1.
@clviper
ca@integrity.pt
Cláudio André

2.
whoami
Pentester at Integrity S.A.
Web applications, Mobile applications and
Infrastructure.
BSc in Management InformationTechnology and
OSCP.
Photography addicted.

3.
- Environment Setup
- Tools OfTheTrade
- App Analysis
- Developers Heads Up
Up next...

4.
Physical Equipment Android SDK Emulator Android x86
Environment Setup

5.
Android x86
Environment Setup
Hint
Mouse insideVM : Disable Mouse Integration (Host+i)
Portrait Resolution : Edit /mnt/grub/menu.lst and
insert UVESA_MODE=320X480 DPI=160
Black screen(locked screen): ACPI Shutdown(Host+h)
Android Shell: Ctrl+F1 / Ctrl+F7

6.
- Root your device *
- Allow Unknown Sources (Settings->Security)
- Install proxy app (ProxyDroid,AutoProxy,etc...)
- Connect to favorite proxy server (Burp
Proxy,Fiddler,etc...)
*Physical approach only
Environment Setup

7.
Android SDK
Software Development Kit containing api libraries
and developer tools to build, test and debug
Android apps.
For our context, the more important ones are
adb,aapt,ddms and the emulator.
http://developer.android.com/sdk/
Tools OfTheTrade

8.
Android Debug Bridge (ADB)
Command-line tool to communicate with
emulator instance or connected physical/virtual
device.
http://developer.android.com/sdk/
adb devices
adb connect
adb shell
adb install
adb push | pull
.....
Usefull commands:
Tools OfTheTrade

9.
Dalvik Debug Monitor Server(DDMS)
Debugging tool that provides port-forwarding,
screen capture, heap dump, logcat, file manager
and many other features.
http://developer.android.com/sdk/
Tools OfTheTrade

10.
QtADB
Android Manager. Filemanager and applications
manager, access to logs and shell,take
screenshots, etc..*
http://qtadb.wordpress.com/
*Requires aapt that comes with Android SDK.
Tools OfTheTrade

11.
http://youtu.be/H4ysZblviZg
DEMO
QtADB
Tools OfTheTrade

12.
Tool for converting .dex Android format to .class
Java format.
https://code.google.com/p/dex2jar/
dex2jar
Tools OfTheTrade

13.
Java Decompiler with GUI to display java source
code of class files.
http://jd.benow.ca/
JD-GUI
Tools OfTheTrade

14.
Extract plain-text AndroidManifest.xml from
APK.
https://code.google.com/p/xml-apk-parser/
APKParser
Tools OfTheTrade

15.
Tool to analyse app behaviour during runtime
and help to identify potential security issues.
https://github.com/iSECPartners/Introspy-Android
Introspy-Android + Introspy-Analyser
Tool to Generate HTML reports based on the
database generated by Introspy-Android.
Tools OfTheTrade

16.
Tool to bypass SSL certificate pinning for most
applications *
https://github.com/iSECPartners/Android-SSL-TrustKiller
Android-SSL-TrustKiller
*Custom pinning implementations may need custom hooking
Tools OfTheTrade

17.
Install Cydia Substrate + AndroidSSLTrustKiller
Hint
Turn off SSLTrustKiller:
#1
#2
(Bypassing Pinning)
Android-SSL-TrustKiller
Tools OfTheTrade

18.
Proxy Server CA Certificate
Hint (Validate Pinning)
#1 Browse to proxy
server address and
download certificate
#2 Open file via
File Manager
#3 Save Certificate
Validate Pinning
Tools OfTheTrade

19.
Android-SSL-TrustKiller
Tools OfTheTrade
http://youtu.be/8NwbmSI9OWo
DEMO

20.
Security testing framework, great to determine
app attack surface and interact with it.
https://www.mwrinfosecurity.com/products/drozer/
Drozer(ex-mercury)
Tools OfTheTrade

21.
http://youtu.be/KAWPfHLHO0Y
DEMO
Drozer(ex-mercury)
Tools OfTheTrade

22.
Integrated platform for security testing of web
applications. For our context the main interest is
in the Proxy funcionallity to intercept and
inspect requests between the app and the
backend.
http://portswigger.net/burp/
Burp Suite
Tools OfTheTrade

23.
Android Environment Sandboxing
/data/data/app1 /data/data/app2
Process UID (10000) Process UID (10001)
APP1
Dalvik
APP2
Dalvik
App Analysis

24.
Android Application Components
App Analysis
Activities
Services
Broadcast Receivers
Content Providers

25.
Zip Archive
Contains Dalvik class files, assets, resources and
AndroidManifest.xml
Stored at /data/app
Android Application Package File (.apk)
App Analysis

26.
Presents information about the app to the
system.
Describes app components
Define permissions
AndroidManifest.xml
App Analysis

27.
XML format file with key-value pairs.
App settings.
Shared Preferences
App Analysis

28.
Single file relational database used to store
application data and settings.
SQLite Databases
App Analysis

29.
OWASPTop 10 Mobile Risks
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
M1:Weak Server Side Controls
M2: Insecure Data Storage
M3: InsufficientTransport Layer Protection
. . . . . . . . .
App Analysis

30.
GoatDroid
App Analysis
FourGoats is a location-based social network built for sharing everything about your life with
everyone. Using FourGoats, you can check in at various places, earn loyalty rewards, and see
what your friends are doing as well as where they are doing it.
FourGoats also provides an API to other applications to allow their users to share even more
of their activities than ever before!
https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project

31.
GoatDroid
App Analysis
http://youtu.be/3DpLKK90oAY
DEMO

32.
http://youtu.be/tAyLOn5ttFo
DEMO
GoatDroid
App Analysis

33.
App Analysis
The Lost Art of Keeping a Secret

34.
http://youtu.be/QJF-pvpRSFE
DEMO
App Analysis
The Lost Art of Keeping a Secret

35.
Developers Heads Up
• Insecure Data Storage
- Shared Preferences without MODE_WORLD_READABLE.
- Sensitive information should not be stored. If needed, should be encrypted
from derivation of user Password/PIN and not with hardcoded encryption keys.
Still vulnerable to offline brute-force. Enforce strong password policy.
• InsufficientTransport Layer Protection
- Apply SSL/TLS transport in channels that the app transmits sensitive
information to the backend.
- Implement Certificate Pinning if very sensitive information is transmitted.

36.
• Client Side Injection
- Only export components(Activities,Services,Broadcast Receivers,Content
Providers) that make sense and that cannot bypass access controls and leak
Internal information.
• Lack of Binary Protection
- Obfuscate your code, at minimum with ProGuard. Dont make your attacker
life easier.
Developers Heads Up