Securing Android Applications


01 | Copyright 2012


Principal Consultant, Indusface

Securing Android Applications


Introduction to Android and Mobile Applications

Working with Android SDK and Emulator

Setting up GoatDroid Application

Memory Analysis

SQLite Database Analysis


Intercepting Layer 7 traffic

Reverse Engineering Android Applications

Demo: ExploitMe application


What NUMBERS say!!!

Gartner says:

8.2 billion mobile applications were downloaded in 2010

17.7 billion by 2011

185 billion applications will have been downloaded by 2014


Market Share


Introduction to Android

Most widely used mobile OS

Developed by Google

OS + Middleware + Applications

Android Open Source Project (AOSP) is responsible for maintenance and further development


Android Architecture


Android Architecture: Linux Kernel

Linux kernel with system services: security, memory and process management, network stack

Provides drivers to access hardware: camera, display and audio, Wi-Fi


Android Architecture: Android RunTime

Core Libraries: written in Java, provide the functionality of the Java programming language, interpreted by the Dalvik VM

Dalvik VM: Java-based VM, a lightweight substitute for the JVM

Unlike the JVM, the DVM is a register-based virtual machine

The DVM is optimized to run with limited main memory and less CPU usage

Java code (.class files) is converted into .dex format to be able to run on the Android platform


Android Applications


Mobile Apps vs Web Applications

Thick and thin client

Security measures

User awareness


Setting-up Environment

Handset / Android Device

Android SDK and Eclipse


Wireless Connectivity

And of course Application file


Setting-up Lab

What we need:

Android SDK

Eclipse

GoatDroid (Android app from OWASP)

MySQL

.Net Framework

Proxy tool (Burp)

Agnitio

Android Device (optional)

SQLitebrowser


Working with Android SDK


Android SDK

Development Environment for Android Application Development

Components: SDK Manager, AVD Manager, Emulator


Android SDK

Can be downloaded from:

Requires JDK to be installed

Install Eclipse

Install ADT Plugin for Eclipse


Android SDK : Installing SDK

Simple Next-next process


Android SDK: Configuring Eclipse

Go to Help->Install new Software

Click Add

Give Name as ADT Plugin

Provide the address below in Location: http://dl-

Press OK

Check the box next to Developer Tools and press Next

Click next and accept the Terms and Conditions

Click Finish


Android SDK: Configuring Eclipse

Now go to Window -> Preferences

Click on Android in left panel

Browse to the Android SDK directory

Press OK


SDK Manager


AVD Manager


Emulator: Running

Click on Start


Emulator: Running from Command Line


Emulator: Running with proxy


ADB: Android Debug Bridge

Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or a connected Android-powered device.

You can find the adb tool in /platform-tools/


ADB: Important Commands

Install an application to emulator or device:

Push data to emulator / device

adb push

Pull data from emulator / device

adb pull

Remote -> Emulator, Local -> Machine

Getting a shell on the emulator or device

adb shell

Reading logs

adb logcat

Reading a SQLite3 database

adb shell

Go to the path of the database file

sqlite3 database_name.db

.dump to see the content of the db file and .schema to print the schema of the database on the screen
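An added example, not from the slides or from GoatDroid, that automates the .schema/.dump inspection above once a database has been copied off the device with adb pull: it builds a constructed database with a plaintext password column, reports secret-looking columns whose values are stored in the clear, and shows the hardened form (a salted PBKDF2 digest) passing the same check. The column-name heuristic, the digest pattern and the sample users table are assumptions of this example.

```python
import hashlib
import os
import re
import sqlite3
import tempfile

# Heuristics (assumptions of this example): column names that usually hold
# secrets, and a pattern that tells a hex digest apart from a plaintext value.
SECRET_NAMES = re.compile(r"pass|pwd|pin|token|secret|cred", re.I)
HEX_DIGEST = re.compile(r"^[0-9a-f]{32,}$", re.I)

def build_sample_db(path):
    """Constructed sample: the kind of local store a careless app might keep."""
    with sqlite3.connect(path) as con:
        con.executescript("""
            CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
            INSERT INTO users (username, password) VALUES ('goatboy', 'goatdroid');""")

def schema(path):
    """What '.schema' shows in the sqlite3 shell: table name -> column names."""
    con = sqlite3.connect(path)
    tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    return {t: [c[1] for c in con.execute(f'PRAGMA table_info("{t}")')] for t in tables}

def audit(path):
    """Read every secret-looking column (as '.dump' would show it) and return
    (table, column, value) for each value that is stored in the clear."""
    con, findings = sqlite3.connect(path), []
    for table, columns in schema(path).items():
        for col in (c for c in columns if SECRET_NAMES.search(c)):
            for (val,) in con.execute(f'SELECT "{col}" FROM "{table}"'):
                if isinstance(val, str) and val and not HEX_DIGEST.match(val):
                    findings.append((table, col, val))
    return findings

def hashed(password, salt):
    """Hardened alternative: keep a salted PBKDF2 digest, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def demo():
    """Audit the sample DB before and after replacing the plaintext password."""
    path = os.path.join(tempfile.mkdtemp(), "fourgoats.db")
    build_sample_db(path)
    before = audit(path)
    with sqlite3.connect(path) as con:
        con.execute("UPDATE users SET password = ?", (hashed("goatdroid", os.urandom(16)),))
    return before, audit(path)
```

Point it at the file produced by adb pull instead of the constructed one to audit a real application database; the salt must also be stored (in its own column) for the digest to be verifiable later.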


Auditing Application from Android Phone


Need of Rooting

What is Android Rooting?


Rooting Android Phone

Step 1: Download CF Rooted Kernel files and the Odin3 software

Step 2: Keep the handset in debugging mode

Step 3: Run Odin3

Step 4: Reboot the phone in download mode

Step 5: Connect to the PC

Step 6: Select the required files, i.e. PDA, Phone, CSC files

Step 7: Click on Auto Reboot and F. Reset Time and hit the Start button

If your phone is rooted, you will see PASS!! in Odin3


Important Tools

Terminal Emulator

Proxy tool (transproxy)


Setting Proxy

Both the Android phone and the laptop (the machine to be used in auditing) need to be in the same wireless LAN.

Provide the laptop's IP address and the port where the proxy is listening in the proxy tool (transproxy) installed in


Intercepting Traffic (Burp)

Burp is an HTTP proxy tool

Able to intercept layer 7 traffic and allows users to manipulate the HTTP requests and



Memory Analysis with Terminal Emulator

DD Command:

dd of=/sdcard/SDA.dd

Application path on Android Device:
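An added example (not from the slides) of the analysis step that follows the dd dump: it builds a constructed image standing in for /sdcard/SDA.dd, pulls out the printable runs the way the strings tool does, and flags those that look like credentials, which is what an auditor checks to see whether the application leaves secrets in the clear. MIN_LEN, the SENSITIVE pattern and the embedded sample fragments are assumptions of this example.

```python
import mmap
import os
import re
import tempfile

MIN_LEN = 6  # shortest printable run worth reporting (assumption of this example)
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Fragments that suggest a credential or token stored in the clear (heuristic).
SENSITIVE = re.compile(r"(pass(word)?|pwd|pin|token|secret)\s*[=:]\s*\S+", re.I)

def build_sample_dump(path):
    """Constructed image: non-printable filler with a few plaintext fragments
    embedded, standing in for what dd writes to /sdcard/SDA.dd."""
    filler = bytes([0xFF, 0x00, 0x7F, 0x80] * 128)  # 512 bytes, nothing printable
    chunks = [filler, b"username=goatboy\x00", filler, b"password=goatdroid\x00",
              filler, b"Destination Info 8888", filler]
    with open(path, "wb") as f:
        f.write(b"".join(chunks))

def extract_strings(path):
    """Return (offset, text) for every printable run of at least MIN_LEN bytes,
    like the strings tool; mmap keeps this workable on multi-gigabyte images."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return [(m.start(), bytes(m.group()).decode("ascii")) for m in PRINTABLE.finditer(mm)]

def find_secrets(path):
    """Filter the extracted strings down to those that look like credentials."""
    return [(off, s) for off, s in extract_strings(path) if SENSITIVE.search(s)]

def demo():
    """Build the constructed image and return (all strings, flagged strings)."""
    path = os.path.join(tempfile.mkdtemp(), "SDA.dd")
    build_sample_dump(path)
    return extract_strings(path), find_secrets(path)
```

The offsets let you go back to the image with a hex viewer to see what surrounds a flagged value; a finding like password=... in a dumped partition means the app is storing that credential unencrypted.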



Lab: GoatDroid

A vulnerable Android application from the



GoatDroid : Setting up

Install MySQL

Install fourgoats database.

Create a user with the name "goatboy" and the password "goatdroid", and limit connectivity to hosts matching "localhost". "goatboy" also needs insert, delete, update and select on the fourgoats database.


GoatDroid : Setting up

Run the goatdroid-beta-v0.1.2.jar file

Set the path for the Android SDK root directory and for Virtual Devices: click Configure -> Edit and click on the Android tab

Set the path for the Android SDK, typically C:\Program Files\Android\android-sdk

Set the path for Virtual Devices, typically C:\Documents and Settings\Manish\android\avd


GoatDroid : Setting up

Start web services

Start emulator through GoatDroid jar file

Push / Install the application to Device

Run FourGoat application from emulator

Click on Menu and then click on Destination Info

Provide following information in required fields:

Server: and Port 8888


GoatDroid : Setting up

Demo / Hands On


GoatDroid : Setting up proxy

Assuming FourGoat is already installed

Run goatdroid-beta-v0.1.2.jar file and start web services

Start any HTTP Proxy (Burp) tool on port 7000

Configure Burp to forward the incoming traffic to port 8888

Start the emulator from the command line with the following command:

emulator -avd test2 -http-proxy