Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

The art of android hacking by Abhinav Mishra (0ctac0der)

Android application security
○ Android architecture
○ Application structure
○ Cool tools and distributions
○ Emulators, Devices, Attacks, Vulnerabilities …..
● What (& How) to look for in an android application
● Some interesting findings
● (Random talks)
● Cool demonstrations
● Next steps to learn android appsec

  • Inicia sesión para ver los comentarios

The art of android hacking by Abhinav Mishra (0ctac0der)

  1. 1. The Art Of Android Hacking by, Abhinav Mishra (0ctac0der)
  2. 2. Who is this weird tall guy?? Abhinav Mishra | @0ctac0der Senior Security Consultant @ TOTHENEW Digital Top 5 Mobile Security Researcher | Synack Red Team (@SynackRedTeam) Web and Mobile Application Security Researcher Bug Bounty Hunter, Speaker, Trainer, Traveler, Movie buff Have you seen “Mr. Robot” ? Any comments? Link
  3. 3. What is he talking about?? ● Android application security ○ Android architecture ○ Application structure ○ Cool tools and distributions ○ Emulators, Devices, Attacks, Vulnerabilities ….. ● What (& How) to look for in an android application ● Some interesting findings ● (Random talks) ● Cool demonstrations ● Next steps to learn android appsec
  4. 4. Que le jeu commence….. Quick Questions ● What all you know about android… ● Application structure ● Vulnerability ? Okay, my turn now ● What you want to know/learn? ● What you want me to demo? ● Any tool you love? We can talk….
  5. 5. Quick Android Walkthrough ● Linux Kernel ● Privilege separation Model (UID & GID) ● Android Permission model (android manifest) ● APK components: ○ AndroidManifest.xml ○ Classes.dex ○ META-INF ○ Resources.arsc ○ Assets ○ Res ○ Lib
  6. 6. Reversing a cute APK Things I am going to do in next 10-15 minutes: ● Choose any apk ● Decompile with apktool | $apktool d package_name.apk ● Read and understand the AndroidManifest.xml ● Showing components in the code: ○ Activities, Broadcast receivers, Content providers …. ● Extract the apk with any extractor ● Change the classes.dex to jar | $dex2jar classes.dex ● Show multiple java classes ● Possible issues to be discovered ● SMALI files and converting to JAR
  7. 7. Tools & Demos ● Emulators??? ○ Genymotion ○ Android Studio | AVD ● ADB (Android Debug Bridge) ○ $adb install ○ $ adb pull / push ● AppUse Virtual Machine ● Android Monitor / Logcat ● Application Local files
  8. 8. Drozer Basics ● Drozer client and server ● Setting up the console ● Basic commands: ○ $ run app.packer.list ○ $run app.package.info ○ $run app.package.attacksurface ○ $ run app.activity.start
  9. 9. 15 min checks 1. Debuggable | Backup : True ??? 2. AndroidManifest: Permissions 3. Hardcoded stuff 4. SSL Pinning ?? 5. Drozer: attack surface | exported components 6. Local storage encryption 7. Sdcard storage | public folder usage 8. TLS protection check
  10. 10. Because Money matters Vulnerability 1 Date: Mar-2014 Issue: Debuggable = True Bounty: $500 How to check: APK AndroidManifest.xml “debuggable=true”
  11. 11. Because Money matters Vulnerability 2 Date: May-2015 Issue: App fragment injection Bounty: $250 How to check: Anyone?
  12. 12. Because Money matters Vulnerability 3 Date: May-2015 Issue: Hardcoded Account Credentials Bounty: $200 How to check: Anyone?
  13. 13. Because Money matters Vulnerability 4 Date: June-2015 Issue: Exported component malicious usage Bounty: $1000 How to check: Anyone?
  14. 14. Because Money matters Vulnerability 5 Date: Oct-2015 Issue: Parameter manipulation Bounty: $1000 How to check: Let me explain this one to you.
  15. 15. My virtual machine (Droider) Prerequisites ● 16 GB RAM ● Intel COREi7 processor ● 500 GB free hard disk space ● Minimum internet speed required 50 MBPS ● Google Nexus 7 device, rooted
  16. 16. What Next …. ● Learn more ● Read online ● Use tools: Drozer, QARK etc. ● Start practising

×