Manish Chasta - Securing Android Applications

Page 1

Securing Android Applications
Manish Chasta | CISSP, CHFI, ITIL

Page 2

About Me

Principal Consultant @ Indusface, India

Over 6 years experience in Information and Application Security

CISSP, CHFI, ITIL

Page 3

What comes to any Indian’s mind when they think of Russia?

Page 4

Page 5

Agenda

Introduction to Android and Mobile Applications

Working with Android SDK and Emulator

Setting up GoatDroid Application

Memory Analysis

Intercepting Layer 7 traffic

Reverse Engineering Android Applications

SQLite Database Analysis

Demo: ExploitMe application

Page 6

What the NUMBERS say!!!

Gartner says: 8.2 billion mobile applications were downloaded in 2010, 17.7 billion by 2011, and 185 billion applications will have been downloaded by 2014

Page 7

Market Share

Page 8

Introduction to Android

Most widely used mobile OS

Developed by Google

OS + Middleware + Applications

Android Open Source Project (AOSP) is responsible for maintenance and further development

Page 9

Android Architecture

Page 10

Android Architecture: Linux Kernel

Linux kernel with system services: security, memory and process management, network stack

Provides drivers to access hardware: camera, display and audio, Wi-Fi, …

Page 11

Android Architecture: Android RunTime

Core Libraries: written in Java; provide the functionality of the Java programming language; interpreted by the Dalvik VM

Dalvik VM: a Java-based VM, a lightweight substitute for the JVM. Unlike the JVM, the DVM is a register-based virtual machine. The DVM is optimized to run with limited main memory and low CPU usage. Java code (.class files) is converted into .dex format to be able to run on the Android platform.

Page 12

Android Applications

Page 13

Mobile Apps vs Web Applications

Thick and Thin Client

Security Measures

User Awareness

Page 14

Setting-up Environment

Handset / Android Device

Android SDK and Eclipse

Emulator

Wireless Connectivity

And of course… Application file

Page 15

Setting-up Lab

What we need: Android SDK, Eclipse, GoatDroid (Android App from OWASP), MySQL, .NET Framework, Proxy tool (Burp), Agnitio, Android Device (Optional), SQLitebrowser

Page 16

Working with Android SDK

Page 17

Android SDK

Development Environment for Android Application Development

Components: SDK Manager, AVD Manager, Emulator

Page 18

Android SDK

Can be downloaded from :

developer.android.com/sdk/

Requires JDK to be installed

Install Eclipse

Install ADT Plugin for Eclipse

Page 19

Android SDK : Installing SDK

Simple Next-next process

Page 20

Android SDK: Configuring Eclipse

Go to Help->Install new Software

Click Add

Give Name as ADT Plugin

Provide the below address in Location:

http://dl-ssl.google.com/android/eclipse/

Press OK

Check next to ‘Developer Tool’ and press next

Click next and accept the ‘Terms and Conditions’

Click Finish

Page 21

Android SDK: Configuring Eclipse

Now go to Window -> Preferences

Click on Android in left panel

Browse the Android SDK directory

Press OK

Page 22

SDK Manager

Page 23

AVD Manager

Page 24

Emulator: Running

Click on Start

Page 25

Emulator: Running from Command Line

Page 26

Emulator: Running with proxy

Page 27

ADB: Android Debug Bridge

Android Debug Bridge (adb) is a versatile

command line tool that lets you

communicate with an emulator instance

or connected Android-powered device.

You can find the adb tool in

<sdk>/platform-tools/

Page 28

ADB: Important Commands

Install an application to emulator or

device:

Page 29

ADB: Important Commands

Push data to emulator / device

adb push <local> <remote>

Pull data from emulator / device

adb pull <remote> <local>

Remote -> Emulator and Local -> Machine

Page 30

ADB: Important Commands

Getting Shell of Emulator or Device

adb shell

Reading Logs

adb logcat

Page 31

ADB: Important Commands

Reading SQLite3 database

adb shell

Go to the database path

sqlite3 database_name.db

.dump to see the content of the db file and .schema to print the schema of the database on the screen

Reading Logs

adb logcat

Page 32

Auditing Application from Android Phone

Page 33

Need for Rooting

What is Android Rooting?

Page 34

Rooting Android Phone

Step 1: Download CF Rooted Kernel files and Odin3 Software

Page 35

Rooting Android Phone

Step 2: Keep handset on debugging mode

Page 36

Rooting Android Phone

Step 3: Run Odin3

Page 37

Rooting Android Phone

Step 4: Reboot the phone in download mode

Step 5: Connect to the PC

Page 38

Rooting Android Phone

Step 6: Select the required files, i.e. PDA, Phone, CSC files

Step 7: Click on Auto Reboot and F. Reset Time and hit the Start button

Page 39

Rooting Android Phone

If your phone is rooted, you will see PASS!! in Odin3

Page 40

Important Tools

Terminal Emulator

Proxy tool (transproxy)

Page 41

Setting Proxy

Both the Android phone and the laptop (the machine to be used in auditing) need to be on the same wireless LAN.

Provide the laptop's IP address and the port where the proxy is listening in the proxy tool (transproxy) installed on the machine.

Page 42

Intercepting Traffic (Burp)

Burp is an HTTP proxy tool

Able to intercept layer 7 traffic and allows users to manipulate the HTTP requests and responses

Page 43

Memory Analysis with Terminal Emulator

DD Command:

dd if=filename.xyz of=/sdcard/SDA.dd

Application path on Android device:

/data/data/com.application_name
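Once the dd image has been written to the SD card and pulled to the auditing machine, the question is whether it holds the test account's credentials in clear. The following Python script is an added example, not part of the original slides and not code from any tool named in them: it extracts printable strings from a raw image the way the `strings` utility does, in both ASCII and UTF-16LE (the layout of Java string contents, which plain `strings` misses), and then checks whether known values such as the GoatDroid password appear in clear. The image it scans is constructed inline as a stand-in for `/sdcard/SDA.dd`; the minimum run length of 4 is an assumed default.

```python
import re

# Minimum run length, the same default as the `strings` utility (assumed value).
MIN_LEN = 4
# Printable ASCII runs, and UTF-16LE runs (printable byte followed by NUL), which is
# how Java/Dalvik string contents are laid out and what plain `strings` misses.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(image: bytes):
    """Return (ascii_strings, utf16_strings) found in a raw image."""
    ascii_strs = [m.group().decode("ascii") for m in ASCII_RUN.finditer(image)]
    utf16_strs = [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(image)]
    return ascii_strs, utf16_strs


def find_known_secrets(image: bytes, secrets):
    """For each known value (e.g. the password used to log in during the test),
    list the (encoding, offset) pairs where it occurs in clear."""
    hits = {}
    for secret in secrets:
        found = []
        for enc in ("ascii", "utf-16-le"):
            needle = secret.encode(enc)
            start = image.find(needle)
            while start != -1:
                found.append((enc, start))
                start = image.find(needle, start + 1)
        hits[secret] = found
    return hits


def build_sample_image() -> bytes:
    """Constructed stand-in for /sdcard/SDA.dd: non-printable filler with three
    embedded strings, one of them UTF-16LE. Not a real dump."""
    filler = bytes([0x00, 0xFF, 0x80, 0x01]) * 64
    return (
        filler
        + b"username=goatboy\x00"
        + filler
        + "password=goatdroid".encode("utf-16-le")
        + filler
        + b"\x07\x08http://10.0.2.2:8888/api"
        + filler
    )


def analyze_sample():
    """Run both checks over the constructed image; returns (ascii, utf16, hits)."""
    image = build_sample_image()
    ascii_strs, utf16_strs = extract_strings(image)
    hits = find_known_secrets(image, ["goatdroid", "goatboy"])
    return ascii_strs, utf16_strs, hits


if __name__ == "__main__":
    ascii_strs, utf16_strs, hits = analyze_sample()
    print("ASCII strings :", ascii_strs)
    print("UTF-16 strings:", utf16_strs)
    for secret, where in hits.items():
        state = ("IN CLEAR at " + ", ".join(f"{e}@{o}" for e, o in where)) if where else "not found"
        print(f"{secret!r}: {state}")
```

To run it on a real pull, read the image with `open(path, "rb").read()` in place of `build_sample_image()`; the UTF-16 pass is what makes the difference on Android, since a password kept in a Java `String` will not show up in an ASCII-only scan.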

Page 44

Memory Analysis with Terminal Emulator

Page 45

Memory Analysis with Terminal Emulator

Page 46

Lab : GoatDroid

A vulnerable Android application from OWASP

Page 47

GoatDroid : Setting up

Install MySQL

Install fourgoats database.

Create a user with name as "goatboy",

password as "goatdroid" and Limit

Connectivity to Hosts Matching "localhost".

Also "goatboy" needs to have insert, delete,

update, select on fourgoats database.

Page 48

GoatDroid : Setting up

Run goatdroid-beta-v0.1.2.jar file

Set the path for Android SDK Root directory and Virtual Devices: Click Configure -> Edit and click on Android tab

Set path for Android SDK, typically it should be C:\Program Files\Android\android-sdk

Set path for Virtual Devices, typically it should be C:\Documents and Settings\Manish\android\avd

Page 49

GoatDroid : Setting up

Start web services

Start emulator through GoatDroid jar file

Push / Install the application to Device

Run FourGoat application from emulator

Click on Menu and then click on Destination Info

Provide following information in required fields:

Server: 10.0.2.2 and Port 8888

Page 50

GoatDroid : Setting up

Demo / Hands On

Page 51

GoatDroid : Setting up proxy

Assuming FourGoat is already installed

Run goatdroid-beta-v0.1.2.jar file and start web services

Start any HTTP Proxy (Burp) tool on port 7000

Configure Burp to forward the incoming traffic to port 8888

Start emulator from command line by giving following command:

emulator -avd test2 -http-proxy 127.0.0.1:7000

Page 52

GoatDroid : Setting up proxy

Open the FourGoat application in emulator

Click on Menu to set Destination Info

Set Destination Info as below:

Server: 10.0.2.2 and port as 7000

Now see if you are able to intercept the traffic in Burp

Page 53

GoatDroid : Setting up Proxy

Demo / Hands On

Page 54

GoatDroid: Intercepting Traffic

Demo / Hands On

Page 55

GoatDroid: Parameter Manipulation Attack

Demo / Hands On

Page 56

GoatDroid: Handset Memory Analysis

Demo / Hands On

Page 57

GoatDroid: Auditing from Android Device

• Install the app in Android device
• Set the destination info as below:
• Server: IP address (WLAN) of your laptop and port as 8888 (in case no proxy is listening)
• Memory Analysis through Terminal Emulator and DD command

Page 58

GoatDroid: Reverse Engineering

Next Topic

Page 59

Reverse Engineering Android Applications

Page 60

Reverse Engineering Android Application

Vulnerabilities can be found through

Reverse Engineering :

Vulnerabilities in Source Code

Re-compile the application

Commented Code

Hard coded information

Page 61

Reverse Engineering Android Application

Dex to jar (dex2jar)

C:\dex2jar-version\dex2jar.bat someApk.apk

Open the resulting class files in any Java decompiler
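After dex2jar and a decompiler have produced readable Java, the hard-coded information and commented-out code listed on the previous slide are easiest to find by scanning the source tree mechanically. The following Python script is an added example, not part of the slides and not code from dex2jar or Agnitio: it runs a few regular expressions over decompiled source looking for string assignments to credential-like names, for `.equals("…")` comparisons against a password-like variable (a hard-coded check), and for URL or IP literals that reveal back-end endpoints, recording whether each hit sits on a `//` commented line. The Java snippet it scans is constructed for the demonstration and its values are fake; the patterns are assumptions and only recognise `//` comments, not `/* */` blocks.

```python
import re

# Constructed decompiled Java, standing in for dex2jar + decompiler output. All values are fake.
SAMPLE_JAVA = """\
package com.example.bank;

public class LoginActivity {
    private static final String API_URL = "http://10.0.2.2:8888/api/login";
    // private static final String DEBUG_PASSWORD = "letmein";   // left over from testing
    private static final String apiKey = "AKIA-EXAMPLE-NOT-REAL";

    boolean login(String user, String pass) {
        if (user.equals("admin") && pass.equals("admin123")) {  // hard-coded bypass
            return true;
        }
        return Api.post(API_URL, user, pass);
    }
}
"""

# Assumed patterns; a real review would extend them.
# 1. name = "literal" where the name looks like a credential or key
SECRET_ASSIGN = re.compile(
    r'(?P<name>\w*(?:pass(?:word)?|pwd|secret|api_?key|token)\w*)\s*=\s*"(?P<value>[^"]+)"', re.I)
# 2. password-like variable compared against a literal: a hard-coded check
SECRET_COMPARE = re.compile(
    r'(?P<name>\w*(?:pass|pwd|pin)\w*)\s*\.equals\(\s*"(?P<value>[^"]+)"', re.I)
# 3. quoted URLs and IPv4 addresses, which reveal back-end endpoints
ENDPOINT = re.compile(r'"(?P<value>https?://[^"\s]+|\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?)"')


def find_hardcoded(source: str):
    """Return one dict per suspicious literal: line, kind, name, value, commented."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        commented = line.lstrip().startswith("//")   # only // comments are recognised
        for kind, pattern in (("credential", SECRET_ASSIGN),
                              ("credential", SECRET_COMPARE),
                              ("endpoint", ENDPOINT)):
            for m in pattern.finditer(line):
                findings.append({
                    "line": lineno,
                    "kind": kind,
                    "name": m.groupdict().get("name"),
                    "value": m.group("value"),
                    "commented": commented,
                })
    return findings


if __name__ == "__main__":
    for f in find_hardcoded(SAMPLE_JAVA):
        flag = " (in commented-out code)" if f["commented"] else ""
        print(f'line {f["line"]}: {f["kind"]} {f["name"] or ""} = {f["value"]!r}{flag}')
```

Commented-out hits are reported rather than skipped on purpose: a credential left behind in a comment survives decompilation only if the compiler kept it, but in source-level review it is exactly the "commented code" finding the slide refers to. Point `find_hardcoded` at each `.java` file under the decompiler's output directory to cover a whole application.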

Page 62

Reverse Engineering Android Application

Demo / Hands On

Page 63

Agnitio

Mobile Application Code Review tool

Install: Next-Next process

Can analyze a codebase as well as an .apk file

Page 64

Agnitio

Demo / Hands On

Page 65

Analyzing SQLite Database

Page 66

Analyzing SQLite Database

SQLite Database:

SQLite is a widely used, lightweight database

Used by most mobile OSes, e.g. iPhone, Android, Symbian, webOS

SQLite is a free-to-use and open source database

Zero-configuration - no setup or administration needed.

A complete database is stored in a single cross-platform disk file.

Page 67

Analyzing SQLite Database

Pull the .db files out of the emulator / device as explained earlier

Tools: SQLite browser, Epilog
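The `.schema` and `.dump` steps from the adb slides and the pull-and-inspect workflow here can be scripted once the `.db` file is on the auditing machine. The following Python script is an added example, not part of the original slides and not code from SQLite browser or Epilog: using only the standard library's `sqlite3` module it lists the schema (what `.schema` prints) and then walks every table looking for credential-like columns, and for two-column key/value rows whose key names a secret, holding values that are not hash-shaped, which is the usual finding when an app stores the login password in clear. The database it analyzes is constructed inline to stand in for a pulled file; the keyword list and the hash heuristic are assumptions.

```python
import os
import re
import sqlite3
import tempfile

# Column / key names that usually hold credentials (assumed keyword list).
SENSITIVE = re.compile(r"pass|pwd|secret|token|pin|auth|session|key", re.I)
# Values shaped like a hex digest or a long base64 blob are probably hashed or
# encrypted; anything else in a sensitive field is reported as plaintext.
HASHED = re.compile(r"^(?:[0-9a-f]{32,}|[A-Za-z0-9+/]{40,}={0,2})$")


def make_sample_db(path):
    """Constructed stand-in for a .db pulled from /data/data/<package>/databases/."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE prefs (name TEXT, value TEXT);
        INSERT INTO users (username, password) VALUES ('goatboy', 'goatdroid');
        INSERT INTO users (username, password) VALUES ('alice', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO prefs VALUES ('theme', 'dark');
        INSERT INTO prefs VALUES ('session_token', 'tok-1234');
    """)
    con.commit()
    con.close()


def dump_schema(path):
    """What sqlite3's .schema prints: the CREATE statements kept in sqlite_master."""
    con = sqlite3.connect(path)
    rows = con.execute(
        "SELECT sql FROM sqlite_master WHERE type = 'table' AND sql IS NOT NULL").fetchall()
    con.close()
    return [r[0] for r in rows]


def find_plaintext_secrets(path):
    """Return (table, column_or_key, value) for credential-like fields holding
    values that do not look hashed. Handles both a named column such as
    `password` and two-column key/value tables where the key names the secret."""
    con = sqlite3.connect(path)
    findings = []
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        cols = [c[1] for c in con.execute(f'PRAGMA table_info("{table}")')]
        for row in con.execute(f'SELECT * FROM "{table}"'):
            # Case 1: the column itself is named like a secret.
            for col, val in zip(cols, row):
                if isinstance(val, str) and val and SENSITIVE.search(col) and not HASHED.match(val):
                    findings.append((table, col, val))
            # Case 2: key/value table where the key text names the secret.
            if len(cols) == 2 and isinstance(row[0], str) and isinstance(row[1], str):
                if SENSITIVE.search(row[0]) and row[1] and not HASHED.match(row[1]):
                    findings.append((table, row[0], row[1]))
    con.close()
    return findings


def analyze_sample():
    """Build the constructed database in a temp file, analyze it, and clean up."""
    fd, db_path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        make_sample_db(db_path)
        return dump_schema(db_path), find_plaintext_secrets(db_path)
    finally:
        os.unlink(db_path)


if __name__ == "__main__":
    schema, findings = analyze_sample()
    print("\n".join(schema))
    for table, field, value in findings:
        print(f"plaintext secret: {table}.{field} = {value!r}")
```

To use it on a real pull, call `dump_schema` and `find_plaintext_secrets` with the path of the file obtained via `adb pull`. The hash heuristic only reduces noise: an unsalted digest in a password column is still a finding, it just is not the plaintext case this script is looking for.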

Page 68

Analyzing SQLite Database

Demo / Hands On

Page 69

ExploitMe

One more vulnerable application from Security Compass

Page 70

ExploitMe

Demo / Hands On

Page 71

Manish Chasta
Email: [email protected]

Twitter: twitter.com/manish_chasta

LinkedIn: http://www.linkedin.com/pub/dir/Manish/Chasta

Thank you