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year.
In this session we’ll discuss:
· What makes API Security different from web application security
· The top 10 common API security vulnerabilities
· Examples and mitigation strategies for each of the risks
The presentation focus on some known and unknown methods of android pentetration testing. I have taken help from many resources which I have mentioned in PPT.
Android application Pentesting with DIVA. This Course is Divided into three main sections:
1) Prepare your envirnment (Setup Kali Linux and Andriod Emulator)
2) Infomation Gathering (Attack surface)
3) Exploitation
Tools used:
1. Adb
2. Apktool
3. unzip
4. Dex2jar
5. JD-GUI
6. sqlitebrowser
7. Drozer
8. Cutter
I hope you find this session interesting. Thanks for joining !!
In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole.
OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications.
APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year.
In this session we’ll discuss:
· What makes API Security different from web application security
· The top 10 common API security vulnerabilities
· Examples and mitigation strategies for each of the risks
The presentation focus on some known and unknown methods of android pentetration testing. I have taken help from many resources which I have mentioned in PPT.
Android application Pentesting with DIVA. This Course is Divided into three main sections:
1) Prepare your envirnment (Setup Kali Linux and Andriod Emulator)
2) Infomation Gathering (Attack surface)
3) Exploitation
Tools used:
1. Adb
2. Apktool
3. unzip
4. Dex2jar
5. JD-GUI
6. sqlitebrowser
7. Drozer
8. Cutter
I hope you find this session interesting. Thanks for joining !!
The fundamentals of Android and iOS app securityNowSecure
Looking for a high-intensity bootcamp covering the basics of secure mobile development? This slideshare was originally presented by mobile security expert and NowSecure CEO Andrew Hoog for a 60-minute workshop at Security by Design covering the following topics:
+ Introduction to identifying security flaws in mobile apps (and how to avoid them)
+ Examples of secure and insecure mobile apps and how to secure them
+ Overview of secure mobile development based on the NowSecure Secure Mobile Development Best Practices
Android Application Penetration Testing - Mohammed AdamMohammed Adam
Android Penetration Testing is a process of testing and finding security issues in an android application. It involves decompiling, real-time analyzing and testing android application for security point of view. This Slides covers real-time testing of android applications and some security issues like insecure logging, leaking content providers, insecure data storage and access control issues.
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
Mobile Application market is growing like anything and so is the Mobile Security industry. With lots of frequent application releases and updates happening, conducting the complete security analysis of mobile applications becomes time consuming and cumbersome. In this talk I will introduce an extendable, and scalable web framework called Mobile Security Framework (https://github.com/ajinabraham/YSO-Mobile-Security-Framework) for Security analysis of Mobile Applications. Mobile Security Framework is an intelligent and automated open source mobile application (Android/iOS) pentesting and binary/code analysis framework capable of performing static and dynamic analysis. It supports Android and iOS binaries as well as zipped source code. During the presentation, I will demonstrates some of the issues identified by the tool in real world android applications. The latest Dynamic Analyzer module will be released at OWASP AppSec. Attendees Benefits * An Open Source framework for Automated Mobile Security Assessment. * One Click Report Generation and Security Assessment. * Framework can be deployed at your own environment so that you have complete control of the data. The data/report stays within the organisation and nothing is stored in the cloud. * Supports both Android and iOS Applications. * Semi Automatic Dynamic Analyzer for intelligent application logic based (whitebox) security assessment.
These slides were presented at GDG MeetUp in Bangalore which was held on 21st September 2013. Uploading the slides to help the people who wanted the slide Deck
This slide deck covers the automated & manual static code discovery of Android Application using opensource tools, Reverse engineering of apk file and Secure code review
The OWASP Mobile Top 10 is a nice start for any developer or a security professional, but the road is still ahead and there is so much to do to destroy most of the possible doors that hackers can use to find out about app’s vulnerabilities. We look forward to the OWASP to continue their work, but let’s not stay on the sidelines!
View on-demand: https://wso2.com/library/webinars/api-security-best-practices-and-guidelines/
Modern enterprises are increasingly adopting APIs, exceeding all predictions. With more businesses investing in microservices and the increased consumption of cloud APIs, you need to secure beyond just a handful of well-known APIs. You will need to secure a higher number of internal and external endpoints.
