Android penetration testing is the process of testing an Android application and finding its security issues. It involves decompiling the application, analysing it at run time and testing it from a security point of view. These slides cover real-time testing of Android applications and some common security issues such as insecure logging, leaking content providers, insecure data storage and access control issues.
Android Application Penetration Testing - Mohammed Adam
2. ./ABOUT ME
• Mohammed Adam
• Information security researcher
• Security consultant at Crossbow Labs
• FOSS activist in VGLUG (Viluppuram GNU/Linux Users Group)
• Acknowledged by 50+ top companies such as Oppo, Nokia, Honeywell, McAfee, VirusTotal, Mastercard, Bitdefender, Dell Technologies, Asus, Intel, DuckDuckGo, Carbon Black etc. in bug bounties.
3. ./AGENDA
• Introduction to Android penetration testing
• Requirements & tools
• Static analysis - automation & manual testing
• Dynamic analysis - automation & manual testing
• Discussion on the OWASP Top 10 Mobile 2016 vulnerabilities
4. ANDROID INTERNALS
• Based on the Linux kernel
• Latest version - Android Pie
• Android Q 10.0 on the way
• Applications run through the Dalvik VM (Dalvik Virtual Machine)
• The Dalvik VM runs executable files such as DEX (Dalvik Executable) or APK files
• APK files are zipped content of resources, signatures, classes.dex and the AndroidManifest.xml file.
5. ANDROID SECURITY MODEL
• Applications are sandboxed (each runs with a different UID & GID)
• Zygote spawns a new process for each application
• Each application runs with a separate instance of the Dalvik VM
• Special permissions are provided for access to hardware APIs
• Permissions are declared in the AndroidManifest.xml file.
6. ANDROID APPLICATION .APK
• Just an archive!
• Written mainly in Java & XML
• Multiple entry points, such as activities, services, intents, content providers, etc.
9. WHAT IS ADB?
• Android Debug Bridge (adb) is a command line tool that lets you communicate with an emulator or a connected Android device.
• ADB debugging - adb devices, adb forward, adb kill-server
• Wireless - adb connect, adb usb
• Package manager - adb install, adb uninstall, adb shell pm list packages, adb shell pm path, adb shell pm clear
• Network - adb shell netstat, adb shell ping, adb shell netcfg, adb shell ip
• Logcat - adb logcat, adb shell dumpsys, adb shell dumpstate
• References - http://adbshell.com/
10. STATIC ANALYSIS - MANUAL TESTING
• Reverse engineering Android applications
• The unzip utility can be used to extract the files that are stored inside the APK.
11. APKTOOL
• apktool - a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications.
• Disassembling an Android APK file:
apktool d <apk file>
12. EVERY APK CONTAINS THE FOLLOWING FILES:
• AndroidManifest.xml - defines the permissions of the application
• classes.dex - contains all the Java class files
• resources.arsc - contains all the meta-information about the resources and nodes
17. ANDROIDMANIFEST.XML, OMG!
• android:exported="true" in <provider> will turn into a nightmare!
• By the way, by default it is "true" if either android:minSdkVersion or android:targetSdkVersion is set to "16" or lower.
• For applications that set either of these attributes to "17" or higher, the default is "false".
18. DEBUG MODE
• The debuggable attribute defines whether the application can be debugged or not. If the application can be debugged, it can provide plenty of information to an attacker.
<application
    android:debuggable="false">
</application>
19. BACKUP FLAG
• This setting defines whether application data can be backed up and restored by a user who has enabled USB debugging. Therefore applications that handle and store sensitive information such as card details, passwords etc.:
<application
    android:allowBackup="false">
</application>
20. EXTERNAL STORAGE
• Applications that have the permission to copy data to external storage should be reviewed to ensure that no sensitive information is stored there.
<uses-permission
    android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
21. ANDROID:PROTECTIONLEVEL
• The android:protectionLevel attribute defines the procedure that the system should follow before it grants the permission to the application that has requested it. There are four values that can be used with this attribute:
• normal – dangerous – signature – signatureOrSystem
• All the permissions that the application requests should be reviewed to ensure that they don't introduce a security risk.
<permission
    android:protectionLevel="signature" />
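The checks on slides 17 to 21 can be run automatically over the AndroidManifest.xml that apktool decodes. The script below is an added example, not part of the deck; the sample manifest is constructed and the finding strings are the script's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(el, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return el.get(f"{{{ANDROID_NS}}}{name}")

def audit_manifest(manifest_xml):
    """Return the findings for the manifest checks on slides 17-21, in document order."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    min_sdk = int(attr(sdk, "minSdkVersion") or 1) if sdk is not None else 1
    target_sdk = int(attr(sdk, "targetSdkVersion") or min_sdk) if sdk is not None else min_sdk
    findings = []
    app = root.find("application")
    if app is not None:
        if attr(app, "debuggable") == "true":            # slide 18
            findings.append("application is debuggable")
        if attr(app, "allowBackup") != "false":          # slide 19: defaults to true
            findings.append("allowBackup is not disabled")
        for prov in app.findall("provider"):             # slide 17
            exported = attr(prov, "exported")
            if exported is None:  # documented default: true when either SDK attribute <= 16
                exported = "true" if min_sdk <= 16 or target_sdk <= 16 else "false"
            if exported == "true" and attr(prov, "permission") is None:
                findings.append(f"exported provider without permission: {attr(prov, 'name')}")
    for up in root.findall("uses-permission"):           # slide 20
        if attr(up, "name") == "android.permission.WRITE_EXTERNAL_STORAGE":
            findings.append("writes to external storage; review what is stored there")
    for perm in root.findall("permission"):              # slide 21: custom permissions
        level = attr(perm, "protectionLevel") or "normal"
        if level not in ("signature", "signatureOrSystem"):
            findings.append(f"custom permission {attr(perm, 'name')} has protectionLevel {level}")
    return findings

# Constructed sample manifest (not from a real app) that trips every check above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <permission android:name="com.example.demo.READ_NOTES" android:protectionLevel="normal"/>
  <application android:debuggable="true">
    <provider android:name=".NotesProvider" android:authorities="com.example.demo.notes"/>
    <provider android:name=".SafeProvider" android:authorities="com.example.demo.safe" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE_MANIFEST)))
```

Raising both SDK attributes to 17 silences the provider finding, which is exactly the default flip slide 17 describes.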
22. INTENTS
• Intents can be used to launch an activity, to send a message to any interested broadcast receiver components, and to communicate with a background service. Intent messages should be reviewed to ensure that they don't contain any sensitive information that could be intercepted.
<intent-filter>
    <action android:name="string" />
    <category android:name="string" />
</intent-filter>
23. CLASSES.DEX
• The classes.dex file contains all the Java classes of the application, and it can be disassembled with the baksmali tool to retrieve the Java source code.
25. TO READ A JAR FILE – USE JD-GUI
• In JD-GUI, File -> Open the file/directory where the JAR file is present
26. ANDROID WEBVIEW VULNERABILITIES
• WebViews are used in Android applications to load content and HTML pages within the application. Because of this functionality, the implementation of the WebView must be secure in order not to expose the application to great risk.
27. LOADING CLEAR-TEXT CONTENT
• If the WebView is allowed to load clear-text content from the Internet, it is open to various forms of attack such as MITM.
myWebView.loadUrl("http://www.droidsec.org/tests/addjsif/");
28. SSL ERROR HANDLING
• The code below instructs the WebView client to proceed when an SSL error occurs. This means that the application is vulnerable to MITM attacks, as it could allow an attacker to read or modify content that is displayed to the user, since any certificate would be accepted by the application.
@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    handler.proceed();
}
29. JAVASCRIPT ENABLED
• Allowing JavaScript content to be executed within the application via the WebView might give an attacker the opportunity to execute arbitrary JavaScript code in order to perform malicious actions. This setting allows the WebView to execute JavaScript code.
WebSettings webSettings = myWebView.getSettings();
webSettings.setJavaScriptEnabled(true);
30. ACCESSING LOCAL RESOURCES
• If the WebView is allowed to access content from other applications that exist on the same device, it could be possible for an attacker to create a malicious HTML file that could be injected into the target application through the use of the file: scheme. For this malicious file to be loaded, it needs to have world-readable permissions.
31. ANDROID CODING BEST PRACTICES
• Follow -> https://developer.android.com/guide/practices/compatibility
• Top 10 Mobile Risks OWASP 2016 – https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
• https://wiki.sei.cmu.edu/confluence/display/android/DRD02-J.+Do+not+allow+WebView+to+access+sensitive+local+resource+through+file+scheme
• https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
• https://www.rapid7.com/db/modules/exploit/android/browser/webview_addjavascriptinterface
33. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE
• To configure the proxy, go to Settings. A screen like the one below will come up. Select "More".
36. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE
• Now, there must be a mobile network already configured, and the name of the network will be "Telkila", as shown in the image below. Choose this network.
37. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE
• Put the IP address of the interface on which you will be listening for the traffic, i.e. where you will run Burp. Below that, put the port number on which you want to listen. By default it's 8080 in Burp, but feel free to change it; just make sure you have the same port number configured at both end points.
38. INTERCEPTING MOBILE APP TRAFFIC USING BURPSUITE
• Now in Burp Suite, go to the "Proxy" tab and select the "Options" tab. Select the default configured interface and click on "Edit".
41. SSL PINNING BYPASS
• Required tools for SSL pinning bypass
• Rooted mobile
• SSLUnpinning APK
• Xposed Framework & Xposed Installer APK for the specific mobile (depends on SDK)
42. DROZER – GAME CHANGER TOOL FOR ANDROID APP PT
• Connecting drozer to the mobile device
• Connect your mobile device to your computer using a USB cable;
• Open the drozer Agent application on your mobile device and click the ON button at the bottom-right;
43. DROZER – CONT.
• Use adb.exe to open a TCP socket between your computer and the server embedded in the drozer Agent:
adb.exe forward tcp:31415 tcp:31415
• Go to the folder where you installed drozer and connect to the mobile device:
drozer console connect
44. STARTING AN ACTIVITY FROM ANOTHER PACKAGE
• OK, now we have an interactive drozer console. What can we do? Let's start an activity, command by command:
• list will display a list of the commands available in drozer
45. FIND A LIST OF PACKAGES
• Run app.package.list -f firefox to find a list of packages that contain the string "firefox"; we found org.mozilla.firefox.
46. IDENTIFY THE ATTACK SURFACE FOR OUR APPLICATION
• Run app.package.attacksurface org.mozilla.firefox to identify the attack surface of our application; we found 113 exported activities, 12 exported broadcast receivers, 8 exported content providers and 1 exported service; this is a good example of a big attack surface.
49. LIST THE EXPORTED ACTIVITIES
• Run app.activity.info -a org.mozilla.firefox to list the exported activities; we can see that there is an exported activity named org.mozilla.firefox.App that does not require any permission to be started.
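The enumeration that app.package.attacksurface and app.activity.info perform on the device (slides 46 and 49) can also be done offline from the manifest apktool decodes, which is useful for reviewing the same exposure in a build before it is installed. This is an added example, not drozer's code or the deck's; the sample manifest is constructed (it is not Firefox's real manifest) and the exported-by-default rules applied are the platform's documented ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "receiver", "service", "provider")

def attr(el, name):
    return el.get(f"{{{ANDROID_NS}}}{name}")

def is_exported(comp, min_sdk, target_sdk):
    """An explicit android:exported wins; otherwise activities, receivers and services are
    exported when they declare an intent-filter, and providers follow slide 17's SDK rule."""
    explicit = attr(comp, "exported")
    if explicit is not None:
        return explicit == "true"
    if comp.tag == "provider":
        return min_sdk <= 16 or target_sdk <= 16
    return comp.find("intent-filter") is not None

def attack_surface(manifest_xml):
    """Return (exported count per component type, exported components needing no permission)."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    min_sdk = int(attr(sdk, "minSdkVersion") or 1) if sdk is not None else 1
    target_sdk = int(attr(sdk, "targetSdkVersion") or min_sdk) if sdk is not None else min_sdk
    counts = dict.fromkeys(COMPONENTS, 0)
    unprotected = []
    app = root.find("application")
    for comp in (app if app is not None else []):
        if comp.tag in COMPONENTS and is_exported(comp, min_sdk, target_sdk):
            counts[comp.tag] += 1
            if attr(comp, "permission") is None:  # reachable by any app, like slide 49's .App
                unprotected.append(f"{comp.tag}:{attr(comp, 'name')}")
    return counts, unprotected

# Constructed sample manifest mixing explicit and default exports.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.browser">
  <uses-sdk android:minSdkVersion="17" android:targetSdkVersion="26"/>
  <application>
    <activity android:name=".App">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".Settings" android:exported="true" android:permission="org.example.browser.ADMIN"/>
    <activity android:name=".Internal"/>
    <receiver android:name=".BootReceiver"><intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
    <service android:name=".SyncService" android:exported="true"/>
    <provider android:name=".HistoryProvider" android:authorities="org.example.browser.history"/>
  </application>
</manifest>"""
```

attack_surface(SAMPLE_MANIFEST) reports two exported activities, one receiver, one service and no provider, and lists .App, .BootReceiver and .SyncService as reachable without any permission.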
50. LIST OF VULNERABLE ANDROID APPLICATIONS
• Damn Vulnerable Hybrid Mobile Application
• Android Digital Bank
• Damn Insecure and Vulnerable Application
• HackMe Bank
• InsecureBank
• Damn Vulnerable Android Application
• OWASP GoatDroid
• Dodo Vulnerable Bank