Securing Android Applications

01 www.indusface.com | Copyright 2012

PRESENTED BYManish Chasta | CISSP, CHFI, ITIL

Principal Consultant, Indusface

Securing Android Applications


Introduction to Android and Mobile Applications

Working with Android SDK and Emulator

Setting up GoatDroid Application

Memory Analysis

SQLite Database Analysis

Agenda

Intercepting Layer 7 traffic

Reverse Engineering Android Applications

Demo: ExploitMe application


What NUMBERS say!!!

Gartner Says: 8.2 Billion mobile applications have been

downloaded in 2010 17.7 Billion by 2011 185 Billion application will have been downloaded

by 2014


Market Share


Introduction to Android

Most widely used mobile OS Developed by Google OS + Middleware + Applications Android Open Source Project (AOSP) is

responsible for maintenance and further development


Android Architecture


Android Architecture: Linux Kernel

Linux kernel with system services: Security Memory and process management Network stack

Provide driver to access hardware: Camera Display and audio Wifi …


Android Architecture: Android RunTime

Core Libraries: Written in Java Provides the functionality of Java programming language Interpreted by Dalvik VM

Dalvik VM: Java based VM, a lightweight substitute to JVM Unlike JVM, DVM is a register based Virtual Machine DVM is optimized to run on limited main memory and less CPU

usage Java code (.class files) converted into .dex format to be able to

run on Android platform


Android Applications


Mobile Apps vs Web Applications

Thick and Thin Client Security Measures User Awareness


Setting-up Environment

Handset / Android Device

Android SDK and Eclipse

Emulator

Wireless Connectivity

And of course… Application file


Setting-up Lab

What we need: Android SDK Eclips GoatDroid (Android App from OWASP) MySQL .Net Framwork Proxy tool (Burp) Agnitio Android Device (Optional) SQLitebrowser


Working with Android SDK


Android SDK

Development Environment for Android Application Development

Components: SDK Manager AVD Manager Emulator


Android SDK

Can be downloaded from :

developer.android.com/sdk/

Requires JDK to be installed

Install Eclipse

Install ADT Plugin for Eclipse


Android SDK : Installing SDK

Simple Next-next process


Android SDK: Configuring Eclipse

Go to Help->Install new Software

Click Add

Give Name as ADT Plugin

Provide the below address in Location: http://dl-

ssl.google.com/android/eclipse/

Press OK

Check next to ‘Developer Tool’ and press next

Click next and accept the ‘Terms and Conditions’

Click Finish


Android SDK: Configuring Eclipse

Now go to Window -> Preferences

Click on Android in left panel

Browse the Android SDK directory

Press OK


SDK Manager


AVD Manager


Emulator: Running

Click on Start


Emulator: Running from Command Line


Emulator: Running with proxy


ADB: Android Debug Bridge

Android Debug Bridge (adb) is a versatile command

line tool that lets you communicate with an emulator

instance or connected Android-powered device.

You can find the adb tool in <sdk>/platform-tools/


ADB: Important Commands

Install an application to emulator or device:



Push data to emulator / device

adb push <local> <remote>

Pull data to emulator / device

adb pull <remote> <local>

Remote - > Emulator and Local -> Machine



Getting Shell of Emulator or Device

adb shell

Reading Logs

adb logcat



Reading SQLite3 database

adb shell

Go to the path

SQLite3 database_name.db

.dump to see content of the db file and .schema to print the

schema of the database on the screen

Reading Logs

adb logcat


Auditing Application from

Android Phone


Need of Rooting

What is Android Rooting?


Rooting Android Phone

Step 1: Download CF Rooted Kernel files and Odin3 Software



Step 2: Keep handset on debugging mode



Step 3: Run Odin3



Step 4: Reboot the phone in download mode

Step 5: Connect to the PC



Step 6: Select required file i.e: PDA, Phone, CSC filesStep 7: Click on Auto Reboot and F. Reset Time and hit Start button



If your phone is Rooted... You will see PASS!! In Odin3


Important Tools

Terminal Emulator

Proxy tool (transproxy)


Setting Proxy

Both Android Phone and laptop (machine to be used

in auditing) needs to be in same wireless LAN.

Provide Laptops IP address and port where proxy is

listening in proxy tool (transproxy) installed in

machine.


