SlideShare a Scribd company logo

Android Pentesting

n|u - The Open Security Community
n|u - The Open Security Community

This document provides an overview of Android penetration testing. It discusses requirements and tools for static and dynamic analysis, including Apptitude, Genymotion, and ADB. It covers analyzing the Android manifest and classes.dex files. It also describes vulnerabilities in WebViews, such as loading cleartext content and improper SSL handling. Best practices for coding securely on Android are also presented.

1 of 53
Download to read offline
Android Pentesting
./ABOUT ME • MOHAMMED ADAM • INFORMATION SECURITY RESEARCHER • SECURITY CONSULTANT AT CROSSBOW LABS • FOSS ACTIVIST IN VGLUG (VILUPPURAM GNU/LINUX USERS GROUP) • ACKNOWLEDGED BY TOP 50+ COMPANIES LIKE OPPO, NOKIA, HONEYWELL, MCAFEE, VIRUS TOTAL, MASTERCARD, BITDEFENDER, DELL TECHNOLOGIES, ASUS, INTEL, DUCKDUCKGO, CARBON BLACK ETC IN BUG BOUNTIES.
./AGENDA • INTRODUCTION TO ANDROID PENETRATION TESTING • REQUIREMENTS & TOOLS • STATIC ANALYSIS - AUTOMATION & MANUAL TESTING • DYNAMIC ANALYSIS - AUTOMATION & MANUAL TESTING • DISCUSSION ON OWASP TOP 10 MOBILE 2016 VULNERABILITIES
ANDROID INTERNALS • BASED ON LINUX KERNEL • LATEST VERSION - ANDROID PIE • ANDROID Q 10.0 ON THE WAY • APPLICATION RUNS THROUGH DALVIK VM (DALVIK VIRTUAL MACHINE) • DALVIK VM RUNS EXECUTABLE FILES LIKE DEX (DALVIK EXECUTABLE) OR APK FILES • APK FILES ARE ZIPPED CONTENT OF RESOURCES, SIGNATURES, CLASSES.DEX AND ANDROID MANIFEST.XML FILE.
ANDROID SECURITY MODEL • APPLICATION ARE SANDBOXED (RUNS WITH DIFFERENT UID & GID) • ZYGOTE SPAWNS A NEW PROCESS FOR EACH APPLICATION • EACH APPLICATION RUNS WITH A SEPARATE INSTANCE OF DALVIK VM • SPECIAL PERMISSIONS ARE PROVIDED TO ACCESS HARDWARE API'S • PERMISSIONS ARE MENTIONED IN ANDROID MANIFEST.XML FILE.
ANDROID APPLICATION .APK • JUST AN ARCHIVE ! • WRITTEN MAINLY IN JAVA & XML • MULTIPLE ENTRY POINTS, SUCH AS ACTIVITY, SERVICES, INTENTS, CONTENT PROVIDERS, ETC.
REQUIREMENTS & TOOLS • Android Tamer- https://androidtamer.com/ • Genymotion - https://www.genymotion.com/fun-zone/
Android Pentesting
WHAT IS ADB ? • ANDROID DEBUG BRIDGE (ADB) IS A COMMAND LINE TOOL THAT LETS YOU COMMUNICATE WITH AN EMULATOR OR CONNECTED ANDROID DEVICE. • ADB DEBUGGING - ADB DEVICES - ADB FORWARD - ADB KILL-SERVER • WIRELESS - ADB CONNECT - ADB USB • PACKAGE MANAGER - ADB INSTALL - ADB UNINSTALL- ADB SHELL PM LIST PACKAGES - ADB SHELL PM PATH - ADB SHELL PM CLEAR • NETWORK - ADB SHELL NETSTAT- ADB SHELL PING - ADB SHELL NETCFG - ADB SHELL IP • LOGCAT - ADB LOGCAT -ADB SHELL DUMPSYS - ADB SHELL DUMPSTATE • REFERENCES - HTTP://ADBSHELL.COM/
STATIC ANALYSIS - MANUAL TESTING• REVERSE ENGINEERING ANDROID APPLICATIONS • THE UNZIP UTILITY CAN BE USED TO EXTRACT FILES THAT ARE STORED INSIDE THE APK.
APKTOOL • APKTOOL - A TOOL FOR REVERSE ENGINEERING 3RD PARTY, CLOSED, BINARY ANDROID APPS. IT CAN DECODE RESOURCES TO NEARLY ORIGINAL FORM AND REBUILD THEM AFTER MAKING SOME MODIFICATIONS. • DISASSEMBLING ANDROID APK FILE APKTOOL D <APK FILE>
EVERY APK CONTAINS THE FOLLOWING FILES: • ANDROIDMANIFEST.XML - DEFINES THE PERMISSIONS OF THE APPLICATION • CLASSES.DEX - CONTAINS ALL THE JAVA CLASS FILES • RESOURCES.ARSC - CONTAINS ALL THE META-INFORMATION ABOUT THE RESOURCES AND NODES
SECURITY GUIDELINES FOR ANDROID MANIFEST.XML
CAN THESE PERMISSION BE BYPASSED ?
