Mobile security part 1(Android Apps Pentesting)- Romansh yadav

Mobile
Security
part-1
Android
apps
Pen testing
Null Mumbai
PuliyaWorkshop
25 November
2017
RomanshYadav
copyright 2017 | Romansh Yadav | All right reserved.

Content
Copyright 2017 | Romansh Yadav | All right reserved.
What is mobile
Security
Types of mobile
security
what is Android
Android
architecture
Process of app
development.
Android apps file
structure.
Tools for the app
pen testing setup a lab owasp top 10
Power of Drozer MobSF

The power of
smart phone
.
• Smartphones have change our life.As IOT is coming the
number of smartphone uses will increased.
• Smartphone is like our new part of body.
• Company know the next market of business will be IOT
devices.
• Here mobile apps play a great role.
• You need to make sure you customer can use your
mobile apps with confidence.

What is mobile security
• Mobile application security testing can help ensure there aren’t any
loopholes in the software that may cause data loss.
• The sets of tests are meant to attack the app to identify possible
threats and vulnerabilities that would allow external persons or
systems to access private information stored on the mobile device.

Types of mobile apps security testing
• Static mobile apps security testing.
• Dynamic mobile apps security testing.

Static mobile apps security testing
• In the static mobile apps security testing ,we do testing when the code is in
rest mode.
• We review the source code and check hashing algorithm used in the code.
• We analysis the manifest.xml file.

Dynamic mobile apps security testing
• In the dynamic testing we do testing when the app is running or we can say
at the run time label.
• We analysis the flow and try to call the activity and many more .

Platform
for mobile
security
testing
Android Windows iOS Blackberry etc

What is Android
•Android is an operating system
bought by google in 2005.
•Originally developed by Andy
Rubin, Rich Miner, Nick Sears, and
Chris White at Android Inc.
•It is based on Linux kernel.
•Ore0 upcoming android version 8.1

Android architecture
• Application
• Application framework
• Libraries
• Android Runtime
• Hardware abstraction Layer
• Linux Kernel

Application
Layer
•Android app are written in
java programming language.
•Java compiler convert java
code into .class file or byte
code
•The dex tool converts the .class
files to Dalvik byte code. Any 3rd
party libraries and .class files that
you have included in your project
are also converted into .dex files
so that they can be packaged
into the final .apk file.

• All non-compiled resources (such
as images), compiled resources,
and the .dex files are sent to the
apkbuilder tool to be packaged
into an .apk file.
• Once the .apk is built, it must be
signed with either a debug or
release key before it can be
installed to a device.

Application
Framework
• The Application Framework layer provides many higher-
level services to applications in the form of Java classes.
Application developers are allowed to make use of these
services in their applications

Libraries
• The libraries shown in the image are very necessary
without which application will not run likeWebkit library
is used for browsing the web , SQLite library is used for
maintaining SQL database and so on.

Dalvik virtual
Machine
• DalvikVirtual Machine is to execute application written
for Android . Each app running in the Android Device has
its own DalvikVirtual Machine.

Android runtime
• Android Runtime (ART) is a alternative to DalvikVirtual
Machine. New in ART is because of Ahead-of-time(AOT)
Compilation and Garbage Collection. InAhead-of-
time(AOT) Compilation ,android apps will be compiled
when user installs them on their device whereas in the
Dalvik used Just-in-time(JIT) compilation in which
bytecode are compiled when user runs the app.

Hardware abstraction Layer
• Hardware Abstraction Layer just gives Applications direct access to the
Hardware resources

Linux Kernel
Android is built up on the
Linux Kernel.
Linux Kernel provides basic
system functionality like
process management,
memory management,
device management like
camera, keypad, display etc
As a multiuser operating
system, a fundamental
security objective of the
Linux kernel is to isolate user
resources from one another.
Prevents userA from
reading user B’s files
Ensures that user A does not
exhaust user B’s memory
Ensures that user A does not
exhaust user B’s CPU
resources

Development tools
• An Integrated Development Environment (IDE) is a
software application that provides comprehensive
facilities to computer programmers for software
development
• A software development kit (SDK or devkit) is
typically a set of software development tools that
allows the creation of applications for a
certain software package, software framework,
hardware platform, computer system, video game
console, operating system, or similar development
platform.(wikipedia)
IDE
SDK

Developed an android app
Demo with Android Studio

Android file structure

AndroidManifest.xml File
• AndroidManifest.xml is the control file in every app.
• Every service, ContentProvider, activity, Broadcast Receiver need to be
mentioned in the AndroidManifest.xml file.
• We will explore this file in details in our testing module.

