This document outlines an agenda for testing Android security. It discusses various stages of the development cycle and security testing approaches, including static and dynamic analysis, component security, and best practices. Automatic and hybrid tools are presented for analyzing apps through decompilation, emulation, and network traffic inspection. Specific tools are explained like Android Lint, QARK, Drozer, and SQLCipher. The document concludes with recommendations around permissions, encryption, input validation, and references.

1. Testing Android Security
José Manuel Ortega
@jmortegac
AMSTERDAM 11-12 MAY 2016

2. https://speakerdeck.com/jmortega
http://jmortega.github.io

3. AGENDA
▪ Development Cycle
▪ Static and Dynamic Analysis
▪ Components Security
▪ Hybrid Automatic tools
▪ Best Practices & OWASP

4. DEVELOPMENT CYCLE

5. WHITE BOX /BLACK BOX
✓
✓
✓
✓
✓
✓

6. TESTING ANDROID SECURITY

7. FORENSICS

8. FORENSICS
▪
▪
▪
▪
▪
▪

9. STATIC ANALYSIS
✓
✓
✓
✓
✓
✓
✓

10. CODE REVIEW / SOURCE CODE ANALYSIS

11. ANDROID LINT

12. ANDROID STUDIO INSPECT CODE

13. ANDROID SONAR PLUGIN

14. ANDROID SONAR PLUGIN >RULES

15. SONAR SECURITY

16. ANDROWARN

17. QARK
▪ Quick Android Review Kit
▪ https://github.com/linkedin/qark
▪ Static code analysis tool
▪ Look for potential vulnerabilities

18. QARK
▪ Identifies permissions and exported components
(activities,services..) on Manifest
▪ Looks for WORLD_READABLE and
WORLD_WRITABLE files
▪ Looks for X.509 certificates validation issues

19. QARK

20. QARK REPORT

21. REVERSE ENGINEERING
▪ Decompile dalvik to smali
▪ classes.dex in APK
▪ APKTOOL
▪ DEX2JAR
▪ Java Decompiler

22. APK STRUCTURE

23. DISASSEMBLY AND DECOMPILATION

24. JADX-GUI

25. APKTOOL

26. DYNAMIC ANALYSIS TOOLS

27. WIRESHARK

28. BURP SUITE
▪ Intercepting network traffic
▪ HTTP proxy tool
▪ Able to intercept layer traffic and allows users to
manipulate the HTTP request and response

29. DROZER
▪ https://labs.mwrinfosecurity.com/tools/drozer/
▪ Find vulnerabilities automatically
▪ Automate security testing
▪ Interact with your Apps with debugging
disabled

30. INSIDE DROZER

31. DROZER

32. DROZER PACKAGE INFO
▪ app.package.info

33. DROZER COMMANDS

34. DROZER CONTENT PROVIDERS

35. FINDING SQL INJECTION IN CONTENT PROVIDERS

36. EXPLOITING SQL INJECTION VULNERABILITY

37. ANDROID MANIFEST
android:debuggable=true
android:exported=true

38. ANDROID MANIFEST EXPORTED ATTRIBUTE
…
…
…

39. COMPONENTS SECURITY
▪ AndroidManifest.xml
▪ Activities
▪ Content Providers
▪ Services
▪ Shared Preferences
▪ Webview

40. LOG INFORMATION
public static final boolean SHOW_LOG =
BuildConfig.DEBUG;
public static void d(final String tag, final String
msg) {
if (SHOW_LOG)
Log.d(tag, msg);
}

41. THRID PARTY LIBRARIES

42. VULNERABILITIES IN CORDOVA 3.5

43. SECURITY IN CONTENT PROVIDERS
▪ Components provide a standardized interface
for sharing data between applications
▪ URI addressing scheme
▪ Can perform queries equivalent to SELECT,
UPDATE,INSERT, DELETE

44. SQLCIPHER
▪ SQLCipher is a SQL extension that provides
transparent AES encryption of database files
▪ 256-bit AES Encrypt SQLite database
▪ http://sqlcipher.net/sqlcipher-for-android

45. SECURED PREFERENCES
▪ https://github.com/scottyab/secure-preferences
▪ Encrypt your app’s shared preferences
▪ Android Share Preferences wrapper that
provides encryption for keys and values