At the same time, security itself is a broad area and vendors implement a number of seemingly similar standards and patterns, making it very difficult for consumers to settle on the best option for securing APIs. The sheer number of options can be very confusing.
There is much to learn about API security, regardless of whether you are a novice or expert and it’s extremely important that you do because security is an integral part of any development project, including API ecosystems.
This webinar will deep-dive into the importance of API security, API security patterns, and how identity and access management (IAM) fit in the ecosystem.
DURING THE WEBINAR, WE WILL COVER:
Managed APIs
OAuth 2.0 and API security patterns
Introduction to WSO2 Identity Server
How we align with OWASP API security guidelines
OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham
Samsung’s first Tizen-based devices are set to launch in the middle of 2015. This paper presents the research outcome on the security analysis of Tizen OS and it’s underlying security architecture. The paper begins with a quick introduction to Tizen architecture and explains the various components of Tizen OS. This will be followed by Tizen’s security model where application sandboxing and resource access control will be explained. Moving on, an overview of Tizen’s Content Security Framework which acts as an in-built malware detection API will be covered.
Various vulnerabilities in Tizen will be discussed including issues like Tizen WebKit2 address spoofing and content injection, Tizen WebKit CSP bypass and issues in Tizen’s memory protection (ASLR and DEP).
The fundamentals of Android and iOS app securityNowSecure
Looking for a high-intensity bootcamp covering the basics of secure mobile development? This slideshare was originally presented by mobile security expert and NowSecure CEO Andrew Hoog for a 60-minute workshop at Security by Design covering the following topics:
+ Introduction to identifying security flaws in mobile apps (and how to avoid them)
+ Examples of secure and insecure mobile apps and how to secure them
+ Overview of secure mobile development based on the NowSecure Secure Mobile Development Best Practices
Android Application Penetration Testing - Mohammed AdamMohammed Adam
Android Penetration Testing is a process of testing and finding security issues in an android application. It involves decompiling, real-time analyzing and testing android application for security point of view. This Slides covers real-time testing of android applications and some security issues like insecure logging, leaking content providers, insecure data storage and access control issues.
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
Mobile Application market is growing like anything and so is the Mobile Security industry. With lots of frequent application releases and updates happening, conducting the complete security analysis of mobile applications becomes time consuming and cumbersome. In this talk I will introduce an extendable, and scalable web framework called Mobile Security Framework (https://github.com/ajinabraham/YSO-Mobile-Security-Framework) for Security analysis of Mobile Applications. Mobile Security Framework is an intelligent and automated open source mobile application (Android/iOS) pentesting and binary/code analysis framework capable of performing static and dynamic analysis. It supports Android and iOS binaries as well as zipped source code. During the presentation, I will demonstrates some of the issues identified by the tool in real world android applications. The latest Dynamic Analyzer module will be released at OWASP AppSec. Attendees Benefits * An Open Source framework for Automated Mobile Security Assessment. * One Click Report Generation and Security Assessment. * Framework can be deployed at your own environment so that you have complete control of the data. The data/report stays within the organisation and nothing is stored in the cloud. * Supports both Android and iOS Applications. * Semi Automatic Dynamic Analyzer for intelligent application logic based (whitebox) security assessment.
These slides were presented at GDG MeetUp in Bangalore which was held on 21st September 2013. Uploading the slides to help the people who wanted the slide Deck
This slide deck covers the automated & manual static code discovery of Android Application using opensource tools, Reverse engineering of apk file and Secure code review
The OWASP Mobile Top 10 is a nice start for any developer or a security professional, but the road is still ahead and there is so much to do to destroy most of the possible doors that hackers can use to find out about app’s vulnerabilities. We look forward to the OWASP to continue their work, but let’s not stay on the sidelines!
View on-demand: https://wso2.com/library/webinars/api-security-best-practices-and-guidelines/
Modern enterprises are increasingly adopting APIs, exceeding all predictions. With more businesses investing in microservices and the increased consumption of cloud APIs, you need to secure beyond just a handful of well-known APIs. You will need to secure a higher number of internal and external endpoints.
