Droidcon Berlin, profile picture
Uploaded byDroidcon Berlin
PDF, PPTX1,111 views

Mwri security testing-android-with-mercury-2013-04-02

This document summarizes Daniel Bradberry's presentation on using the Mercury security assessment framework to test Android application security. It introduces Bradberry as the head of security tools development at MWR. The presentation covers Android security concepts like sandboxes and inter-process communication (IPC), common Android vulnerabilities, and how Mercury allows dynamic analysis of Android apps to identify vulnerabilities without debugging. It concludes with a demonstration of Mercury finding vulnerabilities in a sample Android password manager app.

Embed presentation

Download as PDF, PPTX
Security Testing Android with Mercury Daniel Bradberry 9th April 2013
Who is this guy? Daniel Bradberry Head of Security Tools Development at MWR We build tools for security assessment and assurance.
Agenda • Introduction • Android (In)Security • Mercury • Performing an Assessment • Summary
Android Security • Code runs in a Dalvik VM • Apps are constrained by a “Sandbox”: – one Unix user per app – granular permissions. • Apps interact through Inter-Process Communication (IPC)
Android Insecurity • ‘Normal’ Coding Issues • Use of Native Code • Use of the SD Card • Misuse of IPC • Apps shipped with Debugging enabled
Android IPC • Apps export features to share: com.ex.app1 – activities – broadcast receivers – content providers Binder – services • The ‘Binder’ routes com.ex.app2 messages between apps.
Android IPC <activity android:name=“.MainActivity” android:exported=“true”> <intent-filter> <action name="android.search.action.MAIN" /> <category name="android.intent.category .LAUNCHER" /> </intent-filter> </activity>
Tools to Help • adb • aapt • Custom Scripts • Decompilers
Mercury Security Assessment Framework for Android • Dynamic Analysis • Rapid Iteration • Does not require debugging • Can be used over the Internet
mwr.to/mercury
How it Works • Agent – single permission Mobile Android app Agent Device – runs on your device or emulator. • Console – command-line interface to interact with the Console PC Agent – runs on your PC.
Performing an Assessment Investigate Identify the Find Potential Exploit Attack Surface Vulnerabilities Attack Vectors
Let’s Do It! • Sieve is a Password Manager • It’s installed in an Android 4.1.2 emulator, along with the Mercury Agent.
Demo Time
Summary • We seem to have largely forgotten security when developing Android apps. • These vulnerabilities expose our users and businesses to risk. • We can use Mercury to discover all sorts of Android vulnerabilities.
mwr.to/mercury Questions? @droidhg
Mwri security testing-android-with-mercury-2013-04-02

More Related Content

PPTX
Humla workshop on Android Security Testing - null Singapore
byn|u - The Open Security Community
 
PDF
Andriod Pentesting and Malware Analysis
byn|u - The Open Security Community
 
PPTX
Android Security
byArqum Ahmad
 
PDF
Android Security
byLars Jacobs
 
PDF
Android Security
byMehrnaz Amoon
 
PDF
Android Security & Penetration Testing
bySubho Halder
 
PDF
2015.04.24 Updated > Android Security Development - Part 1: App Development
byCheng-Yi Yu
 
PDF
Android security - an enterprise perspective
byPietro F. Maggi
 
Humla workshop on Android Security Testing - null Singapore
byn|u - The Open Security Community
 
Andriod Pentesting and Malware Analysis
byn|u - The Open Security Community
 
Android Security
byArqum Ahmad
 
Android Security
byLars Jacobs
 
Android Security
byMehrnaz Amoon
 
Android Security & Penetration Testing
bySubho Halder
 
2015.04.24 Updated > Android Security Development - Part 1: App Development
byCheng-Yi Yu
 
Android security - an enterprise perspective
byPietro F. Maggi
 

What's hot

PPTX
Pentesting Android Applications
byCláudio André
 
PDF
CNIT 128 6. Analyzing Android Applications (Part 1)
bySam Bowne
 
PPTX
Mobile application security
byShubhneet Goel
 
PDF
Mobile application security tools
byQTMContent
 
PDF
6. Analyzing Android Applications Part 2
bySam Bowne
 
PDF
CNIT 128 6. Analyzing Android Applications (Part 3)
bySam Bowne
 
PPTX
Hacker Halted 2014 - Reverse Engineering the Android OS
byEC-Council
 
PPTX
Understanding android security model
byPragati Rai
 
ODP
Mobile App Security Testing -2
byKrisshhna Daasaarii
 
PPTX
Permission in Android Security: Threats and solution
byTandhy Simanjuntak
 
PDF
Is My App Secure ?
byHerman Duarte
 
PPTX
Mind the gap
byPietro F. Maggi
 
PPTX
[Wroclaw #2] iOS Security - 101
byOWASP
 
PDF
CNIT 128 7. Attacking Android Applications (Part 2)
bySam Bowne
 
PPT
Understanding Android Security
byAsanka Dilruk
 
PDF
Increasing DevSecOps Maturity Level in 2021
byAlexandre Rebert
 
PDF
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
byWhiteSource
 
PPTX
Whats different in android L, M, N and O
byPietro F. Maggi
 
PDF
Android Security Development
byhackstuff
 
PDF
Testing Android Security Codemotion Amsterdam edition
byJose Manuel Ortega Candel
 
