Pentesting Android Applications
@clviper
ca@integrity.pt
Cláudio André
whoami
Pentester at Integrity S.A.
Web applications, Mobile applications and Infrastructure.
BSc in Management Information Technology and OSCP.
Photography addict.
Up next...
- Environment Setup
- Tools Of The Trade
- App Analysis
- Developers Heads Up
Environment Setup
- Physical Equipment
- Android SDK Emulator
- Android x86
Environment Setup: Android x86
Hints:
- Mouse inside VM: Disable Mouse Integration (Host+i)
- Portrait resolution: edit /mnt/grub/menu.lst and insert UVESA_MODE=320X480 DPI=160
- Black screen (locked screen): ACPI Shutdown (Host+h)
- Android shell: Ctrl+F1 / Ctrl+F7
Environment Setup
- Root your device *
- Allow Unknown Sources (Settings -> Security)
- Install a proxy app (ProxyDroid, AutoProxy, etc.)
- Connect to your favourite proxy server (Burp Proxy, Fiddler, etc.)
* Physical approach only
Tools Of The Trade: Android SDK
Software Development Kit containing API libraries and developer tools to build, test and debug Android apps.
For our context, the most important ones are adb, aapt, ddms and the emulator.
http://developer.android.com/sdk/
Tools Of The Trade: Android Debug Bridge (ADB)
Command-line tool to communicate with an emulator instance or a connected physical/virtual device.
http://developer.android.com/sdk/
Useful commands:
adb devices
adb connect
adb shell
adb install
adb push | pull
.....
Tools Of The Trade: Dalvik Debug Monitor Server (DDMS)
Debugging tool that provides port forwarding, screen capture, heap dump, logcat, file manager and many other features.
http://developer.android.com/sdk/
Tools Of The Trade: QtADB
Android manager: file manager and applications manager, access to logs and shell, screenshots, etc.*
http://qtadb.wordpress.com/
* Requires aapt, which comes with the Android SDK.
Tools Of The Trade: QtADB
DEMO: http://youtu.be/H4ysZblviZg
Tools Of The Trade: dex2jar
Tool for converting the Android .dex format to the Java .class format.
https://code.google.com/p/dex2jar/
Tools Of The Trade: JD-GUI
Java decompiler with a GUI to display the Java source code of class files.
http://jd.benow.ca/
Tools Of The Trade: APKParser
Extracts a plain-text AndroidManifest.xml from an APK.
https://code.google.com/p/xml-apk-parser/
Tools Of The Trade: Introspy-Android + Introspy-Analyzer
Introspy-Android: tool to analyse app behaviour at runtime and help identify potential security issues.
Introspy-Analyzer: tool to generate HTML reports from the database generated by Introspy-Android.
https://github.com/iSECPartners/Introspy-Android
Tools Of The Trade: Android-SSL-TrustKiller
Tool to bypass SSL certificate pinning for most applications.*
https://github.com/iSECPartners/Android-SSL-TrustKiller
* Custom pinning implementations may need custom hooking.
Tools Of The Trade: Android-SSL-TrustKiller (Bypassing Pinning)
Hint: install Cydia Substrate + Android-SSL-TrustKiller.
To turn off SSL TrustKiller: steps #1 and #2 (screenshots).
Tools Of The Trade: Android-SSL-TrustKiller (Validate Pinning)
Hint: install the proxy server CA certificate on the device. Once the proxy CA is trusted, an app whose connections still fail through the proxy is pinning its certificate.
#1 Browse to the proxy server address and download the certificate.
#2 Open the file via File Manager.
#3 Save the certificate.
Tools Of The Trade: Android-SSL-TrustKiller
DEMO: http://youtu.be/8NwbmSI9OWo
Tools Of The Trade: Drozer (ex-Mercury)
Security testing framework, great for determining an app's attack surface and interacting with it.
https://www.mwrinfosecurity.com/products/drozer/
Tools Of The Trade: Drozer (ex-Mercury)
DEMO: http://youtu.be/KAWPfHLHO0Y
Tools Of The Trade: Burp Suite
Integrated platform for security testing of web applications. For our context the main interest is the Proxy functionality, used to intercept and inspect requests between the app and the backend.
http://portswigger.net/burp/
App Analysis: Android Environment Sandboxing
Each app runs in its own Dalvik instance, in its own process under its own Linux UID, with a private data directory (diagram: APP1 as process UID 10000 with /data/data/app1, APP2 as process UID 10001 with /data/data/app2).
App Analysis: Android Application Components
- Activities
- Services
- Broadcast Receivers
- Content Providers
App Analysis: Android Application Package File (.apk)
Zip archive containing Dalvik class files, assets, resources and AndroidManifest.xml.
Stored at /data/app.
App Analysis: AndroidManifest.xml
Presents information about the app to the system: describes the app components and defines permissions.
App Analysis: Shared Preferences
XML file with key-value pairs, used for app settings.
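As an added example (not code from the talk), the check a tester runs once the sandboxing and Shared Preferences slides are understood: a per-app UID only protects files whose 'other' permission bits are clear, so the script parses the `ls -l` listing of an app's shared_prefs directory and a preference XML pulled from it, flagging world-readable/world-writable files (MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE) and keys that hold plaintext secrets. Both inputs are constructed samples; the package name and key names are hypothetical.

```python
"""Audit an app's shared_prefs directory for world-accessible files and
plaintext secrets. Added example, not code from the talk. Inputs are the
`ls -l` listing and prefs XML a tester pulls over adb from
/data/data/<package>/shared_prefs on a rooted device; both are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed `ls -l` output in Android toolbox format:
# mode owner group size date time name (toybox adds a link count after mode).
SAMPLE_LISTING = """\
-rw-rw---- u0_a42   u0_a42        512 2014-03-05 10:12 settings.xml
-rw-rw-rw- u0_a42   u0_a42       1024 2014-03-05 10:12 session.xml
-rw-r--r-- u0_a42   u0_a42        300 2014-03-05 10:12 com.example.checkin_preferences.xml
"""

# Constructed SharedPreferences file (the XML key-value format the slide describes).
SAMPLE_PREFS = """\
<map>
    <string name="username">goat</string>
    <string name="password">s3cret</string>
    <string name="auth_token">tok-0123abcd</string>
    <boolean name="remember_me" value="true" />
    <int name="launch_count" value="7" />
    <string name="theme">dark</string>
</map>
"""

# Key names that usually hold something that should never sit in plaintext.
SENSITIVE_KEY = re.compile(r"pass|pwd|pin\b|secret|token|session|cred|api_?key|private", re.I)


def parse_listing(listing):
    """Parse `ls -l` lines into name + mode and decode the 'other' permission bits.
    A file any UID can read defeats the per-app UID sandbox (MODE_WORLD_READABLE)."""
    entries = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 7 or len(parts[0]) != 10:
            continue  # not a file line (blank, "total" line, etc.)
        mode, name = parts[0], parts[-1]
        entries.append({
            "name": name,
            "mode": mode,
            "world_readable": mode[7] == "r",   # rwx rwx rwx -> other read is index 7
            "world_writable": mode[8] == "w",   # other write is index 8
        })
    return entries


def find_sensitive_prefs(prefs_xml):
    """Return (key, type, value) for entries whose key name looks like a secret."""
    hits = []
    for entry in ET.fromstring(prefs_xml):
        key = entry.get("name", "")
        if not SENSITIVE_KEY.search(key):
            continue
        # <string> keeps its value as text; boolean/int/long/float use a value attribute
        value = entry.get("value") if entry.get("value") is not None else (entry.text or "")
        hits.append((key, entry.tag, value))
    return hits


def audit_shared_prefs(listing, prefs_by_file):
    """Combine both checks; prefs_by_file maps a file name to its pulled XML content."""
    report = []
    for entry in parse_listing(listing):
        issues = []
        if entry["world_readable"]:
            issues.append("world-readable (%s)" % entry["mode"])
        if entry["world_writable"]:
            issues.append("world-writable (%s)" % entry["mode"])
        for key, kind, _ in find_sensitive_prefs(prefs_by_file.get(entry["name"], "<map/>")):
            issues.append("plaintext %s in key '%s'" % (kind, key))
        if issues:
            report.append((entry["name"], issues))
    return report


if __name__ == "__main__":
    for name, issues in audit_shared_prefs(SAMPLE_LISTING, {"session.xml": SAMPLE_PREFS}):
        print(name)
        for issue in issues:
            print("  -", issue)
```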
App Analysis: SQLite Databases
Single-file relational database used to store application data and settings.
App Analysis: OWASP Top 10 Mobile Risks
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
. . . . . . . . .
App Analysis: GoatDroid
FourGoats is a location-based social network built for sharing everything about your life with everyone. Using FourGoats, you can check in at various places, earn loyalty rewards, and see what your friends are doing as well as where they are doing it.
FourGoats also provides an API to other applications to allow their users to share even more of their activities than ever before!
https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project
App Analysis: GoatDroid
DEMO: http://youtu.be/3DpLKK90oAY
DEMO: http://youtu.be/tAyLOn5ttFo
App Analysis: The Lost Art of Keeping a Secret
DEMO: http://youtu.be/QJF-pvpRSFE
Developers Heads Up
• Insecure Data Storage
- Shared Preferences without MODE_WORLD_READABLE.
- Sensitive information should not be stored. If it must be, it should be encrypted with a key derived from the user's password/PIN, not with hardcoded encryption keys. This is still vulnerable to offline brute force, so enforce a strong password policy.
• Insufficient Transport Layer Protection
- Apply SSL/TLS transport on the channels over which the app transmits sensitive information to the backend.
- Implement certificate pinning if very sensitive information is transmitted.
• Client Side Injection
- Only export components (Activities, Services, Broadcast Receivers, Content Providers) that make sense and that cannot bypass access controls and leak internal information.
• Lack of Binary Protection
- Obfuscate your code, at minimum with ProGuard. Don't make your attacker's life easier.
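The following is an added example (not code from the talk, Drozer or APKParser) that does statically what the Drozer demo does at runtime and what the "only export components that make sense" heads-up asks developers to review: it reads a plain-text AndroidManifest.xml, as APKParser extracts it, and lists the components other apps can reach, applying the platform's default export rules (explicit android:exported; implicit export when an intent-filter is present; content providers exported by default when minSdkVersion or targetSdkVersion is below 17). The manifest is a constructed sample with a hypothetical package name, not the GoatDroid manifest.

```python
"""Static inventory of an app's exported components from its AndroidManifest.xml.

Added example, not code from the talk, Drozer or APKParser. Input is the
plain-text manifest as APKParser extracts it; the sample below is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (hypothetical package name, not a real app).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.checkin">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
  <permission android:name="com.example.checkin.permission.ADMIN"
      android:protectionLevel="signature"/>
  <application android:label="Checkin" android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.checkin.permission.ADMIN"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".CheckinProvider"
        android:authorities="com.example.checkin.checkins"/>
  </application>
</manifest>
"""


def _attr(elem, name, default=None):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def is_exported(elem, min_sdk, target_sdk):
    """Default rules for android:exported when it is not set explicitly:
    providers are exported unless both minSdkVersion and targetSdkVersion are
    >= 17; any other component is exported only if it declares an intent-filter
    (the rule that held before Android 12 made the attribute mandatory)."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return min_sdk < 17 or target_sdk < 17
    return elem.find("intent-filter") is not None


def attack_surface(manifest_xml):
    """Return package, SDK levels, debuggable flag and every exported component
    with the permission (if any) guarding it and the intent actions it accepts."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    min_sdk = int(_attr(uses_sdk, "minSdkVersion", "1")) if uses_sdk is not None else 1
    # targetSdkVersion defaults to minSdkVersion when it is absent
    target_sdk = (int(_attr(uses_sdk, "targetSdkVersion", str(min_sdk)))
                  if uses_sdk is not None else min_sdk)
    app = root.find("application")
    exported = []
    for elem in app:
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem, min_sdk, target_sdk):
            continue
        exported.append({
            "type": elem.tag,
            "name": _attr(elem, "name"),
            "permission": _attr(elem, "permission"),
            "actions": [_attr(a, "name") for a in elem.iter("action")],
        })
    return {
        "package": root.get("package"),
        "min_sdk": min_sdk,
        "target_sdk": target_sdk,
        "debuggable": _attr(app, "debuggable", "false").lower() == "true",
        "exported": exported,
    }


def unguarded(report):
    """Exported components no permission protects: the first ones to probe with Drozer."""
    return [c["name"] for c in report["exported"] if c["permission"] is None]


if __name__ == "__main__":
    report = attack_surface(SAMPLE_MANIFEST)
    print("package:", report["package"], "targetSdk:", report["target_sdk"],
          "debuggable:", report["debuggable"])
    for c in report["exported"]:
        guard = c["permission"] or "NO PERMISSION"
        print("%-9s %-18s %-40s %s" % (c["type"], c["name"], guard, c["actions"]))
```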

Pentesting Android Applications

  • 2. whoami: Pentester at Integrity S.A. Web applications, mobile applications and infrastructure. BSc in Management Information Technology and OSCP. Photography addicted.
  • 3. Up next... Environment Setup; Tools Of The Trade; App Analysis; Developers Heads Up.
  • 4. Environment Setup: Physical Equipment; Android SDK Emulator; Android x86.
  • 5. Environment Setup, Android x86. Hint: Mouse inside VM: disable Mouse Integration (Host+i). Portrait resolution: edit /mnt/grub/menu.lst and insert UVESA_MODE=320X480 DPI=160. Black screen (locked screen): ACPI Shutdown (Host+h). Android shell: Ctrl+F1 / Ctrl+F7.
  • 6. Environment Setup: Root your device*; allow Unknown Sources (Settings -> Security); install a proxy app (ProxyDroid, AutoProxy, etc.); connect to your favorite proxy server (Burp Proxy, Fiddler, etc.). *Physical approach only.
  • 7. Tools Of The Trade, Android SDK: Software Development Kit containing API libraries and developer tools to build, test and debug Android apps. For our context, the more important ones are adb, aapt, ddms and the emulator. http://developer.android.com/sdk/
  • 8. Tools Of The Trade, Android Debug Bridge (ADB): Command-line tool to communicate with an emulator instance or a connected physical/virtual device. Useful commands: adb devices, adb connect, adb shell, adb install, adb push | pull, ... http://developer.android.com/sdk/
  • 9. Tools Of The Trade, Dalvik Debug Monitor Server (DDMS): Debugging tool that provides port forwarding, screen capture, heap dump, logcat, file manager and many other features. http://developer.android.com/sdk/
  • 10. Tools Of The Trade, QtADB: Android manager. File manager and applications manager, access to logs and shell, take screenshots, etc.* http://qtadb.wordpress.com/ *Requires aapt, which comes with the Android SDK.
  • 12. Tools Of The Trade, dex2jar: Tool for converting the .dex Android format to the .class Java format. https://code.google.com/p/dex2jar/
  • 13. Tools Of The Trade, JD-GUI: Java decompiler with a GUI to display the Java source code of class files. http://jd.benow.ca/
  • 14. Tools Of The Trade, APKParser: Extracts the plain-text AndroidManifest.xml from an APK. https://code.google.com/p/xml-apk-parser/
  • 15. Tools Of The Trade, Introspy-Android + Introspy-Analyser: Tool to analyse app behaviour at runtime and help identify potential security issues; Introspy-Analyser generates HTML reports from the database produced by Introspy-Android. https://github.com/iSECPartners/Introspy-Android
  • 16. Tools Of The Trade, Android-SSL-TrustKiller: Tool to bypass SSL certificate pinning for most applications.* https://github.com/iSECPartners/Android-SSL-TrustKiller *Custom pinning implementations may need custom hooking.
  • 17. Tools Of The Trade, Android-SSL-TrustKiller (Bypassing Pinning): Install Cydia Substrate + Android-SSL-TrustKiller. Hint: Turn off SSLTrustKiller: #1 #2.
  • 18. Tools Of The Trade, Validate Pinning: Proxy Server CA Certificate. Hint: #1 Browse to the proxy server address and download the certificate; #2 Open the file via File Manager; #3 Save Certificate.
  • 20. Tools Of The Trade, Drozer (ex-Mercury): Security testing framework, great for determining an app's attack surface and interacting with it. https://www.mwrinfosecurity.com/products/drozer/
  • 22. Tools Of The Trade, Burp Suite: Integrated platform for security testing of web applications. For our context the main interest is the Proxy functionality, used to intercept and inspect requests between the app and the backend. http://portswigger.net/burp/
  • 23. App Analysis, Android Environment Sandboxing: APP1 (Dalvik) runs as Process UID 10000 with its data in /data/data/app1; APP2 (Dalvik) runs as Process UID 10001 with its data in /data/data/app2.
  • 24. App Analysis, Android Application Components: Activities; Services; Broadcast Receivers; Content Providers.
  • 25. App Analysis, Android Application Package File (.apk): Zip archive containing Dalvik class files, assets, resources and AndroidManifest.xml. Stored at /data/app.
  • 26. App Analysis, AndroidManifest.xml: Presents information about the app to the system. Describes app components. Defines permissions.
  • 27. App Analysis, Shared Preferences: XML file with key-value pairs. App settings.
  • 28. App Analysis, SQLite Databases: Single-file relational database used to store application data and settings.
  • 29. App Analysis, OWASP Top 10 Mobile Risks: M1: Weak Server Side Controls; M2: Insecure Data Storage; M3: Insufficient Transport Layer Protection; ... https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
  • 30. App Analysis, GoatDroid: FourGoats is a location-based social network built for sharing everything about your life with everyone. Using FourGoats, you can check in at various places, earn loyalty rewards, and see what your friends are doing as well as where they are doing it. FourGoats also provides an API to other applications to allow their users to share even more of their activities than ever before! https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project
  • 33. App Analysis: The Lost Art of Keeping a Secret.
  • 35. Developers Heads Up. Insecure Data Storage: Shared Preferences without MODE_WORLD_READABLE. Sensitive information should not be stored; if needed, it should be encrypted with a key derived from the user's password/PIN and not with hardcoded encryption keys. Still vulnerable to offline brute-force: enforce a strong password policy. Insufficient Transport Layer Protection: Apply SSL/TLS transport on the channels over which the app transmits sensitive information to the backend. Implement Certificate Pinning if very sensitive information is transmitted.
  • 36. Developers Heads Up. Client Side Injection: Only export components (Activities, Services, Broadcast Receivers, Content Providers) that make sense and that cannot bypass access controls and leak internal information. Lack of Binary Protection: Obfuscate your code, at minimum with ProGuard. Don't make your attacker's life easier.

Editor's Notes

  1. Activities – GUI presented to the user; Services – component that runs operations in the background without a user interface; Broadcast Receivers – component that receives notifications from the system or from other applications; Content Provider – component that manages access to structured data, typically SQLite.
  2. DexGuard