46. SECURED PREFERENCES

47. DATA STORAGE

48. PROTECTING DATA FILES

49. SECURE COMMUNICATIONS
▪ Ensure that all sensitive data is encrypted
▪ Certificate pinning for avoid MITM attacks

50. CERTIFICATES
SSLSocketFactory.ALLOW_ALLHOSTNAME_VERIFIER
TrustManager where checkServerTrusted() always
returns true

51. CERTIFICATE PINNING

52. X.509 CERTIFICATES

53. HTTPS Connection

54. HTTPS Connection

55. ENCRYPT NETWORK REQUESTS
▪ Best practice is to always encrypt network
communications
▪ HTTPS and SSL can protect against MitM attacks
and prevent casual sniffing traffic.
▪ Server certificate validity is checked by default

56. VALIDATE SERVER CERTIFICATE
▪ https://www.ssllabs.com/ssltest

57. CHECK CERTIFICATES TOOLS
▪ OpenSSL
▪ Keytool
▪ Jarsigner

58. Runtime Permissions
▪ All permissions granted at install time
▪ Dangerous permissions require user
confirmation
▪ Prompt for dangerous permissions at
runtime
▪ Granted/revoked by permission group
▪ Managed per app, per user
▪ /data/system/users/0/runtime-permissions.xml

59. Group permissions on Android M

60. Permissions FLOW on Android M

61. Permissions on Android M

62. Permissions on Android M

63. OBFUSCATION
▪ The obfuscator can use several techniques to protect
a Java/Android application:
▪ change names of classes, methods, fields
▪ modify the control flow
▪ code optimization
▪ dynamic code loading
▪ change instructions with metamorphic technique

64. PROGUARD
▪ File shrinker: detects and removes unused
classes, fields, methods,and attributes
▪ Optimizer: optimizes bytecode and removes
unused instructions
▪ Obfuscator: renames classes, fields, and
methods using short meaningless names

65. OBFUSCATION WITH PROGUARD

66. OBFUSCATION WITH PROGUARD

67. HYBRID AUTOMATIC ONLINE TOOLS
▪ SandDroid
▪ ApkScan
▪ Visual Threat
▪ TraceDroid
▪ CopperDroid
▪ APK Analyzer
▪ ForeSafe
▪ AndroTotal
▪ NowSecure Lab

68. VULNERABILTIY ANALYSIS

69. HYBRID AUTOMATIC ONLINE TOOLS
▪ http://sanddroid.xjtu.edu.cn/#home

70. SANDROID

71. SANDROID

72. TRACEDROID

73. NOWSECURE LAB

74. NOWSECURE LAB

75. NOWSECURE LAB

76. BEST PRACTICES
▪ Don’t hardcode sensitive information
▪ Don’t store sensitive information
▪ Don’t store at easily readable location like
memory card
▪ Encrypt the stored data
▪ Implement SSL

77. BEST PRACTICES
▪ Protect the webserver against application layer
attacks
▪ Prefer encryption over encoding or obfuscation
▪ Sanitize inputs, use prepared statements
(protection against sql injection)

78. BEST PRACTICES

79. Android Secure Coding Checklist
▪ Use least privilege in request permissions
▪ Don’t unnecessarily export components
▪ Handle intents carefully
▪ Justify any custom permissions
▪ Mutually authenticate services
▪ Use APIs to construct ContentProvider URIs
▪ Use HTTPS
▪ Follow best practices from OWASP project http://owasp.
org/index.php/OWASP_Mobile_Security_Project

80. OWASP MOBILE TOP 10 RISKS

81. OWASP MOBILE TOP 10 RISKS

82. Open Android Security Assesment Methodology

83. PENTESTING TOOLS / SANTOKU LINUX
o
o
o

84. PENTESTING TOOLS / NOWSECURE
▪ https://www.nowsecure.com/resources/freetools/

85. REFERENCES
▪ http://proguard.sourceforge.net
▪ http://code.google.com/p/dex2jar
▪ http://code.google.com/p/android-apktool
▪ https://labs.mwrinfosecurity.com/tools/drozer
▪ http://sqlcipher.net/sqlcipher-for-android
▪ https://www.owasp.org/index.
php/OWASP_Mobile_Security_Project
▪ https://developer.android.
com/training/articles/security-tips.html

86. BOOKS

87. BOOKS

88. Thanks!
@jmortegac
AMSTERDAM 9-12 MAY 2016