ANDROID MANIFEST.XML OMG! • ACTIVITIES, SERVICES, RECEIVERS SHOULD NOT BE EXPORTED OR ELSE YOU CAN BYPASS THOSE ACTIVITIES!
UPLOADING A SENSITIVE FILES FROM SD-CARD TO REMOTE SERVER WITHOUT ANY PERMISSION !
ANDROID MANIFEST.XML OMG! • ANDROID:EXPORTED="TRUE" IN <PROVIDER> WILL TURN INTO A NIGHTMARE! • BTW BY DEFAULT IT IS "TRUE" IF EITHER ANDROID:MINSDKVERSION OR ANDROID:TARGETSDKVERSION TO "16" OR LOWER. • FOR APPLICATIONS THAT SET EITHER OF THESE ATTRIBUTES TO "17" OR HIGHER, THE DEFAULT IS "FALSE"
DEBUG MODE • THE DEBUG TAG DEFINES WHETHER THE APPLICATION CAN BE DEBUGGED OR NOT. IF THE APPLICATION CAN BE DEBUGGED THEN IT CAN PROVIDE PLENTY OF INFORMATION TO AN ATTACKER. <APPLICATION ANDROID:DEBUGGABLE="FALSE" </APPLICATION>
BACKUP FLAG • THIS SETTING DEFINES WHETHER APPLICATION DATA CAN BE BACKED UP AND RESTORED BY A USER WHO HAS ENABLED USB DEBUGGING. THEREFORE APPLICATIONS THAT HANDLE AND STORE SENSITIVE INFORMATION SUCH AS CARD DETAILS, PASSWORDS ETC. <APPLICATION ANDROID:ALLOWBACKUP="FALSE" </APPLICATION>
EXTERNAL STORAGE • APPLICATIONS THAT HAVE THE PERMISSION TO COPY DATA TO EXTERNAL STORAGE SHOULD BE REVIEWED TO ENSURE THAT NO SENSITIVE INFORMATION IS STORED. • <USES-PERMISSION ANDROID:NAME="ANDROID.PERMISSION.WRITE_EXTERNAL_STORAGE"/>
ANDROID:PROTECTIONLEVEL • THE ANDROID:PROTECTIONLEVEL ATTRIBUTE DEFINES THE PROCEDURE THAT THE SYSTEM SHOULD FOLLOW BEFORE GRANTS THE PERMISSION TO THE APPLICATION THAT HAS REQUESTED IT. THERE ARE FOUR VALUES THAT CAN BE USED WITH THIS ATTRIBUTE: • NORMAL – DANGEROUS – SIGNATURE – SIGNATURE OR SYSTEM • ALL THE PERMISSIONS THAT THE APPLICATION REQUESTS SHOULD BE REVIEWED TO ENSURE THAT THEY DON’T INTRODUCE A SECURITY RISK. <PERMISSION> ANDROID:PROTECTIONLEVEL="SIGNATURE" </PERMISSION>
INTENTS • INTENTS CAN BE USED TO LAUNCH AN ACTIVITY, TO SEND IT TO ANY INTERESTED BROADCAST RECEIVER COMPONENTS, AND TO COMMUNICATE WITH A BACKGROUND SERVICE. INTENTS MESSAGES SHOULD BE REVIEWED TO ENSURE THAT THEY DOESN’T CONTAIN ANY SENSITIVE INFORMATION THAT COULD BE INTERCEPTED. <INTENT-FILTER> <ACTION ANDROID:NAME="STRING" /> <CATEGORY ANDROID:NAME="STRING" /> </INTENT-FILTER>
CLASSES DEX • THE CLASSES.DEX FILE CONTAINS ALL THE JAVA CLASSES OF THE APPLICATION AND IT CAN BE DISASSEMBLED WITH BAKSMALI TOOL TO RETRIEVE THE JAVA SOURCE CODE.
CONVERT CLASSES.DEX FILES TO JAR • TO DECOMPILE CLASSES.DEX FILE > D2J-DEX2JAR CLASSES.DEX
TO READ JAR FILE – USE JDGUI • IN JDGUI, FILE-> OPEN THE FILE/DIRECTORY WHERE JAR FILE IS PRESENTED
ANDROID WEBVIEW VULNERABILITIES • WEBVIEWS ARE USED IN ANDROID APPLICATIONS TO LOAD CONTENT AND HTML PAGES WITHIN THE APPLICATION. DUE TO THIS FUNCTIONALITY THE IMPLEMENTATION OF WEBVIEW IT MUST BE SECURE IN ORDER NOT TO INTRODUCE THE APPLICATION TO GREAT RISK.
