Pentesting Android Applications
Cláudio André
@clviper
ca@integrity.pt

whoami
Pentester at Integrity S.A.
Web applications, Mobile applications and Infrastructure.
BSc in Management Information Technology and OSCP.
Photography addicted.

Up next...
- Environment Setup
- Tools Of The Trade
- App Analysis
- Developers Heads Up

Environment Setup
Options: Physical Equipment, Android SDK Emulator, Android x86

Environment Setup: Android x86
Hint
- Mouse inside VM: Disable Mouse Integration (Host+i)
- Portrait resolution: edit /mnt/grub/menu.lst and insert UVESA_MODE=320X480 DPI=160
- Black screen (locked screen): ACPI Shutdown (Host+h)
- Android shell: Ctrl+F1 / Ctrl+F7

Environment Setup: Physical Device
- Root your device *
- Allow Unknown Sources (Settings -> Security)
- Install a proxy app (ProxyDroid, AutoProxy, etc.)
- Connect to your favourite proxy server (Burp Proxy, Fiddler, etc.)
* Physical approach only

Tools Of The Trade: Android SDK
Software Development Kit containing API libraries and developer tools to build, test and debug Android apps.
For our context, the most important ones are adb, aapt, ddms and the emulator.
http://developer.android.com/sdk/

Tools Of The Trade: Android Debug Bridge (ADB)
Command-line tool to communicate with an emulator instance or a connected physical/virtual device.
http://developer.android.com/sdk/
Useful commands:
adb devices
adb connect
adb shell
adb install
adb push | pull
.....
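As an added example (not part of the slides), a small Python helper showing how the adb commands above fit together in a scripted workflow: it reads the output of `adb devices -l`, picks a device that is actually usable, turns the output of `adb shell pm path <package>` into the on-device APK path, and builds the `adb -s <serial> pull` command line. The device listing and the `pm path` output are constructed samples, and com.example.target is a placeholder package name.

```python
"""Scripted use of the adb commands on the slide (added example, not from the
talk). Sample adb output below is constructed; com.example.target is a
placeholder package name."""
from typing import Dict, List, Optional

# Constructed `adb devices -l` output: one usable device, one that has not yet
# accepted the RSA authorization prompt on screen, and one emulator that is offline.
SAMPLE_DEVICES = """List of devices attached
ABCD1234       device usb:1-1 product:phone model:Example device:example transport_id:1
EFGH5678       unauthorized usb:1-2 transport_id:2
emulator-5554  offline transport_id:3
"""

# Constructed `adb shell pm path com.example.target` output (one line per APK).
SAMPLE_PM_PATH = "package:/data/app/com.example.target-1/base.apk\n"


def parse_devices(output: str) -> Dict[str, str]:
    """Map each serial to its state: device, unauthorized, offline, ..."""
    states: Dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip() or line.startswith("List of") or line.startswith("*"):
            continue                      # header line and daemon start-up chatter
        parts = line.split()
        if len(parts) < 2:
            continue
        states[parts[0]] = parts[1]
    return states


def pick_ready_device(output: str) -> Optional[str]:
    """Only a device in state 'device' accepts shell/install/pull.
    'unauthorized' means the RSA prompt was not accepted on the device;
    'offline' means adb cannot talk to it yet."""
    for serial, state in parse_devices(output).items():
        if state == "device":
            return serial
    return None


def parse_pm_path(output: str) -> List[str]:
    """pm path prints `package:<path>` for the base APK and any split APKs."""
    prefix = "package:"
    return [line[len(prefix):].strip() for line in output.splitlines()
            if line.startswith(prefix)]


def pull_argv(serial: str, remote: str, local: str) -> List[str]:
    """argv for `adb -s <serial> pull <remote> <local>`; -s selects the device
    explicitly so the command does not fail with 'more than one device'."""
    return ["adb", "-s", serial, "pull", remote, local]


def plan_apk_pull(devices_output: str, pm_path_output: str,
                  local_dir: str = ".") -> List[List[str]]:
    """Full plan: choose a device, then one pull command per APK reported by pm path."""
    serial = pick_ready_device(devices_output)
    if serial is None:
        raise RuntimeError("no device in 'device' state; check the authorization prompt")
    plans = []
    for remote in parse_pm_path(pm_path_output):
        local = f"{local_dir}/{remote.rsplit('/', 1)[-1]}"
        plans.append(pull_argv(serial, remote, local))
    return plans


if __name__ == "__main__":
    # With a real device, feed the subprocess output of the two adb commands
    # in here instead of the constructed samples.
    for argv in plan_apk_pull(SAMPLE_DEVICES, SAMPLE_PM_PATH, "out"):
        print(" ".join(argv))
```

The pulled APK is what the dex2jar, JD-GUI and APKParser steps on the following slides take as input.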

Tools Of The Trade: Dalvik Debug Monitor Server (DDMS)
Debugging tool that provides port forwarding, screen capture, heap dump, logcat, a file manager and many other features.
http://developer.android.com/sdk/

Tools Of The Trade: QtADB
Android manager: file manager and application manager, access to logs and shell, screenshots, etc. *
http://qtadb.wordpress.com/
* Requires aapt, which comes with the Android SDK.

Tools Of The Trade: DEMO QtADB
http://youtu.be/H4ysZblviZg

Tools Of The Trade: dex2jar
Tool for converting the .dex Android format to the .class Java format.
https://code.google.com/p/dex2jar/

Tools Of The Trade: JD-GUI
Java decompiler with a GUI to display the Java source code of class files.
http://jd.benow.ca/

Tools Of The Trade: APKParser
Extracts the plain-text AndroidManifest.xml from an APK.
https://code.google.com/p/xml-apk-parser/

Tools Of The Trade: Introspy-Android + Introspy-Analyser
Introspy-Android: tool to analyse app behaviour at runtime and help identify potential security issues.
https://github.com/iSECPartners/Introspy-Android
Introspy-Analyser: tool to generate HTML reports from the database generated by Introspy-Android.

Tools Of The Trade: Android-SSL-TrustKiller
Tool to bypass SSL certificate pinning for most applications *
https://github.com/iSECPartners/Android-SSL-TrustKiller
* Custom pinning implementations may need custom hooking

Tools Of The Trade: Android-SSL-TrustKiller (Bypassing Pinning)
Hint: Install Cydia Substrate + AndroidSSLTrustKiller
Turn off SSLTrustKiller: #1 #2

Tools Of The Trade: Android-SSL-TrustKiller (Validate Pinning)
Hint: install the proxy server CA certificate on the device
#1 Browse to the proxy server address and download the certificate
#2 Open the file via the File Manager
#3 Save the certificate

Tools Of The Trade: DEMO Android-SSL-TrustKiller
http://youtu.be/8NwbmSI9OWo

Tools Of The Trade: Drozer (ex-Mercury)
Security testing framework, great for determining an app's attack surface and interacting with it.
https://www.mwrinfosecurity.com/products/drozer/

Tools Of The Trade: DEMO Drozer (ex-Mercury)
http://youtu.be/KAWPfHLHO0Y

Tools Of The Trade: Burp Suite
Integrated platform for security testing of web applications. For our context the main interest is the Proxy functionality, used to intercept and inspect requests between the app and the backend.
http://portswigger.net/burp/

App Analysis: Android Environment Sandboxing
APP1 (Dalvik) runs as process UID 10000, with its data in /data/data/app1
APP2 (Dalvik) runs as process UID 10001, with its data in /data/data/app2

App Analysis: Android Application Components
- Activities
- Services
- Broadcast Receivers
- Content Providers

App Analysis: Android Application Package File (.apk)
Zip archive containing Dalvik class files, assets, resources and AndroidManifest.xml
Stored at /data/app

App Analysis: AndroidManifest.xml
Presents information about the app to the system.
Describes the app components.
Defines permissions.
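As an added example (not from the talk), the check a tester runs on the plain-text manifest that APKParser extracts, and the same list a developer should review before shipping (see the Client Side Injection item under Developers Heads Up): which components are reachable from other apps, why, and whether a permission guards them. The manifest is constructed and com.example.target is a placeholder; the export rules are the platform defaults of the Android versions current for this deck (explicit `android:exported`, otherwise an intent-filter exports an activity, service or receiver, and a provider is exported by default below targetSdkVersion 17).

```python
"""Exported-component check over a plain-text AndroidManifest.xml (added
example, not from the talk). The manifest below is constructed; the rules
follow the platform defaults of the Android versions current for this deck."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

A = "{http://schemas.android.com/apk/res/android}"   # android: namespace for ElementTree
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.target">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="16"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Target">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".UserProvider"
              android:authorities="com.example.target.users"
              android:readPermission="com.example.target.READ_USERS"/>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.target.notes"
              android:exported="false"/>
  </application>
</manifest>
"""


def attr(elem: ET.Element, name: str, default: Optional[str] = None) -> Optional[str]:
    return elem.get(A + name, default)


def target_sdk(root: ET.Element) -> int:
    """targetSdkVersion falls back to minSdkVersion, which falls back to 1."""
    sdk = root.find("uses-sdk")
    if sdk is None:
        return 1
    return int(attr(sdk, "targetSdkVersion", attr(sdk, "minSdkVersion", "1")))


def export_reason(elem: ET.Element, target: int) -> Optional[str]:
    """Why the component is reachable from other apps, or None if it is not."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return "android:exported=true" if explicit.lower() == "true" else None
    if elem.tag == "provider":
        # Content providers were exported by default until targetSdkVersion 17.
        return "provider default (targetSdkVersion < 17)" if target < 17 else None
    if elem.find("intent-filter") is not None:
        return "has intent-filter (exported by default)"
    return None


def exported_components(manifest_xml: str) -> List[Dict[str, Optional[str]]]:
    root = ET.fromstring(manifest_xml)
    target = target_sdk(root)
    app = root.find("application")
    findings = []
    for elem in (app if app is not None else []):
        if elem.tag not in COMPONENT_TAGS:
            continue
        reason = export_reason(elem, target)
        if reason is None:
            continue
        # Any of these attributes gates access to the component with a permission.
        guard = (attr(elem, "permission") or attr(elem, "readPermission")
                 or attr(elem, "writePermission"))
        findings.append({"type": elem.tag, "name": attr(elem, "name"),
                         "reason": reason, "permission": guard})
    return findings


def unprotected(findings: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Exported components with no permission guard: the attack surface drozer
    would enumerate, and the first candidates for the developer to un-export."""
    return [f for f in findings if f["permission"] is None]


if __name__ == "__main__":
    for f in exported_components(SAMPLE_MANIFEST):
        flag = "" if f["permission"] else "  <-- no permission guard"
        print(f"{f['type']:<9} {f['name']:<16} {f['reason']}{flag}")
```

Since Android 12 (API 31) a component with an intent-filter must declare `android:exported` explicitly, so on current targets the intent-filter default in `export_reason` no longer applies; the explicit attribute and the permission check remain the things to read.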

App Analysis: Shared Preferences
XML file with key-value pairs.
App settings.

App Analysis: SQLite Databases
Single-file relational database used to store application data and settings.
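As an added example (not from the talk) tying the sandboxing slide to the two storage formats above: a Python check over `ls -l` listings of an app's shared_prefs and databases directories. It maps the `u0_aNN` owner that `ls` shows back to the numeric app UID of the sandboxing slide and flags files whose mode lets other UIDs read or write them, which is exactly what the per-app UID isolation is supposed to prevent and what MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE undo. The listings are constructed and com.example.target is a placeholder.

```python
"""Checks on an app's private storage (added example, not from the talk):
maps the u0_aNN owner shown by ls back to the numeric app UID from the
sandboxing slide and flags files whose mode lets other UIDs read or write
them. The directory listings below are constructed; com.example.target is a
placeholder package name."""
import re
from typing import Dict, List

# Constructed `ls -l` output of the two directories discussed on the slides.
SAMPLE_LISTINGS: Dict[str, str] = {
    "/data/data/com.example.target/shared_prefs": """\
-rw-rw---- u0_a45 u0_a45  612 2014-03-10 12:00 session.xml
-rw-rw-r-- u0_a45 u0_a45  288 2014-03-10 12:00 settings.xml
-rw-rw-rw- u0_a45 u0_a45   97 2014-03-10 12:01 cache.xml
""",
    "/data/data/com.example.target/databases": """\
-rw-rw---- u0_a45 u0_a45 16384 2014-03-10 12:00 app.db
-rw-rw-r-- u0_a45 u0_a45 20480 2014-03-10 12:00 users.db
""",
}

_UID_RE = re.compile(r"^u(\d+)_a(\d+)$")


def app_uid(owner: str) -> int:
    """u0_a45 is how Android names app UID 10045: 10000 + app id
    (plus 100000 per secondary Android user)."""
    m = _UID_RE.match(owner)
    if not m:
        raise ValueError(f"not an app uid name: {owner}")
    user, app_id = int(m.group(1)), int(m.group(2))
    return user * 100000 + 10000 + app_id


def parse_ls(output: str) -> List[Dict[str, str]]:
    """Pull mode, owner, group and file name out of each `ls -l` line."""
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 7 or len(parts[0]) != 10:
            continue                        # skip 'total' lines and anything odd
        entries.append({"mode": parts[0], "owner": parts[1],
                        "group": parts[2], "name": parts[-1]})
    return entries


def world_access(mode: str) -> Dict[str, bool]:
    """The last three mode characters are the 'others' bits. MODE_PRIVATE
    files have none set; MODE_WORLD_READABLE/WRITEABLE set r / w here."""
    others = mode[7:10]
    return {"read": others[0] == "r", "write": others[1] == "w"}


def audit(listings: Dict[str, str]) -> List[Dict[str, object]]:
    """Files readable or writable by any other app UID despite the per-app sandbox."""
    findings = []
    for path, output in listings.items():
        for entry in parse_ls(output):
            access = world_access(entry["mode"])
            if access["read"] or access["write"]:
                findings.append({"path": f"{path}/{entry['name']}",
                                 "uid": app_uid(entry["owner"]),
                                 "world_readable": access["read"],
                                 "world_writable": access["write"]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LISTINGS):
        print(f)
```

On a real device the listings come from `adb shell ls -l /data/data/<package>/shared_prefs` on a rooted device or emulator (the reason the environment-setup slides ask for root); the check is the same.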

App Analysis: OWASP Top 10 Mobile Risks
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
. . . . . . . . .

App Analysis: GoatDroid
FourGoats is a location-based social network built for sharing everything about your life with everyone. Using FourGoats, you can check in at various places, earn loyalty rewards, and see what your friends are doing as well as where they are doing it.
FourGoats also provides an API to other applications to allow their users to share even more of their activities than ever before!
https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project

App Analysis: DEMO GoatDroid
http://youtu.be/3DpLKK90oAY
http://youtu.be/tAyLOn5ttFo

App Analysis: The Lost Art of Keeping a Secret
DEMO
http://youtu.be/QJF-pvpRSFE

Developers Heads Up
• Insecure Data Storage
- Shared Preferences without MODE_WORLD_READABLE.
- Sensitive information should not be stored. If it must be, it should be encrypted with a key derived from the user's password/PIN and not with hardcoded encryption keys. This is still vulnerable to offline brute force, so enforce a strong password policy.
• Insufficient Transport Layer Protection
- Apply SSL/TLS transport on the channels through which the app transmits sensitive information to the backend.
- Implement certificate pinning if very sensitive information is transmitted.
• Client Side Injection
- Only export components (Activities, Services, Broadcast Receivers, Content Providers) that make sense to export and that cannot bypass access controls and leak internal information.
• Lack of Binary Protection
- Obfuscate your code, at minimum with ProGuard. Don't make your attacker's life easier.
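As an added example (not from the talk) of the Insecure Data Storage advice above: deriving the encryption key from the user's PIN or password instead of hardcoding it. A hardcoded key is a constant that dex2jar and JD-GUI reveal straight from the APK; a derived key is recomputed from what the user types and never lands in storage. What the app keeps is a random salt and a verifier, so a wrong PIN can be detected without storing the key. The iteration count, the `b"verifier"` label and the function names are choices made for this example, not platform values.

```python
"""Key derived from the user's PIN/password instead of a hardcoded key
(added example, not from the talk). Iteration count, KEY_LEN and the
verifier label are choices made here, not platform values."""
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 100_000   # chosen here; higher makes every offline guess cost more
KEY_LEN = 32           # bytes, e.g. for AES-256


def derive_key(secret: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 of the user secret; the same secret and salt always
    give the same key, so nothing key-like has to be written to disk."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def verifier(key: bytes) -> bytes:
    """Value the app may store to detect a wrong PIN without storing the key."""
    return hmac.new(key, b"verifier", "sha256").digest()


def enrol(secret: str) -> Dict[str, bytes]:
    """What lands in app storage: random salt + verifier, never the key or secret."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": verifier(derive_key(secret, salt))}


def unlock(secret: str, record: Dict[str, bytes]) -> Optional[bytes]:
    """Re-derive the key from the typed secret; None if the verifier does not match.
    compare_digest keeps the comparison constant-time."""
    key = derive_key(secret, record["salt"])
    if not hmac.compare_digest(verifier(key), record["verifier"]):
        return None
    return key


def guesses_to_exhaust(alphabet_size: int, length: int) -> int:
    """Worst-case candidate count for an offline attacker who copied the salt
    and verifier: the KDF only multiplies this by its per-guess cost, which is
    why the slide asks for a strong password policy rather than the KDF alone."""
    return alphabet_size ** length


if __name__ == "__main__":
    record = enrol("correct horse")
    print("stored:", record["salt"].hex(), record["verifier"].hex())
    print("right secret unlocks:", unlock("correct horse", record) is not None)
    print("wrong secret unlocks:", unlock("wrong", record) is not None)
    print("4-digit PIN candidates:", guesses_to_exhaust(10, 4))
```

The key returned by `unlock` is what would feed the symmetric cipher used for the stored data; that part is left to the platform's crypto API and is not shown here.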

Editor's Notes

  1. Activities: the GUI made available to the user; Services: component that runs operations in the background without a user interface; Broadcast Receivers: component that receives notifications from the system or from other applications; Content Provider: component that manages access to structured data, typically SQLite.
  2. DexGuard