Intercepting Traffic (Burp)

Burp is a HTTP proxy tool

Able to intercept layer 7 traffic and allows

users to manipulate the HTTP Requests and

Response


Memory Analysis with Terminal Emulator

DD Command:

dd if=filename.xyz of=/sdcard/SDA.dd

Application path on Android Device:

/data/data/com.application_name






Lab: GoatDroidA vulnerable Android application from the

OWASP


GoatDroid : Setting up

Install MySQL

Install fourgoats database.

Create a user with name as "goatboy", password as

"goatdroid" and Limit Connectivity to Hosts Matching

"localhost". Also "goatboy" needs to have insert,

delete, update, select on fourgoats database.



Run goatdroid-beta-v0.1.2.jar file Set the path for Android SDK Root directory

and Virtual Devices: Click Configure -> edit and click on Android tab Set path for Android SDK, typically it should be C:\Program Files\Android\android-sdk

Set path for Virtual Devices, typically it should be C:\Documents and Settings\Manish\android\avd



Start web services

Start emulator through GoatDroid jar file

Push / Install the application to Device

Run FourGoat application from emulator

Click on Menu and then click on Destination Info

Provide following information in required fields:

Server: 10.0.2.2 and Port 8888



Demo / Hands On


GoatDroid : Setting up proxy

Assuming FourGoat is already installed

Run goatdroid-beta-v0.1.2.jar file and start web services

Start any HTTP Proxy (Burp) tool on port 7000

Configure Burp to forward the incoming traffic to port 8888

Start emulator from command line by giving following

command:

emulator –avd test2 –http-proxy 127.0.0.1:7000


GoatDroid : Setting up proxy

Open the FourGoat application in emulator

Click on Mene to set Destination Info

Set Destination Info as below:

Server: 10.0.2.2 and port as 7000

Now see if you are able to intercept the trrafic

in Burp


GoatDroid : Setting up Proxy

Demo / Hands On


GoatDroid: Intercepting Traffic

Demo / Hands On


GoatDroid: Parameter Manipulation Attack

Demo / Hands On


GoatDroid: Handset Memory Analysis

Demo / Hands On


GoatDroid: Auditing from Android Device

Install the app in Android device Set the destination info as below: Server: IP address (WLAN) of your laptop

and port as 8888 (incase no proxy is listening)

Memory Analysis through Terminal Emulator and DD command


GoatDroid: Reverse Engineering

Next Topic


Reverse Engineering Android Applications


Reverse Engineering Android Application

Vulnerabilities can be found through Reverse

Engineering :

Vulnerabilities in Source Code

Re-compile the application

Commented Code

Hard coded information



Dex to jar (dex2jar)

C:\dex2jar-version\dex2jar.bat someApk.apk

Open code files in any Java decompile



Demo / Hands On


Agnitio

Mobile Application Coder Review tool

Install: Next-Next process

Can analyze Codebase as well as .apk file


Agnitio

Demo / Hands On


Analyzing SQLiteDatabase


Analyzing SQLite Database

SQLite Database:

SQLite is a widely used, lightweight database

Used by most mobile OS i.e. iPhone, Android, Symbian, webOS

SQLite is a free to use and open source database

Zero-configuration - no setup or administration needed.

A complete database is stored in a single cross-platform disk file.



Pull the .db files out of the emulator / Device as explained eirler Tools SQLite browser Epilog



Demo / Hands On


ExploitMeOne more Vulnerable

application from Security Compass


ExploitMe

Demo / Hands On


Manish ChastaEmail: [email protected]


Thank You

VADODARA, INDIAA/2-3, 3rd Floor, Status PlazaOpp Relish ResortAtladara Old Padra RoadVadodara – 390020Gujarat, India

T : +91 265 3933000F : +91 265 2355820

BANGALORE, INDIA408, 2nd FloorRegency Enclave4, Magrath RoadBangalore – 560025Karnataka, India

T : +91 80 65608570+91 80 65608571

F : +91 80 41129296

MUMBAI, INDIA1357 / 1359, Regus Serviced Offices, Level 13, Platinum Techno Park 17 & 18, Sector 30, Vashi, Navi Mumbai – 400705Maharashtra, India.

T : +91 22 61214961

OTTAWA, CANADA137 Goodman DriveKanata, Ottawa K2W 1C7Ontario, Canada

T : +1 613 721 9363

Sales : [email protected] Marketing : [email protected] Technical : [email protected]

HOUSTON, USA1001 Fannin Street, Ste 1250Houston, Texas 77002USA

T : +1 832 295 1462

Technology

Securing Android Applications