Component of android apps
• Activity
• Content Provider
• Services
• Broadcast Receiver

BasicTools for android apps
Pen testing
• Drozer(Best for dynamic)
• mobSF(Mobile security framework-Best for static)
• dex2jar
• Jd-gui
• A proxy tools like brup Suite or Zap
• Appie(set of many tools for windows)
• Santaku(an operating system for mobile apps pen testing like Kali)

Setup small Lab
• Download Genymotion with virtual machine and install.
• Download Appie(only for windows) tool kit and install.
• Drozer
• mobSF
• Alternative emulator nox

Vulnerable apps
• Sieve
• Diva.
• FourGoats.
• Herd-Financial.

Owasp top 10 -2014
for Mobile security

M1-weak server side
control

• A testing web server was setup to provide web service for mobile websites
to access. It demonstrated how weak server side controls would result in
unintended access of the web services.
• In order for this vulnerability to be exploited, the organization must expose
a web service orAPI call that is consumed by the mobile app.

• The exposed service or API call is implemented using insecure coding
techniques that produce an OWASPTopTen vulnerability within the server.
Through the mobile interface, an attacker is able to feed malicious inputs or
unexpected sequences of events to the vulnerable endpoint.

M2-Insecure data storage

• In this vulnerability developer stored data locally.
• By default, files that you create on internal storage are accessible only to
your app.This protection is implemented by Android and is sufficient for
most applications.

• But developers often use MODE_WORLD_READBALE &
MODE_WORLD_WRITABLE to provide those file to some application but
this doesn’t limit other apps(Malicious) from accessing them.
• Path for local storage- data/data/app-package-name/
• Many time it can be stored in external storage

Demo
• Let’s check data/data/app-package-name/ directory
• Let’s check either application is using any content provide with exported
permission.
• Let’s also check the external storage(sdcard)

M3-Insufficient transport
layer protection

• Transfer data from client to server in plain text.
• Now a days most application prefer to send data over Secure Channel to
prevent interception and leaking to an malicious user.
• We can check this kind of vulnerability by any proxy tool.
• We will use burpsuite.

• Now we are going to set a proxy in our android device/emulator to intercept
the traffic between application and the server. If you are using
Genymotionor Nox then go toWifi under Settings. TapWiredSSID for a
While and then tap on Modify Network.
• In proxy settings, choose manual then enter IP Address and port on which
Burp Suite is listening.
• Now device http traffic can be intercepted by Burp Suite.

For https traffic
• For https traffic we have to install the burp self sign certificate.
• Just type https://burp or https://ipwithlistinerport.
• Download certificate and go to security install from the sd card, give a name
with .cert extension.
• Go to trusted credential and look user tab, you will find a PortSwigger CA.

SSl Certificate Pinning
• It means hard-coding the certificate known to be used by the server in the
mobile application.The app can then ignore the device’s trust store and rely
on its own, and allow only SSL connections to hosts signed with certificates
stored inside the application.

Bypassing ssl certificate pinning
• There are two bypass SSL Certificate Pinning, first by changing the source
code and other by Android-SSL-Trust-Killer. Changing source code is
always a tedious Job, because every Application has it’s own
implementation of Encryption.

• We would instead take a simpler path for now, will install Android SSL-
Trust-Killer application in the android device which will bypass SSL
Certificate Pinning for nearly all application.
• Let’s do this.

M4-unintended data
leakage

• It also called Logging based vulnerability.
• When application accidently leaks the data.
• If an application crashes during runtime and it saves logs somewhere.

• Often Developers leave debugging information publicly. So any application
with READ_LOGS permission can access those logs and can gain sensitive
information through that.
• We can use logcat or pidcat for checking this kind of vulnerability.
• adb logcat pid or packagename

M5-poor authentication
and authorization

• After authentication on an Android Application , it shift to a new activity
which basically users are aware off. But developers keep those activities
exported and even without custom permissions.
• Example – directly start a after login activity without login
• Directly open OTP activity without card number and pin or cvs.
• Username enumeration via Reset password.