At the same time, security itself is a broad area and vendors implement a number of seemingly similar standards and patterns, making it very difficult for consumers to settle on the best option for securing APIs. The sheer number of options can be very confusing.
There is much to learn about API security, regardless of whether you are a novice or expert and it’s extremely important that you do because security is an integral part of any development project, including API ecosystems.
This webinar will deep-dive into the importance of API security, API security patterns, and how identity and access management (IAM) fit in the ecosystem.
DURING THE WEBINAR, WE WILL COVER:
Managed APIs
OAuth 2.0 and API security patterns
Introduction to WSO2 Identity Server
How we align with OWASP API security guidelines
OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham
Samsung’s first Tizen-based devices are set to launch in the middle of 2015. This paper presents the research outcome on the security analysis of Tizen OS and it’s underlying security architecture. The paper begins with a quick introduction to Tizen architecture and explains the various components of Tizen OS. This will be followed by Tizen’s security model where application sandboxing and resource access control will be explained. Moving on, an overview of Tizen’s Content Security Framework which acts as an in-built malware detection API will be covered.
Various vulnerabilities in Tizen will be discussed including issues like Tizen WebKit2 address spoofing and content injection, Tizen WebKit CSP bypass and issues in Tizen’s memory protection (ASLR and DEP).
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017Philippe Gamache
OWASP Top 10 Proactive Controls 2016
Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure worldwide. As our digital, global infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems.
The goal of the OWASP Top 10 Proactive Controls project is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of. We encourage you to use the OWASP Proactive Controls to get your developers started with application security. Developers can learn from the mistakes of other organizations.
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure worldwide. As our digital, global infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems.
The goal of the OWASP Top 10 Proactive Controls project is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of. We encourage you to use the OWASP Proactive Controls to get your developers started with application security. Developers can learn from the mistakes of other organizations.
Best online js training institute in chandigarh andshubhamrana767862
The best online js training institute in chandigarh ,Here you can learn all the coding languages easily, We provide online &offline classes,
100% job placement,certified by google.
WHY: Why do we need to care about mobility, management and security. WHAT: What cloud-based solutions are available from Samsung to support your mobility needs. HOW: How does this work? How can you start using the solutions?
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
Dominic Chell presents "Breaking Secure Mobile Applications" at Hack In The Box 2014.
This presentation details common vulnerabilities that can be found in supposedly secure applications, including BYOD and MDM apps. It also provides an overview of the binary protections that can be implemented to complicate these types of attacks.
Best online js training institute in chandigarh and convertedshubhamrana767862
The best online js training institute in chandigarh ,Here you can learn all the coding languages easily, We provide online &offline classes,
100% job placement,certified by google.
Security as a top of mind issue for mobile application developmentȘtefan Popa
Mobile technologies bring to life new capabilities and opportunities for consumers all around the world. However, the advent of mobile has also resulted in new points of attack for hackers. This presentation it's about how to assess security vulnerabilities in the development process, and how to deliver high-performing applications that provide functionality with security in mind.
AWS Security Best Practices, SaaS and ComplianceGaurav "GP" Pal
As more SaaS businesses come online it is critical they follow security architecture and operational best practices. The changing regulatory framework from agencies such as SEC, FTC and other agencies requires SaaS companies to implement security best practices.
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
Acetabularia Information For Class 9 .docxvaibhavrinwa19
Acetabularia acetabulum is a single-celled green alga that in its vegetative state is morphologically differentiated into a basal rhizoid and an axially elongated stalk, which bears whorls of branching hairs. The single diploid nucleus resides in the rhizoid.
Honest Reviews of Tim Han LMA Course Program.pptxtimhan337
Personal development courses are widely available today, with each one promising life-changing outcomes. Tim Han’s Life Mastery Achievers (LMA) Course has drawn a lot of interest. In addition to offering my frank assessment of Success Insider’s LMA Course, this piece examines the course’s effects via a variety of Tim Han LMA course reviews and Success Insider comments.
