Canberk Bolat - Alice Android Diyarında (Alice in Android Land)

Post on 09-Jun-2015

Alice Android Diyarında (Alice in Android Land)

CANBERK BOLAT

CYPSEC ‘14

24 APR 2014

whoami

• Canberk Bolat

- Security Researcher (@adeosecurity)

- Reverse Engineering, Fuzzing, Pentest

- Blogger/Writer

- http://cbolat.blogspot.com

- Contact

- @cnbrkbolat && canberk.bolat@gmail.com

agenda

• Introduction to Android

• Why Android Security?

• Common Android Application Vulnerabilities

• Exploiting addJavaScriptInterface Vulnerability

• Cross-compiling for Android

• Popping Shell on Android

• exit(0)

introduction to android

• Become an Android expert in 49 steps!

* NOTE: the "49 Steps" gate from İngiliz Köyü. Thanks, Kasım Erkan!

• Sandbox

• Application Framework

• Memory Management

• File System Security

• User-granted / App-specific Permissions

why android security?

• BYOD

• Very popular

• On average, in 1 year

  • 29,000,000,000 applications are downloaded

  • ~60 applications per device

• Weak application vetting (Google Play)

• The platform update problem

  • Raise your hand if you don't have KitKat!

common android application vulnerabilities

• Logging

• Unencrypted/Plain-text/Weak credentials

• Insecure Communication

  • HTTP Traffic :(

• XSS (?)

  • WebView

    • setJavaScriptEnabled

    • addJavaScriptInterface

exploiting addJavaScriptInterface vulnerability

• setJavaScriptEnabled

• addJavaScriptInterface
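A static check for the WebView configuration named on this slide, as an added example that is not from the talk: it flags a script-reachable Java bridge, API levels below 17, missing @JavascriptInterface annotations and cleartext page loads. The manifest and Java snippets are constructed samples, and the function names and finding codes are this example's own; the SDK method is spelled addJavascriptInterface, and the check also accepts the slides' spelling.

```python
import re

# Constructed sample inputs (not taken from the talk or from any real app).
WEAK_MANIFEST = '<uses-sdk android:minSdkVersion="10" android:targetSdkVersion="16"/>'
WEAK_JAVA = '''
class Bridge { public String getToken() { return "t"; } }
void setup(WebView wv) {
    wv.getSettings().setJavaScriptEnabled(true);
    wv.addJavascriptInterface(new Bridge(), "bridge");
    wv.loadUrl("http://example.com/index.html");
}'''
FIXED_MANIFEST = '<uses-sdk android:minSdkVersion="17" android:targetSdkVersion="19"/>'
FIXED_JAVA = (WEAK_JAVA.replace("public String", "@JavascriptInterface public String")
                       .replace("http://", "https://"))


def sdk_level(manifest, attr, default):
    """Read a <uses-sdk> attribute, falling back to Android's default."""
    m = re.search(r'android:%s="(\d+)"' % attr, manifest)
    return int(m.group(1)) if m else default


def audit_webview(manifest, java_src):
    """Return finding codes for a WebView that exposes a Java bridge to page script."""
    js_on = re.search(r'setJavaScriptEnabled\(\s*true\s*\)', java_src)
    # The SDK method is addJavascriptInterface; accept the slides' spelling too.
    bridges = re.findall(r'addJava[sS]criptInterface\([^;]*?,\s*"([^"]+)"\s*\)', java_src)
    if not (js_on and bridges):
        return []  # no script-reachable bridge, nothing to report
    findings = []
    min_sdk = sdk_level(manifest, "minSdkVersion", 1)
    target_sdk = sdk_level(manifest, "targetSdkVersion", min_sdk)
    if min_sdk < 17:
        # Below API 17 every public method of the injected object, inherited
        # ones included, is callable from the page.
        findings.append("RUNS_ON_PRE_API17")
    if target_sdk < 17:
        # Only apps targeting API 17+ get the @JavascriptInterface allow-list.
        findings.append("TARGETS_PRE_API17")
    if "@JavascriptInterface" not in java_src:
        findings.append("NO_ANNOTATED_METHODS")
    if re.search(r'loadUrl\(\s*"http://', java_src):
        # Cleartext page: anyone on the network path can change the script it runs.
        findings.append("CLEARTEXT_PAGE")
    return findings


if __name__ == "__main__":
    print("weak :", audit_webview(WEAK_MANIFEST, WEAK_JAVA))
    print("fixed:", audit_webview(FIXED_MANIFEST, FIXED_JAVA))
```

An empty result means only that these four patterns were not found in the text given; bridges registered through reflection or in other source files need a wider scan.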

cross-compiling for android

• Android NDK

• ndk-build

• Compiling the code requires a folder structure like the one below

• Contents of the Android.mk file

  • Works for me!

C:\Users\Canberk\helloworld\jni>ndk-build

[armeabi] Compile thumb : hello_world <= helloworld.c

[armeabi] Executable : hello_world

[armeabi] Install : hello_world => libs/armeabi/hello_world

C:\Users\Canberk\helloworld\jni>adb push ..\libs\armeabi\hello_world data

C:\Users\Canberk\helloworld\jni>adb shell chmod 777 /data/hello_world

C:\Users\Canberk\helloworld\jni>adb shell ./data/hello_world

hello arm!

popping shell on android

• cross-compile your reverse_connect_backdoor.c for ARM

• convert binary to \x02X format

• write converted binary to file system

  • mitm and manipulate HTTP traffic

  • exploit addJavaScriptInterface vulnerability

• chmod 777 backdoor

• run backdoor

• pop the shell on android

demo

exit(0)

• Thank you!