01 www.indusface.com | Copyright 2012
PRESENTED BY Manish Chasta | CISSP, CHFI, ITIL
Principal Consultant, Indusface
Securing Android Applications
Agenda
Introduction to Android and Mobile Applications
Working with Android SDK and Emulator
Setting up GoatDroid Application
Memory Analysis
SQLite Database Analysis
Intercepting Layer 7 traffic
Reverse Engineering Android Applications
Demo: ExploitMe application
What NUMBERS say!!!
Gartner Says: 8.2 Billion mobile applications have been downloaded in 2010, 17.7 Billion by 2011, and 185 Billion applications will have been downloaded by 2014.
Market Share
Introduction to Android
Most widely used mobile OS
Developed by Google
OS + Middleware + Applications
Android Open Source Project (AOSP) is responsible for maintenance and further development
Android Architecture
Android Architecture: Linux Kernel
Linux kernel with system services:
  Security
  Memory and process management
  Network stack
Provides drivers to access hardware:
  Camera
  Display and audio
  Wifi
  …
Android Architecture: Android Runtime
Core Libraries:
  Written in Java
  Provide the functionality of the Java programming language
  Interpreted by the Dalvik VM
Dalvik VM:
  Java-based VM, a lightweight substitute for the JVM
  Unlike the JVM, the DVM is a register-based virtual machine
  The DVM is optimized to run with limited main memory and low CPU usage
  Java code (.class files) is converted into .dex format to be able to run on the Android platform
Android Applications
Mobile Apps vs Web Applications
Thick and Thin Client
Security Measures
User Awareness
Setting-up Environment
Handset / Android Device
Android SDK and Eclipse
Emulator
Wireless Connectivity
And of course… Application file
Setting-up Lab
What we need:
  Android SDK
  Eclipse
  GoatDroid (Android app from OWASP)
  MySQL
  .NET Framework
  Proxy tool (Burp)
  Agnitio
  Android device (optional)
  SQLite browser
Working with Android SDK
Android SDK
Development environment for Android application development
Components:
  SDK Manager
  AVD Manager
  Emulator
Android SDK
Can be downloaded from: developer.android.com/sdk/
Requires JDK to be installed
Install Eclipse
Install ADT Plugin for Eclipse
Android SDK : Installing SDK
Simple Next-next process
Android SDK: Configuring Eclipse
Go to Help->Install new Software
Click Add
Give Name as ADT Plugin
Provide the below address in Location: http://dl-ssl.google.com/android/eclipse/
Press OK
Check next to ‘Developer Tool’ and press next
Click next and accept the ‘Terms and Conditions’
Click Finish
Android SDK: Configuring Eclipse
Now go to Window -> Preferences
Click on Android in left panel
Browse the Android SDK directory
Press OK
SDK Manager
AVD Manager
Emulator: Running
Click on Start
Emulator: Running from Command Line
Emulator: Running with proxy
ADB: Android Debug Bridge
Android Debug Bridge (adb) is a versatile command
line tool that lets you communicate with an emulator
instance or connected Android-powered device.
You can find the adb tool in <sdk>/platform-tools/
ADB: Important Commands
Install an application to emulator or device:
ADB: Important Commands
Push data to emulator / device
adb push <local> <remote>
Pull data from emulator / device
adb pull <remote> <local>
Remote -> Emulator, Local -> Machine
ADB: Important Commands
Getting Shell of Emulator or Device
adb shell
Reading Logs
adb logcat
ADB: Important Commands
Reading a SQLite3 database
adb shell
Go to the path of the database
sqlite3 database_name.db
.dump to see the content of the db file and .schema to print the schema of the database on the screen
Auditing Application from Android Phone
Need for Rooting
What is Android Rooting?
Rooting Android Phone
Step 1: Download CF Rooted Kernel files and Odin3 software
Step 2: Keep the handset in debugging mode
Step 3: Run Odin3
Step 4: Reboot the phone in download mode
Step 5: Connect to the PC
Step 6: Select the required files, i.e. PDA, Phone, CSC files
Step 7: Click on Auto Reboot and F. Reset Time and hit the Start button
If your phone is rooted... you will see PASS!! in Odin3
Important Tools
Terminal Emulator
Proxy tool (transproxy)
Setting Proxy
Both the Android phone and the laptop (the machine to be used in auditing) need to be in the same wireless LAN.
Provide the laptop's IP address and the port where the proxy is listening in the proxy tool (transproxy) installed on the machine.
Intercepting Traffic (Burp)
Burp is an HTTP proxy tool.
It is able to intercept layer 7 traffic and allows users to manipulate HTTP requests and responses.
Memory Analysis with Terminal Emulator
dd command:
dd if=filename.xyz of=/sdcard/SDA.dd
Application path on the Android device:
/data/data/com.application_name
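An added example in Python (not from the slides): once the dd image has been brought to the audit machine with adb pull, this recovers printable strings from it, both ASCII and UTF-16LE, and flags values stored beside credential-like keys, which is what the memory analysis step is looking for. The image contents and the key names are constructed here.

```python
import re

# Added example: scan a raw dd image (pulled with `adb pull`) for printable
# strings, the way `strings` does, and flag credential-like key=value pairs
# stored in the clear. SAMPLE_IMAGE is constructed here, not a real dump.

MIN_LEN = 4
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Java writes many strings as UTF-16LE: printable byte followed by 0x00
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
KEY_VALUE_RE = re.compile(r"([A-Za-z_]+)\s*[=:]\s*(\S+)")
SENSITIVE_KEYS = ("password", "passwd", "pin", "token", "secret", "sessionid")

def extract_strings(image):
    """Return (offset, text) for every ASCII or UTF-16LE run, sorted by offset."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(image)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(image)]
    return sorted(found)

def find_cleartext_secrets(strings):
    """Return (offset, key, value) for strings that look like a stored credential."""
    hits = []
    for offset, text in strings:
        m = KEY_VALUE_RE.match(text)
        if m and m.group(1).lower() in SENSITIVE_KEYS:
            hits.append((offset, m.group(1), m.group(2)))
    return hits

# Constructed stand-in for /sdcard/SDA.dd: padding, an ASCII preference,
# a UTF-16LE string with BOM, some binary noise, and a server setting.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"username=goatboy\x00"
    + b"\xff\xfe" + "password=goatdroid".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x01\x02"
    + b"server=10.0.2.2:8888\x00"
)

if __name__ == "__main__":
    strings = extract_strings(SAMPLE_IMAGE)
    for offset, text in strings:
        print(f"{offset:#08x}  {text}")
    print("cleartext secrets:", find_cleartext_secrets(strings))
```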
Lab: GoatDroid, a vulnerable Android application from OWASP
GoatDroid : Setting up
Install MySQL
Install fourgoats database.
Create a user with name as "goatboy", password as
"goatdroid" and Limit Connectivity to Hosts Matching
"localhost". Also "goatboy" needs to have insert,
delete, update, select on fourgoats database.
GoatDroid : Setting up
Run the goatdroid-beta-v0.1.2.jar file
Set the path for the Android SDK root directory and Virtual Devices: click Configure -> Edit and click on the Android tab
Set the path for the Android SDK, typically C:\Program Files\Android\android-sdk
Set the path for Virtual Devices, typically C:\Documents and Settings\Manish\android\avd
GoatDroid : Setting up
Start web services
Start emulator through GoatDroid jar file
Push / Install the application to Device
Run FourGoat application from emulator
Click on Menu and then click on Destination Info
Provide following information in required fields:
Server: 10.0.2.2 and Port 8888
GoatDroid : Setting up
Demo / Hands On
GoatDroid : Setting up proxy
Assuming FourGoat is already installed
Run the goatdroid-beta-v0.1.2.jar file and start web services
Start any HTTP proxy tool (Burp) on port 7000
Configure Burp to forward the incoming traffic to port 8888
Start the emulator from the command line with the following command:
emulator -avd test2 -http-proxy 127.0.0.1:7000
GoatDroid : Setting up proxy
Open the FourGoat application in the emulator
Click on Menu to set Destination Info
Set Destination Info as below:
Server: 10.0.2.2 and port as 7000
Now see if you are able to intercept the traffic in Burp
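An added example in Python (not code from the slides, GoatDroid or Burp): a minimal logging forwarder that sits where Burp sits in this setup, listening where the emulator's -http-proxy points and relaying to the GoatDroid service port, so you can confirm that Layer 7 traffic really crosses the interception point. The request path, the fake backend and the ephemeral ports are constructed here.

```python
import socket
import threading

# Added example (not from the slides, GoatDroid or Burp): a logging forwarder
# in Burp's position (emulator -> 127.0.0.1:7000 -> GoatDroid service on 8888).
# It logs the first line of every chunk in each direction.

def pump(src, dst, log, direction):
    """Copy bytes src -> dst until EOF, logging the start line of each chunk."""
    while data := src.recv(4096):
        log.append((direction, data.split(b"\r\n", 1)[0].decode("latin-1")))
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)  # pass the EOF on to the other side
    except OSError:
        pass

def handle_client(client, target, log):
    upstream = socket.create_connection(target)
    t = threading.Thread(target=pump, args=(client, upstream, log, "request"))
    t.start()
    pump(upstream, client, log, "response")
    t.join()
    client.close(); upstream.close()

def serve_proxy(listener, target, log):
    while True:
        client, _ = listener.accept()
        threading.Thread(target=handle_client, args=(client, target, log), daemon=True).start()

def listen_on(port=0):
    s = socket.socket()
    s.bind(("127.0.0.1", port)); s.listen(5)
    return s

def fake_backend(listener):
    """Constructed stand-in for the GoatDroid web service: one fixed HTTP reply."""
    conn, _ = listener.accept()
    conn.recv(4096)  # request is small and arrives in one chunk on loopback
    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
    conn.close()

def demo(request=b"GET /login?user=goatboy HTTP/1.1\r\nHost: 10.0.2.2\r\n\r\n"):
    """Wire backend, proxy and a client together on ephemeral ports; return (log, reply)."""
    backend, proxy, log = listen_on(), listen_on(), []
    threading.Thread(target=fake_backend, args=(backend,), daemon=True).start()
    threading.Thread(target=serve_proxy, args=(proxy, backend.getsockname(), log), daemon=True).start()
    client = socket.create_connection(proxy.getsockname())
    client.sendall(request)
    reply = b"".join(iter(lambda: client.recv(4096), b""))
    client.close()
    return log, reply
```

With real traffic you would call listen_on(7000) and serve_proxy(listener, ("127.0.0.1", 8888), log) instead of demo().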
GoatDroid : Setting up Proxy
Demo / Hands On
GoatDroid: Intercepting Traffic
Demo / Hands On
GoatDroid: Parameter Manipulation Attack
Demo / Hands On
GoatDroid: Handset Memory Analysis
Demo / Hands On
GoatDroid: Auditing from Android Device
Install the app on the Android device
Set the destination info as below:
Server: IP address (WLAN) of your laptop and port as 8888 (in case no proxy is listening)
Memory analysis through Terminal Emulator and the dd command
GoatDroid: Reverse Engineering
Next Topic
Reverse Engineering Android Applications
Reverse Engineering Android Application
Vulnerabilities can be found through Reverse Engineering:
Vulnerabilities in Source Code
Re-compile the application
Commented Code
Hard coded information
Reverse Engineering Android Application
Dex to jar (dex2jar)
C:\dex2jar-version\dex2jar.bat someApk.apk
Open the resulting code files in any Java decompiler
Reverse Engineering Android Application
Demo / Hands On
Agnitio
Mobile Application Code Review tool
Install: Next-Next process
Can analyze Codebase as well as .apk file
Agnitio
Demo / Hands On
Analyzing SQLite Database
Analyzing SQLite Database
SQLite Database:
SQLite is a widely used, lightweight database
Used by most mobile OSes, e.g. iPhone, Android, Symbian, webOS
SQLite is a free to use and open source database
Zero-configuration - no setup or administration needed.
A complete database is stored in a single cross-platform disk file.
Analyzing SQLite Database
Pull the .db files out of the emulator / device as explained earlier
Tools: SQLite browser, Epilog
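An added example in Python (not from the slides or GoatDroid) covering both the adb sqlite3 step (.schema / .dump) and the offline analysis here: it opens a pulled .db file, lists every table's CREATE statement, then flags columns whose names suggest credentials and whose values are stored in cleartext rather than as a hash. The sample database, its table and column names and the sensitive-name list are constructed here.

```python
import sqlite3
# Added example (not from the slides or GoatDroid): audit a .db file that was
# pulled from /data/data/<package>/databases/ with `adb pull`. It reproduces
# what `.schema` gives in the sqlite3 shell, then flags columns whose names
# suggest credentials and whose values sit in cleartext rather than as a hash.

SENSITIVE_COLUMNS = ("password", "passwd", "pin", "token", "secret", "ssn", "card")
HEX_DIGEST_LENGTHS = {32, 40, 64}  # MD5, SHA-1, SHA-256 hex digests

def looks_hashed(value):
    """Heuristic: a fixed-length hex digest is probably hashed, not cleartext."""
    return (isinstance(value, str) and len(value) in HEX_DIGEST_LENGTHS
            and all(c in "0123456789abcdefABCDEF" for c in value))

def schema(conn):
    """Equivalent of `.schema`: {table_name: CREATE TABLE statement}."""
    rows = conn.execute("SELECT name, sql FROM sqlite_master WHERE type = 'table'")
    return {name: sql for name, sql in rows}

def audit(conn):
    """Return (table, column, rowid, value) for every cleartext secret found."""
    findings = []
    for table in schema(conn):
        columns = [row[1] for row in conn.execute(f"PRAGMA table_info('{table}')")]
        for column in columns:
            if not any(word in column.lower() for word in SENSITIVE_COLUMNS):
                continue
            for rowid, value in conn.execute(f'SELECT rowid, "{column}" FROM "{table}"'):
                if value not in (None, "") and not looks_hashed(value):
                    findings.append((table, column, rowid, value))
    return findings

def build_sample_db():
    """Constructed database resembling what a careless app might store on the device."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(username TEXT, password TEXT, api_token TEXT);
        CREATE TABLE settings(key TEXT, value TEXT);
        INSERT INTO users VALUES('goatboy', 'goatdroid', 'abc123token');
        INSERT INTO users VALUES('admin', '5f4dcc3b5aa765d61d8327deb882cf99', NULL);
        INSERT INTO settings VALUES('server', '10.0.2.2:8888');
    """)
    return conn

if __name__ == "__main__":
    db = build_sample_db()  # in practice: sqlite3.connect("pulled_file.db")
    for statement in schema(db).values():
        print(statement + ";")
    for finding in audit(db):
        print("CLEARTEXT:", finding)
```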
Analyzing SQLite Database
Demo / Hands On
ExploitMe: one more vulnerable application from Security Compass
ExploitMe
Demo / Hands On
Thank You
VADODARA, INDIA: A/2-3, 3rd Floor, Status Plaza, Opp Relish Resort, Atladara Old Padra Road, Vadodara – 390020, Gujarat, India
T: +91 265 3933000 | F: +91 265 2355820
BANGALORE, INDIA: 408, 2nd Floor, Regency Enclave, 4, Magrath Road, Bangalore – 560025, Karnataka, India
T: +91 80 65608570, +91 80 65608571 | F: +91 80 41129296
MUMBAI, INDIA: 1357 / 1359, Regus Serviced Offices, Level 13, Platinum Techno Park 17 & 18, Sector 30, Vashi, Navi Mumbai – 400705, Maharashtra, India
T: +91 22 61214961
OTTAWA, CANADA: 137 Goodman Drive, Kanata, Ottawa K2W 1C7, Ontario, Canada
T: +1 613 721 9363
HOUSTON, USA: 1001 Fannin Street, Ste 1250, Houston, Texas 77002, USA
T: +1 832 295 1462
Sales: [email protected] | Marketing: [email protected] | Technical: [email protected]