Introduction to AI for Nonprofits with Tapp NetworkTechSoup
Dive into the world of AI! Experts Jon Hill and Tareq Monaur will guide you through AI's role in enhancing nonprofit websites and basic marketing strategies, making it easy to understand and apply.
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
Biological screening of herbal drugs: Introduction and Need for
Phyto-Pharmacological Screening, New Strategies for evaluating
Natural Products, In vitro evaluation techniques for Antioxidants, Antimicrobial and Anticancer drugs. In vivo evaluation techniques
for Anti-inflammatory, Antiulcer, Anticancer, Wound healing, Antidiabetic, Hepatoprotective, Cardio protective, Diuretics and
Antifertility, Toxicity studies as per OECD guidelines
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfTechSoup
In this webinar you will learn how your organization can access TechSoup's wide variety of product discount and donation programs. From hardware to software, we'll give you a tour of the tools available to help your nonprofit with productivity, collaboration, financial management, donor tracking, security, and more.
The Roman Empire A Historical Colossus.pdfkaushalkr1407
The Roman Empire, a vast and enduring power, stands as one of history's most remarkable civilizations, leaving an indelible imprint on the world. It emerged from the Roman Republic, transitioning into an imperial powerhouse under the leadership of Augustus Caesar in 27 BCE. This transformation marked the beginning of an era defined by unprecedented territorial expansion, architectural marvels, and profound cultural influence.
The empire's roots lie in the city of Rome, founded, according to legend, by Romulus in 753 BCE. Over centuries, Rome evolved from a small settlement to a formidable republic, characterized by a complex political system with elected officials and checks on power. However, internal strife, class conflicts, and military ambitions paved the way for the end of the Republic. Julius Caesar’s dictatorship and subsequent assassination in 44 BCE created a power vacuum, leading to a civil war. Octavian, later Augustus, emerged victorious, heralding the Roman Empire’s birth.
Under Augustus, the empire experienced the Pax Romana, a 200-year period of relative peace and stability. Augustus reformed the military, established efficient administrative systems, and initiated grand construction projects. The empire's borders expanded, encompassing territories from Britain to Egypt and from Spain to the Euphrates. Roman legions, renowned for their discipline and engineering prowess, secured and maintained these vast territories, building roads, fortifications, and cities that facilitated control and integration.
The Roman Empire’s society was hierarchical, with a rigid class system. At the top were the patricians, wealthy elites who held significant political power. Below them were the plebeians, free citizens with limited political influence, and the vast numbers of slaves who formed the backbone of the economy. The family unit was central, governed by the paterfamilias, the male head who held absolute authority.
Culturally, the Romans were eclectic, absorbing and adapting elements from the civilizations they encountered, particularly the Greeks. Roman art, literature, and philosophy reflected this synthesis, creating a rich cultural tapestry. Latin, the Roman language, became the lingua franca of the Western world, influencing numerous modern languages.
Roman architecture and engineering achievements were monumental. They perfected the arch, vault, and dome, constructing enduring structures like the Colosseum, Pantheon, and aqueducts. These engineering marvels not only showcased Roman ingenuity but also served practical purposes, from public entertainment to water supply.
Overview on Edible Vaccine: Pros & Cons with Mechanism
Android Pentesting
1.
2. ./ABOUT ME
• MOHAMMED ADAM
• INFORMATION SECURITY RESEARCHER
• SECURITY CONSULTANT AT CROSSBOW LABS
• FOSS ACTIVIST IN VGLUG (VILUPPURAM GNU/LINUX USERS GROUP)
• ACKNOWLEDGED BY TOP 50+ COMPANIES LIKE OPPO, NOKIA,
HONEYWELL, MCAFEE, VIRUS TOTAL, MASTERCARD, BITDEFENDER,
DELL TECHNOLOGIES, ASUS, INTEL, DUCKDUCKGO, CARBON BLACK
ETC IN BUG BOUNTIES.
