Securing Android Applications
Manish Chasta | CISSP, CHFI, ITIL
About Me
Principal Consultant @ Indusface,
India
Over 6 years experience in
Information and Application Security
CISSP, CHFI, ITIL
What comes to any Indian’s mind when they think of Russia?
Agenda
Introduction to Android and Mobile Applications
Working with Android SDK and Emulator
Setting up GoatDroid Application
Memory Analysis
Intercepting Layer 7 traffic
Reverse Engineering Android Applications
SQLite Database Analysis
Demo: ExploitMe application
What the numbers say
Gartner says: 8.2 billion mobile applications were downloaded in 2010
17.7 billion by 2011
185 billion applications will have been downloaded by 2014
Market Share
Introduction to Android
Most widely used mobile OS
Developed by Google
OS + Middleware + Applications
Android Open Source Project (AOSP) is responsible for maintenance and further development
Android Architecture
Android Architecture: Linux Kernel
Linux kernel with system services: security, memory and process management, network stack
Provides drivers to access hardware: camera, display and audio, Wi-Fi, …
Android Architecture: Android RunTime
Core Libraries: written in Java; provide the functionality of the Java programming language; interpreted by the Dalvik VM
Dalvik VM: Java-based VM, a lightweight substitute for the JVM
Unlike the JVM, the DVM is a register-based virtual machine
The DVM is optimized to run with limited main memory and low CPU usage
Java code (.class files) is converted into .dex format to be able to run on the Android platform
Android Applications
Mobile Apps vs Web Applications
Thick and Thin Client
Security Measures
User Awareness
Setting-up Environment
Handset / Android Device
Android SDK and Eclipse
Emulator
Wireless Connectivity
And of course… Application file
Setting-up Lab
What we need: Android SDK, Eclipse, GoatDroid (Android app from OWASP), MySQL, .NET Framework, Proxy tool (Burp), Agnitio, Android Device (optional), SQLite Browser
Working with Android SDK
Android SDK
Development Environment for
Android Application Development
Components: SDK Manager, AVD Manager, Emulator
Android SDK
Can be downloaded from: developer.android.com/sdk/
Requires JDK to be installed
Install Eclipse
Install ADT Plugin for Eclipse
Android SDK : Installing SDK
Simple Next-next process
Android SDK: Configuring Eclipse
Go to Help->Install new Software
Click Add
Give Name as ADT Plugin
Provide the below address in Location:
http://dl-ssl.google.com/android/eclipse/
Press OK
Check next to ‘Developer Tool’ and press next
Click next and accept the ‘Terms and Conditions’
Click Finish
Android SDK: Configuring Eclipse
Now go to Window -> Preferences
Click on Android in left panel
Browse the Android SDK directory
Press OK
SDK Manager
AVD Manager
Emulator: Running
Click on Start
Emulator: Running from Command Line
Emulator: Running with proxy
ADB: Android Debug Bridge
Android Debug Bridge (adb) is a versatile
command line tool that lets you
communicate with an emulator instance
or connected Android-powered device.
You can find the adb tool in
<sdk>/platform-tools/
ADB: Important Commands
Install an application on the emulator or device:
ADB: Important Commands
Push data to the emulator / device:
adb push <local> <remote>
Pull data from the emulator / device:
adb pull <remote> <local>
Remote -> emulator / device, Local -> your machine
ADB: Important Commands
Getting a shell on the emulator or device
adb shell
Reading Logs
adb logcat
ADB: Important Commands
Reading a SQLite3 database
adb shell
cd to the directory holding the database file
sqlite3 database_name.db
.dump shows the content of the db file; .schema prints the schema of the database on the screen
Auditing Application from Android Phone
Need for Rooting
What is Android Rooting?
Rooting Android Phone
Step 1: Download CF Rooted Kernel files and Odin3 Software
Rooting Android Phone
Step 2: Keep the handset in debugging mode
Rooting Android Phone
Step 3: Run Odin3
Rooting Android Phone
Step 4: Reboot the phone in download mode
Step 5: Connect to the PC
Rooting Android Phone
Step 6: Select the required files, i.e. PDA, Phone, CSC files
Step 7: Click on Auto Reboot and F. Reset Time and hit the Start button
Rooting Android Phone
If your phone is rooted, you will see PASS!! in Odin3
Important Tools
Terminal Emulator
Proxy tool (transproxy)
Setting Proxy
Both the Android phone and the laptop (the machine used for auditing) need to be on the same wireless LAN.
Enter the laptop's IP address and the port on which the proxy is listening into the proxy tool (transproxy) installed on the handset.
Intercepting Traffic (Burp)
Burp is an HTTP proxy tool
Able to intercept layer 7 traffic and lets the user manipulate HTTP requests and responses
Memory Analysis with Terminal Emulator
DD command:
dd if=filename.xyz of=/sdcard/SDA.dd
Application path on Android Device:
/data/data/com.application_name
Lab: GoatDroid
A vulnerable Android application from OWASP
GoatDroid : Setting up
Install MySQL
Install the fourgoats database.
Create a user with name as "goatboy",
password as "goatdroid" and Limit
Connectivity to Hosts Matching "localhost".
Also "goatboy" needs to have insert, delete,
update, select on fourgoats database.
GoatDroid : Setting up
Run the goatdroid-beta-v0.1.2.jar file
Set the path for the Android SDK root directory and Virtual Devices: click Configure -> Edit and click on the Android tab
Set the path for the Android SDK; typically it should be C:\Program Files\Android\android-sdk
Set the path for Virtual Devices; typically it should be C:\Documents and Settings\Manish\android\avd
GoatDroid : Setting up
Start web services
Start emulator through GoatDroid jar file
Push / Install the application to Device
Run FourGoat application from emulator
Click on Menu and then click on Destination Info
Provide following information in required fields:
Server: 10.0.2.2 and Port 8888
GoatDroid : Setting up
Demo / Hands On
GoatDroid : Setting up proxy
Assuming FourGoat is already installed
Run goatdroid-beta-v0.1.2.jar file and start web
services
Start any HTTP Proxy (Burp) tool on port 7000
Configure Burp to forward the incoming traffic to port
8888
Start the emulator from the command line with the following command:
emulator -avd test2 -http-proxy 127.0.0.1:7000
GoatDroid : Setting up proxy
Open the FourGoat application in the emulator
Click on Menu to set Destination Info
Set Destination Info as below:
Server: 10.0.2.2 and port as 7000
Now see if you are able to intercept the traffic in Burp
GoatDroid : Setting up Proxy
Demo / Hands On
GoatDroid: Intercepting Traffic
Demo / Hands On
GoatDroid: Parameter Manipulation Attack
Demo / Hands On
GoatDroid: Handset Memory Analysis
Demo / Hands On
GoatDroid: Auditing from Android Device
Install the app on the Android device
Set the destination info as below:
Server: IP address (WLAN) of your laptop and port as 8888 (in case no proxy is listening)
Memory analysis through Terminal Emulator and the DD command
GoatDroid: Reverse Engineering
Next Topic
Reverse Engineering Android
Applications
Reverse Engineering Android Application
Vulnerabilities can be found through reverse engineering:
Vulnerabilities in Source Code
Re-compile the application
Commented Code
Hard coded information
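Added example, not from the original slides: a small scanner for the hard-coded information and commented-out code that the slides say reverse engineering uncovers, run over decompiled Java source. The Java snippet and its values are constructed for the demo.

```python
"""Scan decompiled Java (dex2jar output fed through a decompiler) for
credentials assigned as string literals and for code left behind in
comments. Example code added to these notes; the Java below is constructed."""
import re

SAMPLE_JAVA = '''\
public class Login {
    // TODO remove before release
    // String debugUrl = "http://10.0.2.2:8888/debug";
    private static final String API_KEY = "ABCD1234SECRET";
    private String dbPassword = "goatdroid";
    private String label = "Sign in";
    public boolean check(String pw) {
        /* return pw.equals("admin123"); */
        return pw.equals(dbPassword);
    }
}
'''

# An identifier that suggests a credential, assigned a string literal.
HARDCODED = re.compile(r'\b(\w*(?:pass(?:word|wd)?|secret|api_?key|token)\w*)\s*=\s*"([^"]*)"', re.I)
LINE_COMMENT = re.compile(r'^\s*//\s*(.*?)\s*$')
BLOCK_COMMENT = re.compile(r'^\s*/\*\s*(.*?)\s*\*/\s*$')
# Comment text that ends like a statement or uses keywords is probably disabled code.
CODE_LIKE = re.compile(r'[;{}]\s*$|\b(return|if|while|new)\b')


def scan_java(source):
    """Return (line_no, category, detail) for each suspicious line of decompiled source."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        comment = LINE_COMMENT.match(line) or BLOCK_COMMENT.match(line)
        if comment:
            text = comment.group(1)
            if CODE_LIKE.search(text):
                findings.append((no, "commented-out code", text))
                # Credentials inside disabled code still ship in the APK and are recoverable.
                m = HARDCODED.search(text)
                if m:
                    findings.append((no, "hard-coded credential", f'{m.group(1)}="{m.group(2)}"'))
            continue
        m = HARDCODED.search(line)
        if m:
            findings.append((no, "hard-coded credential", f'{m.group(1)}="{m.group(2)}"'))
    return findings
```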
Reverse Engineering Android Application
Dex to jar (dex2jar):
C:\dex2jar-version\dex2jar.bat someApk.apk
Open the code files in any Java decompiler
Reverse Engineering Android Application
Demo / Hands On
Agnitio
Mobile Application Code Review tool
Install: Next-Next process
Can analyze a codebase as well as an .apk file
Agnitio
Demo / Hands On
Analyzing SQLite Database
SQLite Database:
SQLite is a widely used, lightweight database
Used by most mobile OSes, e.g. iPhone, Android, Symbian, webOS
SQLite is a free-to-use, open-source database
Zero-configuration: no setup or administration needed
A complete database is stored in a single cross-platform disk file
Analyzing SQLite Database
Pull the .db files out of the emulator / device as explained earlier
Tools: SQLite Browser, Epilog
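Added example, not from the original slides, covering both the adb/sqlite3 .schema and .dump step earlier and the SQLite analysis here: open a pulled .db file, list its schema, and flag sensitive-looking columns whose values are stored in plaintext. The database is constructed inline; on a real audit pass the path of the file you pulled with adb pull.

```python
"""Inspect a SQLite database the way the slides do with sqlite3 .schema/.dump
and flag sensitive columns kept in clear text. Example code added to these
notes; the sample database and its rows are constructed."""
import os
import re
import sqlite3
import tempfile

# Column names that usually hold data an app must not persist in clear text (heuristic).
SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|card", re.I)
# A long hex string is more likely a hash or ciphertext than plaintext (heuristic).
HEXLIKE = re.compile(r"[0-9a-f]{32,}", re.I)


def build_sample_db(path):
    """Constructed stand-in for /data/data/<package>/databases/<name>.db."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES ('goatboy', 'goatdroid');
        INSERT INTO users (username, password) VALUES ('alice', '3a7bd3e2360a3d29eea436fcfb7e44c7');
    """)
    con.close()


def schema(path):
    """Same information as sqlite3's .schema: the CREATE statements in sqlite_master."""
    con = sqlite3.connect(path)
    out = [r[0] for r in con.execute("SELECT sql FROM sqlite_master WHERE sql IS NOT NULL ORDER BY name")]
    con.close()
    return out


def plaintext_secrets(path):
    """Return (table, column, value) for sensitive-looking columns whose values look unprotected."""
    con = sqlite3.connect(path)
    findings = []
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        for col in [row[1] for row in con.execute(f'PRAGMA table_info("{table}")')]:
            if not SENSITIVE.search(col):
                continue
            for (val,) in con.execute(f'SELECT "{col}" FROM "{table}"'):
                if isinstance(val, str) and not HEXLIKE.fullmatch(val):
                    findings.append((table, col, val))
    con.close()
    return findings


def audit_sample():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "fourgoats.db")
        build_sample_db(path)
        return schema(path), plaintext_secrets(path)
```

The hashed-looking value for alice is skipped while goatboy's clear-text password is reported, which is the finding a reviewer takes back to the developers.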
Analyzing SQLite Database
Demo / Hands On
ExploitMe
One more vulnerable application from Security Compass
ExploitMe
Demo / Hands On
Manish Chasta
Email: [email protected]
Twitter: twitter.com/manish_chasta
LinkedIn: http://www.linkedin.com/pub/dir/Manish/Chasta
Thank you