LOADING CLEAR-TEXT CONTENT • IF WEBVIEW IS ALLOWING TO LOAD CLEAR-TEXT CONTENT FROM THE INTERNET THEN IT WOULD BE OPEN TO VARIOUS FORMS OF ATTACK SUCH AS MITM. • MYWEBVIEW.LOADURL("HTTP://WWW.DROIDSEC.ORG/TESTS/ADDJSIF/");
SSL ERROR HANDLING • THE CODE BELOW INSTRUCTS THE WEBVIEW CLIENT TO PROCEED WHEN AN SSL ERROR OCCUR. THIS MEANS THAT THE APPLICATION IS VULNERABLE TO MITM ATTACKS AS IT COULD ALLOW AN ATTACKER TO READ OR MODIFY CONTENT THAT IS DISPLAYED TO THE USER SINCE ANY CERTIFICATE WOULD BE ACCEPTED BY THE APPLICATION. @OVERRIDE PUBLIC VOID ONRECEIVEDSSLERROR(WEBVIEW VIEW, SSLERRORHANDLER HANDLER, SSLERROR ERROR) { HANDLER.PROCEED(); }
JAVASCRIPT ENABLED • ALLOWING JAVASCRIPT CONTENT TO BE EXECUTED WITHIN THE APPLICATION VIA WEBVIEW MIGHT GIVE THE OPPORTUNITY TO AN ATTACKER TO EXECUTE ARBITRARY JAVASCRIPT CODE IN ORDER TO PERFORM MALICIOUS ACTIONS. THIS SETTING ALLOW WEBVIEW TO EXECUTE JAVASCRIPT CODE. WEBSETTINGS WEBSETTINGS = MYWEBVIEW.GETSETTINGS(); WEBSETTINGS.SETJAVASCRIPTENABLED(TRUE);
ACCESSING LOCAL RESOURCES • IF THE WEBVIEW IS ALLOWING TO ACCESS CONTENT FROM OTHER APPLICATIONS THAT EXIST ON THE SAME DEVICE THEN IT COULD BE POSSIBLE FOR AN ATTACKER TO CREATE A MALICIOUS HTML FILE THAT COULD BE INJECTED INSIDE THE TARGET APPLICATION THROUGH THE USE FILE:SCHEME. IN ORDER FOR THIS MALICIOUS FILE TO BE LOADED NEEDS TO HAVE WORLD READABLE PERMISSIONS.
ANDROID CODING BEST PRACTICES • FOLLOW -> HTTPS://DEVELOPER.ANDROID.COM/GUIDE/PRACTICES/COMPATIBILITY • TOP 10 MOBILE RISKS OWASP 2016 – HTTPS://WWW.OWASP.ORG/INDEX.PHP/MOBILE_TOP_10_2016-TOP_10 • HTTPS://WIKI.SEI.CMU.EDU/CONFLUENCE/DISPLAY/ANDROID/DRD02- J.+DO+NOT+ALLOW+WEBVIEW+TO+ACCESS+SENSITIVE+LOCAL+RESOURCE+THROU GH+FILE+SCHEME • HTTPS://LABS.MWRINFOSECURITY.COM/BLOG/WEBVIEW- ADDJAVASCRIPTINTERFACE-REMOTE-CODE-EXECUTION/ • HTTPS://WWW.RAPID7.COM/DB/MODULES/EXPLOIT/ANDROID/BROWSER/WEBVIEW_AD DJAVASCRIPTINTERFACE
DYNAMIC ANALYSIS WIDELY USED TOOLS •BURPSUITE •DROZER
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • TO CONFIGURE THE PROXY GO TO SETTINGS. A SCREEN SOMETHING LIKE THE BELOW ONE WILL COME UP. SELECT “MORE”.
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE INTERCEPTION CAN BE DONE BY USING WIFI NETWORKS AS WELL AS MOBILE NETWORKS. HERE IM SHOWING MOBILE NETWORK IN THE NEXT MENU, SELECT “MOBILE NETWORKS”.
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE SELECT ACCESS POINT NAMES OPTION AS SHOWN IN THE IMAGE.
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • NO, THERE MUST BE A MOBILE NETWORK ALREADY CONFIGURED, AND THE NAME OF THE NETWORK WILL BE “TELKILA”, AS SHOWN IN THE IMAGE BELOW. CHOOSE THIS NETWORK.
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • PUT THE IP ADDRESS OF YOUR INTERFACE WHERE YOU WILL BE LISTENING THE TRAFFIC, I.E. WHERE YOU WILL RUN BURP. DOWN TO THAT, PUT THE PORT NUMBER ON WHICH YOU WANT TO LISTEN. BY DEFAULT IT’S 8080 IN BURP, BUT FEEL FREE TO CHANGE IT, JUST MAKE SURE YOU HAVE SAME PORT NUMBER CONFIGURED AT BOTH END POINTS.