Pentesting Android Applications
byCláudio André
 
CNIT 128 6. Analyzing Android Applications (Part 1)
bySam Bowne
 
Mobile application security
byShubhneet Goel
 
Mobile application security tools
byQTMContent
 
6. Analyzing Android Applications Part 2
bySam Bowne
 
CNIT 128 6. Analyzing Android Applications (Part 3)
bySam Bowne
 
Hacker Halted 2014 - Reverse Engineering the Android OS
byEC-Council
 
Understanding android security model
byPragati Rai
 
Mobile App Security Testing -2
byKrisshhna Daasaarii
 
Permission in Android Security: Threats and solution
byTandhy Simanjuntak
 
Is My App Secure ?
byHerman Duarte
 
Mind the gap
byPietro F. Maggi
 
[Wroclaw #2] iOS Security - 101
byOWASP
 
CNIT 128 7. Attacking Android Applications (Part 2)
bySam Bowne
 
Understanding Android Security
byAsanka Dilruk
 
Increasing DevSecOps Maturity Level in 2021
byAlexandre Rebert
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
byWhiteSource
 
Whats different in android L, M, N and O
byPietro F. Maggi
 
Android Security Development
byhackstuff
 
Testing Android Security Codemotion Amsterdam edition
byJose Manuel Ortega Candel
 

Similar to Mwri security testing-android-with-mercury-2013-04-02

PDF
Deep Dive Into Android Security
byMarakana Inc.
 
PDF
I haz you and pwn your maal
byc0c0n - International Cyber Security and Policing Conference
 
PPTX
Android village @nullcon 2012
byhakersinfo
 
PPTX
Mobile security
bypriyanka pandey
 
PDF
7. Attacking Android Applications (Part 2)
bySam Bowne
 
PPTX
Android pentesting
byMykhailo Antonishyn
 
PDF
Towards the methods of analysis malicious applications for Android
bySergey Staroletov
 
PPTX
Mobile platform security models
byPrachi Gulihar
 
PDF
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
byCanSecWest
 
PPTX
Security testing of mobile applications
byGTestClub
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
PDF
Reading Group Presentation: Why Eve and Mallory Love Android
byMichael Rushanan
 
PPTX
I haz you and pwn your maal
byHarsimran Walia
 
PDF
I haz you and pwn your maal whitepaper
byHarsimran Walia
 
PDF
Brief Tour about Android Security
byNational Cheng Kung University
 
PDF
Hacking your Droid (Aditya Gupta)
byClubHack
 
PDF
Hacking your Android (slides)
byJustin Hoang
 
PPTX
Untitled 1
bySergey Kochergan
 
PPT
Securely Deploying Android Device - ISSA (Ireland)
byAngelill0
 
PDF
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
byAbhinav Mishra
 
Deep Dive Into Android Security
byMarakana Inc.
 
I haz you and pwn your maal
byc0c0n - International Cyber Security and Policing Conference
 
Android village @nullcon 2012
byhakersinfo
 
Mobile security
bypriyanka pandey
 
7. Attacking Android Applications (Part 2)
bySam Bowne
 
Android pentesting
byMykhailo Antonishyn
 
Towards the methods of analysis malicious applications for Android
bySergey Staroletov
 
Mobile platform security models
byPrachi Gulihar
 
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
byCanSecWest
 
Security testing of mobile applications
byGTestClub
 
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
Reading Group Presentation: Why Eve and Mallory Love Android
byMichael Rushanan
 
I haz you and pwn your maal
byHarsimran Walia
 
I haz you and pwn your maal whitepaper
byHarsimran Walia
 
Brief Tour about Android Security
byNational Cheng Kung University
 
Hacking your Droid (Aditya Gupta)
byClubHack
 
Hacking your Android (slides)
byJustin Hoang
 
Untitled 1
bySergey Kochergan
 
Securely Deploying Android Device - ISSA (Ireland)
byAngelill0
 
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
byAbhinav Mishra
 

More from Droidcon Berlin

PDF
Tuning android for low ram devices
byDroidcon Berlin
 
PDF
Android industrial mobility
byDroidcon Berlin
 
PDF
Droidcon2013 security genes_trendmicro
byDroidcon Berlin
 
PDF
Froyo to kit kat two years developing & maintaining deliradio
byDroidcon Berlin
 