3. ./AGENDA
• INTRODUCTION TO ANDROID PENETRATION TESTING
• REQUIREMENTS & TOOLS
• STATIC ANALYSIS - AUTOMATION & MANUAL TESTING
• DYNAMIC ANALYSIS - AUTOMATION & MANUAL TESTING
• DISCUSSION ON OWASP TOP 10 MOBILE 2016 VULNERABILITIES
4. ANDROID INTERNALS
• BASED ON LINUX KERNEL
• LATEST VERSION - ANDROID PIE
• ANDROID Q 10.0 ON THE WAY
• APPLICATION RUNS THROUGH DALVIK VM (DALVIK VIRTUAL
MACHINE)
• DALVIK VM RUNS EXECUTABLE FILES LIKE DEX (DALVIK
EXECUTABLE) OR APK FILES
• APK FILES ARE ZIPPED CONTENT OF RESOURCES, SIGNATURES,
CLASSES.DEX AND ANDROID MANIFEST.XML FILE.
5. ANDROID SECURITY MODEL
• APPLICATION ARE SANDBOXED (RUNS WITH DIFFERENT UID & GID)
• ZYGOTE SPAWNS A NEW PROCESS FOR EACH APPLICATION
• EACH APPLICATION RUNS WITH A SEPARATE INSTANCE OF DALVIK VM
• SPECIAL PERMISSIONS ARE PROVIDED TO ACCESS HARDWARE API'S
• PERMISSIONS ARE MENTIONED IN ANDROID MANIFEST.XML FILE.
6. ANDROID APPLICATION .APK
• JUST AN ARCHIVE !
• WRITTEN MAINLY IN JAVA & XML
• MULTIPLE ENTRY POINTS, SUCH AS ACTIVITY, SERVICES, INTENTS,
CONTENT PROVIDERS, ETC.
9. WHAT IS ADB ?
• ANDROID DEBUG BRIDGE (ADB) IS A COMMAND LINE TOOL THAT LETS YOU
COMMUNICATE WITH AN EMULATOR OR CONNECTED ANDROID DEVICE.
• ADB DEBUGGING - ADB DEVICES - ADB FORWARD - ADB KILL-SERVER
• WIRELESS - ADB CONNECT - ADB USB
• PACKAGE MANAGER - ADB INSTALL - ADB UNINSTALL- ADB SHELL PM LIST
PACKAGES - ADB SHELL PM PATH - ADB SHELL PM CLEAR
• NETWORK - ADB SHELL NETSTAT- ADB SHELL PING - ADB SHELL NETCFG - ADB
SHELL IP
• LOGCAT - ADB LOGCAT -ADB SHELL DUMPSYS - ADB SHELL DUMPSTATE
• REFERENCES - HTTP://ADBSHELL.COM/
10. STATIC ANALYSIS - MANUAL TESTING• REVERSE ENGINEERING ANDROID APPLICATIONS
• THE UNZIP UTILITY CAN BE USED TO EXTRACT FILES THAT ARE
STORED INSIDE THE APK.
11. APKTOOL
• APKTOOL - A TOOL FOR REVERSE ENGINEERING 3RD PARTY,
CLOSED, BINARY ANDROID APPS. IT CAN DECODE
RESOURCES TO NEARLY ORIGINAL FORM AND REBUILD
THEM AFTER MAKING SOME MODIFICATIONS.
• DISASSEMBLING ANDROID APK FILE
APKTOOL D <APK FILE>
12. EVERY APK CONTAINS
THE FOLLOWING FILES:
• ANDROIDMANIFEST.XML -
DEFINES THE PERMISSIONS OF
THE APPLICATION
• CLASSES.DEX - CONTAINS ALL
THE JAVA CLASS FILES
• RESOURCES.ARSC - CONTAINS
ALL THE META-INFORMATION
ABOUT THE RESOURCES AND
NODES
17. ANDROID MANIFEST.XML OMG!
• ANDROID:EXPORTED="TRUE" IN <PROVIDER> WILL TURN INTO A
NIGHTMARE!
• BTW BY DEFAULT IT IS "TRUE" IF EITHER ANDROID:MINSDKVERSION
OR ANDROID:TARGETSDKVERSION TO "16" OR LOWER.