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • NOW IN BURPSUITE, GO TO THE “PROXY” TAB, SELECT THE “OPTIONS” TAB. SELECT THE DEFAULT CONFIGURED INTERFACE, AND CLICK ON “EDIT”.
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE PROXY > INTERCEPT > “INTERCEPT IS ON”
INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE “INTERCEPT RESPONSE BASED ON THE FOLLOWING RULES”
SSL PINNING BYPASS • REQUIRED TOOLS FOR SSL PINNING BYPASS • ROOTED MOBILE • SSLUNPINNING APK • XPOSED FRAMEWORK & XPOSED INSTALLER APK FOR SPECIFIC MOBILE (DEPENDS ON SDK)
DROZER – GAME CHANGER TOOL FOR ANDROID APP PT • CONNECTING DROZER TO THE MOBILE DEVICE • CONNECT YOUR MOBILE DEVICE TO YOUR COMPUTER USING A USB CABLE; • OPEN DROZER AGENT APPLICATION ON YOUR MOBILE DEVICE AND CLICK THE ON BUTTON FROM THE BOTTOM-RIGHT;
DROZER – CONT. • USE ADB.EXE TO OPEN A TCP SOCKET BETWEEN YOUR COMPUTER AND THE SERVER EMBEDDED IN DROZER AGENT: • ADB.EXE FORWARD TCP:31415 TCP:31415 • GO TO THE FOLDER WHERE YOU INSTALLED DROZER AND CONNECT TO THE MOBILE DEVICE: • DROZER CONSOLE CONNECT
STARTING AN ACTIVITY FROM ANOTHER PACKAGE • OK, NOW WE HAVE AN INTERACTIVE DROZER CONSOLE. WHAT CAN WE DO? LET’S START AN ACTIVITY, COMMAND BY COMMAND: • LIST, WILL DISPLAY A LIST OF COMMANDS AVAILABLE IN DROZER
FIND A LIST OF PACKAGES • RUN APP.PACKAGE.LIST -F FIREFOX TO FIND A LIST OF PACKAGES THAT CONTAIN THE STRING “FIREFOX”; WE FOUND ORG.MOZILLA.FIREFOX.
IDENTIFY THE ATTACK SURFACE FOR OUR APPLICATION • RUN APP.PACKAGE.ATTACKSURFACE ORG.MOZILLA.FIREFOX TO IDENTIFY THE ATTACK SURFACE FOR OUR APPLICATION; WE FOUND 113 EXPORTED ACTIVITIES, 12 EXPORTED BROADCAST RECEIVERS, 8 EXPORTED CONTENT PROVIDERS AND 1 EXPORTED SERVICE; THIS IS A GOOD EXAMPLE OF A BIG ATTACK SURFACE.
MORE INFORMATION ABOUT A SPECIFIC PACKAGE
INSPECT THE MANIFEST FILE OF A SPECIFIC APPLICATION
LIST THE EXPORTED ACTIVITIES • RUN APP.ACTIVITY.INFO -A ORG.MOZILLA.FIREFOX TO LIST THE EXPORTED ACTIVITIES; WE CAN SEE THAT THERE IS AN EXPORTED ACTIVITY NAMED ORG.MOZILLA.FIR EFOX.APP THAT DOES NOT REQUIRE ANY PERMISSION TO BE STARTED.
LIST OF VULNERABLE ANDROID APPLICATIONS • DAMN VULNERABLE HYBRID MOBILE APPLICATION • ANDROID DIGITAL BANK • DAMN INSECURE AND VULNERABLE APPLICATION • HACKME BANK • INSECURE BANK • DAMN VULNERABLE ANDROID APPLICATION • OWASP GOATDROID • DODO VULNERABLE BANK
Android Pentesting
REFERENCES: • HTTPS://RESOURCES.INFOSECINSTITUTE.COM/ANDROID-APPLICATION-SECURITY-TESTING-GUIDE-PART-1/ • HTTPS://RESOURCES.INFOSECINSTITUTE.COM/ANDROID-APP-SEC-TEST-GUIDE-PART-2/ • HTTPS://KING-SABRI.NET/ANDROID-HACKING-DROZER-SECURITY-ASSESSMENT-FRAMEWORK/ • HTTPS://SECURITYGRIND.COM/USING-THE-DROZER-FRAMEWORK-FOR-ANDROID-PENTESTING/ • HTTPS://PENTESTLAB.BLOG/CATEGORY/MOBILE-PENTESTING/ • HTTPS://GITHUB.COM/TANPRATHAN/MOBILEAPP-PENTEST-CHEATSHEET • HTTPS://PENTESTLAB.BLOG/2016/11/07/LIST-OF-VULNERABLE-ANDROID-APPLICATIONS/
THANKS https://twitter.com/iam_amdadam https://www.linkedin.com/in/ mohammedadam24/

More Related Content

Android Pentesting

  • 2. ./ABOUT ME • MOHAMMED ADAM • INFORMATION SECURITY RESEARCHER • SECURITY CONSULTANT AT CROSSBOW LABS • FOSS ACTIVIST IN VGLUG (VILUPPURAM GNU/LINUX USERS GROUP) • ACKNOWLEDGED BY TOP 50+ COMPANIES LIKE OPPO, NOKIA, HONEYWELL, MCAFEE, VIRUS TOTAL, MASTERCARD, BITDEFENDER, DELL TECHNOLOGIES, ASUS, INTEL, DUCKDUCKGO, CARBON BLACK ETC IN BUG BOUNTIES.