• run app.activity.start --component org.owasp.goatdroid.herdfinancial
org.owasp.goatdroid.herdfinancial.activities.Main

• In the authorization vulnerability we simply bypass the privilege, we can also
called it privilege escalation
• Horizontally -: normal user to normal user
• Vertical -: normal user to root user.

M6-Broken cryptography

• This kind of vulnerability occur when we hardcoded the sensitive
information like username, password.
• Managing Private key of any encryption algorithm.
• Using poor algorithm (RC4, MD4,SHA1).

.
• Jg-Gui and open up the StatmentDBHelper class.
• you can open UserInfoDBHelper class .
• You can see above that password for encrypting db files are stored in
HerdFinancial Application. Passwords
are hammer and havey0us33nb@seball . So anyone with HerdFinancial
Application can get password using reverse engineering and then decrypt
the content using those keys

M7-client side injection

• Sql injection-simple as we used in web application(Boolean based )
• JavaScript Injection: - If you have yourGoogle account attached to device
then you can use yourGoogle account in Android Browser without
authentication.
• Let’s see Diva input validation 1 example

• Mobile malware or other malicious apps may perform a binary attack
against the presentation layer (HTML, JavaScript, Cascading Style Sheets )
or the actual binary of the mobile app’s executable.These code injections
are executed either by the mobile app’s framework or the binary itself at
run-time

M8-security decision via
untrusted data

• Your mobile application can accept data from all kinds of sources. In most
cases this will be an Inter Process Communication (IPC) mechanism.
• Inter Process Communication happened with the help of the intent.
• intent is basically a message that is passed between components (such as
Activities, Services, Broadcast Receivers, and Content Providers)

To be simple Intent can be used for
• To start anActivity, typically opening a user interface for an app
• As broadcasts to inform the system and apps of changes
• To start, stop, and communicate with a background service
• To access data via ContentProviders
• As callbacks to handle events.

• run app.package.attacksurface com.mwr.example.sieve
• wecan see there are two exported Content Providers.
• run app.provider.finuri com.mwr.example.sieve
• So by using the app.provider.finduri modules we have found some of the
exported content provider URIs which can access by other apps installed on
the same devices.
• We can see that there are two similar URIS

• content://com.mwr.example.sieve.DBContentProvider/keys
• content://com.mwr.example.sieve.DBContentProvider/keys/
• run app.provider.query
content://com.mwr.example.sieve.DBContentProvider/keys
• We can also access the password’s saved in this Password Manager App by
query another exported URI.
• run app.provider.query
content://com.mwr.example.sieve.DBContentProvider/password

M9-Improper session
handling

• Session handling is very important part after authentication has been done.
• No session destruction at server side-
when user opt for logout then applications just send a null cookie that
session cookie is valid on server side and is not destroyed after user opted
for logout feature.
• Cookie not set as Secure
The secure flag is an option that can be set by the application server when
sending a new cookie to the user within an HTTP Response.

M10-Binary Protection

• Android Application are delivered through an .apk file format which an
adversary can reverse engineer it and can see all the code contained in it.
• D2j-dex2jar.
• Then open the jar file with jd-gui.
• Also attacker can also insert the malicious code, recompile it and deliver to
normal users.
• Let’s do a reverse shell demo.

The power of drozer
• Drozer is a framework forAndroid security assessments developed by MWR
Labs.
• It is one of the best Android security assessment tools available forAndroid
Security Assessments.
• https://www.mwrinfosecurity.com/products/drozer/community-edition/

• To start working with Drozer for your assessments, we need to connect the
Drozer console we have on the workstation and agent sitting on the
emulator.
• To do this, start the agent on your emulator and run the following command
to port forward. Make sure you are running the embedded server when
launching the agent.
• adb forward tcp:31415 tcp:31415
• Drozer console connect

mobSF

• https://github.com/MobSF/Mobile-Security-Framework-MobSF
• Python 2.7 –download and install
• Oracle JDK 1.7 or above
• c:python27python.exe -m pip install -r "pathrequirements.txt“
• c:python27python.exe "pathmanage.py“ runserver

• You can navigate to http://localhost:8000/ to access the MobSFWeb
interface.
• The pip command is a tool for installing and managing Python packages.

Mobile security part 1(Android Apps Pentesting)- Romansh yadav

More Related Content

What's hot

Similar to Mobile security part 1(Android Apps Pentesting)- Romansh yadav

Mobile security part 1(Android Apps Pentesting)- Romansh yadav