Pentesting Android Applications

  • View
    1.577

  • Download
    6

Embed Size (px)

DESCRIPTION

This talk is going to give an overview of Android operating system and it´s apps ecosystem from the security point of view of a penetration tester. So lets dive into topics like Pentest Environment Setup, Tools of the Trade, App Analysis and some security hints for Android developers.

Text of Pentesting Android Applications

  • 1. @clviper ca@integrity.pt Cludio Andr
  • 2. whoami Pentester at Integrity S.A. Web applications, Mobile applications and Infrastructure. BSc in Management InformationTechnology and OSCP. Photography addicted.
  • 3. - Environment Setup - Tools OfTheTrade - App Analysis - Developers Heads Up Up next...
  • 4. Physical Equipment Android SDK Emulator Android x86 Environment Setup
  • 5. Android x86 Environment Setup Hint Mouse insideVM : Disable Mouse Integration (Host+i) Portrait Resolution : Edit /mnt/grub/menu.lst and insert UVESA_MODE=320X480 DPI=160 Black screen(locked screen): ACPI Shutdown(Host+h) Android Shell: Ctrl+F1 / Ctrl+F7
  • 6. - Root your device * - Allow Unknown Sources (Settings->Security) - Install proxy app (ProxyDroid,AutoProxy,etc...) - Connect to favorite proxy server (Burp Proxy,Fiddler,etc...) *Physical approach only Environment Setup
  • 7. Android SDK Software Development Kit containing api libraries and developer tools to build, test and debug Android apps. For our context, the more important ones are adb,aapt,ddms and the emulator. http://developer.android.com/sdk/ Tools OfTheTrade
  • 8. Android Debug Bridge (ADB) Command-line tool to communicate with emulator instance or connected physical/virtual device. http://developer.android.com/sdk/ adb devices adb connect adb shell adb install adb push | pull ..... Usefull commands: Tools OfTheTrade
  • 9. Dalvik Debug Monitor Server(DDMS) Debugging tool that provides port-forwarding, screen capture, heap dump, logcat, file manager and many other features. http://developer.android.com/sdk/ Tools OfTheTrade
  • 10. QtADB Android Manager. Filemanager and applications manager, access to logs and shell,take screenshots, etc..* http://qtadb.wordpress.com/ *Requires aapt that comes with Android SDK. Tools OfTheTrade
  • 11. http://youtu.be/H4ysZblviZg DEMO QtADB Tools OfTheTrade
  • 12. Tool for converting .dex Android format to .class Java format. https://code.google.com/p/dex2jar/ dex2jar Tools OfTheTrade
  • 13. Java Decompiler with GUI to display java source code of class files. http://jd.benow.ca/ JD-GUI Tools OfTheTrade
  • 14. Extract plain-text AndroidManifest.xml from APK. https://code.google.com/p/xml-apk-parser/ APKParser Tools OfTheTrade
  • 15. Tool to analyse app behaviour during runtime and help to identify potential security issues. https://github.com/iSECPartners/Introspy-Android Introspy-Android + Introspy-Analyser Tool to Generate HTML reports based on the database generated by Introspy-Android. Tools OfTheTrade
  • 16. Tool to bypass SSL certificate pinning for most applications * https://github.com/iSECPartners/Android-SSL-TrustKiller Android-SSL-TrustKiller *Custom pinning implementations may need custom hooking Tools OfTheTrade
  • 17. Install Cydia Substrate + AndroidSSLTrustKiller Hint Turn off SSLTrustKiller: #1 #2 (Bypassing Pinning) Android-SSL-TrustKiller Tools OfTheTrade
  • 18. Proxy Server CA Certificate Hint (Validate Pinning) #1 Browse to proxy server address and download certificate #2 Open file via File Manager #3 Save Certificate Validate Pinning Tools OfTheTrade
  • 19. Android-SSL-TrustKiller Tools OfTheTrade http://youtu.be/8NwbmSI9OWo DEMO
  • 20. Security testing framework, great to determine app attack surface and interact with it. https://www.mwrinfosecurity.com/products/drozer/ Drozer(ex-mercury) Tools OfTheTrade
  • 21. http://youtu.be/KAWPfHLHO0Y DEMO Drozer(ex-mercury) Tools OfTheTrade
  • 22. Integrated platform for security testing of web applications. For our context the main interest is in the Proxy funcionallity to intercept and inspect requests between the app and the backend. http://portswigger.net/burp/ Burp Suite Tools OfTheTrade
  • 23. Android Environment Sandboxing /data/data/app1 /data/data/app2 Process UID (10000) Process UID (10001) APP1 Dalvik APP2 Dalvik App Analysis
  • 24. Android Application Components App Analysis Activities Services Broadcast Receivers Content Providers
  • 25. Zip Archive Contains Dalvik class files, assets, resources and AndroidManifest.xml Stored at /data/app Android Application Package File (.apk) App Analysis
  • 26. Presents information about the app to the system. Describes app components Define permissions AndroidManifest.xml App Analysis
  • 27. XML format file with key-value pairs. App settings. Shared Preferences App Analysis
  • 28. Single file relational database used to store application data and settings. SQLite Databases App Analysis
  • 29. OWASPTop 10 Mobile Risks https://www.owasp.org/index.php/OWASP_Mobile_Security_Project M1:Weak Server Side Controls M2: Insecure Data Storage M3: InsufficientTransport Layer Protection . . . . . . . . . App Analysis
  • 30. GoatDroid App Analysis FourGoats is a location-based social network built for sharing everything about your life with everyone. Using FourGoats, you can check in at various places, earn loyalty rewards, and see what your friends are doing as well as where they are doing it. FourGoats also provides an API to other applications to allow their users to share even more of their activities than ever before! https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project
  • 31. GoatDroid App Analysis http://youtu.be/3DpLKK90oAY DEMO
  • 32. http://youtu.be/tAyLOn5ttFo DEMO GoatDroid App Analysis