  • 3. ./AGENDA • INTRODUCTION TO ANDROID PENETRATION TESTING • REQUIREMENTS & TOOLS • STATIC ANALYSIS - AUTOMATION & MANUAL TESTING • DYNAMIC ANALYSIS - AUTOMATION & MANUAL TESTING • DISCUSSION ON OWASP TOP 10 MOBILE 2016 VULNERABILITIES
  • 4. ANDROID INTERNALS • BASED ON LINUX KERNEL • LATEST VERSION - ANDROID PIE • ANDROID Q 10.0 ON THE WAY • APPLICATION RUNS THROUGH DALVIK VM (DALVIK VIRTUAL MACHINE) • DALVIK VM RUNS EXECUTABLE FILES LIKE DEX (DALVIK EXECUTABLE) OR APK FILES • APK FILES ARE ZIPPED CONTENT OF RESOURCES, SIGNATURES, CLASSES.DEX AND ANDROID MANIFEST.XML FILE.
  • 5. ANDROID SECURITY MODEL • APPLICATION ARE SANDBOXED (RUNS WITH DIFFERENT UID & GID) • ZYGOTE SPAWNS A NEW PROCESS FOR EACH APPLICATION • EACH APPLICATION RUNS WITH A SEPARATE INSTANCE OF DALVIK VM • SPECIAL PERMISSIONS ARE PROVIDED TO ACCESS HARDWARE API'S • PERMISSIONS ARE MENTIONED IN ANDROID MANIFEST.XML FILE.
  • 6. ANDROID APPLICATION .APK • JUST AN ARCHIVE ! • WRITTEN MAINLY IN JAVA & XML • MULTIPLE ENTRY POINTS, SUCH AS ACTIVITY, SERVICES, INTENTS, CONTENT PROVIDERS, ETC.
  • 7. REQUIREMENTS & TOOLS • Android Tamer- https://androidtamer.com/ • Genymotion - https://www.genymotion.com/fun-zone/
  • 9. WHAT IS ADB ? • ANDROID DEBUG BRIDGE (ADB) IS A COMMAND LINE TOOL THAT LETS YOU COMMUNICATE WITH AN EMULATOR OR CONNECTED ANDROID DEVICE. • ADB DEBUGGING - ADB DEVICES - ADB FORWARD - ADB KILL-SERVER • WIRELESS - ADB CONNECT - ADB USB • PACKAGE MANAGER - ADB INSTALL - ADB UNINSTALL- ADB SHELL PM LIST PACKAGES - ADB SHELL PM PATH - ADB SHELL PM CLEAR • NETWORK - ADB SHELL NETSTAT- ADB SHELL PING - ADB SHELL NETCFG - ADB SHELL IP • LOGCAT - ADB LOGCAT -ADB SHELL DUMPSYS - ADB SHELL DUMPSTATE • REFERENCES - HTTP://ADBSHELL.COM/
  • 10. STATIC ANALYSIS - MANUAL TESTING• REVERSE ENGINEERING ANDROID APPLICATIONS • THE UNZIP UTILITY CAN BE USED TO EXTRACT FILES THAT ARE STORED INSIDE THE APK.
  • 11. APKTOOL • APKTOOL - A TOOL FOR REVERSE ENGINEERING 3RD PARTY, CLOSED, BINARY ANDROID APPS. IT CAN DECODE RESOURCES TO NEARLY ORIGINAL FORM AND REBUILD THEM AFTER MAKING SOME MODIFICATIONS. • DISASSEMBLING ANDROID APK FILE APKTOOL D <APK FILE>
  • 12. EVERY APK CONTAINS THE FOLLOWING FILES: • ANDROIDMANIFEST.XML - DEFINES THE PERMISSIONS OF THE APPLICATION • CLASSES.DEX - CONTAINS ALL THE JAVA CLASS FILES • RESOURCES.ARSC - CONTAINS ALL THE META-INFORMATION ABOUT THE RESOURCES AND NODES
  • 13. SECURITY GUIDELINES FOR ANDROID MANIFEST.XML
  • 14. CAN THESE PERMISSION BE BYPASSED ?