• FOR APPLICATIONS THAT SET EITHER OF THESE ATTRIBUTES TO "17"
OR HIGHER, THE DEFAULT IS "FALSE"
18. DEBUG MODE
• THE DEBUG TAG DEFINES WHETHER THE APPLICATION CAN BE
DEBUGGED OR NOT. IF THE APPLICATION CAN BE DEBUGGED THEN IT
CAN PROVIDE PLENTY OF INFORMATION TO AN ATTACKER.
<APPLICATION
ANDROID:DEBUGGABLE="FALSE"
</APPLICATION>
19. BACKUP FLAG
• THIS SETTING DEFINES WHETHER APPLICATION DATA CAN BE BACKED
UP AND RESTORED BY A USER WHO HAS ENABLED USB DEBUGGING.
THEREFORE APPLICATIONS THAT HANDLE AND STORE SENSITIVE
INFORMATION SUCH AS CARD DETAILS, PASSWORDS ETC.
<APPLICATION
ANDROID:ALLOWBACKUP="FALSE"
</APPLICATION>
20. EXTERNAL STORAGE
• APPLICATIONS THAT HAVE THE PERMISSION TO COPY DATA TO
EXTERNAL STORAGE SHOULD BE REVIEWED TO ENSURE THAT NO
SENSITIVE INFORMATION IS STORED.
• <USES-PERMISSION
ANDROID:NAME="ANDROID.PERMISSION.WRITE_EXTERNAL_STORAGE"/>
21. ANDROID:PROTECTIONLEVEL
• THE ANDROID:PROTECTIONLEVEL ATTRIBUTE DEFINES THE PROCEDURE THAT THE SYSTEM SHOULD
FOLLOW BEFORE GRANTS THE PERMISSION TO THE APPLICATION THAT HAS REQUESTED IT. THERE
ARE FOUR VALUES THAT CAN BE USED WITH THIS ATTRIBUTE:
• NORMAL – DANGEROUS – SIGNATURE – SIGNATURE OR SYSTEM
• ALL THE PERMISSIONS THAT THE APPLICATION REQUESTS SHOULD BE REVIEWED TO ENSURE THAT
THEY DON’T INTRODUCE A SECURITY RISK.
<PERMISSION>
ANDROID:PROTECTIONLEVEL="SIGNATURE"
</PERMISSION>
22. INTENTS
• INTENTS CAN BE USED TO LAUNCH AN ACTIVITY, TO SEND IT TO ANY
INTERESTED BROADCAST RECEIVER COMPONENTS, AND TO
COMMUNICATE WITH A BACKGROUND SERVICE. INTENTS MESSAGES
SHOULD BE REVIEWED TO ENSURE THAT THEY DOESN’T CONTAIN ANY
SENSITIVE INFORMATION THAT COULD BE INTERCEPTED.
<INTENT-FILTER>
<ACTION ANDROID:NAME="STRING" />
<CATEGORY ANDROID:NAME="STRING" />
</INTENT-FILTER>
23. CLASSES DEX
• THE CLASSES.DEX
FILE CONTAINS ALL
THE JAVA CLASSES
OF THE APPLICATION
AND IT CAN BE
DISASSEMBLED WITH
BAKSMALI TOOL TO
RETRIEVE THE JAVA
SOURCE CODE.
25. TO READ JAR FILE
– USE JDGUI
• IN JDGUI, FILE->
OPEN THE
FILE/DIRECTORY
WHERE JAR FILE IS
PRESENTED
26. ANDROID WEBVIEW VULNERABILITIES
• WEBVIEWS ARE USED IN ANDROID APPLICATIONS TO LOAD CONTENT
AND HTML PAGES WITHIN THE APPLICATION. DUE TO THIS
FUNCTIONALITY THE IMPLEMENTATION OF WEBVIEW IT MUST BE
SECURE IN ORDER NOT TO INTRODUCE THE APPLICATION TO GREAT
RISK.
27. LOADING CLEAR-TEXT CONTENT
• IF WEBVIEW IS ALLOWING TO LOAD CLEAR-TEXT CONTENT FROM THE
INTERNET THEN IT WOULD BE OPEN TO VARIOUS FORMS OF ATTACK
SUCH AS MITM.
