Humla workshop on Android Security Testing - null Singapore

mwrinfosecurity.com | MWR InfoSecurity 1 mwrinfosecurity.com | MWR InfoSecurity

Android Penetration Testing Workshop31st March 2016Hamla (Null – SG)

mwrinfosecurity.com | MWR InfoSecurity 2

About Me• I am working with MWR Infosecurity as a security

consultant, offering professional penetration tests to help clients improve their level of IT security.

• Double Masters (Research) in Information Security

• OSCP/CRT/OSCE Certified


DisclaimerNo Android Architecture

No Android Permission Model

No Java Programming

No Zero-Day Vulnerability


Outline

Android Basics Android Attack Surface

Demo

Reverse Engineering (.apk) Static Analysis Demo

Dynamic Analysis Demo


Environment Setup• VMPlayer

• Ubuntu 14.04

• Genymotion (Android 4.1.1)

• Tools – apktool, jd-gui, dex2jar, android studio

• Vulnerable APKs


Android Basic• The communication between applications is performed

in a well-defined manner that is strictly facilitated by akernel module named binder, which is an Inter-Process Communication (IPC) system.

• Android applications can make use of four standard components that can be invoked via calls to binder – Activities, Services, Broadcast Receivers, Content Providers.


Android Basic• Activities represent visual screens of an application

with which users interact. For example, when you launch an application, you see its main activity.

• Services are components that do not provide a graphical interface. They provide the facility to perform tasks that are long running in the background and run even when user has opened another application.


Android Basic• Broadcast receivers are non-graphical components

that allow an application to register for certainsystems or application events.

• Content providers are the data storehouses of an application, that provide a standard way to retrieve, modify, and delete data.


Android Basic• Each Android package contains a file named

AndroidManifest. xml in the root of the archive. This file defines the package configuration, application components, and security attributes.

• An intent is a defined object used for messaging which is created and communicated to an intended application component.


Attacking Android Application• Exploiting Activities• Exploiting Insecure Content Providers• Attacking Insecure Services• Abusing Broadcast Receivers


Drozer• Drozer is an Android assessment tool.

• Drozer has two distinct use cases – • Finding vulnerabilities in applications or devices• Providing exploits and useful payloads for known

vulnerabilities.

• For more information – https://labs.mwrinfosecurity.com/tools/drozer/

https://labs.mwrinfosecurity.com/tools/drozer/

https://labs.mwrinfosecurity.com/tools/drozer/


How Drozer works • Drozer is a distributed system that makes use of some key components -

• Agent— A lightweight Android application that runs on the device or emulator being used for testing.

• Console—A command-line interface running on your computer that allows you to interact with the device through the agent

• Server—Provides a central point where consoles and agents can route sessions between them.


Demo


Root Detection• Default Files and Configurations

Check if release-keys tag is present on non-rooted device - /system/build.prop

• Installed Files & Packages

eu.chainfire.supersu, com.koushikdutta.superuser,/system/bin/su, /system/xbin/su

• Directory Permissions

Check write permission on the directories – /system, /system/bin, /system/sbin

• Commands

Execute commands - `id`, `busybox`


Static Analysis

.apk .dex

.jar

unzip

dex2jarjd-gui

.apk .smaliapktool

.java


Demo


Dynamic AnalysisDebug android application using Android Studio.

.apk .dex

.jar

unzip

dex2jarjd-gui

.java

source package Android Studio

apktool


Demo


Recommended Books

Date post:	15-Jan-2017
Category:	Technology
Upload:	nu-the-open-security-community
View:	363 times
Download:	2 times

Humla workshop on Android Security Testing - null Singapore

Technology