  • 15. ANDROID MANIFEST.XML OMG! • ACTIVITIES, SERVICES, RECEIVERS SHOULD NOT BE EXPORTED OR ELSE YOU CAN BYPASS THOSE ACTIVITIES!
  • 16. UPLOADING A SENSITIVE FILES FROM SD-CARD TO REMOTE SERVER WITHOUT ANY PERMISSION !
  • 17. ANDROID MANIFEST.XML OMG! • ANDROID:EXPORTED="TRUE" IN <PROVIDER> WILL TURN INTO A NIGHTMARE! • BTW BY DEFAULT IT IS "TRUE" IF EITHER ANDROID:MINSDKVERSION OR ANDROID:TARGETSDKVERSION TO "16" OR LOWER. • FOR APPLICATIONS THAT SET EITHER OF THESE ATTRIBUTES TO "17" OR HIGHER, THE DEFAULT IS "FALSE"
  • 18. DEBUG MODE • THE DEBUG TAG DEFINES WHETHER THE APPLICATION CAN BE DEBUGGED OR NOT. IF THE APPLICATION CAN BE DEBUGGED THEN IT CAN PROVIDE PLENTY OF INFORMATION TO AN ATTACKER. <APPLICATION ANDROID:DEBUGGABLE="FALSE" </APPLICATION>
  • 19. BACKUP FLAG • THIS SETTING DEFINES WHETHER APPLICATION DATA CAN BE BACKED UP AND RESTORED BY A USER WHO HAS ENABLED USB DEBUGGING. THEREFORE APPLICATIONS THAT HANDLE AND STORE SENSITIVE INFORMATION SUCH AS CARD DETAILS, PASSWORDS ETC. <APPLICATION ANDROID:ALLOWBACKUP="FALSE" </APPLICATION>
  • 20. EXTERNAL STORAGE • APPLICATIONS THAT HAVE THE PERMISSION TO COPY DATA TO EXTERNAL STORAGE SHOULD BE REVIEWED TO ENSURE THAT NO SENSITIVE INFORMATION IS STORED. • <USES-PERMISSION ANDROID:NAME="ANDROID.PERMISSION.WRITE_EXTERNAL_STORAGE"/>
  • 21. ANDROID:PROTECTIONLEVEL • THE ANDROID:PROTECTIONLEVEL ATTRIBUTE DEFINES THE PROCEDURE THAT THE SYSTEM SHOULD FOLLOW BEFORE GRANTS THE PERMISSION TO THE APPLICATION THAT HAS REQUESTED IT. THERE ARE FOUR VALUES THAT CAN BE USED WITH THIS ATTRIBUTE: • NORMAL – DANGEROUS – SIGNATURE – SIGNATURE OR SYSTEM • ALL THE PERMISSIONS THAT THE APPLICATION REQUESTS SHOULD BE REVIEWED TO ENSURE THAT THEY DON’T INTRODUCE A SECURITY RISK. <PERMISSION> ANDROID:PROTECTIONLEVEL="SIGNATURE" </PERMISSION>
  • 22. INTENTS • INTENTS CAN BE USED TO LAUNCH AN ACTIVITY, TO SEND IT TO ANY INTERESTED BROADCAST RECEIVER COMPONENTS, AND TO COMMUNICATE WITH A BACKGROUND SERVICE. INTENTS MESSAGES SHOULD BE REVIEWED TO ENSURE THAT THEY DOESN’T CONTAIN ANY SENSITIVE INFORMATION THAT COULD BE INTERCEPTED. <INTENT-FILTER> <ACTION ANDROID:NAME="STRING" /> <CATEGORY ANDROID:NAME="STRING" /> </INTENT-FILTER>
  • 23. CLASSES DEX • THE CLASSES.DEX FILE CONTAINS ALL THE JAVA CLASSES OF THE APPLICATION AND IT CAN BE DISASSEMBLED WITH BAKSMALI TOOL TO RETRIEVE THE JAVA SOURCE CODE.
  • 24. CONVERT CLASSES.DEX FILES TO JAR • TO DECOMPILE CLASSES.DEX FILE > D2J-DEX2JAR CLASSES.DEX
  • 25. TO READ JAR FILE – USE JDGUI • IN JDGUI, FILE-> OPEN THE FILE/DIRECTORY WHERE JAR FILE IS PRESENTED
  • 26. ANDROID WEBVIEW VULNERABILITIES • WEBVIEWS ARE USED IN ANDROID APPLICATIONS TO LOAD CONTENT AND HTML PAGES WITHIN THE APPLICATION. DUE TO THIS FUNCTIONALITY THE IMPLEMENTATION OF WEBVIEW IT MUST BE SECURE IN ORDER NOT TO INTRODUCE THE APPLICATION TO GREAT RISK.
