Manish Chasta - Securing Android Applications


Securing Android Applications

Manish Chasta | CISSP, CHFI, ITIL

About Me

Principal Consultant @ Indusface, India
Over 6 years of experience in Information and Application Security
CISSP, CHFI, ITIL

What comes to any Indian's mind when they think of Russia?

Agenda

Introduction to Android and Mobile Applications
Working with Android SDK and Emulator
Setting up GoatDroid Application
Memory Analysis
Intercepting Layer 7 traffic
Reverse Engineering Android Applications
SQLite Database Analysis
Demo: ExploitMe application

What the NUMBERS say!!!

Gartner Says:
8.2 Billion mobile applications were downloaded in 2010
17.7 Billion by 2011
185 Billion applications will have been downloaded by 2014

The figure has reached 17.7 Billion, a 117% increase compared to the applications downloaded in 2010

Market Share

Introduction to Android

Most widely used mobile OS
Developed by Google
OS + Middleware + Applications
Android Open Source Project (AOSP) is responsible for maintenance and further development

Android Architecture

Android Architecture: Linux Kernel

Linux kernel with system services:
  Security
  Memory and process management
  Network stack
Provides drivers to access hardware:
  Camera
  Display and audio
  WiFi

Android Architecture: Android RunTime

Core Libraries:
  Written in Java
  Provide the functionality of the Java programming language
  Interpreted by the Dalvik VM
Dalvik VM:
  Java-based VM, a lightweight substitute for the JVM
  Unlike the JVM, the DVM is a register-based Virtual Machine
  DVM is optimized to run with limited main memory and low CPU usage
  Java code (.class files) is converted into .dex format to be able to run on the Android platform

Android Applications

Mobile Apps vs Web Applications

Thick and Thin Client
Security Measures
User Awareness

Setting-up Environment

Handset / Android Device
Android SDK and Eclipse
Emulator
Wireless Connectivity
And of course the Application file

Setting-up Lab

What we need:
Android SDK
Eclipse
GoatDroid (Android App from OWASP)
MySQL
.Net Framework
Proxy tool (Burp)
Agnitio
Android Device (Optional)
SQLite browser

Working with Android SDK

Android SDK

Development Environment for Android Application Development
Components:
  SDK Manager
  AVD Manager
  Emulator

Android SDK

Can be downloaded from: developer.android.com/sdk/
Requires JDK to be installed
Install Eclipse
Install ADT Plugin for Eclipse

Android SDK : Installing SDK

Simple Next-next process

Android SDK: Configuring Eclipse

Go to Help -> Install New Software
Click Add
Give the Name as ADT Plugin
Provide the below address in Location: http://dl-ssl.google.com/android/eclipse/
Press OK
Check the box next to Developer Tools and press Next
Click Next and accept the Terms and Conditions
Click Finish

Android SDK: Configuring Eclipse

Now go to Window -> Preferences
Click on Android in the left panel
Browse to the Android SDK directory
Press OK

SDK Manager

AVD Manager

Emulator: Running

Click on Start

Emulator: Running from Command Line

Emulator: Running with proxy

ADB: Android Debug Bridge

Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or a connected Android-powered device.
You can find the adb tool in /platform-tools/

ADB: Important Commands

Install an application on the emulator or device:

ADB: Important Commands

Push data to the emulator / device: adb push <local> <remote>
Pull data from the emulator / device: adb pull <remote> <local>
Remote -> Emulator and Local -> Machine

ADB: Important Commands

Getting a Shell on the Emulator or Device: adb shell
Reading Logs: adb logcat

ADB: Important Commands

Reading a SQLite3 database:
  adb shell
  Go to the path of the database
  sqlite3 database_name.db
  .dump to see the content of the db file and .schema to print the schema of the database on the screen
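An added example, not taken from the original slides, showing what to do with the output of the adb logcat step above: a small Python script that parses brief-format logcat lines and flags messages in which an application writes credentials or session material to the log. The log lines and the FourGoats tag are constructed sample data, not a real capture.

```python
import re
from typing import Dict, List, Optional

# Default "brief" logcat format: <priority>/<tag>(<pid>): <message>
LOGCAT_LINE = re.compile(r"^([VDIWEF])/([^(]+?)\s*\(\s*(\d+)\): (.*)$")

# Message patterns suggesting the app writes credentials or session material to the log
SENSITIVE = [
    re.compile(r"(?i)\b(password|passwd|pwd|pin)\b\s*[:=]\s*\S+"),
    re.compile(r"(?i)\b(token|session[_-]?id|secret|api[_-]?key)\b\s*[:=]\s*\S+"),
    re.compile(r"(?i)\bauthorization:\s*(basic|bearer)\s+\S+"),
]

# Constructed sample of `adb logcat` output (not a real capture); the Basic value is base64 of "sample"
SAMPLE_LOGCAT = """\
I/ActivityManager(  585): Start proc FourGoats for activity
D/FourGoats( 1234): login request user=goatboy password=goatdroid
D/FourGoats( 1234): response code 200
E/AndroidRuntime( 1234): FATAL EXCEPTION: main
D/FourGoats( 1234): Authorization: Basic c2FtcGxl
W/dalvikvm( 1234): threadid=1: thread exiting
""".splitlines()

def parse_logcat_line(line: str) -> Optional[Dict[str, object]]:
    """Split one brief-format line into priority, tag, pid and message; None if it does not parse."""
    m = LOGCAT_LINE.match(line.rstrip())
    if not m:
        return None
    priority, tag, pid, message = m.groups()
    return {"priority": priority, "tag": tag.strip(), "pid": int(pid), "message": message}

def find_leaks(lines: List[str], tag: Optional[str] = None) -> List[Dict[str, object]]:
    """Return parsed entries whose message matches a sensitive pattern, optionally for one tag only."""
    findings = []
    for line in lines:
        entry = parse_logcat_line(line)
        if entry is None or (tag is not None and entry["tag"] != tag):
            continue
        for pattern in SENSITIVE:
            if pattern.search(str(entry["message"])):
                entry["pattern"] = pattern.pattern
                findings.append(entry)
                break
    return findings

if __name__ == "__main__":
    for f in find_leaks(SAMPLE_LOGCAT):
        print(f'{f["priority"]}/{f["tag"]}({f["pid"]}): {f["message"]}')
```

Run it against a real capture with `adb logcat -d > app.log` and feed the file's lines to find_leaks, filtering on the application's own log tag.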

Auditing Application from Android Phone

Need of Rooting

What is Android Rooting?

Rooting Android Phone

Step 1: Download CF Rooted Kernel files and Odin3 Software

Rooting Android Phone

Step 2: Put the handset in debugging mode

Rooting Android Phone

Step 3: Run Odin3

Rooting Android Phone

Step 4: Reboot the phone in download mode
Step 5: Connect it to the PC

Rooting Android Phone

Step 6: Select the required files, i.e. PDA, Phone, CSC files
Step 7: Click on Auto Reboot and F. Reset Time and hit the Start button

Rooting Android Phone

If your phone is rooted, you will see PASS!! in Odin3

Important Tools

Terminal Emulator
Proxy tool (transproxy)

Setting Proxy

Both the Android phone and the laptop (the machine used for auditing) need to be on the same wireless LAN.
Enter the laptop's IP address and the port on which the proxy is listening into the proxy tool (transproxy).

Intercepting Traffic (Burp)

Burp is an HTTP proxy tool
Able to intercept layer 7 traffic and allows users to manipulate the HTTP Requests and Responses

Memory Analysis with Terminal Emulator

DD Command: dd if=filename.xyz of=/sdcard/SDA.dd
Application path on the Android Device: /data/data/com.application_name

Memory Analysis with Terminal Emulator

Memory Analysis with Terminal Emulator

Lab: GoatDroid, a vulnerable Android application from OWASP

GoatDroid : Setting up

Install MySQL
Install the fourgoats database
Create a user named "goatboy" with password "goatdroid" and Limit Connectivity to Hosts Matching "localhost". "goatboy" also needs insert, delete, update and select privileges on the fourgoats database.

GoatDroid : Setting up

Run the goatdroid-beta-v0.1.2.jar file
Set the path for the Android SDK Root directory and Virtual Devices: click Configure -> Edit and click on the Android tab
Set the path for the Android SDK, typically C:\Program Files\Android\android-sdk
Set the path for Virtual Devices, typically C:\Documents and Settings\Manish\android\avd

GoatDroid : Setting up

Start web services
Start the emulator through the GoatDroid jar file
Push / Install the application to the Device
Run the FourGoats application from the emulator
Click on Menu and then click on Destination Info
Provide the following information in the required fields: Server: 10.0.2.2 and Port: 8888

GoatDroid : Setting up

Demo / Hands On

GoatDroid : Setting up proxy

Assuming FourGoats is already installed
Run the goatdroid-beta-v0.1.2.jar file and start web services
Start any HTTP proxy tool (Burp) on port 7000
Configure Burp to forward the incoming traffic to port 8888
Start the emulator from the command line with the following command:
emulator -avd test2 -http-proxy 127.0.0.1:7000

GoatDroid : Setting up proxy

Open the FourGoats application in the emulator
Click on Menu to set Destination Info
Set Destination Info as below: Server: 10.0.2.2 and port 7000
Now see if you are able to intercept the traffic in Burp

GoatDroid : Setting up Proxy

Demo / Hands On

GoatDroid: Intercepting Traffic

Demo / Hands On

GoatDroid: Parameter Manipulation Attack

Demo / Hands On

GoatDroid: Handset Memory Analysis

Demo / Hands On

GoatDroid: Auditing from Android Device

Install the app on the Android device
Set the destination info as below: Server: IP address (WLAN) of your laptop and port 8888 (in case no proxy is listening)
Memory Analysis through Terminal Emulator and the DD command

GoatDroid: Reverse Engineering

Next Topic

Reverse Engineering Android Applications

Reverse Engineering Android Application

Vulnerabilities can be found through Reverse Engineering:
  Vulnerabilities in Source Code
  Re-compile the application
  Commented Code
  Hard coded information

Reverse Engineering Android Application

Dex to jar (dex2jar): C:\dex2jar-version\dex2jar.bat someApk.apk
Open the code files in any Java decompiler
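An added Python example, not part of the original deck, that ties the Android Runtime slide's .dex format to the dex2jar step above: it parses the dex file header and checks the Adler-32 checksum and SHA-1 signature that a corrupted or naively patched classes.dex will fail. The header-only sample image is constructed here; the field layout follows the dex format specification.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"        # magic of dex format version 035
HEADER_SIZE = 0x70               # the header is always 112 bytes
ENDIAN_CONSTANT = 0x12345678
# uint32 fields that follow the 20-byte SHA-1 signature, in file order
FIELDS = ("file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
          "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
          "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
          "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
          "data_size", "data_off")

def parse_dex_header(data: bytes) -> dict:
    """Parse the dex header and verify magic, Adler-32 checksum and SHA-1 signature."""
    if len(data) < HEADER_SIZE or data[:8] != DEX_MAGIC:
        raise ValueError("not a dex 035 file")
    checksum = struct.unpack_from("<I", data, 8)[0]
    signature = data[12:32]
    hdr = dict(zip(FIELDS, struct.unpack_from("<20I", data, 32)))
    if hdr["header_size"] != HEADER_SIZE or hdr["endian_tag"] != ENDIAN_CONSTANT:
        raise ValueError("unexpected header layout or byte order")
    body = data[:hdr["file_size"]]
    # checksum covers everything after the checksum field; signature covers everything after itself
    hdr["checksum_ok"] = checksum == (zlib.adler32(body[12:]) & 0xFFFFFFFF)
    hdr["signature_ok"] = signature == hashlib.sha1(body[32:]).digest()
    return hdr

def build_minimal_dex() -> bytes:
    """Constructed sample: a header-only dex image (no classes) with a valid checksum and signature."""
    fields = dict.fromkeys(FIELDS, 0)
    fields.update(file_size=HEADER_SIZE, header_size=HEADER_SIZE, endian_tag=ENDIAN_CONSTANT)
    tail = struct.pack("<20I", *(fields[f] for f in FIELDS))
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + tail

def tamper(dex: bytes, offset: int) -> bytes:
    """Flip one byte to mimic a patched dex whose checksum/signature were not recomputed."""
    buf = bytearray(dex)
    buf[offset] ^= 0x01
    return bytes(buf)

if __name__ == "__main__":
    good, bad = build_minimal_dex(), tamper(build_minimal_dex(), HEADER_SIZE - 1)
    print(parse_dex_header(good)["checksum_ok"], parse_dex_header(bad)["checksum_ok"])  # True False
```

A properly rebuilt dex carries recomputed values, so these two checks only catch corruption and careless patching; integrity of the package as a whole rests on the APK signature.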

Reverse Engineering Android Application

Demo / Hands On

Agnitio

Mobile Application Code Review tool
Install: Next-Next process
Can analyze a Codebase as well as an .apk file

Agnitio

Demo / Hands On

Analyzing SQLite Database

Analyzing SQLite Database

SQLite Database:
  SQLite is a widely used, lightweight database
  Used by most mobile OSes, e.g. iPhone, Android, Symbian, webOS
  SQLite is a free to use and open source database
  Zero-configuration - no setup or administration needed
  A complete database is stored in a single cross-platform disk file

Analyzing SQLite Database

Pull the .db files out of the emulator / device as explained earlier
Tools:
  SQLite browser
  Epilog
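An added Python example, not from the original slides, that automates the analysis step on a pulled .db file: it enumerates the schema the way the sqlite3 .schema command does and flags credential-like columns whose values are stored in plaintext rather than as a hash digest. The database file and its rows are constructed sample data; the goatboy/goatdroid values are reused from the lab setup purely as sample content.

```python
import os
import re
import sqlite3
import tempfile

# Column names that usually hold credentials or session material
SENSITIVE_COLUMN = re.compile(r"(?i)pass(word)?|pwd|\bpin\b|secret|token|ssn|card")
# Values that look like an MD5 / SHA-1 / SHA-256 hex digest rather than plaintext
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)

def list_schema(db_path):
    """Return {table: [columns]} from sqlite_master, the catalogue that .schema prints."""
    con = sqlite3.connect(db_path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        return {t: [c[1] for c in con.execute(f'PRAGMA table_info("{t}")')] for t in tables}
    finally:
        con.close()

def find_plaintext_secrets(db_path):
    """Flag sensitive-looking columns whose stored values are readable as-is once the .db is pulled."""
    findings = []
    con = sqlite3.connect(db_path)
    try:
        for table, cols in list_schema(db_path).items():
            for col in cols:
                if not SENSITIVE_COLUMN.search(col):
                    continue
                rows = con.execute(f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL').fetchall()
                plaintext = [r[0] for r in rows if not HEX_DIGEST.match(str(r[0]))]
                if plaintext:
                    findings.append({"table": table, "column": col, "rows": len(plaintext)})
    finally:
        con.close()
    return findings

def make_sample_db():
    """Constructed sample standing in for a pulled /data/data/<package>/databases/*.db file."""
    path = os.path.join(tempfile.mkdtemp(), "sample_app.db")
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, pin TEXT);
        INSERT INTO users VALUES (1, 'goatboy', 'goatdroid', '1234');
        INSERT INTO users VALUES (2, 'alice', '5f4dcc3b5aa765d61d8327deb882cf99', NULL);
        CREATE TABLE sessions(sid INTEGER PRIMARY KEY, auth_token TEXT, created INTEGER);
        INSERT INTO sessions VALUES (1, 'abc123sessionvalue', 1320000000);
    """)
    con.close()
    return path
```

Point find_plaintext_secrets at a file retrieved with adb pull to get the same report for a real application database.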

Analyzing SQLite Database

Demo / Hands On

ExploitMe: one more vulnerable application from Security Compass

ExploitMe

Demo / Hands On

Manish Chasta
Email: manish.chasta@owasp.org
Twitter: twitter.com/manish_chasta
LinkedIn: http://www.linkedin.com/pub/dir/Manish/Chasta