• MYWEBVIEW.LOADURL("HTTP://WWW.DROIDSEC.ORG/TESTS/ADDJSIF/");
28. SSL ERROR HANDLING
• THE CODE BELOW INSTRUCTS THE WEBVIEW CLIENT TO PROCEED WHEN AN SSL ERROR OCCUR. THIS
MEANS THAT THE APPLICATION IS VULNERABLE TO MITM ATTACKS AS IT COULD ALLOW AN
ATTACKER TO READ OR MODIFY CONTENT THAT IS DISPLAYED TO THE USER SINCE ANY CERTIFICATE
WOULD BE ACCEPTED BY THE APPLICATION.
@OVERRIDE
PUBLIC VOID ONRECEIVEDSSLERROR(WEBVIEW VIEW, SSLERRORHANDLER HANDLER,
SSLERROR ERROR)
{
HANDLER.PROCEED();
}
29. JAVASCRIPT ENABLED
• ALLOWING JAVASCRIPT CONTENT TO BE EXECUTED WITHIN THE
APPLICATION VIA WEBVIEW MIGHT GIVE THE OPPORTUNITY TO AN
ATTACKER TO EXECUTE ARBITRARY JAVASCRIPT CODE IN ORDER TO
PERFORM MALICIOUS ACTIONS. THIS SETTING ALLOW WEBVIEW TO
EXECUTE JAVASCRIPT CODE.
WEBSETTINGS WEBSETTINGS = MYWEBVIEW.GETSETTINGS();
WEBSETTINGS.SETJAVASCRIPTENABLED(TRUE);
30. ACCESSING LOCAL RESOURCES
• IF THE WEBVIEW IS ALLOWING TO ACCESS CONTENT FROM OTHER
APPLICATIONS THAT EXIST ON THE SAME DEVICE THEN IT COULD BE
POSSIBLE FOR AN ATTACKER TO CREATE A MALICIOUS HTML FILE
THAT COULD BE INJECTED INSIDE THE TARGET APPLICATION
THROUGH THE USE FILE:SCHEME. IN ORDER FOR THIS MALICIOUS FILE
TO BE LOADED NEEDS TO HAVE WORLD READABLE PERMISSIONS.
31. ANDROID CODING BEST PRACTICES
• FOLLOW -> HTTPS://DEVELOPER.ANDROID.COM/GUIDE/PRACTICES/COMPATIBILITY
• TOP 10 MOBILE RISKS OWASP 2016 –
HTTPS://WWW.OWASP.ORG/INDEX.PHP/MOBILE_TOP_10_2016-TOP_10
• HTTPS://WIKI.SEI.CMU.EDU/CONFLUENCE/DISPLAY/ANDROID/DRD02-
J.+DO+NOT+ALLOW+WEBVIEW+TO+ACCESS+SENSITIVE+LOCAL+RESOURCE+THROU
GH+FILE+SCHEME
• HTTPS://LABS.MWRINFOSECURITY.COM/BLOG/WEBVIEW-
ADDJAVASCRIPTINTERFACE-REMOTE-CODE-EXECUTION/
• HTTPS://WWW.RAPID7.COM/DB/MODULES/EXPLOIT/ANDROID/BROWSER/WEBVIEW_AD
DJAVASCRIPTINTERFACE
33. INTERCEPTING MOBILE APP
TRAFFIC USING BURPSUITE
• TO CONFIGURE THE PROXY GO
TO SETTINGS. A SCREEN
SOMETHING LIKE THE BELOW
ONE WILL COME UP. SELECT
“MORE”.
36. INTERCEPTING MOBILE APP TRAFFIC USING
BURPSUITE
• NO, THERE MUST BE A MOBILE NETWORK ALREADY CONFIGURED, AND
THE NAME OF THE NETWORK WILL BE “TELKILA”, AS SHOWN IN THE
IMAGE BELOW. CHOOSE THIS NETWORK.