  • 27. LOADING CLEAR-TEXT CONTENT • IF WEBVIEW IS ALLOWING TO LOAD CLEAR-TEXT CONTENT FROM THE INTERNET THEN IT WOULD BE OPEN TO VARIOUS FORMS OF ATTACK SUCH AS MITM. • MYWEBVIEW.LOADURL("HTTP://WWW.DROIDSEC.ORG/TESTS/ADDJSIF/");
  • 28. SSL ERROR HANDLING • THE CODE BELOW INSTRUCTS THE WEBVIEW CLIENT TO PROCEED WHEN AN SSL ERROR OCCUR. THIS MEANS THAT THE APPLICATION IS VULNERABLE TO MITM ATTACKS AS IT COULD ALLOW AN ATTACKER TO READ OR MODIFY CONTENT THAT IS DISPLAYED TO THE USER SINCE ANY CERTIFICATE WOULD BE ACCEPTED BY THE APPLICATION. @OVERRIDE PUBLIC VOID ONRECEIVEDSSLERROR(WEBVIEW VIEW, SSLERRORHANDLER HANDLER, SSLERROR ERROR) { HANDLER.PROCEED(); }
  • 29. JAVASCRIPT ENABLED • ALLOWING JAVASCRIPT CONTENT TO BE EXECUTED WITHIN THE APPLICATION VIA WEBVIEW MIGHT GIVE THE OPPORTUNITY TO AN ATTACKER TO EXECUTE ARBITRARY JAVASCRIPT CODE IN ORDER TO PERFORM MALICIOUS ACTIONS. THIS SETTING ALLOW WEBVIEW TO EXECUTE JAVASCRIPT CODE. WEBSETTINGS WEBSETTINGS = MYWEBVIEW.GETSETTINGS(); WEBSETTINGS.SETJAVASCRIPTENABLED(TRUE);
  • 30. ACCESSING LOCAL RESOURCES • IF THE WEBVIEW IS ALLOWING TO ACCESS CONTENT FROM OTHER APPLICATIONS THAT EXIST ON THE SAME DEVICE THEN IT COULD BE POSSIBLE FOR AN ATTACKER TO CREATE A MALICIOUS HTML FILE THAT COULD BE INJECTED INSIDE THE TARGET APPLICATION THROUGH THE USE FILE:SCHEME. IN ORDER FOR THIS MALICIOUS FILE TO BE LOADED NEEDS TO HAVE WORLD READABLE PERMISSIONS.
  • 31. ANDROID CODING BEST PRACTICES • FOLLOW -> HTTPS://DEVELOPER.ANDROID.COM/GUIDE/PRACTICES/COMPATIBILITY • TOP 10 MOBILE RISKS OWASP 2016 – HTTPS://WWW.OWASP.ORG/INDEX.PHP/MOBILE_TOP_10_2016-TOP_10 • HTTPS://WIKI.SEI.CMU.EDU/CONFLUENCE/DISPLAY/ANDROID/DRD02- J.+DO+NOT+ALLOW+WEBVIEW+TO+ACCESS+SENSITIVE+LOCAL+RESOURCE+THROU GH+FILE+SCHEME • HTTPS://LABS.MWRINFOSECURITY.COM/BLOG/WEBVIEW- ADDJAVASCRIPTINTERFACE-REMOTE-CODE-EXECUTION/ • HTTPS://WWW.RAPID7.COM/DB/MODULES/EXPLOIT/ANDROID/BROWSER/WEBVIEW_AD DJAVASCRIPTINTERFACE
  • 32. DYNAMIC ANALYSIS WIDELY USED TOOLS •BURPSUITE •DROZER
  • 33. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • TO CONFIGURE THE PROXY GO TO SETTINGS. A SCREEN SOMETHING LIKE THE BELOW ONE WILL COME UP. SELECT “MORE”.
  • 34. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE INTERCEPTION CAN BE DONE BY USING WIFI NETWORKS AS WELL AS MOBILE NETWORKS. HERE IM SHOWING MOBILE NETWORK IN THE NEXT MENU, SELECT “MOBILE NETWORKS”.
  • 35. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE SELECT ACCESS POINT NAMES OPTION AS SHOWN IN THE IMAGE.
  • 36. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • NO, THERE MUST BE A MOBILE NETWORK ALREADY CONFIGURED, AND THE NAME OF THE NETWORK WILL BE “TELKILA”, AS SHOWN IN THE IMAGE BELOW. CHOOSE THIS NETWORK.
  • 37. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • PUT THE IP ADDRESS OF YOUR INTERFACE WHERE YOU WILL BE LISTENING THE TRAFFIC, I.E. WHERE YOU WILL RUN BURP. DOWN TO THAT, PUT THE PORT NUMBER ON WHICH YOU WANT TO LISTEN. BY DEFAULT IT’S 8080 IN BURP, BUT FEEL FREE TO CHANGE IT, JUST MAKE SURE YOU HAVE SAME PORT NUMBER CONFIGURED AT BOTH END POINTS.
