Alice in Android Land
CANBERK BOLAT
CYPSEC ‘14
24 APR 2014
whoami
• Canberk Bolat
- Security Researcher (@adeosecurity)
- Reverse Engineering, Fuzzing, Pentest
- Blogger/Writer
- http://cbolat.blogspot.com
- Contact
- @cnbrkbolat && [email protected]
agenda
• Introduction to Android
• Why Android Security?
• Common Android Application Vulnerabilities
• Exploiting addJavaScriptInterface Vulnerability
• Cross-compiling for Android
• Popping Shell on Android
• exit(0)
introduction to android
• Become an Android expert in 49 steps!
* NOTE: The "49 Steps" door from İngiliz Köyü; thanks, Kasım Erkan!
• Sandbox
• Application Framework
• Memory Management
• File System Security
• User-granted / App-specific Permissions
why android security?
• BYOD
• Very popular
• On average, in one year
- 29,000,000,000 apps are downloaded
• ~60 apps per device
• Weak app vetting (Google Play)
• The platform update problem
- Raise your hand if you don't have KitKat!
common android application vulnerabilities
• Logging
• Unencrypted/Plain-text/Weak credentials
• Insecure Communication
- HTTP Traffic :(
• XSS (?)
• WebView
- setJavaScriptEnabled
- addJavaScriptInterface
exploiting addJavaScriptInterface vulnerability
• setJavaScriptEnabled
• addJavaScriptInterface
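An added example, not taken from the slides: the WebView configuration these two bullets refer to, with the risky pattern shown commented out beside a hardened form. The activity, bridge object, bridge name and host are hypothetical; the Android method itself is spelled addJavascriptInterface.

```java
// Added example, not from the slides; class, bridge and host names are hypothetical.
import android.app.Activity;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class NewsActivity extends Activity {
    private static final String TRUSTED_HOST = "app.example.com"; // placeholder

    // Bridge object. With targetSdkVersion >= 17 on an API 17+ device, only
    // methods marked @JavascriptInterface are callable from page script.
    public static final class Bridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView web = new WebView(this);
        setContentView(web);

        // Risky pattern: script enabled, a bridge injected on every API level, and
        // the page loaded over plain HTTP, so anyone on the network path picks the script.
        //   web.getSettings().setJavaScriptEnabled(true);
        //   web.addJavascriptInterface(new Bridge(), "bridge");
        //   web.loadUrl("http://" + TRUSTED_HOST + "/news");

        // Hardened form.
        web.getSettings().setJavaScriptEnabled(true);   // keep only if the page needs script
        web.getSettings().setAllowFileAccess(false);    // no file:// loads in this view
        web.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                Uri u = Uri.parse(url);
                boolean ok = "https".equals(u.getScheme()) && TRUSTED_HOST.equals(u.getHost());
                return !ok;                             // true stops the navigation
            }
        });
        // Below API 17 every public method of the object, inherited ones included,
        // is reachable from script, so inject no bridge there.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            web.addJavascriptInterface(new Bridge(), "bridge");
        }
        web.loadUrl("https://" + TRUSTED_HOST + "/news");
    }
}
```

shouldOverrideUrlLoading is not consulted for the initial loadUrl call, which is why that URL is built from the same trusted host over HTTPS.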
cross-compiling for android
• Android NDK
• ndk-build
• Compiling the code requires a folder structure like the one below
• Contents of the Android.mk file
- Works for me!
C:\Users\Canberk\helloworld\jni>ndk-build
[armeabi] Compile thumb : hello_world <= helloworld.c
[armeabi] Executable : hello_world
[armeabi] Install : hello_world => libs/armeabi/hello_world
C:\Users\Canberk\helloworld\jni>adb push ..\libs\armeabi\hello_world data
C:\Users\Canberk\helloworld\jni>adb shell chmod 777 /data/hello_world
C:\Users\Canberk\helloworld\jni>adb shell ./data/hello_world
hello arm!
popping shell on android
• cross-compile your reverse_connect_backdoor.c for ARM
• convert binary to \x02X format
• write converted binary to file system
• mitm and manipulate HTTP traffic
• exploit addJavaScriptInterface vulnerability
• chmod 777 backdoor
• run backdoor
• pop the shell on android
popping shell on android
demo
exit(0)
• thanks!