Securing Android Applications


Presented by: Manish Chasta | CISSP, CHFI, ITIL | Principal Consultant, Indusface


www.indusface.com | Copyright 2012

Agenda

  • Introduction to Android and Mobile Applications
  • Working with Android SDK and Emulator
  • Setting up GoatDroid Application
  • Memory Analysis
  • Intercepting Layer 7 traffic
  • Reverse Engineering Android Applications
  • SQLite Database Analysis
  • Demo: ExploitMe application

What the numbers say

Gartner says:
  • 8.2 billion mobile applications were downloaded in 2010
  • 17.7 billion by 2011
  • 185 billion applications will have been downloaded by 2014

Market Share


Introduction to Android

  • Most widely used mobile OS
  • Developed by Google
  • OS + Middleware + Applications
  • The Android Open Source Project (AOSP) is responsible for maintenance and further development

Android Architecture


Android Architecture: Linux Kernel

Linux kernel with system services:
  • Security
  • Memory and process management
  • Network stack

Provides drivers to access hardware:
  • Camera
  • Display and audio
  • Wi-Fi

Android Architecture: Android Runtime

Core libraries:
  • Written in Java
  • Provide the functionality of the Java programming language
  • Interpreted by the Dalvik VM

Dalvik VM:
  • Java-based VM, a lightweight substitute for the JVM
  • Unlike the JVM, the DVM is a register-based virtual machine
  • The DVM is optimized to run with limited main memory and low CPU usage
  • Java code (.class files) is converted into .dex format so that it can run on the Android platform

Android Applications


Mobile Apps vs Web Applications

  • Thick and thin client
  • Security measures
  • User awareness

Setting up the Environment

  • Handset / Android device
  • Android SDK and Eclipse
  • Emulator
  • Wireless connectivity
  • And of course, the application file

Setting up the Lab

What we need:
  • Android SDK
  • Eclipse
  • GoatDroid (Android app from OWASP)
  • MySQL
  • .NET Framework
  • Proxy tool (Burp)
  • Agnitio
  • Android device (optional)
  • SQLitebrowser

Working with Android SDK


Android SDK

Development environment for Android application development. Components:
  • SDK Manager
  • AVD Manager
  • Emulator

Android SDK

  • Can be downloaded from developer.android.com/sdk/
  • Requires the JDK to be installed
  • Install Eclipse
  • Install the ADT plugin for Eclipse

Android SDK: Installing the SDK

Simple next-next process

Android SDK: Configuring Eclipse

  1. Go to Help -> Install New Software
  2. Click Add
  3. Give the name as ADT Plugin
  4. Provide the following address in Location: http://dlssl.google.com/android/eclipse/
  5. Press OK
  6. Check the box next to Developer Tools and press Next
  7. Click Next and accept the terms and conditions
  8. Click Finish

Android SDK: Configuring Eclipse

  1. Now go to Window -> Preferences
  2. Click on Android in the left panel
  3. Browse to the Android SDK directory
  4. Press OK

SDK Manager


AVD Manager


Emulator: Running

Click on Start

Emulator: Running from Command Line


Emulator: Running with proxy


ADB: Android Debug Bridge

Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or a connected Android-powered device. The adb tool is found in the platform-tools/ directory of the Android SDK.

ADB: Important Commands

Install an application to the emulator or device: adb install <path to .apk>

ADB: Important Commands

Push data to the emulator / device: adb push <local> <remote>

Pull data from the emulator / device: adb pull <remote> <local>

(Remote -> emulator; Local -> machine)

ADB: Important Commands

Getting a shell on the emulator or device: adb shell

Reading logs: adb logcat

ADB: Important Commands

Reading a SQLite3 database:
  • adb shell
  • Change to the directory holding the database and run: sqlite3 database_name.db
  • .dump shows the content of the db file; .schema prints the schema of the database on the screen

Reading logs: adb logcat
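As an added example (not from the slides or the GoatDroid project), the script below does offline what the .schema / .dump inspection above does interactively: it opens an app database pulled from the device and flags sensitive-looking columns that hold plain text. The sample table layout and the column-name heuristic are assumptions.

```python
import os
import re
import sqlite3
import tempfile

# Heuristic (an assumption, not from the slides): a column named like this
# that holds readable text suggests a secret stored without protection.
SENSITIVE_COLUMN = re.compile(r"pass|pwd|secret|token|pin", re.IGNORECASE)

def build_sample_db(path=None):
    """Write a constructed database like one an app keeps under
    /data/data/<package>/databases/ (sample data only); return its path."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".db")
        os.close(fd)
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE notes (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT);
        INSERT INTO users VALUES (1, 'goatboy', 'goatdroid');
        INSERT INTO notes VALUES (1, 1, 'first note');
    """)
    con.commit()
    con.close()
    return path

def dump_schema(path):
    """Same information as the sqlite3 shell's .schema command."""
    con = sqlite3.connect(path)
    sql = [r[0] for r in con.execute(
        "SELECT sql FROM sqlite_master WHERE sql IS NOT NULL ORDER BY name")]
    con.close()
    return sql

def find_cleartext_secrets(path):
    """Return (table, column, value) triples where a sensitive-looking column
    holds plain text: the first thing to check after pulling an app database."""
    findings = []
    con = sqlite3.connect(path)
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt, pk)
        cols = [c[1] for c in con.execute(f'PRAGMA table_info("{table}")')]
        for col in (c for c in cols if SENSITIVE_COLUMN.search(c)):
            for (value,) in con.execute(f'SELECT "{col}" FROM "{table}"'):
                if isinstance(value, str) and value:
                    findings.append((table, col, value))
    con.close()
    return findings
```

Point dump_schema and find_cleartext_secrets at a file retrieved with adb pull to run the same check against a real application database.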

Auditing Application from Android Phone


Need of Rooting

What is Android Rooting?


Rooting Android Phone

Step 1: Download the CF rooted kernel files and the Odin3 software
Step 2: Keep the handset in debugging mode
Step 3: Run Odin3
Step 4: Reboot the phone in download mode
Step 5: Connect to the PC
Step 6: Select the required files, i.e. the PDA, Phone and CSC files
Step 7: Click on Auto Reboot and F. Reset Time and hit the Start button

If your phone is rooted, you will see PASS!! in Odin3.

Important Tools

Terminal Emulator Proxy tool (transproxy)


Setting Proxy

Both the Android phone and the laptop (the machine used for auditing) need to be on the same wireless LAN. In the proxy tool (transproxy), provide the laptop's IP address and the port on which the proxy is listening.

Intercepting Traffic (Burp)

Burp is an HTTP proxy tool. It intercepts layer 7 traffic and allows the user to manipulate HTTP requests and responses.

Memory Analysis with Terminal Emulator

dd command: dd if=filename.xyz of=/sdcard/SDA.dd

Application path on the Android device: /data/data/com.application_name
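Added example (not from the slides): once the dd image has been copied to the auditing machine, this Python script carves printable strings from it the way strings(1) does and classifies them against assumed indicator patterns (credentials, endpoints, SQLite headers). The image bytes and the patterns are constructed for illustration.

```python
import re

# Constructed sample of what a raw copy of an app's storage might contain:
# binary padding around a few readable fragments. Not a real image.
SAMPLE_IMAGE = (
    b"\x00\x00SQLite format 3\x00" + b"\xff" * 16
    + b"username=goatboy\x00password=goatdroid\x00" + b"\x00" * 8
    + b"\x03\x9a\x7fhttp://10.0.2.2:8888/login\x00" + b"\xde\xad" * 6
    + b"ab\x00"  # shorter than MIN_LEN, so it is ignored
)

MIN_LEN = 4  # same default as the strings(1) utility

# Assumed indicator patterns (not from the slides); tune per application.
INDICATORS = {
    "credential": re.compile(r"(?i)(pass(word)?|pwd|pin|token)\s*[=:]\s*\S+"),
    "endpoint": re.compile(r"https?://[^\s\"']+"),
    "sqlite_header": re.compile(r"^SQLite format 3"),
}


def extract_strings(data, min_len=MIN_LEN):
    """Return printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def classify(strings):
    """Map each indicator name to the carved strings that match it."""
    hits = {name: [] for name in INDICATORS}
    for s in strings:
        for name, pattern in INDICATORS.items():
            if pattern.search(s):
                hits[name].append(s)
    return hits


def audit_image(data):
    """Carve and classify in one step; data is the raw image bytes."""
    return classify(extract_strings(data))


def audit_file(path):
    """Same, reading the dd image from disk (e.g. after adb pull)."""
    with open(path, "rb") as f:
        return audit_image(f.read())
```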


Lab: GoatDroid

A vulnerable Android application from OWASP

GoatDroid: Setting up

  • Install MySQL
  • Install the fourgoats database
  • Create a user named "goatboy" with password "goatdroid" and limit connectivity to hosts matching "localhost"
  • "goatboy" also needs INSERT, DELETE, UPDATE and SELECT privileges on the fourgoats database

GoatDroid: Setting up

  • Run the goatdroid-beta-v0.1.2.jar file
  • Set the paths for the Android SDK root directory and the virtual devices: click Configure -> Edit and click on the Android tab
  • Set the path for the Android SDK; typically it is C:\Program Files\Android\android-sdk
  • Set the path for virtual devices; typically it is C:\Documents and Settings\Manish\android\avd

GoatDroid: Setting up

  • Start web services
  • Start the emulator through the GoatDroid jar file
  • Push / install the application to the device
  • Run the FourGoats application from the emulator
  • Click on Menu and then click on Destination Info
  • Provide the following information in the required fields: Server: 10.0.2.2 and Port: 8888

GoatDroid: Setting up

Demo / Hands On


GoatDroid: Setting up Proxy

Assuming FourGoats is already installed:
  • Run the goatdroid-beta-v0.1.2.jar file and start web services
  • Start any HTTP proxy tool (Burp) on port 7000
  • Configure Burp to forward the incoming traffic to port 8888
  • Start the emulator from the command line with the following command: emulator -avd test2 -http-proxy 127.0.0.1:7000

GoatDroid: Setting up Proxy

  • Open the FourGoats application in the emulator
  • Click on Menu to set Destination Info
  • Set Destination Info as below: Server: 10.0.2.2 and Port: 7000

Now check whether you are able to intercept the traffic in Burp.

GoatDroid: Setting up Proxy

Demo / Hands On


GoatDroid: Intercepting Traffic

Demo / Hands On


GoatDroid: Parameter Manipulation Attack

Demo / Hands On


GoatDroid: Handset Memory Analysis

Demo / Hands On


GoatDroid: Auditing from Android Device

  • Install the app on the Android device
  • Set the destination info as below: Server: the WLAN IP address of your laptop, and Port: 8888 (in case no proxy is listening)
  • Memory analysis through Terminal Emulator and the dd command

GoatDroid: Reverse Engineering

Next Topic