  • 38. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE • NOW IN BURPSUITE, GO TO THE “PROXY” TAB, SELECT THE “OPTIONS” TAB. SELECT THE DEFAULT CONFIGURED INTERFACE, AND CLICK ON “EDIT”.
  • 39. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE PROXY > INTERCEPT > “INTERCEPT IS ON”
  • 40. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE “INTERCEPT RESPONSE BASED ON THE FOLLOWING RULES”
  • 41. SSL PINNING BYPASS • REQUIRED TOOLS FOR SSL PINNING BYPASS • ROOTED MOBILE • SSLUNPINNING APK • XPOSED FRAMEWORK & XPOSED INSTALLER APK FOR SPECIFIC MOBILE (DEPENDS ON SDK)
  • 42. DROZER – GAME CHANGER TOOL FOR ANDROID APP PT • CONNECTING DROZER TO THE MOBILE DEVICE • CONNECT YOUR MOBILE DEVICE TO YOUR COMPUTER USING A USB CABLE; • OPEN DROZER AGENT APPLICATION ON YOUR MOBILE DEVICE AND CLICK THE ON BUTTON FROM THE BOTTOM-RIGHT;
  • 43. DROZER – CONT. • USE ADB.EXE TO OPEN A TCP SOCKET BETWEEN YOUR COMPUTER AND THE SERVER EMBEDDED IN DROZER AGENT: • ADB.EXE FORWARD TCP:31415 TCP:31415 • GO TO THE FOLDER WHERE YOU INSTALLED DROZER AND CONNECT TO THE MOBILE DEVICE: • DROZER CONSOLE CONNECT
  • 44. STARTING AN ACTIVITY FROM ANOTHER PACKAGE • OK, NOW WE HAVE AN INTERACTIVE DROZER CONSOLE. WHAT CAN WE DO? LET’S START AN ACTIVITY, COMMAND BY COMMAND: • LIST, WILL DISPLAY A LIST OF COMMANDS AVAILABLE IN DROZER
  • 45. FIND A LIST OF PACKAGES • RUN APP.PACKAGE.LIST -F FIREFOX TO FIND A LIST OF PACKAGES THAT CONTAIN THE STRING “FIREFOX”; WE FOUND ORG.MOZILLA.FIREFOX.
  • 46. IDENTIFY THE ATTACK SURFACE FOR OUR APPLICATION • RUN APP.PACKAGE.ATTACKSURFACE ORG.MOZILLA.FIREFOX TO IDENTIFY THE ATTACK SURFACE FOR OUR APPLICATION; WE FOUND 113 EXPORTED ACTIVITIES, 12 EXPORTED BROADCAST RECEIVERS, 8 EXPORTED CONTENT PROVIDERS AND 1 EXPORTED SERVICE; THIS IS A GOOD EXAMPLE OF A BIG ATTACK SURFACE.
  • 47. MORE INFORMATION ABOUT A SPECIFIC PACKAGE
  • 48. INSPECT THE MANIFEST FILE OF A SPECIFIC APPLICATION
  • 49. LIST THE EXPORTED ACTIVITIES • RUN APP.ACTIVITY.INFO -A ORG.MOZILLA.FIREFOX TO LIST THE EXPORTED ACTIVITIES; WE CAN SEE THAT THERE IS AN EXPORTED ACTIVITY NAMED ORG.MOZILLA.FIR EFOX.APP THAT DOES NOT REQUIRE ANY PERMISSION TO BE STARTED.
  • 50. LIST OF VULNERABLE ANDROID APPLICATIONS • DAMN VULNERABLE HYBRID MOBILE APPLICATION • ANDROID DIGITAL BANK • DAMN INSECURE AND VULNERABLE APPLICATION • HACKME BANK • INSECURE BANK • DAMN VULNERABLE ANDROID APPLICATION • OWASP GOATDROID • DODO VULNERABLE BANK
  • 52. REFERENCES: • HTTPS://RESOURCES.INFOSECINSTITUTE.COM/ANDROID-APPLICATION-SECURITY-TESTING-GUIDE-PART-1/ • HTTPS://RESOURCES.INFOSECINSTITUTE.COM/ANDROID-APP-SEC-TEST-GUIDE-PART-2/ • HTTPS://KING-SABRI.NET/ANDROID-HACKING-DROZER-SECURITY-ASSESSMENT-FRAMEWORK/ • HTTPS://SECURITYGRIND.COM/USING-THE-DROZER-FRAMEWORK-FOR-ANDROID-PENTESTING/ • HTTPS://PENTESTLAB.BLOG/CATEGORY/MOBILE-PENTESTING/ • HTTPS://GITHUB.COM/TANPRATHAN/MOBILEAPP-PENTEST-CHEATSHEET • HTTPS://PENTESTLAB.BLOG/2016/11/07/LIST-OF-VULNERABLE-ANDROID-APPLICATIONS/