PDF
Testing and Building Android
byDroidcon Berlin
 
PDF
20140508 quantified self droidcon
byDroidcon Berlin
 
PDF
crashing in style
byDroidcon Berlin
 
PDF
Matchinguu droidcon presentation
byDroidcon Berlin
 
PDF
Droidcon de 2014 google cast
byDroidcon Berlin
 
PDF
Android programming -_pushing_the_limits
byDroidcon Berlin
 
PDF
Android open gl2_droidcon_2014
byDroidcon Berlin
 
PDF
Raspberry Pi
byDroidcon Berlin
 
PDF
Details matter in ux
byDroidcon Berlin
 
PDF
Raesch, gries droidcon 2014
byDroidcon Berlin
 
PDF
From sensor data_to_android_and_back
byDroidcon Berlin
 
PDF
5 tips of monetization
byDroidcon Berlin
 
PDF
new_age_graphics_android_x86
byDroidcon Berlin
 
PDF
droidparts
byDroidcon Berlin
 
PDF
The artofcalabash peterkrauss
byDroidcon Berlin
 
PDF
Cgm life sdk_droidcon_2014_v3
byDroidcon Berlin
 
Tuning android for low ram devices
byDroidcon Berlin
 
Android industrial mobility
byDroidcon Berlin
 
Droidcon2013 security genes_trendmicro
byDroidcon Berlin
 
Froyo to kit kat two years developing & maintaining deliradio
byDroidcon Berlin
 
Testing and Building Android
byDroidcon Berlin
 
20140508 quantified self droidcon
byDroidcon Berlin
 
crashing in style
byDroidcon Berlin
 
Matchinguu droidcon presentation
byDroidcon Berlin
 
Droidcon de 2014 google cast
byDroidcon Berlin
 
Android programming -_pushing_the_limits
byDroidcon Berlin
 
Android open gl2_droidcon_2014
byDroidcon Berlin
 
Raspberry Pi
byDroidcon Berlin
 
Details matter in ux
byDroidcon Berlin
 
Raesch, gries droidcon 2014
byDroidcon Berlin
 
From sensor data_to_android_and_back
byDroidcon Berlin
 
5 tips of monetization
byDroidcon Berlin
 
new_age_graphics_android_x86
byDroidcon Berlin
 
droidparts
byDroidcon Berlin
 
The artofcalabash peterkrauss
byDroidcon Berlin
 
Cgm life sdk_droidcon_2014_v3
byDroidcon Berlin
 

Mwri security testing-android-with-mercury-2013-04-02

  • 1.
  • 2.
    Who is thisguy? Daniel Bradberry Head of Security Tools Development at MWR We build tools for security assessment and assurance.
  • 3.
    Agenda • Introduction • Android (In)Security • Mercury • Performing an Assessment • Summary
  • 4.
    Android Security • Coderuns in a Dalvik VM • Apps are constrained by a “Sandbox”: – one Unix user per app – granular permissions. • Apps interact through Inter-Process Communication (IPC)
  • 5.
    Android Insecurity • ‘Normal’ Coding Issues • Use of Native Code • Use of the SD Card • Misuse of IPC • Apps shipped with Debugging enabled
  • 6.
    Android IPC • Appsexport features to share: com.ex.app1 – activities – broadcast receivers – content providers Binder – services • The ‘Binder’ routes com.ex.app2 messages between apps.
  • 7.
    Android IPC <activity android:name=“.MainActivity” android:exported=“true”> <intent-filter> <action name="android.search.action.MAIN" /> <category name="android.intent.category .LAUNCHER" /> </intent-filter> </activity>
  • 8.
    Tools to Help • adb • aapt • Custom Scripts • Decompilers
  • 9.
    Mercury Security Assessment Framework forAndroid • Dynamic Analysis • Rapid Iteration • Does not require debugging • Can be used over the Internet
  • 10.
  • 11.
    How it Works •Agent – single permission Mobile Android app Agent Device – runs on your device or emulator. • Console – command-line interface to interact with the Console PC Agent – runs on your PC.
  • 12.
    Performing an Assessment Investigate Identify the Find Potential Exploit Attack Surface Vulnerabilities Attack Vectors
  • 13.
    Let’s Do It! •Sieve is a Password Manager • It’s installed in an Android 4.1.2 emulator, along with the Mercury Agent.
  • 14.
  • 15.
    Summary • We seemto have largely forgotten security when developing Android apps. • These vulnerabilities expose our users and businesses to risk. • We can use Mercury to discover all sorts of Android vulnerabilities.
  • 16.