37. INTERCEPTING MOBILE APP
TRAFFIC USING BURPSUITE
• PUT THE IP ADDRESS OF YOUR
INTERFACE WHERE YOU WILL BE
LISTENING THE TRAFFIC, I.E. WHERE
YOU WILL RUN BURP. DOWN TO THAT,
PUT THE PORT NUMBER ON WHICH
YOU WANT TO LISTEN. BY DEFAULT
IT’S 8080 IN BURP, BUT FEEL FREE
TO CHANGE IT, JUST MAKE SURE
YOU HAVE SAME PORT NUMBER
CONFIGURED AT BOTH END POINTS.
38. INTERCEPTING MOBILE
APP TRAFFIC USING
BURPSUITE
• NOW IN BURPSUITE,
GO TO THE “PROXY”
TAB, SELECT THE
“OPTIONS” TAB.
SELECT THE DEFAULT
CONFIGURED
INTERFACE, AND
CLICK ON “EDIT”.
41. SSL PINNING BYPASS
• REQUIRED TOOLS
FOR SSL PINNING
BYPASS
• ROOTED MOBILE
• SSLUNPINNING APK
• XPOSED
FRAMEWORK &
XPOSED INSTALLER
APK FOR SPECIFIC
MOBILE (DEPENDS ON
SDK)
42. DROZER – GAME CHANGER TOOL
FOR ANDROID APP PT
• CONNECTING DROZER TO THE MOBILE
DEVICE
• CONNECT YOUR MOBILE DEVICE TO YOUR
COMPUTER USING A USB CABLE;
• OPEN DROZER AGENT APPLICATION ON
YOUR MOBILE DEVICE AND CLICK THE ON
BUTTON FROM THE BOTTOM-RIGHT;
43. DROZER – CONT.
• USE ADB.EXE TO OPEN A TCP SOCKET
BETWEEN YOUR COMPUTER AND THE
SERVER EMBEDDED IN DROZER
AGENT:
• ADB.EXE FORWARD TCP:31415
TCP:31415
• GO TO THE FOLDER WHERE YOU
INSTALLED DROZER AND CONNECT
TO THE MOBILE DEVICE:
• DROZER CONSOLE CONNECT
44. STARTING AN ACTIVITY
FROM ANOTHER
PACKAGE
• OK, NOW WE HAVE AN
INTERACTIVE DROZER
CONSOLE. WHAT CAN WE
DO? LET’S START AN
ACTIVITY, COMMAND BY
COMMAND:
• LIST, WILL DISPLAY A LIST OF
COMMANDS AVAILABLE IN
DROZER
45. FIND A LIST OF PACKAGES
• RUN APP.PACKAGE.LIST -F FIREFOX TO FIND A LIST OF PACKAGES
THAT CONTAIN THE STRING “FIREFOX”; WE
FOUND ORG.MOZILLA.FIREFOX.
46. IDENTIFY THE ATTACK SURFACE FOR OUR
APPLICATION
• RUN APP.PACKAGE.ATTACKSURFACE ORG.MOZILLA.FIREFOX TO
IDENTIFY THE ATTACK SURFACE FOR OUR APPLICATION; WE FOUND
113 EXPORTED ACTIVITIES, 12 EXPORTED BROADCAST RECEIVERS, 8
EXPORTED CONTENT PROVIDERS AND 1 EXPORTED SERVICE; THIS IS A
GOOD EXAMPLE OF A BIG ATTACK SURFACE.
49. LIST THE EXPORTED
ACTIVITIES
• RUN APP.ACTIVITY.INFO -A
ORG.MOZILLA.FIREFOX TO
LIST THE EXPORTED
ACTIVITIES; WE CAN SEE
THAT THERE IS AN
EXPORTED ACTIVITY
NAMED ORG.MOZILLA.FIR
EFOX.APP THAT DOES NOT
REQUIRE ANY
PERMISSION TO BE
STARTED.
50. LIST OF VULNERABLE ANDROID APPLICATIONS
• DAMN VULNERABLE HYBRID MOBILE APPLICATION
• ANDROID DIGITAL BANK
• DAMN INSECURE AND VULNERABLE APPLICATION
• HACKME BANK
• INSECURE BANK
• DAMN VULNERABLE ANDROID APPLICATION
• OWASP GOATDROID
• DODO VULNERABLE BANK